Ah.. svhost.exe as Welchia Worm??

Discussion in 'malware problems & news' started by Oneothora, May 26, 2005.

Thread Status:
Not open for further replies.
  1. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Hey again.

    I come with yet another question..

    Lately Zone Alarm Pro keeps telling me that svchost.exe is trying to access the internet or act as a server or something in some new port. I denied it because it looked weird to me and I wasn't sure if I could trust it so I looked it up.

    On some page it said svchost.exe is part of Win32 and is important to run or something, and on another it said it works as a Welchia Worm. Or something like that, a worm with the letter W in the beginning of its name.

    What should I do?
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Download Process Explorer and take a look at what is running. Unzip to a folder or your desktop. No installation required. Check the options in Process Explorer so you can get the full benefit of the program.
    Double click the entries or right click the entries for info.

    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you look in the Process tab of Task Manager you will see several instances of svchost.exe running. It is a platform for the running of .dll-based services and is hosted by the Generic Host Process for Win32. The important thing to note is the file path, which should be C:\Windows\system32\svchost.exe.

    Malware often uses the name, or variants of it, so you should check both the filepath and the exact spelling of the name. The genuine svchost.exe never appears as an auto-start in msconfig, so that is another place to look.

    Edit - Ron beat me to the post; Process Explorer is similar to TM but with more detailed information.
     
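The checks TopperID lists (exact spelling, file path, no Run-key auto-start) can be scripted. The following is an added example for this thread, not code from the original post or from Sysinternals; it also checks two things the post does not mention, the parent process (genuine svchost.exe is started by services.exe) and the Authenticode signature, and assumes PowerShell 3 or later on the Windows host. The lookalike pattern, the Run keys it inspects and the verdict strings are choices made here for illustration.

```powershell
# Added example, not from the thread. Audit every running process whose name
# resembles "svchost" and report the spelling / path / parent / signature checks.
# Assumes PowerShell 3+ on Windows.

# Genuine copies live under System32 (and SysWOW64 for 32-bit services on x64).
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# Loose on purpose: matches svchost, svhost, scvhost, svch0st, svchost32, ...
$lookalike = '^s[cv]{1,3}h[o0]st[a-z0-9]{0,3}\.exe$'

$servicesPid = (Get-CimInstance Win32_Process -Filter "Name = 'services.exe'").ProcessId

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $lookalike } |
    ForEach-Object {
        $proc    = $_
        $path    = $proc.ExecutablePath      # $null when the process cannot be opened
        $reasons = @()

        if ($proc.Name -ne 'svchost.exe') {
            $reasons += "misspelled name '$($proc.Name)'"
        }
        if ($path -and ($expectedPaths -notcontains $path)) {
            $reasons += "unexpected path '$path'"
        }
        if ($proc.ParentProcessId -ne $servicesPid) {
            $reasons += "parent PID $($proc.ParentProcessId) is not services.exe"
        }
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
        }

        [pscustomobject]@{
            PID     = $proc.ProcessId
            Name    = $proc.Name
            Path    = $path
            Verdict = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'OK' }
        }
    } | Format-Table -AutoSize

# The real svchost.exe is launched by the Service Control Manager, never from a
# Run key, so any Run/RunOnce value that mentions a svchost-like name is an
# auto-start worth investigating (the same thing msconfig would show you).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if ("$($p.Value)" -match 's[cv]{1,3}h[o0]st') {
            Write-Warning "$key\$($p.Name) auto-starts '$($p.Value)'"
        }
    }
}
```

Run it from an elevated prompt so ExecutablePath is populated for every instance; a row whose path is empty is a permissions problem, not a verdict. Case differences in the path (system32 versus System32) are harmless because PowerShell's comparison operators are case-insensitive by default.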
  4. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Hmm.. Maybe I'm just half asleep or retarded or something. What am I looking for? :blink:
     
  5. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Yea, I just figured that out.. but it says for the Welchia worm, it tries to run on a Port 135 or something. My memory is lacking intelligence right now.

    But totally aside from all of this, I'm running a virus scan for the hell of it, and it told me 3 things have changed: user32.dll, shell32.dll, and ntoskrnl.exe

    I'm annoyed and am positive I caught something here. Too tired to throw a tantrum though.. should I just get the worm remover thing?
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    What scan have you just run? What malware did it say you had (I mean the name not the file)?

    PS - svchost will usually be trying to get through port 135 because of epmap (run by the Remote Procedure Call - RPC).
     
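TopperID's point is that a svchost.exe holding port 135 is normally the RPC endpoint mapper, so the useful question is which process owns that listener and which services it hosts. This is an added example for this thread, not code from the original post; it parses classic netstat -ano output (so it also works on older systems without Get-NetTCPConnection), assumes PowerShell 3 or later, and the function name Get-PortOwner is an invention for illustration.

```powershell
# Added example, not from the thread. Find the process listening on a TCP port
# and list the services it hosts. Assumes PowerShell 3+ on Windows.

function Get-PortOwner {
    param([int]$Port = 135)

    # Typical netstat -ano line (five whitespace-separated fields):
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    884
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($line in $lines) {
        $f = ($line -split '\s+') | Where-Object { $_ }
        $proto, $local, $remote, $state, $owningPid = $f[0..4]
        if ($state -ne 'LISTENING' -or $local -notmatch ":$Port$") { continue }

        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $owningPid"
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $owningPid" |
                Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Port     = $Port
            Local    = $local                # 0.0.0.0:135 and [::]:135 both appear on dual-stack hosts
            PID      = [int]$owningPid
            Image    = $proc.Name
            Path     = $proc.ExecutablePath
            Services = ($svcs -join ', ')
        }
    }
}

$owners = Get-PortOwner -Port 135
$owners | Format-List

# Expected on a healthy box: svchost.exe under System32 hosting RpcSs
# (Vista and later also show RpcEptMapper). Any other image on 135, or a
# svchost.exe hosting no services at all, deserves the path and signature
# checks from earlier in the thread.
foreach ($o in $owners) {
    if ($o.Image -ne 'svchost.exe' -or $o.Services -notmatch 'Rpc(Ss|EptMapper)') {
        Write-Warning "Port 135 owner PID $($o.PID) ($($o.Image)) does not look like the RPC endpoint mapper"
    }
}
```

Keep the direction of the connection in mind when reading a firewall alert: the endpoint mapper listening on 135 is normal Windows behaviour, whereas svchost.exe opening outbound connections to port 135 on many other hosts is the pattern the thread's worm question is about, and that would show up as SYN_SENT or ESTABLISHED rows rather than a LISTENING one.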
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  8. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Ah. I have 2 antiviruses. I just ran AVG Free Edition. I'm sure I have the Welchia Worm.

    Any way to remove it without any big fusses?
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    What makes you so sure? :)
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well if it says you've got it. Go here and D/L Stinger:- http://vil.nai.com/vil/stinger/

    Boot into Safe Mode and run Stinger, then do a full system scan with your AV. (Best to clear out your temp files and disable System Restore as well).
     
  11. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    The fact that I had a sleepless night because of too much caffeine. :D
     
  12. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Will I need any fancy things like the Windows XP CD to restore key registries or something?

    I also use Symantec Antivirus Corporate Edition.
     
  13. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No, just run it (and the above tool as well if you like!).
     
  15. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    I have a fancy idea. What if I just altogether do the General Cleaning AND the Welchia Worm removal tool.

    Is there any chance the general cleaning will further mess up my computer beyond function?

    (I'm talking about this general cleaning: https://www.wilderssecurity.com/showthread.php?t=50662 )
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It shouldn't, as all tools are designed to run while on an infected machine.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  17. John, uk

    John, uk Guest

    Hi,

    I wouldn't use a program like Process Explorer unless you're a very experienced user, as it can be hard to use. Try a program like What Process, which is easier to use and has online support.

    www.what-process.com
     
  18. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Great, So I did it all, and it managed to find 3 trojans, but kept insisting I had no worm.

    So I moved on.

    Then, I had a setup for a game that I had installed some time ago, and when I went to install the game again, Ewido Security Suite freaks out and keeps insisting it's a TrojanDropper.small.mt ... Err? It's a damn game's setup that I've installed before and was a game... Could Ewido just be crazy or can Trojans be shoved in game setups too?
     
  19. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    That sounds like a false positive but to be sure, scan the file flagged by Ewido with the Kaspersky Online Virus Checker and let us know what if anything it says. If KAV is not detecting anything in that file flagged by Ewido, most likely a f.p. You can submit the file to, I think, submit@ewido.net and mention you think it is a f.p.
     
  20. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    That's what I was thinking, because I've installed the game before.

    Thanks for the website, but it says the file can't be more than 1mb, and the setup is a good 240mb.

    I'm so fed up with viruses and worms I'm at the point where I'd just install the damn game anyway, lol.
     
  21. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Well then that has to be f.p. because no malware would ever come packaged as such a large file -- nobody would ever download it onto their system! I guess that rules out sending the file to ewido, hehe .. :D :eek: I believe Kaspersky also has an online system scan if you want to try that, just to make sure you are clean. There is also the Microworld Free AntiVirus Scanner, a free KAV-based scanner. Good Luck .. ;)
     
  22. Oneothora

    Oneothora Registered Member

    Joined:
    Jan 3, 2005
    Posts:
    33
    Location:
    Canada eh? ;)
    Oh I know I'm not quite clean yet. But I'm just so fed up with computers, they tick me off and drive me up the wall. Blame it on Microsoft if I end up in a psychiatric unit by the time I'm 25.

    Also, for some reason, since I did the general cleaning, my computer's been having these weird slooooooowwwwwwwwww moments where I could swear it was as if it was upping itself with a carrot in the brain. Man, I wish these things could hear us and understand us, then I wouldn't be wasting my cussing.

    However I remembered reading somewhere that Ewido Guard likes to do random guard scans or something, could that be the responsible little bunny? :ninja:
     