
I think I might have a worm


Liza:
Hi,

I'm not sure exactly what you mean about process viewer.

If you are referring to the Task Manager process tab here is what it says:

svchost, local service, no cpu, 4212K
svchost, network service, no cpu, 4384K
svchost, system, no cpu, 4212K
svchost, network service, no cpu, 4212K
svchost, system, no cpu, 4212K

Not sure if this is what I am supposed to do.

Thanks

Wolfie0827:
Sysinternals is a company that provides a program similar to, but better and with more detail than, Task Manager, but you may have trouble getting their software if you can't load their page. Suggest you try running msconfig.exe from start>run, then disable anything on the tabs you don't recognise. If you still have the problem you may have a trojan; if not, then a setting in Windows, possibly the time sync or file sync, is set wrong.

Lisandro:

--- Quote from: Liza on January 09, 2005, 05:51:59 PM ---I'm not sure exactly what you mean about process viewer.
--- End quote ---

http://sysinternals.com/files/procexpnt.zip

svchost = Application that works as a host process for services that run from dynamic link libraries.
svchost itself is not harmful. But when it asks for permission to the net, it depends on what is asking. Normally it is OK to allow it, but there are viruses/trojans that are using the svchost process for not so nice reasons. You can use this application to see what modules are used.
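As an added example that is not from the thread or from Sysinternals: a PowerShell check (assumes a current Windows with PowerShell 5.1 or later, not the Windows XP box in the thread) that maps each running svchost.exe to the services and service DLLs it hosts and flags any host image or DLL that lives outside System32 or is not validly signed.

```powershell
# Added example, not from the thread: list every running svchost.exe, the
# services each one hosts, and the DLL each service loads, flagging anything
# that does not come from %SystemRoot%\System32 or is not validly signed.
# Assumes a current Windows with PowerShell 5.1+; run elevated to see all processes.

$sysRoot = $env:SystemRoot
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceDll([string]$Name) {
    # ServiceDll normally lives under <service>\Parameters; a few keep it on the key itself.
    foreach ($p in "$svcKey\$Name\Parameters", "$svcKey\$Name") {
        $v = (Get-ItemProperty -Path $p -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
    }
    return $null
}

function Test-TrustedPath([string]$Path) {
    # Both svchost.exe and the hosted DLLs are expected under System32 and validly signed.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    if ($Path -notlike "$sysRoot\System32\*") { return 'OUTSIDE-SYSTEM32' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "UNSIGNED($($sig.Status))" }
    return 'ok'
}

$report = foreach ($svc in Get-CimInstance Win32_Service -Filter "PathName LIKE '%svchost.exe%'") {
    if ($svc.ProcessId -eq 0) { continue }   # service defined but not running
    $proc  = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    $dll   = Get-ServiceDll $svc.Name
    $group = if ($svc.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '' }  # the "-k <group>" argument
    [pscustomobject]@{
        Pid        = $svc.ProcessId
        HostImage  = $proc.Path
        HostCheck  = Test-TrustedPath $proc.Path
        Group      = $group
        Service    = $svc.Name
        ServiceDll = $dll
        DllCheck   = Test-TrustedPath $dll
    }
}

$report | Sort-Object Pid, Service | Format-Table -AutoSize
# Any row whose HostCheck or DllCheck is not 'ok' deserves a closer look:
# a svchost.exe running from outside System32 is the classic masquerade.
```

On older systems such as the XP machine in the thread, `tasklist /svc` gives the same PID-to-service mapping from the command line, without the DLL and signature checks.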

Liza:

Hi,

I ran the process program but I have no idea what it means. There does seem to be one that is upset about the time as per the post by Wolfie.

Here are the five that are running:


Process: svchost.exe Pid: 860

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\TermSrvReadyEvent
Event   \BaseNamedObjects\WinMMConsoleAudioEvent
Event   \BaseNamedObjects\ReconEvent
Event   \BaseNamedObjects\TermSrv:  machine GP event
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\userenv:  User Profile setup event


Process: svchost.exe Pid: 944

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\ScmCreatedEvent

Process: svchost.exe Pid: 980

Type   Name
Desktop   \Default
Desktop   \SADesktop
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\RasAutodialNewLogonUser
Event   \BaseNamedObjects\RasAutodialLogoffUser
Event   \BaseNamedObjects\RasAutodialLogoffUserDone
Event   \BaseNamedObjects\RasAutoDialSharedConnectionEvent
Event   \BaseNamedObjects\Ready0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\IPNAT
Event   \BaseNamedObjects\DHCPNEWIPADDRESS
Event   \BaseNamedObjects\userenv: User Group Policy has been applied
Event   \BaseNamedObjects\Go0:  ESENT Performance Data Schema Version 40
Event   \BaseNamedObjects\crypt32LogoffEvent
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\{7E372094-36D7-4ECE-8013-3EF85F01885E}ShellHWDetection
Event   \BaseNamedObjects\DINPUTWINMM
Event   \BaseNamedObjects\PrefetchOverrideIdle
Event   \BaseNamedObjects\PrefetchProcessingComplete
Event   \BaseNamedObjects\PrefetchTracesReady
Event   \BaseNamedObjects\SAConEvt
Event   \BaseNamedObjects\PrefetchParametersChanged
Event   \BaseNamedObjects\WkssvcToAgentStartEvent
Event   \BaseNamedObjects\WkssvcToAgentStopEvent
Event   \BaseNamedObjects\AgentToWkssvcEvent
Event   \BaseNamedObjects\wkssvc:  MUP finished initializing event
Event   \BaseNamedObjects\userenv:  User Profile setup event
Event   \BaseNamedObjects\SENS Started Event
Event   \LanmanServerAnnounceEvent
Event   \BaseNamedObjects\SRCounter
Event   \BaseNamedObjects\SRStopEvent
Event   \BaseNamedObjects\SRInitEvent
Event   \BaseNamedObjects\SRIdleReqEvent
Event   \BaseNamedObjects\SC_AutoStartComplete
Event   \Security\TRKWKS_EVENT
Event   \BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Event   \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event   \BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WMI_SysEvent_LodCtr
Event   \BaseNamedObjects\WMI_SysEvent_UnLodCtr
Event   \BaseNamedObjects\WMI_RevAdap_Set
Event   \BaseNamedObjects\WMI_RevAdap_ACK
Event   \BaseNamedObjects\WMI_ProcessIdleTasksStart
Event   \BaseNamedObjects\WMI_ProcessIdleTasksComplete
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
Event   \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM

This is the one that seems to be upset about the time. Whether this means anything I don't know.

Process: svchost.exe Pid: 1024

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
File   \Device\WMIDataDevice
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\Afd\Endpoint
File   \Device\Udp
File   \Device\KsecDD
File   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File   \Device\NamedPipe\net\NtControlPipe5
File   \Device\Tcp
File   \Device\Ip
File   \Device\Ip
File   C:\WINDOWS\system32
File   C:\WINDOWS\system32\drivers\etc
File   \Device\Tcp
File   \Device\WMIDataDevice

This one does not list any events.

and finally:

Process: svchost.exe Pid: 1136

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
Event   \BaseNamedObjects\crypt32LogoffEvent

Once again any and all help is greatly appreciated.

Thanks,

Liz

Liza:

Hi again,

One thing that I forgot to mention: a few programs have been trying to access the internet. I know these are legitimate programs, but I can see no reason that they need internet access. I have denied them access.

One in particular, spool.exe, has tried 22 times. I know this is the printer spooler, but why would it need internet access?

Sorry forgot to mention in last post.

Liz
