
Worm


    Worm

    I have a problem on Windows 2000: every time I log in to the internet through my modem, a svchost process consumes increasing amounts of CPU resources until I have to switch off.

    There are now no new obvious executables and I suspect some viral service is being run by the svchost. I can't find any recent dll files.

    A few months ago I caught the blaster virus, which I sort of suspect has something to do with it. I removed the msblast executable, but it appears some svchost service remains.

    It would even be helpful if I could abort the svchost, which would enable me to download Microsoft patches, though I'm not sure this would work until I'm free of this worm.

    Any help appreciated.

    #2
    have you tried

    procexp.exe from sysinternals.com. It gives more info about users of services, processes etc. and might help clarify things a bit?



      #3
      Re: have you tried

      Thanks Scotspine.

      I've noticed the virus does file transfers and generates TFTPXXX files in my system32 directory.

      Does this ring a bell?



        #4
        sounds nimda-esque

        to me. also sounds like you have a fairly unprotected, unpatched machine?



          #5
          Re: sounds nimda-esque

          Well there is a virus checker, but I'm going to download the rpc patch and a firewall.

          What caused the problem I think was teekids.exe that is a variant of msblaster.

          I deleted teekids but it seems to have left something hanging around.

          You wouldn't know what that was?



            #6
            if you're not patched, firewalled, ad-awared, spybotted,

            anti-virused, mbsa'd, routed, etc, then you're doomed

            have you tried

            securityresponse.symantec....tool.html

            yet?



              #7
              better

              securityresponse.symantec....worm.html



                #8
                Sounds like you need to run Stinger.

                Then you need to patch the machine to the hilt, and install up-to-date AV and firewall.
                (Just removing the msblast.exe file doesn't fix it, there's stuff left in the registry to help it "reproduce".)



                  #9
                  Well, thanks for the advice. I'm going to try these anti-virus programs out and then stick the patch and a firewall on.



                    #10
                    how are you connecting?

                    If you are on broadband go out and buy a properish firewall router, less than £100.

                    Then run a software firewall as well. (I like kerio)

                    def get the tools for specific removal.

                    When I'm looking at a possibly flaky machine I go through the process list and google the name of everything executing.

                    Then go through the registry for the startup programs and google on those as well.

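The triage described in post #10, together with the leftover registry entry post #8 mentions, as an added example that is not part of the thread: it parses a constructed `reg query` listing of the HKLM Run key plus a constructed process list and returns only the items that still need looking up. The allow-list, value names and sample entries are assumptions; msblast.exe and teekids.exe are the names given in the thread.

```python
import re

# Names this thread ties to the infection (posts #1 and #5).
NAMED_IN_THREAD = {"msblast.exe", "teekids.exe"}
# Constructed allow-list; build a real one from a known-clean machine.
KNOWN_GOOD = {"mobsync.exe", "internat.exe", "explorer.exe", "svchost.exe"}

# Constructed sample in the "name  type  data" layout that `reg query` prints.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    internat.exe    REG_SZ    internat.exe
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" -quiet
    Example Value    REG_SZ    teekids.exe
"""
# Constructed process list (image names only).
SAMPLE_PROCESSES = ["explorer.exe", "SVCHOST.EXE", "xyzhelper.exe"]

VALUE_LINE = re.compile(r"^\s+(.+?)(?:\s{2,}|\t)(REG_\w+)(?:\s{2,}|\t)(.*)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def image_name(command):
    """Reduce a startup command line to a lower-case file name."""
    m = EXE.match(command.strip())
    path = (m.group(1) or m.group(2)) if m else (command.split() or [""])[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_run_key(text):
    """Yield (value_name, image_name) for each value line of the listing."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group(1), image_name(m.group(3))

def classify(name):
    """Sort a file name into named-in-thread, known, or research."""
    name = name.lower()
    if name in NAMED_IN_THREAD:
        return "named-in-thread"
    return "known" if name in KNOWN_GOOD else "research"

def triage(run_key_text, processes):
    """Return sorted (source, name, verdict) rows, leaving out known items."""
    rows = [("startup:" + v, n, classify(n)) for v, n in parse_run_key(run_key_text)]
    rows += [("process", p.lower(), classify(p)) for p in processes]
    return sorted(r for r in rows if r[2] != "known")

if __name__ == "__main__":
    for row in triage(SAMPLE_RUN_KEY, SAMPLE_PROCESSES):
        print("%-28s %-16s %s" % row)
```

A name match only tells you what to look up next; a malicious file can reuse a legitimate file name, so check the full path of anything marked "known" as well.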
