Majorly Desperate -- READ NOW!!!!!!

Discussion in 'privacy problems' started by AsH432, Feb 2, 2005.

Thread Status:
Not open for further replies.
  1. AsH432

    AsH432 Guest

    Ok, I downloaded a KeyGen (stupid, I know). Now every time I run Windows, it runs svchost's and I keep getting lagged out or disconnected from the net :/ PLEASE HELP. I did virus scans, kept killing the process :\
     
  2. AsH432

    AsH432 Guest

    PLEASE!!!! ZoneAlarm keeps popping up with Allow svchost.exe?

    Every 5 seconds :/
     
  3. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39
    Svchost.exe is a necessary system process, also known as Generic Host Process for Win32 Services. It is normal to have multiple copies running. These are collections of services run from dll files. (It can be a worm, but if you have updated your virus definitions and have done a full scan that most likely isn't your problem).
     
  4. AsH432

    AsH432 Guest

    Trust me, I ran the CD keygen, then it popped up with all these svchost.exe :/

    And it's asking for it every 2 seconds on ZA
     
  5. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39
    Try this, go to Start | "Run" | (type) "CMD" (always no quotes)


    You will get a command console, type in the following:

    "cd\"

    "tasklist /svc >tasklist.txt"

    This creates a file called "tasklist.txt" in the root c:\. Navigate to that file, open in notepad and paste the results here.

    -----------
    Instructions are for XP (syntax could be different for other versions of Windows).
     
  6. AsH432

    AsH432 Guest

    omg, what's "winstart32.exe" never there before :/

    I seriously have a feeling it's dropped some sort of file that keeps spamming svchost.exe or something, I dunno :/
     
  7. AsH432

    AsH432 Guest

    tasklist is not recognized as an external bla bla ...

    :\
     
  8. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
  9. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    I googled it, and according to a number of sites, that is associated with the Purol worm. Check the following links for a description of what to look for.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.purol.html

    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_PUROL.A
     
  10. AsH432

    AsH432 Guest

    Ahhh, I see ;)

    Thanks for this.

    Ok, how would I remove this? In the easiest way :p
     
  11. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    What OS do you run? That is not as important now anyway, you need to follow the instructions for the worm removal. It looks like it deletes the NAV virus definitions.
     
  12. AsH432

    AsH432 Guest

    Doing a "Trend Micro" scan. Thank you guys :D You are a great help :p
     
  13. AsH432

    AsH432 Guest

    omg, now it's making backups of everything :/
     
  14. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39

    You found yourself a nice little worm. :eek: The good news is that it doesn't destroy anything that can't be replaced easily, and mostly it tries to replicate. Just don't run any file sharing programs until it is fully cleaned or your temp files will be shared with the world. Trend Micro's scan should help you to remove everything.



    1. Attempts to delete all the files from the following folders:

    * C:\Progra~1\eSafe\Protect
    * C:\Progra~1\McAfee VirusScan
    * C:\Progra~1\NORTON~1
    * C:\Progra~1\Acceleration Software\Anti-Virus
    * C:\Progra~1\F-prot
    * C:\Progra~1\Mcafee
    * C:\Progra~1\Kasper~1
    * C:\Progra~1\Avpersonal
    * C:\Progra~1\Bullguard

    2. Copies itself as:

    * C:\Windows\Hwinfoq.com
    * C:\Windows\Lorupscr.scr
    * C:\Windows\Winstart32.exe

    3. Creates the folder, C:\Windows\MyShares, and copies the following files to that location:

    * C:\Windows\Temporary Internet Files\*.txt
    * C:\Documents And Settings\Local Settings\Temp\*.doc
    * \My Chat Logs\*.*
    * C:\Windows\*.pwl
    * C:\Windows\*.ini
    * C:\Windows\temp\*.Doc
    * C:\Windows\Temp\*.txt
    * C:\Windows\Temp\*.rtf

    4. Checks the following folders:

    * C:\Windows\Myshares
    * C:\Program Files\Icq\Shared Files
    * C:\Program Files\Bearshare\Shared
    * C:\Program Files\Morpheus\My Shared Folder
    * C:\Program Files\Edonkey2000\Incoming
    * C:\Program Files\Gnucleus\Downloads
    * C:\Program Files\Gnucleus\Downloads\Incoming
    * C:\Program Files\Kazaa\My Shared Folder
    * C:\Program Files\Kazaa Lite\My Shared Folder
    * C:\Program Files\Limewire\Shared

    Then, the worm copies itself to any of the folders that it finds.
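
An added example, not part of the original thread: a Python check for the file-system indicators listed in the post above, usable on a live system drive or a mounted offline image. The function names are hypothetical, and matching share-folder files by hash assumes the worm's copies are byte-identical to the dropped file.

```python
import hashlib
import sys
from pathlib import Path

# Indicators from the write-up quoted in the post above, relative to the system drive.
DROPPED = ["Windows/Hwinfoq.com", "Windows/Lorupscr.scr", "Windows/Winstart32.exe"]
STAGING = "Windows/MyShares"
SHARE_DIRS = [STAGING] + ["Program Files/" + d for d in (
    "Icq/Shared Files", "Bearshare/Shared", "Morpheus/My Shared Folder",
    "Edonkey2000/Incoming", "Gnucleus/Downloads", "Gnucleus/Downloads/Incoming",
    "Kazaa/My Shared Folder", "Kazaa Lite/My Shared Folder", "Limewire/Shared")]

def resolve(root, rel):
    """Case-insensitive lookup of rel under root, so a mounted image works too."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def files_in(root, rel):
    """Regular files directly inside rel, or an empty list if the folder is absent."""
    folder = resolve(root, rel)
    return sorted(f for f in folder.iterdir() if f.is_file()) if folder and folder.is_dir() else []

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(root):
    """Report dropped copies, staged documents and identical copies in share folders."""
    dropped = [p for p in (resolve(root, d) for d in DROPPED) if p and p.is_file()]
    known = {sha256(p) for p in dropped}
    # Assumption: "copies itself" means a byte-identical file, so the hashes match.
    copies = [f for d in SHARE_DIRS for f in files_in(root, d) if sha256(f) in known]
    return {
        "dropped": [str(p) for p in dropped],
        "staged": [f.name for f in files_in(root, STAGING) if sha256(f) not in known],
        "copies": [str(f) for f in copies],
    }

if __name__ == "__main__":
    # Pass the system drive or the mount point of an offline image as the argument.
    for kind, hits in scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\").items():
        print(kind, hits or "none found")
```

Files reported under "staged" are the user's own documents that were copied into the MyShares folder, so they show what was exposed to file sharing rather than what needs cleaning.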
     