Computer Virus From Hell

[Morgan Ellis]

My PC seems to have caught some sort of uber virus. I've run Norton (2004 Pro, no less), have re installed Windows, have re-formatted my drives, am running firewall software, all to no avail.

The infected file shows up in windows as svchost.exe, and it's write protected. I can't remove it manually, Norton can't remove it, and it seems to protect itself during re formating/re installing.

I'm at a loss as to what else to try. I believe it's a server file of some sort, or an offshoot of the jeefo virus.

It's driving me nuts, as I have spent the last week on trying to get rid of this stupid thing, and un installed net access in the meantime, meaning no email etc.

If anyone has ANY idea how to deal with it (other than 'get a mac', as I already have one of those as well, thanks), I'd be eternally grateful.

TIA,

Morgan

 

[The Shake]

And I thought you were just avoiding me.

 

[Drunken Master]

I have svchost.exe as well. I assumed it was legitimate.

How did you find out it was a virus? What does it do?

 

[The Shake]

And I thought you were just avoiding me.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;250320

http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056

 

[The Shake]

From (http://ask-leo.com/archives/000105.html):

But just what is svchost?

Let me tell you what it is not: On Windows XP, 2000 and 2003, svchost is not a virus. On those systems svchost is a required system component. If you happen to successfully delete it, your system will not run. You'll be much worse off than before.

 

[mrhockey]

svchost.exe is a legit file... however, the virus might be attaching itself to her svchost file.

I suggest you go to windowsupdate.microsoft.com immediatley following a reboot and download the latest critical updates.

that may fix the problem

 

[mrhockey]

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


this is the latest Windows virus that has people pulling their hair out... easy fix is an update at the WindowsUpdate site

 

[Goober Mcfly]

Did you get an email saying svchost.exe is a virus Morgan?

 

[Asterix]

As others have said, svchost.exe is a legit file. When you do a search for the file, does it show it's been recently modified?

 

[Morgan Ellis]

Norton now confirms that svchost.exe is infected with the jeefo virus.

Here's a short overview of what's been happening. As soon as I connect to the net, my C drive fills with assorted alphanumerically named .exe files. The latest twist is that when I tried to re-start, I received an error message telling me I was 'not authorized to restart this computer'.

I solved this by screaming and yanking the power cord out of the wall. Error message this, you virus writing dickwads.

So, I'm going to try and download the Windows patch, and see if that works.

-- Morgan

ps: Shake, that was just an added bonus.

 

[Morgan Ellis]

PS #2:

Here's what sophos.com says about it:

W32/Jeefo-A infects Windows PE executables with an extension of EXE and a filesize greater than 102,399 bytes, in all folders of all fixed drives C: to Z:.

The virus runs continuously in the background, infecting files at periodic intervals.

When an infected file is run, the virus dropper is extracted to the Windows folder as SVCHOST.EXE and the virus disinfects the host executable, although not all infected files will be successfully returned to their original state.

Under Windows 95/98/Me the virus creates the following registry entries so that the virus is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= <pathname of virus>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= "C:\<Windows>\SVCHOST.EXE"

Under Windows NT based systems (Windows NT/2000/XP) the virus creates a service named PowerManager with the startup type set to automatic, so that the virus is run automatically on startup.

---

I think this has possibly been sitting on my machine since I had it running Windows ME. Sophos has a patch for it, but, as I said, I'll try Windows Update first.

-- Morgan

 

[Drunken Master]

I solved this by screaming and yanking the power cord out of the wall. Error message this, you virus writing dickwads.

That's my solution to most computer problems. Plus I threaten to kill my computer's children if it doesn't smarten up.

 

[Morgan Ellis]

Plus I threaten to kill my computer's children if it doesn't smarten up.

Does that seem to be working for you? Because I'm willing to try almost anything at this point in time...


-- Morgan

 

[Why Not?]

Many viruses reinstall themselves through the system restore feature in Win Me or Win XP (see Microsoft or Norton Website for instructions on this). It is often recommended that you disable this feature before removing a virus, then reboot and remove again. This is required for the Sasser virus and is supposed to solve the problem.

Did your removal instructions ask you to do this? If not try it.

 

[The Shake]

Wow - Morgan getting her ass kicked by a computer.

My, how the worm has turned...