netsvc.exe....

Yep, my little sis just called and she has identified NetSvc.exe as a problem and I can’t figure how to get rid of it. Any help would be much appreciated.

We will need more information to be able to help you:

  • Which OS are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number?
  • What was the filename and path where the virus was found?
  • Which actions have you taken to try solving the problem?
  • Do you use a firewall? Which one?
  • Do you have any other antivirus installed in your system?
  • Any other security programs that could interfere?
  • Any useful information in Control Panel > Administrative Tools > Events, especially ‘Errors’.

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

How has she identified it as a problem?
What is the malware name, and where was it found, e.g. (malware name, C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

Does your sister have a firewall, and if so, which one?
That should hopefully block unauthorised outbound Internet Connections, provided it has outbound protection.

A Google search for netsvc.exe returns many hits, http://www.google.com/search?q=NetSvc.exe and as you can see many variants of what could be a mass-mailing worm and IRC backdoor Trojan. However, the file name could also be legit so care has to be taken; whatever she does, don’t delete a file, send it to the avast chest until it is absolutely confirmed it is malicious.

http://www.liutilities.com/products/wintaskspro/processlibrary/netsvc/

Process File: netsvc.exe or netsvc
Process Name: Trojan.W32.Mytob

Description:
netsvc.exe is a process which is registered as the Trojan.W32.Mytob worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process is a security risk and should be removed from your system.

http://www.sophos.com/security/analyses/w32mytobgc.html

Thanks heaps. Will call her today and get her to follow those steps. I know she is running Avast, but I don’t think any other firewalls. Thanks again.

No problem, let us know if you need any more help, perhaps your sister should join the forums as working through a third party will slow any process.

Welcome to the forums.

Yeah, hi, I am the little sister and here are the details that were asked for.
We will need more information to be able to help you:

  • Which OS are you using? Is it up to date? Windows XP, SP2
  • What avast! version and VPS file (virus database) number? Avast version 4.7, File Version 000737-2, Compilation Date 30/04/07
  • What was the filename and path where the virus was found? C:\WINDOWS\NetSvc.exe
  • Which actions have you taken to try solving the problem? Remove with malwhere and adaware
  • Do you use a firewall? Yes Which one? Windows XP Firewall
  • Do you have any other antivirus installed in your system? Avast
  • Any other security programs that could interfere? no
  • Any useful information in Control Panel > Administrative Tools > Events, especially ‘Errors’. Not too sure what to do here.

How is your system running now? I would recommend a firewall to stop outgoing, the Windows one is not quite up to it. There are several free ones available: ZONEALARM, COMODO and PCTOOLS. If you are still having problems then

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

And welcome to our little world ;D