Blaster Virus in Svchost.exe? - digitalFAQ.com Forums [Archives]
  #1  
01-15-2005, 09:42 AM
the viking
Free Member
Join Date: Sep 2004
Location: Norway
Posts: 174
Hello,
In December 2003 I got the Blaster virus on my PC.
The virus was removed with Symantec's FixBlast tool.
But one day I was killing processes before capturing video, and I
noticed something strange: when I try to kill one of the svchost.exe
processes, the well-known Blaster window comes up,
counts down from one minute and restarts the computer.
I have scanned the computer with all the known antivirus programs,
but there is not a single one of them that detects anything.
So I did a clean install of WinXP from my recovery CDs, but
the problem svchost.exe is still there. One more thing: the Blaster
window doesn't show up before I try to kill the process, so I don't
think it does anything with my work.
But I would like to have the thing completely out of my PC, so if any
of you have any ideas how to remove/kill the thing,
I'll be happy.



Thanks
-----------------
viking
  #2  
01-15-2005, 10:28 AM
Boulder
Free Member
Join Date: Sep 2002
Location: Lahti, Finland
Posts: 1,652
It's perfectly normal to have svchost.exe as a background process. The worm just exploited a security hole, which allowed it to do a "remote shutdown". That is, the shutdown window you see is normal.
  #3  
01-15-2005, 10:37 AM
the viking
Free Member
Join Date: Sep 2004
Location: Norway
Posts: 174
Yes, I know it's normal to have svchost as a background process.

But if the shutdown window I see is normal, why does it appear only
when I try to kill that single svchost (the one underlined in the screenshot)
and not on the other svchosts??
Just wondering
--------------------
viking
  #4  
01-15-2005, 11:22 AM
Dialhot
Free Member
Join Date: May 2003
Posts: 10,463
You didn't understand something: Blaster never opened any window or launched any shutdown at all!

In fact this was due to a bug of the virus! It does crash a very important process of Windows (the RPC management service). Without this service, Windows can't work and then calls for a reboot. That is why the "shutdown" window appeared. (The goal of Blaster was to "blast" the m$ site by launching a lot of calls on it from any infected computer, but due to this bug, this nearly never worked.)

If you manually kill such a vital process, then Windows will react the same way, and that is why you have the shutdown process when you kill this instance of svchost!

(svchost is the generic process used to handle services; that is why you have so many instances of it: one instance per service that needs it.) You probably just found the instance that hosts the "RPC management" service.
  #5  
01-15-2005, 11:45 AM
the viking
Free Member
Join Date: Sep 2004
Location: Norway
Posts: 174
Ok, things look a little brighter now.

So, if I understand you right, it was the bug of the Blaster virus that shut down my PC in Dec. 2003. And when I removed Blaster the call
for a shutdown was stopped, right?
But now I call for a shutdown manually, by trying to kill
that specific svchost process?
---------------
viking
  #6  
01-15-2005, 12:07 PM
Dialhot
Free Member
Join Date: May 2003
Posts: 10,463
Yes it is.

(Do read the complete message in the shutdown window; you will see that the reason is that a critical process has crashed. The process or service is named, if I remember well.)
  #7  
01-15-2005, 01:00 PM
the viking
Free Member
Join Date: Sep 2004
Location: Norway
Posts: 174
Ok, I understand.
The message in the shutdown window says this (translated correctly, I hope):
"Windows has to reboot because
DCOM Server Process Launcher
was stopped in an irregular way"

------------------
viking
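
The thread ends with one svchost.exe instance identified as the host of the service whose termination forces the reboot. As an added example (not part of any post above), this Python script parses the output of `tasklist /svc /fo csv` and flags such instances before anyone ends them in Task Manager. The sample output is constructed, and treating only DcomLaunch and RpcSs as reboot-triggering is an assumption of the example.

```python
import csv
import io

# Services whose unexpected stop makes Windows schedule a reboot. DcomLaunch is
# named in the thread, RpcSs is the RPC service; using only these is an assumption.
CRITICAL = {
    "DcomLaunch": "DCOM Server Process Launcher",
    "RpcSs": "Remote Procedure Call (RPC)",
}

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","872","DcomLaunch,TermService"
"svchost.exe","940","RpcSs"
"svchost.exe","1036","AudioSrv,Dhcp,Schedule,Themes,wuauserv"
"SVCHOST.EXE","1120","Dnscache"
'''

def parse_tasklist(text):
    """Return (image, pid, [services]) tuples from tasklist CSV output."""
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the header by position: its text is localized
    rows = []
    for rec in reader:
        if len(rec) < 3 or not rec[1].isdigit():
            continue  # ignore blank or malformed lines
        services = [s.strip() for s in rec[2].split(",") if s.strip() != "N/A"]
        rows.append((rec[0], int(rec[1]), services))
    return rows

def classify_svchost(text):
    """Map each svchost.exe PID to the critical services it hosts."""
    return {pid: [s for s in services if s in CRITICAL]
            for image, pid, services in parse_tasklist(text)
            if image.lower() == "svchost.exe"}

def report(text):
    lines = []
    for pid, critical in sorted(classify_svchost(text).items()):
        if critical:
            names = ", ".join(CRITICAL[s] for s in critical)
            lines.append(f"PID {pid}: killing it forces a reboot, hosts {names}")
        else:
            lines.append(f"PID {pid}: hosts none of the listed services")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On a live system, pass the captured command output to `report()` in place of `SAMPLE`.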