
iis security : "we have been hacked"


RLF
12/12/2003 10:53:50 AM
Our web home page (tools < internet options < general < homepage) seems to be hijacked, or as the information on the page we are directed to suggests (see below) "we have been hacked".

My question: is the info below legitimate? Can we or
should we follow the instructions it provides to rid our
computer of its current plague?

Note: The following is the info I cut from the page we
continually get directed to. If this doesn't provide the
solution, what should we do? Pls help!

COPIED INFO IS EXACTLY AS FOLLOWS:
If you see this page your hosts file has been hacked.
Please use the instruction below to clean your machine.

You cannot reach the site you were trying to reach
without following this procedure! - Please follow the
steps provided in this document and make sure to download
all patches for your computer from the Windows Update Site
which can be found here:
http://windowsupdate.microsoft.com

1. Start regedit,
find
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\Run ,
delete starting of svchost.exe file,
reboot your computer,
delete file svchost.exe in windows directory.

2. Reboot windows and start in
SAFE MODE (F8 key on keyboard before windows starting),
delete file winlogon.exe in directory: C:\Documents and
Settings\All Users\Start Menu\Programs\Startup

3. Clear your 'hosts' file.
How to edit your hosts file: locate it first, either by
browsing to the directory (as shown above) or by
hitting "Start - Search - select all files and folders -
type in 'hosts' (without the quotation marks) and hit
search. When the file is found, click with your right
mouse button on the file and select 'Open With...' This
will bring up a list of programs to edit the file with.
Select Notepad from that list and click OK. - Remove all
lines from the file and type in: 127.0.0.1 localhost. Now
close the file and save your changes.
For Windows 95/98/Millennium machines: Locate the file
hosts in your C:\Windows directory. Just delete it or edit
it with a text editor like notepad and make sure there is
only one line there:
127.0.0.1 localhost
For Windows 2000 machines: Locate the file hosts in your
C:\Winnt\System32\Drivers\Etc directory. Just delete it or
edit it with a text editor like notepad and make sure
there is only one line there:
127.0.0.1 localhost
For Windows XP machines: Locate the file hosts in your
C:\Windows\System32\Drivers\Etc directory. Just delete it
or edit it with a text editor like notepad and make sure
there is only one line there:
127.0.0.1 localhost

Karl Levinson [x y] mvp
12/12/2003 8:01:22 PM
Correct instructions for which virus?

I would think the instructions really should:
* not advise everyone to delete their hosts files... some people might need
some of those entries
* use antivirus to identify and detect the virus
* update antivirus and/or figure out why they were not protected against
being infected, or else they could very well be re-infected in a very short
time

Also, I'm not familiar with this trojan / virus that both uses a file named
SVCHOST.EXE and also modifies the hosts file. Which one is it? Or have
they possibly confused the welchia and qhosts removal instructions?


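Step 3 of the copied page says to wipe the hosts file, and Karl's reply points out that some people need some of those entries. As an added example (not from the thread), this Python script audits a hosts file line by line instead: entries that point a real site at the loopback address (blocking it) or send a name to another address are reported, while localhost lines and internal overrides are kept for a human to confirm. The sample file, its names and addresses are constructed.

```python
import ipaddress

# Constructed sample of a tampered hosts file (added example, not from the thread;
# addresses come from documentation and RFC 1918 ranges). Lines 2-3 are normal.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com   # blackholes the update site
192.0.2.10      www.google.com www.yahoo.com  # sends search sites elsewhere
10.1.2.3        intranet.example              # plausible internal override
not-an-ip       something
"""
# Ranges where an administrator might legitimately pin a name by hand.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def classify(ip, hosts):
    """Label one hosts entry: ok, blocked, redirected, review or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if all(h.lower() in ("localhost", "localhost.localdomain") for h in hosts):
        return "ok" if addr.is_loopback else "redirected"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"      # a real site pointed at this machine (update/AV sites)
    if any(addr in net for net in INTERNAL):
        return "review"       # may be deliberate; confirm with the owner before removing
    return "redirected"       # a public name sent to some other address

def _entries(text):
    """Yield (lineno, raw, ip, hosts); blank and comment-only lines have ip None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        yield lineno, raw, (fields[0] if fields else None), fields[1:]

def audit_hosts(text):
    """Return {label: [(lineno, ip, hosts), ...]} for every data line in text."""
    report = {}
    for lineno, _raw, ip, hosts in _entries(text):
        if ip is not None:
            report.setdefault(classify(ip, hosts), []).append((lineno, ip, hosts))
    return report

def clean_hosts(text):
    """Rewrite text keeping comments plus 'ok' and 'review' lines; drop the rest."""
    kept = [raw for _n, raw, ip, hosts in _entries(text)
            if ip is None or classify(ip, hosts) in ("ok", "review")]
    return "\n".join(kept) + "\n"
```

Run `audit_hosts` on the real file first and look at the "review" and "blocked" lists before writing the output of `clean_hosts` back.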

jcochran.nospam NO[at]SPAM naplesgov.com
12/12/2003 8:40:55 PM

It's actually legit. I was suspicious that any hacked page would
redirect like that, but those are the correct instructions.

Jeff

Karl Levinson [x y] mvp
12/15/2003 4:29:34 PM


FYI, I searched www.sarc.com to try to find a virus that used svchost.exe
and modified the hosts file, couldn't find any. I have to wonder if the
instructions on the website are misguided, or maybe they know something we
don't.


jcochran.nospam NO[at]SPAM naplesgov.com
12/15/2003 6:24:00 PM
On Fri, 12 Dec 2003 20:01:22 -0500, "Karl Levinson [x y] mvp"

It appears a combination of Welchia/Qhosts and possibly others. I
wouldn't think SVCHost would normally be an issue to pull out of
Startup, and it's a common method of loading several
viruses/trojans/malware/etc. *Most* users wouldn't run into a problem
deleting the HOSTS file and I suspect those that would either know
enough not to or have admins that know enough not to let them, but it
isn't what I'd say was proper either. I'd agree with the advice not
being the best, and wasn't really commenting on the advice being the
most useful, but rather on the fact that a hijacked site now provided
removal instructions at all.

Charles Otstot
12/16/2003 10:31:50 AM


I've run into a couple of servers hit by script kiddies loading warez FTP
sites using scripts that rename the Serv-U executable to *SCVHOST.EXE* (note
the reversal of "c" and "v") and create an scvhost service. If memory
serves, there was also a recent trojan/worm/virus that created scvhost.exe
as well.


Charlie

jcochran.nospam NO[at]SPAM naplesgov.com
12/16/2003 3:36:59 PM
On Mon, 15 Dec 2003 16:29:34 -0500, "Karl Levinson [x y] mvp"

Not sure it's a virus, but we pulled svchost out of startup for an IE
home page resetting issue. Could have been a malware program doing
it, and wouldn't show on virus scans. Though I'd think using Ad-Aware
or Spybot should pick up those. In our case, we have no reason
svchost should be in the Startup group.

At any rate, a page that didn't give specific instructions but pointed
to tools that would help across the board may have been better.

adavis NO[at]SPAM online.microsoft.com
12/17/2003 4:21:03 PM
It sounds like you may have been infected with the Nachi Worm and possibly
a variant/combination of another worm.

Try browsing to http://housecall.trendmicro.com/ and using their Free
online scan/clean option.

Here is a KB article discussing this worm and its manipulation of
svchost.exe:
http://support.microsoft.com/default.aspx?kbid=826234

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security
