 Svcihhost.exe & svcihost.exe, Antivirus not detecting this virus..

TSzubai
post Jan 9 2007, 06:15 PM, updated 19y ago

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


The file name is actually "svichhost.exe" & "svichost.exe". Sorry for the typo.
Has anyone ever encountered a virus with the name "svichhost.exe" & "svichost.exe"? I've tried scanning with Norton Internet Security 2007, Kaspersky, NOD32, Avast!, and AVG Internet Security, but none of them detect this virus!! All of them have been updated to the latest definitions. As for my solution, I use TuneUp Utilities 2007 Process Manager to manually terminate the process coz my Task Manager has been disabled by the virus, then proceed to delete the file in windows/system32. Any help is greatly appreciated.

This post has been edited by zubai: Jan 10 2007, 09:36 AM
simonyee
post Jan 9 2007, 06:25 PM

On my way
****
Junior Member
510 posts

Joined: Feb 2006
From: Malaysia


www.download.com

exact word and exact filename

spybot search and destroy 1.4

adaware SE Personal Edition

avgfree edition

crap cleaner

hijack this !


TSzubai
post Jan 9 2007, 07:48 PM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


Thanks, never tried HijackThis! before. I'll give it a shot.. AVG sucks! Cannot detect this virus lor..
eXPeri3nc3
post Jan 9 2007, 08:14 PM

It's coming! 3ɔu3ıɹǝdxǝ ♥
*******
Senior Member
9,257 posts

Joined: Aug 2005
From: Not so sure myself Status: 1+3+3=7



QUOTE(zubai @ Jan 9 2007, 06:15 PM)
Has anyone ever encountered a virus with the name "svcihhost.exe" & "svcihost.exe"? I've tried scanning with Norton Internet Security 2007, Kaspersky, NOD32, Avast!, and AVG Internet Security, but none of them detect this virus!! All of them have been updated to the latest definitions. As for my solution, I use TuneUp Utilities 2007 Process Manager to manually terminate the process coz my Task Manager has been disabled by the virus, then proceed to delete the file in windows/system32. Any help is greatly appreciated.

What the hell? How many AVs do you have on your PC?
TSzubai
post Jan 9 2007, 08:50 PM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


Hehe.. not like that lorr.. install, update, scan, no result, uninstall, install another one.. repeat.. drives me crazy siot..! Weird.. none of these so-called antiviruses detect it.. most of the PCs in the network are infected even with AVG installed..
keyz
post Jan 9 2007, 10:11 PM

Regular
Group Icon
VIP
1,271 posts

Joined: Jan 2003
From: Terengganu


Maybe you should zip the file & send it to the AV vendor for analysis before deleting it.
scorps
post Jan 9 2007, 11:43 PM

Something you call love, but I call sex
*******
Senior Member
9,572 posts

Joined: Jun 2005
From: Terengganu Darul Iman



QUOTE(keyz @ Jan 9 2007, 11:11 PM)
Maybe you should zip the file & send it to the AV vendor for analysis before deleting it.

Or maybe it's just spyware or trojans??
Possible??
ang37_in4
post Jan 10 2007, 12:00 AM

Getting Started
**
Junior Member
96 posts

Joined: Apr 2006
Switch to Linux. No pain from viruses/spyware/trojans/worms.
scorps
post Jan 10 2007, 12:03 AM

Something you call love, but I call sex
*******
Senior Member
9,572 posts

Joined: Jun 2005
From: Terengganu Darul Iman



QUOTE(ang37_in4 @ Jan 10 2007, 01:00 AM)
Switch to Linux. No pain from viruses/spyware/trojans/worms.

What kind of answer is that to give him??
Hehhehehee..

TSzubai
post Jan 10 2007, 12:29 AM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


QUOTE(keyz @ Jan 9 2007, 10:11 PM)
Maybe you should zip the file & send it to the AV vendor for analysis before deleting it.

Hmm.. will do.. thanks for the heads up..
TSzubai
post Jan 10 2007, 09:41 AM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


I've just found out there's another file "nhatquanglan9.exe" located in system32..
bean_man
post Jan 10 2007, 10:55 AM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(zubai @ Jan 10 2007, 09:41 AM)
I've just found out there's another file "nhatquanglan9.exe" located in system32..

Please try uploading it to Jotti (http://virusscan.jotti.org/) to do a more thorough test. Also send samples to the respective AV companies for further R&D by them.
TSzubai
post Jan 10 2007, 12:04 PM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


Thanks for the info bean_man

This is my result:

File: SVICHHOST.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 3876f0891d03d8263875c26b396ce844
Packers detected:PE_PATCH.UPX, UPX

Scanner results
Scan taken on 10 Jan 2007 03:56:04 (GMT)
AntiVir=Found nothing
ArcaVir=Found nothing
Avast=Found nothing
AVG Antivirus=Found nothing
BitDefender=Found nothing
ClamAV=Found nothing
Dr.Web=Found nothing
F-Prot Antivirus=Found nothing
F-Secure Anti-Virus=Found nothing
Fortinet=Found nothing
Kaspersky Anti-Virus=Found nothing
NOD32=Found nothing
Norman Virus Control=Found nothing
VirusBuster=Found nothing
VBA32=Found nothing

bean_man
post Jan 10 2007, 03:03 PM

Casual
***
Junior Member
371 posts

Joined: Aug 2006


QUOTE(zubai @ Jan 10 2007, 12:04 PM)
Thanks for the info bean_man

This is my result:

File: SVICHHOST.exe
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5    3876f0891d03d8263875c26b396ce844
Packers detected:PE_PATCH.UPX, UPX

Scanner results
Scan taken on 10 Jan 2007 03:56:04 (GMT)
AntiVir=Found nothing
ArcaVir=Found nothing
Avast=Found nothing
AVG Antivirus=Found nothing
BitDefender=Found nothing
ClamAV=Found nothing
Dr.Web=Found nothing
F-Prot Antivirus=Found nothing
F-Secure Anti-Virus=Found nothing
Fortinet=Found nothing
Kaspersky Anti-Virus=Found nothing
NOD32=Found nothing
Norman Virus Control=Found nothing
VirusBuster=Found nothing
VBA32=Found nothing


Send the zipped file to samples@eset.com for further testing. Please include the other suspicious files as well as the snapshot of the scan at Jotti.
This will allow the pros to look deeper into it.
edan1979
post Jan 10 2007, 03:18 PM

*GruMpy_MoDe*
*******
Senior Member
5,517 posts

Joined: Jun 2006
From: On Earth.



Use HijackThis and post the result... someone might be able to help you remove it manually... I hate this type of worm...
eXPeri3nc3
post Jan 10 2007, 04:04 PM

It's coming! 3ɔu3ıɹǝdxǝ ♥
*******
Senior Member
9,257 posts

Joined: Aug 2005
From: Not so sure myself Status: 1+3+3=7



I think you should post a HJT log in Technical Support and wait for someone to help you.
TSzubai
post Jan 10 2007, 05:06 PM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


I've managed to remove the virus manually along with the >5500 virus files it created. I searched for *.exe files of 261kb and 258kb size and deleted all the exes with a folder icon. Right now I hope the AV vendors can do something about the virus I've submitted.

This post has been edited by zubai: Jan 10 2007, 05:08 PM
WaCKy-Angel
post Jan 10 2007, 05:11 PM

PeACe~~
*********
All Stars
21,963 posts

Joined: Dec 2004
From: KL



If you seriously don't know....
This is a Trojan and a trojan doesn't use .exe as its own main file..
Trojans usually come in .dll and reproduce themselves or make instructions and create .exe files...

Post a HijackThis log here

What I'm trying to say is...
Your system isn't clean yet.... those things will come back very soon

This post has been edited by WaCKy-Angel: Jan 10 2007, 05:12 PM
TSzubai
post Jan 11 2007, 12:05 AM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


QUOTE(WaCKy-Angel @ Jan 10 2007, 05:11 PM)
If you seriously don't know....
This is a Trojan and a trojan doesn't use .exe as its own main file..
Trojans usually come in .dll and reproduce themselves or make instructions and create .exe files...

Post a HijackThis log here

What I'm trying to say is...
Your system isn't clean yet.... those things will come back very soon

Well.. I didn't know that..
Tomorrow I'll post the log..
TSzubai
post Jan 11 2007, 10:00 AM

Casual
***
Junior Member
347 posts

Joined: Nov 2006
From: Kangar


This is the log file, I hope this helps.

Logfile of HijackThis v1.99.1
Scan saved at 9:49:40 AM, on 11/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
J:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{54E6952D-2BBF-495E-86A2-41CFB6B28779}: NameServer = 192.168.0.10,202.188.1.5
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I looked at the Kaspersky log file and there is a keylogger, I presume, "Monitor.Win32.Perflogger.163" that has been deleted. Maybe this is the real culprit?
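The thread's central clue is that the dropped files carry names one or two letters away from the real svchost.exe, and the posted HijackThis log is the artefact people are asked to inspect by hand. The script below is an added example, not code from the thread or from HijackThis: it parses an HJT-style log, flags running-process names that sit within two edits of a legitimate system binary name without being identical, and flags O23 service entries marked "(file missing)". KNOWN_SYSTEM and SAMPLE_LOG are constructed assumptions built from names that appear in the thread.

```python
import re
# Legitimate Windows process names to compare against (the ones in the thread's own HJT log).
KNOWN_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"}

def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):  # known name that `name` imitates (<= 2 edits away, not equal), else None
    name = name.lower()
    if name in KNOWN_SYSTEM:
        return None
    return next((k for k in sorted(KNOWN_SYSTEM) if edit_distance(name, k) <= 2), None)

def parse_hjt(log):
    """Return (running-process paths, 'Rn/Fn/On - ...' entries) from an HJT log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:
            in_procs = False  # a blank line ends the process list
        elif re.match(r"^[RFO]\d+ - ", line):
            entries.append(line)
    return procs, entries

def triage(log):
    """Flag look-alike process names and O23 services whose binary is missing."""
    procs, entries = parse_hjt(log)
    found = [("lookalike", p, t) for p in procs if (t := lookalike_of(p.rsplit("\\", 1)[-1]))]
    found += [("missing-service-binary", e, None) for e in entries
              if e.startswith("O23") and "(file missing)" in e]
    return found

# Constructed sample (not the thread's real log), using the file names the thread mentions.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svichhost.exe
C:\WINDOWS\system32\svichost.exe

O23 - Service: Example (ExSvc) - Unknown owner - C:\Example\exsvc.exe (file missing)
"""
```

Run `triage(SAMPLE_LOG)` to get the two look-alike hits and the missing-binary service; the genuine svchost.exe line is not reported.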
