
Blarg...



MasterSwordUltima
06-12-2004, 05:57 PM
Scenario: Jim is happily surfing the internet, or talking to happy pals on AIM or mIRC, and bam, lsass.exe randomly closes down, resulting in the 60 second shutdown of my poor PC. Now, that happens whenever I close this one 'svchost.exe' in Task Manager [I have like, three up for some reason..., I can cancel out two of 'em and nothing happens, but one of 'em kills the PC]. But sometimes, I get the 60 second shutdown with svchost.exe still up... so I'm guessing it's a virus. I take a look at some of the processes I have going on my machine, and some of them strike me funny. Like wserv32.exe, which would only pop up whenever I'm online, and cause the 60 second shutdown. And others like cmd.exe, and aserv...something another.

Does anyone know how I can stop these from popping up? wserv32.exe and aserv...something were easily stopped via deleting their files when I was in safe mode, and I stopped them from starting up via msconfig. But cmd.exe still pops up, and I also get this other one called 'winupd.exe', and it won't let me start up some programs whenever winupd.exe is running, and those same programs get instantly closed whenever winupd.exe pops up. Can someone help me kill these?

obi
06-13-2004, 11:40 AM
OMG it's Jim :O

Well, here's the info on your wserv32.exe - At Trend Micro (http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.AF)

Description:

This worm spreads through network shares. It uses NetBEUI functions to gather available lists of user names and passwords. It uses these user names and passwords to drop a copy of itself in available network shares.

It drops a copy of itself in the Windows system folder using the file name WSERV32.EXE.

This worm also uses a certain list of user names and passwords (http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.AF) aside from those that it is able to gather. It also generates random IP addresses and attempts to drop a copy of itself in default folders of target addresses.

This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS)
Microsoft Security Bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
It opens a varied port and connects to an Internet Relay Chat (IRC) server and joins an IRC channel to receive malicious commands (http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.AF&VSect=T#BACKDOOR). It also has the capability to automatically notify the IRC bot if any of the systems have the following Windows vulnerabilities:

RPC/DCOM vulnerability
RPC/Locator vulnerability
WebDAV vulnerability

Information on these vulnerabilities is available at the following sites:

Microsoft Security Bulletin MS03-026 (http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)
Microsoft Security Bulletin MS03-001 (http://www.microsoft.com/technet/security/bulletin/MS03-001.mspx)
Microsoft Security Bulletin MS03-007 (http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx)
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

To get rid of it, the Trend Micro online HouseCall should be more than enough.

Also, for your winupd.exe, doing a search on Trend's site came up with this - here (http://de.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=PE_BAGLE.N), but even if that isn't it, I'm sure the HouseCall can get rid of it anyway.

Hope that helps :)

Oh and one last thing, the svchost.exe's are good, I have like 4 running right now.

svchost - svchost.exe - Process Information
Process File: svchost or svchost.exe
Process Name: Service Host Process
Description: Application that works as a host process for services that run from dynamic link libraries.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
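The distinction obi draws above, several legitimate svchost.exe instances versus dropped files such as wserv32.exe and winupd.exe, can be turned into a small triage check over a process listing. This is an added example, not code from the thread or from Trend Micro; the process list is constructed, the "known bad" names are only the ones named in this discussion, and the System32 path, the lookalike rule (the capital-I "Isass.exe" spelling) and the function names are assumptions for illustration.

```python
import ntpath

# File names this thread identifies as dropped malware (constructed from the discussion only).
SUSPICIOUS_NAMES = {"wserv32.exe", "winupd.exe"}

# Windows processes that legitimately live in System32. Several svchost.exe instances
# are normal, so the check looks at where each one runs from, not how many there are.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "cmd.exe"}
SYSTEM_DIR = r"c:\windows\system32"  # assumed install path for the example


def lookalike_of(name):
    """Return the system process a name imitates by swapping 'i'/'1' for 'l' (Isass.exe), else None."""
    normalized = name.lower().replace("i", "l").replace("1", "l")
    for sysname in SYSTEM_PROCESSES:
        if normalized == sysname and name.lower() != sysname:
            return sysname
    return None


def triage(processes):
    """processes: iterable of (image_name, pid, full_path). Returns a list of (pid, name, reason)."""
    findings = []
    for name, pid, path in processes:
        lname = name.lower()
        directory = ntpath.dirname(path).lower()
        if lname in SUSPICIOUS_NAMES:
            findings.append((pid, name, "name matches dropped worm file"))
        elif lname in SYSTEM_PROCESSES and directory != SYSTEM_DIR:
            findings.append((pid, name, f"system process name running from {directory}"))
        else:
            imitated = lookalike_of(name)
            if imitated:
                findings.append((pid, name, f"lookalike of {imitated}"))
    return findings


# Constructed sample listing (image name, PID, path), standing in for Task Manager output.
SAMPLE = [
    ("svchost.exe", 812, r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", 904, r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", 1336, r"C:\WINDOWS\svchost.exe"),
    ("lsass.exe", 676, r"C:\WINDOWS\system32\lsass.exe"),
    ("wserv32.exe", 2044, r"C:\WINDOWS\system32\wserv32.exe"),
    ("Isass.exe", 2108, r"C:\WINDOWS\system32\Isass.exe"),
    ("cmd.exe", 2200, r"C:\WINDOWS\system32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"PID {pid:5} {name:12} {reason}")
```

On the constructed sample, the two System32 svchost.exe entries, lsass.exe and cmd.exe pass, while the svchost.exe outside System32, wserv32.exe and the Isass.exe lookalike are flagged.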

Rainman
06-13-2004, 03:04 PM
I could have told you that svchost.exe is good. I don't have this wserv32 though.