Dave
Sun Nov 14 06:26:53 CST 2004
It's one of many infections that disables virus scanners. Try rebooting to
safe mode, kill any unknown process you may find there, and then run a scan.
Some of these things install a service that looks like a normal Windows
service like scvhost instead of svchost or other similar masquerades in
addition to the one you are noticing... kill one and the other restarts
it... sometimes with a randomly generated file name... or sometimes with a
real Windows name but out of the wrong folder... svchost from the c:\winnt
instead of c:\winnt\system32... very sneaky and very tough to get rid of.
Some of them are even more fun, they close down task manager, regedit,
msconfig and other tools as fast as you open them. You may want to ask in
a virus-specific group, they may have more direct fixes.
"Tim" <noanswer@hotmail.com> wrote in message
news:ujjOzUdyEHA.3624@TK2MSFTNGP09.phx.gbl...
> I have now run every scanner here and it shows no infection but the process
> still keeps coming back what the hell is it?
> "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
> news:%23M3tumYyEHA.3844@TK2MSFTNGP12.phx.gbl...
> >
> > "Tim" <noanswer@hotmail.com> wrote in message
> > news:OCcqcCXyEHA.3336@TK2MSFTNGP11.phx.gbl...
> >> Hi Karl,
> >> It wouldn't allow me to run the housecall it said applet crashed so how do
> >> I check?
> >
> > There are also on-line virus scanners here:
> >
> > http://security2.norton.com
> >
> > http://www.kasperskylabs.com/remoteviruschk.html
> >
> >> I have also tried running a search for the file but it doesn't appear to
> >> be there
> >> It seems to have mysteriously disappeared
> >
> > Is it still listed in the list of running processes?
> >
> > It could be that the file was actually removed by something you did, or it
> > is using ADS to conceal itself from the completely inadequate utilities
> > Microsoft gave you with Windows like Windows Explorer that as recently as
> > Windows 2003 still hides ADS from you due to poor planning and lack of
> > foresight. You may be able to see ADS files starting up in the Registry by
> > using something like MSCONFIG [which doesn't exist in Windows 2000] or
> > better yet, use both silent runners from www.silentrunners.org and
> > Autostart Explorer from www.trojanhunter.com/products. ADS is usually
> > shown in the Registry as c:\folder\filename1:filename2
> >
> > ADS can also be seen by using a tool like LADS, although note that Windows
> > uses ADS to hide files relating to image thumbnails and XP SP2 AES security
> > settings, even though hiding files from the user has proven to be a
> > monumentally bad security problem.
> >
> > http://www.heysoft.de/nt/ep-lads.htm or another similar tool is from
> > www.foundstone.com/knowledge
> >
> > It could also be that a Windows root kit like Hacker Defender is being used
> > to hide the file from you. Such root kits can be seen if you download and
> > run RKDETECT [which can be found by searching www.google.com]. You can also
> > see root kits if you boot to another OS such as the Linux rescue disk from
> > www.bitdefender.com, or if you scan the computer from another computer via
> > Windows networking, or if you take the hard drive and slave it in another
> > Windows computer, though these are generally more difficult than running
> > RKDETECT.
> >
> >
> >
>
>
>
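An added example, not part of the thread: a triage check for the three disguises mentioned above (a lookalike name such as scvhost, a real system name running from the wrong folder, and an ADS path of the form c:\folder\filename1:filename2). The baseline list `KNOWN`, the `SYSTEM_DIR` value, the function names and the sample paths are assumptions made for illustration.

```python
import ntpath

# Assumed baseline: system binaries expected only in the system folder
# (c:\winnt\system32 as in the post; adjust to the machine's real system root).
SYSTEM_DIR = r"c:\winnt\system32"
KNOWN = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap (scvhost/svchost) as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_image(path):
    """Return a finding for one process image or autostart path, or None.
    Expects a bare path (no command-line arguments)."""
    path = path.strip().strip('"').lower()
    _drive, rest = ntpath.splitdrive(path)
    if ":" in rest:                      # a second colon after the drive letter
        return "ads-stream"
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    if name in KNOWN:
        return None if folder == SYSTEM_DIR else "wrong-folder"
    if any(osa_distance(name, k) <= 1 for k in KNOWN):
        return "lookalike-name"
    return None

def triage(paths):
    """Map each suspicious path to its finding; clean paths are omitted."""
    return {p: f for p in paths if (f := check_image(p))}

# Constructed sample: image paths as a process lister or autostart dump shows them.
SAMPLE = [
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\svchost.exe",
    r"C:\WINNT\system32\scvhost.exe",
    r"C:\WINNT\system32\notepad.exe:hidden.exe",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for p, f in triage(SAMPLE).items():
        print(f"{f:15} {p}")
```

A hit is a lead for manual inspection, not a verdict; a one-edit name match can also catch legitimate third-party binaries.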