
Thread: HiDrag Virus

  1. #1
    Account closed Spinning Toe
    Join Date
    Jun 2003
    Location
    Under your bed
    Posts
    986

    HiDrag Virus

    Something I caught from work, that has infected every fucking executable on my main computer.

    Norton AV didn't bother telling me about it, but AVG caught it.

    I'd been wondering what the hell svchost.exe was that was running on all the machines at work for at least the last 7 months (all of which run with Norton AV on all the time), and was now showing up on my home machine. I left my job last month and so I started to purge old work stuff off my machine and decided to track down what it was (yeah, kind of like breaking up with your girlfriend and discovering that your "stress eczema" is actually the clap).

    This little beauty launches itself as a hardware service called Power Manager; every time any infected executable runs, it resets itself up. You have to use a task-killing app to actually get rid of the processes (since Windows is braindead and won't let you do that by default). It encrypts a portion of every executable it is in, and so the only solution is to delete ALL infected files - yes, even the system ones - and reinstall Windows and all the damn apps.

    I now support the public stoning of virus writers.

  2. #2
    Account closed World's End Supernova
    Join Date
    Jun 2002
    Location
    Boletaria, Gamertag: Ben Sones PSN: bsones
    Posts
    20,040
    svchost.exe is not a bad thing in and of itself. It's just a file that Windows uses to handle the processes running from DLLs. It's not unusual to have three or four instances listed in your "Processes" tab at any given time.

    Which is not to say that the svchost.exe file cannot be infected by viruses. Because it can.

  3. #3
    Account closed Spinning Toe
    Join Date
    Jun 2003
    Location
    Under your bed
    Posts
    986

  4. #4
    World's End Supernova
    Join Date
    Jun 2002
    Location
    St. Louis
    Posts
    15,868
    How can you tell it's a virus? Microsoft identifies it as a legit file.

    The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.
    http://support.microsoft.com/?kbid=314056

  5. #5
    Mad Chester
    Join Date
    Oct 2003
    Posts
    1,468
    Apparently it's a rogue program with the same name as the real svchost.exe. There are some other items you can check for, too, each listed on the page Ty linked.

    I have no idea if this is legit, although I have no reason to believe it's not.

  6. #6
    New Romantic
    Join Date
    Feb 2003
    Posts
    7,509
    There shouldn't be a file svchost.exe in your Windows folder. If there is, there's a chance you have the virus.

  7. #7
    Account closed Spinning Toe
    Join Date
    Jun 2003
    Location
    Under your bed
    Posts
    986
    Quote Originally Posted by Ben Sones
    svchost.exe is not a bad thing in and of itself. It's just a file that Windows uses to handle the processes running from DLLs. It's not unusual to have three or four instances listed in your "Processes" tab at any given time.

    Which is not to say that the svchost.exe file cannot be infected by viruses. Because it can.

    I should be clear that I was suspicious about the svchost running when it shouldn't be on the work machines. When I located two different versions of it, one in the main Windows directory, I knew something was up. This thing is evil, be careful out there - NAV and McAfee don't catch it but AVG, Sophos and Solo do.

    BTW, the above link has a link where you can download the fantastic KillProg.exe - none of this "can't delete process" crap.

  8. #8
    How To Go
    Join Date
    Jun 2002
    Location
    Toronto, Canada
    Posts
    11,079
    Quote Originally Posted by steve
    There shouldn't be a file svchost.exe in your Windows folder. If there is, there's a chance you have the virus.

    I'm not sure if this is consistent with, or contrary to, what you're saying -- it's normal for svchost.exe to be in your windows\system32 folder.

  9. #9
    New Romantic
    Join Date
    Feb 2003
    Posts
    7,509
    Quote Originally Posted by Desslock
    I'm not sure if this is consistent with, or contrary to, what you're saying -- it's normal for svchost.exe to be in your windows\system32 folder.

    Ah, I meant the root Windows folder. It normally resides in system32, but the virus apparently puts one in the root.
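
The location rule the thread settles on (svchost.exe normally runs from the System32 folder, and a copy in the root Windows folder is suspect) can be applied to a process listing. This is an added example, not code from any poster: the function names, verdict labels and sample rows are constructed, and allowing SysWOW64 is an addition for 64-bit Windows.

```python
import ntpath  # Windows path rules, usable on any OS for offline triage

# Constructed sample rows (pid, image name, image path), as a process
# listing export might provide; path is None when it could not be read.
SAMPLE_PROCESSES = [
    (812,  "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    (1320, "svchost.exe", r"C:\WINDOWS\svchost.exe"),
    (1500, "SVCHOST.EXE", r"c:\windows\system32\..\svchost.exe"),
    (2210, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    (2450, "svchost.exe", None),
    (2600, "notepad.exe", r"C:\Windows\notepad.exe"),
]

def _canon(path):
    """Collapse '..' segments and fold case and slashes for comparison."""
    return ntpath.normcase(ntpath.normpath(path))

def expected_locations(system_root):
    """Folders from which a running svchost.exe image is expected."""
    return {
        _canon(ntpath.join(system_root, "System32")),
        # 32-bit copy present on 64-bit Windows (added assumption)
        _canon(ntpath.join(system_root, "SysWOW64")),
    }

def triage_svchost(processes, system_root=r"C:\Windows"):
    """Return (pid, verdict) for every process named svchost.exe.

    A verdict of 'expected-location' only covers the path: a file in the
    right folder can still have been modified, so pair this with a hash
    or signature check.
    """
    allowed = expected_locations(system_root)
    findings = []
    for pid, name, path in processes:
        if name.lower() != "svchost.exe":
            continue
        if not path:
            verdict = "path-unknown"  # re-check with higher privileges
        elif ntpath.dirname(_canon(path)) in allowed:
            verdict = "expected-location"
        else:
            verdict = "unexpected-location"
        findings.append((pid, verdict))
    return findings

if __name__ == "__main__":
    for pid, verdict in triage_svchost(SAMPLE_PROCESSES):
        print(pid, verdict)
```
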
