My 3 day battle with the viruses - I won!

Man, my first real experience with nasty viruses. I fought them for three days, and finally won.

I had all sorts of trojans and worms and stuff like Sasser, Padabot, something Backdoor, and some others (or stuff put there by them) including smsc, sxhzdnj, csmss, GStartup, svxhost, scvhost, wcmdmgr, wauluclt, and winsvc32. If you see any of these on your processes, kill them quick. Also in my windows/system32 folder were two nasties called cmd.ftp and lsac. Delete those if you see them.

The reason they caused so much trouble was that one of them attacked Norton and prevented it from getting Live Updates. I didn’t do anything about that, and that must have let lots of other nastiness in. My system was crashing a lot, and then suddenly my whole Internet slowed to a crawl with 9/10 pages not opening at all.

I finally got most of the web pages to work by killing off most of the processes and deleting their files. But the fucker still wouldn’t let me open the site to download Norton’s updates, and it took me ages to find a site to download the AVG antivirus software. That still didn’t kill everything. Finally deleting the 2 malicious files in the system32 folder allowed me to get my updates and Norton finally killed everything. Took me 3 days though.

Thanks for your help Tetsuo.

Brian

[quote=“Bu Lai En”]I had all sorts of trojans and worms and stuff like … scvhost … If you see any of these on your processes, kill them quick.[/quote]I read that svchost can be a legitimate thing. Sorry, don’t have the link handy, but it said that various programs, some legitimate, some not, use it.

I have four instances of it running at the moment – is there any way of checking what program it is connected with and whether it’s legitimate? Two of the instances have user name: SYSTEM, one has LOCAL SERVICE and one has NETWORK SERVICE.

My virus checks are up-to-date but my system does slow down a lot sometimes.

SVChost is legitimate, SVXhost, SCVhost, and all sorts of other lookalike names aren’t. They’re con jobs made to look like svchost to avoid suspicion.

And I’m glad to hear it all worked in the end and you didn’t have to reformat :smiley: Oh, and next time I might have to charge for my services :laughing:

You’ll sometimes see trojans named svchost also. The only real way to check is to look in msconfig (WinXP) and take a look in the startup. The really devious ones only hide themselves in the registry key…incredibly time-consuming to solve.

Two years ago, I recommended trying to remove the trojan. These days, there are SO many things that you can catch from the trojan that I recommend reformatting and reinstalling everything behind a hardware firewall and then running Windows Update.

Which trojan are you talking about, “the trojan”? And FWIW, I recommend a hearty dose of running Trojan Hunter, AdAware, Spybot, AVG (or some other Antivirus), and at least a software firewall. It’s bloody ridiculous that it’s come to the point where you have to have so much shit installed and regularly used just to be able to use the 'net and keep control of your own computer… :frowning:

Which virus does that?

There are quite a few, ones that detect Norton in the list of currently running processes (along with most other antivirus programs and some firewalls) and kill them.

Pretty much any trojan. I’ve seen darkIRC, Gaobot, phatBot, and a whole host of others.

The FREE answer to all your (future) virus problems: AVG Free Edition

Re: svchost - it is a necessary process. As Tetsuo pointed out, others have names like scvhost to make it harder to recognise. As Answerer said, a Trojan can also disguise itself as the svchost. Check that it’s in the right folder. There are lists of processes available on the net - for some trojans that masquerade as legitimate processes, the lists will tell you what folders they should be in. If they’re somewhere else, then kill them.

Re: what it was that was disabling my Norton LiveUpdate. I’m pretty sure it was cmd.ftp or lsac - two files that were hiding in the windows/system32 folder. This is a core windows folder, so you can’t go deleting things willy nilly, but once I’d managed to get AVG antivirus downloaded (a major effort - as the trojans were also blocking me from Grisoft and other antivirus sites) it told me that there was nasty stuff going on in the system32 folder, but couldn’t fix it. I ordered the folder by date and looked up anything suspicious in it. As soon as I deleted the cmd.ftp and lsac, I was able to get my Norton Updates again (and access Symantec security online) and it dealt with everything.

Also worth noting that although the AVG was useful, Norton picked up a lot that it missed. I think I’m going to make the radical (for me) move of actually buying (with money!) Norton Antivirus.

Brian

I forgot the name of the program to run to check processes running. Not regedit but something like arrghhh. I forgot but very useful to type at the startup–>run

Can type in all systems ie win 98, ME and Win2000.

There’s no command necessary under 2000 or XP - just press the magical MS Three Finger Salute, Control+Alt+Delete, and click the Processes tab.

And Rascal - AVG is also targeted by most of the viruses/trojans that kill Norton. I checked. It’s well known enough to be targeted.

[quote]I forgot the name of the program to run to check processes running. Not regedit but something like arrghhh. I forgot but very useful to type at the startup–>run

Can type in all systems ie win 98, ME and Win2000.[/quote]
Just hit Control-Alt-Del.
This works for all versions of Windows (95, 98, 98SE, ME, 2000, NT, and XP).

Maybe you were thinking about the program that lets you choose which programs start running when you boot up. That’s “msconfig”, and you need to go to Start -> Run for that because it’s a DOS program.

But “msconfig” doesn’t work on Windows 2000, NT, or XP.

[quote=“Mark Nagel”]
Maybe you were thinking about the program that lets you choose which programs start running when you boot up. That’s “msconfig”, and you need to go to Start -> Run for that because it’s a DOS program.[/quote]

Yup that’s the one and you are right. It doesn’t work on win2000.

Thanks.

[quote=“sticks of fury”]I forgot the name of the program to run to check processes running. Not regedit but something like arrghhh. I forgot but very useful to type at the startup–>run[/quote]

Not necessary but helpful since it contains more information than the Taskmanager: ‘tasklist’ and ‘tasklist /svc’
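Two tips in this thread can be combined into one quick triage: check that anything calling itself svchost really is svchost (and not scvhost, svxhost or similar), and use tasklist /svc to see which services each svchost.exe instance is actually hosting. The script below is an added example, not code from anyone in the thread; it parses a constructed tasklist /svc listing (the CORE reference list of genuine binaries is an assumption, extend it as needed), flags image names within two edits of a genuine one, and flags any svchost.exe that hosts no service at all, which a real instance always does.

```python
import re

# Constructed sample of `tasklist /svc` output (not a real capture); odd names are from this thread.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
csrss.exe                      532 N/A
svchost.exe                    896 RpcSs
svchost.exe                    948 AudioSrv,CryptSvc,Dhcp,EventSystem
svchost.exe                   1020 N/A
scvhost.exe                   1204 N/A
wauluclt.exe                  1340 N/A
"""
# Genuine Windows binaries that the lookalikes imitate (assumed reference list).
CORE = ["csrss.exe", "explorer.exe", "lsass.exe", "services.exe",
        "smss.exe", "svchost.exe", "winlogon.exe", "wuauclt.exe"]
ROW = re.compile(r"^(.*?)\s+(\d+)\s+(\S.*)$")   # image name, PID, services

def parse_tasklist(text):
    """Return (image, pid, [services]) tuples; the first two lines are headers."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines()[2:])):
        svc = m.group(3).strip()
        rows.append((m.group(1), int(m.group(2)), [] if svc == "N/A" else svc.split(",")))
    return rows

def edit_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent swaps (catches scvhost)."""
    d = [[max(i, j) * (i == 0 or j == 0) for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def suspicious(rows):
    """Flag near-miss names and svchost.exe instances that host no service."""
    hits = []
    for image, pid, services in rows:
        name = image.lower()
        if name in CORE:
            if name == "svchost.exe" and not services:
                hits.append((image, pid, "svchost.exe hosting no service"))
            continue
        nearest = min(CORE, key=lambda c: edit_distance(name, c))
        if edit_distance(name, nearest) <= 2:
            hits.append((image, pid, "looks like " + nearest))
    return hits
```

On a live XP/2000 box, feed it the real output of `tasklist /svc > procs.txt` instead of SAMPLE; anything it flags still needs its folder checked before you kill it.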

Ok. Though I guess if you update regularly (I set mine to check every day) it can protect itself. Or I am just lucky.

Works on XP. There’s also something you can download that checks all your start-up processes.

Brian

[quote=“sticks of fury”][quote=“Mark Nagel”]
Maybe you were thinking about the program that lets you choose which programs start running when you boot up. That’s “msconfig”, and you need to go to Start -> Run for that because it’s a DOS program.[/quote]

Yup that’s the one and you are right. It doesn’t work on win2000.[/quote]

Copy the msconfig.exe from a Windows XP computer and you can run it on a 2000 computer. No clue why it was left out…

In any case, if you’re trying to remove a trojan, check out the documentation I wrote for my technicians a while back. Some of the stuff is horribly outdated though… http://www.rescomp.berkeley.edu/about/training/rcc/02-03/CompromisedComputer/

Bu Lai En got most of it right, although you really need to delete the registry keys, otherwise the trojans often regenerate…

Uh . . . Morphix :smiley:

Or Knoppix, if you’re so inclined. (Anyone without an nVidia chipset in their machine. . . .)

So, how do you delete the registry keys (in simple language please)?

Or could I assume that now that I’ve got Norton up and running, it will do the deleting for me?

Brian