I have a 'virus' file (svchost.exe) in C:\windows\svchost.exe
I can shut down the process and delete it, but when XP is restarted it's there again :(
Things I have tried.....
1) Checked registry (Run) for any rogue items
2) Checked win.ini (run=)
3) Checked Services for any rogue items
4) Trend AV
5) Panda online Activescan
6) AdAware
7) Spybot
8) Aluria anti spyware
9) Anti-Trojan
10) CWShredder
11) Searched here and Google for help
Here is my HijackThis log if anyone can help.
Logfile of HijackThis v1.94.0
Scan saved at 22:52:22, on 15/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [windll] C:\WINDOWS\System32\wsys.exe
O4 - HKLM\..\Run: [tblfunc] "tblmouse.exe"
O4 - HKLM\..\Run: [RAM Idle] "D:\Customizer XP\RAMIdle.exe"
O4 - HKLM\..\Run: [MessengerPlus] "C:\Program Files\Messenger Plus! Extension\MsgPlus.exe"
O4 - HKLM\..\Run: [LANChatPro] "D:\LANChat Pro\LANChat.exe " /q
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Fix-It AV] "D:\Fix-It\MemCheck.exe"
O4 - HKLM\..\Run: [FastUser] "C:\WINDOWS\System32\fast.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\clonecdv4001\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\clonecdv4001\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] "C:\WINDOWS\System32\taskswitch.exe"
O4 - HKCU\..\Run: [Iconic Tray] C:\Program Files\Iconic Tray\it.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thx in advance

Hi keef444,
The version (v1.94.0) of HijackThis you are using is extremely old. Download and run the latest version from here and post the log in a reply: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Hi Tom41
Many thx for ur help - here is the updated logfile:
Logfile of HijackThis v1.97.6
Scan saved at 23:17:51, on 15/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Fix-It\mxtask.exe
C:\Program Files\Sleepy\service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\tblmouse.exe
D:\Customizer XP\RAMIdle.exe
C:\Program Files\Messenger Plus! Extension\MsgPlus.exe
C:\Program Files\Sleepy\monitor.exe
D:\LANChat Pro\LANChat.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\fast.exe
D:\clonecdv4001\CloneCDTray.exe
D:\DU Meter\DUMeter.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Iconic Tray\it.exe
D:\Web Time\WebTim20.exe
D:\DLMage\DnloadMage.exe
C:\Program Files\ATMEL\802.11 Wireless LAN\WlanMonitor.exe
D:\ZoneAlarmPro4\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\New Folder\Diagnostics Appz\IE Hijacking\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\Dad\Desktop\MSBlast\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [windll] C:\WINDOWS\System32\wsys.exe
O4 - HKLM\..\Run: [tblfunc] "tblmouse.exe"
O4 - HKLM\..\Run: [RAM Idle] "D:\Customizer XP\RAMIdle.exe"
O4 - HKLM\..\Run: [MessengerPlus] "C:\Program Files\Messenger Plus! Extension\MsgPlus.exe"
O4 - HKLM\..\Run: [LANChatPro] "D:\LANChat Pro\LANChat.exe " /q
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Fix-It AV] "D:\Fix-It\MemCheck.exe"
O4 - HKLM\..\Run: [FastUser] "C:\WINDOWS\System32\fast.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\clonecdv4001\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "D:\clonecdv4001\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [DU Meter] D:\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CoolSwitch] "C:\WINDOWS\System32\taskswitch.exe"
O4 - HKCU\..\Run: [Iconic Tray] C:\Program Files\Iconic Tray\it.exe
O4 - Global Startup: Web Time 2.0.lnk = D:\Web Time\WebTim20.exe
O4 - Global Startup: Download Mage.lnk = D:\DLMage\DnloadMage.exe
O4 - Global Startup: Configuration & Monitor Utility.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\ZoneAlarmPro4\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Must be a file somewhere that's re-incarnating svchost at boot, but I can't find it :(

Open the task manager and end process on C:\WINDOWS\svchost.exe and delete the file.
Then fix this entry with Hijack and reboot.
O4 - HKLM\..\Run: [windll] C:\WINDOWS\System32\wsys.exe
After rebooting, delete C:\WINDOWS\System32\wsys.exe

Tried it, but still no go :(
svchost.exe back again.
Doesn't come back in safe mode tho.....
Any other ideas ??
Cheers

I seem to have finally sussed it out.....
By trial and error in msconfig I found that this file is initiated by 'Sleepy' (Windows shutdown prog) service.
The prob I was experiencing was that IE popups I wanted to open (eg in autotrader.co.uk) wouldn't open unless this file was shutdown.
This has never been a prob with this program before, but despite un-installing/re-installing the prog, svchost is re-appearing in C:\Windows with the same problem.
So I will just have to live without this prog until I ghost XP back sometime.
Many thx for ur help Tom41
btw, I get 'Error, You must be coming from Computing.Net to use this feature' when I click on ur name.....

Probably not a virus. SVCHOST.exe could very well be infected, but most likely it is just an application that calls services to start from DLLs (Service Host). The reason you can't delete it is probably because of Windows File Protection. It was designed to keep idiots from deleting important files :-)

My svchost.exe is found in the System32 folder. I really do think it is infected though, I also have 5 copies of the application running in my processes, 3 of them are running under the System user, one is under Local Settings and one under Network Service. Could anyone tell me why this is so?

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.
Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)
GOTO this webpage for more help
http://support.microsoft.com/?kbid=314056
Now if you have scvhost.exe running, that is a virus. Note the scvhost and not svchost. SCVHOST.exe will reside in the system32 dir and can be deleted. You will also have to edit your registry to remove it from starting up there.
Hope this helps. When you do the tasklist write down the programs running under svchost and see what one is your virus. svchost.exe itself cannot be infected since it would not function properly if it was.

I have found a similar problem on my computer, and maybe I can help. Warning - I am probably not as knowledgeable with the Windows OS as most people on here (UNIX was always my preference and I now only use Windows for internet, word processing, and very basic computer usage). However, I did manage to get the problem solved with NO harmful side-effects whatsoever (aside from a couple of frustrating hours lost) to the operation of my computer.
I was having a problem with some annoying spyware/virus on my laptop a short bit ago. My startup page on IE was automatically set to some porn-related search page (even after I manually re-set it to about:blank and re-booted), porn links were added to my favorites (ditto for removal & re-boot), and several common search engines such as google, msn and yahoo were automatically re-directed to a completely different porn-related search page.
Without going into the details of how I painstakingly tracked it down and figured it out, I discovered that there was a second file named svchost.exe in my C:\WINNT\ directory - there should only be ONE svchost.exe file in the system32 directory (even if there are multiple instances of it in execution).
How I got rid of it......
I had to manually shut the program down in the task manager. Even though there are several instances of svchost.exe running, with only one being the culprit (the rest are the normal svchost.exe as described above), it is easy to figure out which to shut down. It will be the ONLY one you will be able to manually shut down - the others (which should be there) will give you an error and not shut down (fortunately).
Once it was shut down, I deleted the svchost.exe file (in WINNT directory, not system32 directory), re-booted the computer, and all was fine. I don't know how/if this will work on other versions of Windows, but it seems fine for the version of 2000 that I am using.
Unfortunately, the rogue version of svchost.exe is not detected by AdAware (usually great at detecting/removing spyware) or by my virus checker (Sophos), so I had to do it manually.
Hope this helps.
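The check the two posts above describe (the real svchost.exe lives only in %SystemRoot%\System32, and scvhost.exe is a lookalike name) can be scripted against the "Running processes" section of a HijackThis log. This is an added example, not code from the thread; the sample process list is constructed in the style of the log above, and the system root C:\WINDOWS is an assumption.

```python
import ntpath

# Constructed sample in the style of a HijackThis "Running processes" section.
# Two entries are planted as suspicious: a copy outside System32 and a lookalike name.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\Explorer.exe
"""

SYSTEM_ROOT = r"C:\WINDOWS"   # assumed %SystemRoot% of the XP box in the thread
LEGIT_NAME = "svchost.exe"


def is_lookalike(name, legit=LEGIT_NAME):
    """True if name is legit with one character substituted or two adjacent
    characters swapped (e.g. scvhost.exe, svch0st.exe). Exact match is not a lookalike."""
    if name == legit or len(name) != len(legit):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
    if len(diffs) == 1:
        return True
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i = diffs[0]
        return name[i] == legit[i + 1] and name[i + 1] == legit[i]
    return False


def check_process_list(text, system_root=SYSTEM_ROOT):
    """Return (path, reason) pairs for svchost-like processes that deserve a look.

    Windows paths are case-insensitive, so comparisons are done on lowercased
    strings; ntpath is used so the check runs on any host, not just Windows.
    """
    expected_dir = ntpath.join(system_root, "System32").lower()
    findings = []
    for line in text.splitlines():
        path = line.strip()
        if not path:
            continue
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name == LEGIT_NAME:
            if directory != expected_dir:
                findings.append((path, "svchost.exe outside System32"))
        elif is_lookalike(name):
            findings.append((path, "lookalike of svchost.exe"))
    return findings


if __name__ == "__main__":
    for path, reason in check_process_list(SAMPLE_PROCESSES):
        print(f"{reason}: {path}")
```

On the XP log in this thread the same check singles out the C:\WINDOWS\svchost.exe entry while leaving the three System32 instances alone.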

Sorry if this is a bit off-topic, but I got to this thread from a search on google for admtask.exe and this thread was the only result I got.
Resulting from this line in keef444's pasted log file:
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
I have the exact same line in my hijackthis log, and have been trying to figure out what that program is.
It has its own program folder with nothing but the .exe in it, and if I run it, all it does is pop up a little window that says:
Auto Data Manager 1.2
Status: OK
Copyright 1998 LexoSoft, Inc. All rights reserved.
When I searched for Auto Data Manager 1.2 and LexoSoft, I got no results whatsoever.
And as I said, searching for admtask.exe brings up this thread as the only result.
Can keef444 or anybody else tell me what on earth this program is and maybe where it came from?
