
Thread: svshost.exe

#1 jenaguru (Guest): svshost.exe

    My machine is infected with this trojan (svshost.exe). Today SUPERAntiSpyware Free detected this. AVG Anti-Spyware, Kaspersky AV and ZA Anti-Spyware could not detect this. It is quarantined now.

    I want to know how it spreads and what type of danger it causes.
    How can I be sure of its complete removal?

    Thanks in advance.

#2 findley (Guest): Re: svshost.exe


    jenaguru wrote:
    > My machine is infected with this trojan (svshost.exe). Today SUPERAntiSpyware Free detected this. AVG Anti-Spyware, Kaspersky AV and ZA Anti-Spyware could not detect this. It is quarantined now.
    >
    > I want to know how it spreads and what type of danger it causes.
    > How can I be sure of its complete removal?
    >
    > Thanks in advance.

    Here's a link which describes the trojan svshost.exe: http://www.processlibrary.com/direct...es=svshost.exe
    You can find other links; just google svshost.exe.
    As to complete removal, one suggestion is to download HijackThis (http://www.trendsecure.com/portal/en...hijackthis.php), run a scan only, save the log and post it to either www.castlecops.com
    or www.bleepingcomputer.com
    for additional help.
    Findley :8}


#3 oldsod (Join Date Dec 2005, Posts 9,056): Re: svshost.exe

    Kind of a slim description. It could be adware or a worm or a trojan depending on the file size and location (root of the Windows folder or in the system32 folder). That alone will help determine how it got there; plus it helps if any other malware executables are also present (located anywhere from Documents and Settings to the Program Files folder to the Windows directory). And again, those other files' names, sizes and locations. Plus any new registry keys (usually the Run and Start keys and the CLSIDs and the Services).

    It also depends on the PC activities or the user's activities: P2P usage, file sharing, unscanned new media, installing strange codecs and using strange media formats, IRC or mIRC usage, opening unscanned emails/attachments and following the links (sometimes the link with a .com URL is really an executable file with the .com file extension), using unsecured networks and, last of all, the drive-by spyware installs. Some users still get fooled by the double-extension files (hey! that's not a .wmv file, but really a .wmv.cab or .wmv.exe or .wmv.ocx; all are executable files!) that appear at web sites and in emails. Browsing at dangerous sites can be risky; some will insert dangerous scripts, so it is best to control the scripts or just block scripts for global browsing. There are even plain HTML trojans, so it is not just risky scripts to be guarding against.
    Often the weakest link in the security is not the security setup, but the users themselves, or the risky user who is borrowing the safe user's machine!

    Kind of a general description with limited details of just a file name (which is a very popular name for malware writers, at that), so I really cannot go further into any more details.

    Oldsod
    Best regards.
    oldsod

#4 Fax (Join Date Nov 2004, Location localhost, Posts 17,292): Re: svshost.exe

    Strange... sounds like an old virus. Where was the virus detected? Exact location? You can find it in the logs... Cheers, Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

#5 jenaguru (Guest): Re: svshost.exe

    C:\WINDOWS\SYSTEM32\SVSHOST.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Microsoft Updates - svshost.exe)
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Microsoft Updates - svshost.exe)

    These are the locations where SUPERAntiSpyware found it.

    Oldsod, more or less I know about the bad net habits. But recently I had to install a piece of software downloaded from a torrent site (as a torrent file), though very small in size. Later I uninstalled it. I think that was the culprit.

    I will give HijackThis a try; I have never used it.

    Thanks all.

#6 Fax (Join Date Nov 2004, Location localhost, Posts 17,292): Re: svshost.exe

    And, if you still have the file, upload it to www.virustotal.com... and/or send it also to newvirus@kaspersky.com in a password-protected zip (include the password in the email) so it will be added to the KAV database.... Cheers, Fax

#7 jenaguru (Guest): Re: svshost.exe

    Hi Fax, the file is quarantined. I cannot find the file in the quarantine folder. There are 4 different files, namely 'Quarantine - 09-12-2007 - 08-09-46.DSC', 'Quarantine - 09-12-2007 - 08-09-46.DSC' etc.

    Now, after scanning a second time, another location for Trojan.SVSHOST is showing: C:\WINDOWS\Prefetch\svshost.exe-2DCA3CE2.pf

    But again the problem is I cannot find the file svshost.exe in the folders specified by SUPERAntiSpyware after restoring; instead only svchost.exe is showing, which I think is a legitimate file. Please suggest what to do now?

    Thanks.

#8 Fax (Join Date Nov 2004, Location localhost, Posts 17,292): Re: svshost.exe

    Hi! Strange problem... I don't have SUPERAntiSpyware at hand right now. So, even if you restore the quarantine folder you don't get the file back? Might be a SUPERAntiSpyware glitch rather than a virus... or a malfunction of the quarantine folder in SUPERAntiSpyware. Sorry, no idea... Cheers, Fax

#9 oldsod (Join Date Dec 2005, Posts 9,056): Re: svshost.exe

    Indeed it is, Guru fax. Even though Prevx says it is only from this summer, CastleCops has had it down for a few years (since 2005). It does have a very familiar ring to it.

    Sites that do file/process definitions such as here

    Read the Prevx description...
    It uses the memory to gain control to inject itself into other processes; this is where it all probably started: it sat in the memory and waited for the Windows shutdown, and once the security was off, it then became alive and installed itself from the Temp folder! When Windows booted up, it was already installed and firmly entrenched as a service and in the registry in the OS. Malware writers are very good; they sign the files to pass themselves off as genuine Windows files/certificates. It then registered itself as an actual Windows file and became part of the OS (a very trojan-like characteristic). I have seen this myself, up close, to examine. Then it basically did what it wanted and got new files to install once it had achieved outbound access over HTTP. It controlled the ActiveX/COM objects and DCOM to spread and alter the Windows OS (disable the updates, service packs and supported security settings). It has the ability to inject itself via the memory or directly into other .dlls and gain control. It installed a rootkit and acts as a keylogger and can copy itself and will accept commands from remote machines (bot). Since it calls out and sends your keystrokes and can be remotely controlled, it is not a good thing for your privacy. But malware never is.

    Jena, the usual advice: do not trust any downloads from unsafe sites. Period. Installing from unsafe sites is always a risk. Always scan the unknown file six ways from Sunday. Scan with all your security applications before opening or executing the files. Then go online and scan it at VirusTotal. Once it has passed, then and only then finally open the file. The downside to this: even sometimes the scanners will unpack the file so they can scan it and accidentally execute the malware file at the same time, just by unpacking it.
    Sure, KAV and ZA have some limited memory protection, but the process of this malware started off as a buffer overflow in the memory. This is why I use a separate buffer overflow protection on my machines and a dedicated HIPS such as AH or SSM on my non-KAV machines. I still believe a FW is just a FW and an AV is just an AV; they cannot really give proper AS, AM, AT, AR and AK protection. But a simple HIPS can do so easily.

    Jena, please post your HJT logs, both the StartupList and the system scan. If you wish to, that is. I will take an untrained look at it. Or just post back with the link for the HJT forum where you have posted your HJT logs.

    Oldsod
    Best regards.
    oldsod

#10 oldsod (Join Date Dec 2005, Posts 9,056): Re: svshost.exe

    Disable System Restore and boot into Safe Mode. Now delete the prefetch file (use the HJT delete-on-reboot if you have to!). There are dedicated applications to pull the well-entrenched files, so do not despair. Delete all of the registry keys involved and delete that file! Then scan with some of the readily available anti-rootkit scanners: F-Secure's BlackLight, the Sysinternals anti-rootkit finder and the AVG anti-rootkit scanner. Do complete scans again with all of the scanners on the PC. Then delete all found. Run a registry/file cleaner such as CCleaner and the Abexo free reg cleaner. Run the System File Checker. Run the HJT log once again. Now boot back into Normal Mode. Go online and use IE to do a separate online scan from BitDefender. Run the Malicious Software Removal Tool from MS, or go to the site and run it online. Re-enable the DCOM server in the Services. Clean all cookies and IE Temp files and Temp folders while still in Safe Mode.

    Oldsod
    Best regards.
    oldsod
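The thread turns on three checks a responder ends up doing by hand: spotting a file name that imitates a genuine Windows binary (post #5's svshost.exe in system32 beside the real svchost.exe), spotting the double-extension trick post #3 warns about (.wmv.exe, .wmv.cab, .wmv.ocx), and reading which program a Prefetch entry belongs to (post #7's svshost.exe-2DCA3CE2.pf) before the cleanup in post #10. The script below is an added example, not code from any poster or from the tools named in the thread. It scores autorun entries with an edit-distance look-alike test, a double-extension test and a location test, and recovers the executable name from a Prefetch file name. The sample Run/RunServices entries are constructed to mirror the locations posted above; the list of genuine names, the extension lists, the system-directory set and the two-edit threshold are assumptions chosen for illustration.

```python
"""Autorun triage for svchost look-alikes and deceptive file names.

Added example, not code from the thread. SAMPLE_ENTRIES is constructed to
mirror the Run/RunServices values and Prefetch file posted above; the
legitimate-name list, extension lists, system-directory set and the
edit-distance threshold are assumptions chosen for illustration.
"""
import ntpath
import re

# Genuine Windows binaries that malware commonly imitates (assumed list).
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "services.exe", "explorer.exe"}
# Directories where those binaries legitimately live on XP (assumption).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Extensions Windows will execute; post #3 names .exe, .cab and .ocx.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "cab", "ocx", "dll"}
# Extensions a user expects to be harmless media or documents.
DATA_EXTS = {"wmv", "avi", "mp3", "jpg", "gif", "txt", "pdf", "doc"}
MAX_EDITS = 2  # a name this close to a system binary's name is a look-alike


def levenshtein(a, b):
    """Edit distance between two strings; svshost.exe is 1 edit from svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the genuine binary name this file name imitates, or None."""
    name = name.lower()
    if name in LEGIT_NAMES:
        return None
    for legit in LEGIT_NAMES:
        if levenshtein(name, legit) <= MAX_EDITS:
            return legit
    return None


def has_double_extension(name):
    """True for names like holiday.wmv.exe: a data extension in front of an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DATA_EXTS


def command_path(command):
    """Pull the executable path out of a Run-key command string, quoted or not."""
    m = re.match(r'"?(.+?\.[a-z0-9]{2,4})"?(?:\s|$)', command.strip(), re.I)
    return m.group(1) if m else command.strip()


def prefetch_executable(pf_name):
    """Prefetch files are NAME-HASH.pf; recover NAME from e.g. svshost.exe-2DCA3CE2.pf."""
    m = re.match(r"(.+)-[0-9A-F]{8}\.pf$", pf_name, re.I)
    return m.group(1).lower() if m else None


def triage_path(path):
    """Reasons to distrust one executable path; an empty list means nothing odd."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    reasons = []
    legit = lookalike_of(name)
    if legit:
        reasons.append(f"name imitates {legit}")
    if name in LEGIT_NAMES and folder not in SYSTEM_DIRS:
        reasons.append("system binary name outside the Windows directory")
    if has_double_extension(name):
        reasons.append("double extension hides an executable")
    if "\\temp\\" in folder + "\\" or "documents and settings" in folder:
        reasons.append("runs from a user-writable location")
    return reasons


def triage_autoruns(entries):
    """Map each suspicious autorun value to its reasons; clean entries are omitted."""
    flagged = {}
    for key, value_name, command in entries:
        reasons = triage_path(command_path(command))
        if reasons:
            flagged[f"{key}\\{value_name}"] = reasons
    return flagged


# Constructed sample mirroring the thread's locations; not real tool output.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Updates",
     r"C:\WINDOWS\SYSTEM32\SVSHOST.EXE"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Microsoft Updates",
     r"C:\WINDOWS\SYSTEM32\SVSHOST.EXE"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Media",
     r'"C:\Documents and Settings\user\Local Settings\Temp\holiday.wmv.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Documents and Settings\user\svchost.exe"),
]

if __name__ == "__main__":
    for entry, reasons in triage_autoruns(SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(reasons))
    print("prefetch entry belongs to:", prefetch_executable("svshost.exe-2DCA3CE2.pf"))
```

On the constructed sample the two "Microsoft Updates" values are flagged only because the name is one edit from svchost.exe (the file sits in the right directory, which is exactly why it is easy to miss when browsing system32), the genuine ctfmon.exe passes, the .wmv.exe entry is flagged twice (double extension and Temp folder), and a correctly named svchost.exe under Documents and Settings is flagged for being outside the Windows directory. A real run would feed it the Run, RunServices and Services entries from a HijackThis or registry export rather than the embedded list.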
