  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 356

I have a virus that is hitting every port on the switch; the file is srvhost32.exe

I have a virus that is hitting every port on the switch. The file is srvhost32.exe. If I stop the service on the 4 of 20 computers that have it, the traffic stops. Norton is not detecting anything. I remove it from the run command in the registry but it comes back. HELP! Oh yeah, Windows 2000 Pro, fully patched, and Norton with virus DATs as of last night.
Asked by: Brendle
1 Solution
 
SheharyaarSaahil commented:
Hello Brendle =)

Can you find this file on your hard drive with "show hidden and protected files" turned on?
 
Brendle (Author) commented:
I will check. The file is scvhost32.exe, not srv.
 
SheharyaarSaahil commented:
>> scvhost32.exe

I'm confirming again: is it "scvhost32.exe" or "svchost32.exe"?

 
Brendle (Author) commented:
Yes, it's in the winnt\system32 directory.
 
Brendle (Author) commented:
scvhost32.exe
 
SheharyaarSaahil commented:
Thanks :)
Now, before I give my next suggestion to remove this file, I want one last favour from you 8)

Download HijackThis v1.98.2 from here, run it and save the log file:
http://tools.radiosplace.com/HijackThis.exe

Then post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
Hit Analyse, scroll down the page, hit Save Analyse;
a new page will open, and I want the address of that page :)
 
riotz commented:
Hmm, that sounds like a network-spreading worm to me...

If SheharyaarSaahil's method fails, get a copy of the Kaspersky virus scanner
==> http://www.kaspersky.com/trials
and scan one of the PCs with it. I'm pretty sure that it will catch the virus and remove it.

If it does, I would suggest you disconnect each PC from the network,
or just disable the connection in the connection dialog, and start to clean up every single PC that is infected with it,
and not connect one back until each of them is cleaned!
 
knoxj81 commented:
Hey Brendle, =]

Identifying the virus:
Since it's on 4 different computers this is obviously a network issue, which is obviously a worm. Now, do you have any protection on the Exchange server to prevent these types of attacks? I would run a free online scan at http://housecall.trendmicro.com/housecall/start_corp.asp just to verify what type of worm/trojan you're dealing with.

Removal & Prevention:
Trend Micro Client/Server/Messaging Suite is great to handle all your security needs for a network.
"Trend Micro Client/Server/Messaging Suite provides a powerful, multi-layered defense against viruses, spyware, and other malicious code, to protect mail servers, file servers, and desktops. The suite of integrated products can be remotely configured and managed to create the right mix of security and performance for any organization."

http://www.trendmicro.com/en/products/suites/c-s-m-suite/evaluate/overview.htm - That link will provide you with all the features, benefits and info on the product. It also gives a 30-day evaluation trial.

If you'd like to keep Norton and just add on security for the Exchange server to prevent these types of attacks from happening again, I recommend:

GFI MailSecurity: to keep worms/viruses/spyware out of your mail servers.
http://gfi.com/mailsecurity/

GFI LANguard: this is a wonderful program to perform security audits and receive alerts of attacks and other critical events.
http://gfi.com/languard/

GFI products are a little on the higher budget side, however very effective products.

Let me know if you have any questions or concerns!

Good luck,

Jorden
 
Hypoviax commented:
Hmmmm...

svchost.exe is the legit version but svchost32.exe is not (on XP anyway).

It would be wise to check the version information of the file.

If there is no version information then it is most definitely a virus.

Regards,

Hypoviax
 
Brendle (Author) commented:
knoxj81, I already use GFI products and YES! I do agree they are great.
 
Brendle (Author) commented:
SheharyaarSaahil - Thanks for all the help. I was not able to identify the virus, but I turned port 445 off (the flood) and deleted the file.
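The checks Hypoviax suggests (version information of the look-alike binary) and the symptoms Brendle reports (a Run-key entry that comes back, a service that can be stopped, and a flood on port 445) can be gathered from one host with the script below. It is an added example written for this page, not code posted in the thread, and it assumes a modern Windows build with Windows PowerShell 5.1 or later (Get-NetTCPConnection is not available on Windows 2000); only the file name scvhost32.exe and the system32 location come from the thread, everything else is an assumption for illustration.

```powershell
# Added example, not from the thread. Triage of a suspected svchost look-alike
# on one host. Assumes Windows PowerShell 5.1+ on Windows 8/2012 or later.
# The file name and location come from the thread; the name is only an assumption
# about what the infection on a given host will be called.

$Suspect = Join-Path $env:SystemRoot 'System32\scvhost32.exe'   # from the thread
$Legit   = Join-Path $env:SystemRoot 'System32\svchost.exe'     # genuine service host

function Get-BinaryFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force            # -Force also returns hidden/system files
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Hidden      = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        Company     = $item.VersionInfo.CompanyName      # empty on a file with no version resource
        Description = $item.VersionInfo.FileDescription
        Version     = $item.VersionInfo.FileVersion
        Signature   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# 1. Version info and signature: the genuine svchost.exe beside the suspect.
@($Legit, $Suspect) | ForEach-Object { Get-BinaryFacts $_ } | Format-List

# 2. Autostart persistence: which Run/RunOnce values point at the suspect.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'scvhost32' } |
        ForEach-Object { '{0}\{1} = {2}' -f $key, $_.Name, $_.Value }
}

# 3. Service persistence: any service whose image path is the suspect.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'scvhost32' } |
    Select-Object Name, State, StartMode, PathName

# 4. The port 445 flood: outbound SMB connections grouped by owning process,
#    so the process generating the traffic can be matched to the file on disk.
Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Group-Object OwningProcess |
    ForEach-Object {
        $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = $_.Name
            Process     = $p.ProcessName
            Path        = $p.Path
            Connections = $_.Count
        }
    } | Sort-Object Connections -Descending
```

On a healthy host the genuine svchost.exe reports Microsoft Corporation as CompanyName and a Valid Authenticode signature, so a file in the same directory with no version resource and NotSigned stands out immediately. Treat missing version info as a strong indicator rather than proof: version resources can be copied from a legitimate binary, so the signature status and the SHA256 hash (which can be checked against a vendor or public malware database) carry more weight. The hash is also what to record before deleting the file, since Brendle's thread ends without ever identifying the sample.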
 
SheharyaarSaahil commented:
Great, Brendle :)