
Solved: scvhost startup error

Discussion in 'Virus & Other Malware Removal' started by njgacuray, Sep 28, 2008.

Thread Status:
Not open for further replies.
  1. njgacuray

    njgacuray Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    6
    Hi. Good day. Need help. I am getting this on startup.

    [screenshot of the startup error message]
    I have tried fixing it myself, did safe mode, selective startup. I also noticed that this is a common error (as per my search online for related threads). I also noticed that I need to get an error log from HijackThis to help. So here it is..

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:27:09 AM, on 9/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\svchosts.exe
    C:\svchosts.exe
    C:\svchosts.exe
    D:\svchosts.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
    O1 - Hosts: 127.0.0.22 mcafee.com
    O1 - Hosts: 127.0.0.22 www.mcafee.com
    O1 - Hosts: 127.0.0.22 mcafee.net
    O1 - Hosts: 127.0.0.22 www.mcafee
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    --
    End of file - 2948 bytes

    I already tried looking for this entry
    "O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe"
    but I can't find it on my D drive even though hidden files were already shown.

    System setup is kind of old:

    32 bit Windows XP Pro, sp2
    Pentium III with 256 of RAM

    Hoping for a response. Thanks a lot in advance.
     


  2. speed_hog

    speed_hog

    Joined:
    Jul 28, 2008
    Messages:
    1,092
    njgacuray, welcome to TSG.

    Are you sure that's all of the HJT log? It looks like about half of it is missing.

    **Here is a long one:
    http://forums.techguy.org/windows-nt-2000-xp/753736-crazy-stuff-after-sp3-install.html

    **And here is a typical one in length but infected by malware:
    http://forums.techguy.org/malware-removal-hijackthis-logs/747959-need-help-virus-win32-trojan.html
    -------------------------------------------------------------
    Can you look and see if there are any minidump logs?
    -------------------------------------------------------------


    How to post a minidump log

    I borrowed this great tutorial from:
    Rollin' Rog
    Moderator with 42,872 posts
    I can run a debugging utility on the dump files if you do this:

    1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like.
    2 > navigate to c:\windows\minidump and copy the last few minidump files to that folder. *this assumes 'c' is your boot drive, if it is not, substitute accordingly.
    3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
    4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

    This might point us to a non Windows driver causing the error, if one exists for it.

    Since almost all bugchecks can be caused by faulty ram, I would recommend you perform memory tests.

    Beginners Guides: Diagnosing Bad Memory

    Memtest86 - A Stand-alone Memory Diagnostic
     
  3. muppy03

    muppy03

    Joined:
    Jun 19, 2006
    Messages:
    1,892
    First Name:
    Chris
    You might need your post moved to the security section. Notice your error is relating to sCvhost rather than sVchost.
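    muppy03's point about sCvhost versus sVchost, together with the Shell=, hosts-file and D:\svchosts.exe entries in the first log, is the kind of pattern a small triage script can flag automatically. The Python below is an added example, not code from this thread or from HijackThis; the rule names, the vendor keyword list and the constructed sample lines are assumptions of mine.

```python
import ipaddress
import re
from pathlib import PureWindowsPath
# Only legitimate location of the real Service Host binary on Windows XP.
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
# Assumed watch-list: mcafee is the name sunk in this thread's hosts file.
VENDOR_KEYWORDS = ("mcafee", "symantec", "norton", "kaspersky", "trendmicro", "avg")

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r'^O4 - .*?\\Run: \[[^\]]*\]\s+"?([A-Za-z]:\\.*?\.exe)"?', re.I)
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

def osa_distance(a: str, b: str) -> int:
    """Edit distance where an adjacent swap (scv/svc) counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def svchost_lookalike(path: str) -> bool:
    """svchost.exe outside System32, or a name one edit away (scvhost, svchosts)."""
    name = PureWindowsPath(path).name.lower()
    if name == "svchost.exe":
        return path.lower() != LEGIT_SVCHOST
    return osa_distance(name, "svchost.exe") == 1

def shell_hijacked(value: str) -> bool:
    """system.ini Shell= should be exactly Explorer.exe; extra tokens are autostarts."""
    return [t.lower() for t in value.split()] != ["explorer.exe"]

def hosts_redirect(ip: str, host: str) -> bool:
    """Vendor name sunk to loopback or 0.0.0.0 blocks AV updates and downloads."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_unspecified) and any(
        k in host.lower() for k in VENDOR_KEYWORDS)

def run_from_drive_root(path: str) -> bool:
    """Autoruns sitting directly under a drive root are rare for legitimate software."""
    return len(PureWindowsPath(path).parts) == 2

def analyze(log_text: str) -> list:
    """Return (rule, line) pairs for every log line that trips a check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := SHELL_RE.match(line)) and shell_hijacked(m.group(1)):
            findings.append(("shell-hijack", line))
        elif (m := HOSTS_RE.match(line)) and hosts_redirect(*m.groups()):
            findings.append(("hosts-redirect", line))
        elif (m := RUN_RE.match(line)) and (
                run_from_drive_root(m.group(1)) or svchost_lookalike(m.group(1))):
            findings.append(("suspicious-run", line))
        elif PROCESS_RE.match(line) and svchost_lookalike(line):
            findings.append(("lookalike-process", line))
    return findings

# Constructed sample modelled on the first log in this thread, not the full log.
SAMPLE_HJT = r"""
C:\WINDOWS\system32\svchost.exe
C:\svchosts.exe
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe
"""

if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_HJT):
        print(f"{rule:18} {line}")
```

    The benign svchost.exe and AVG lines in the sample are there as controls; only the five look-alike, Shell=, hosts and drive-root entries are reported.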
     
  4. njgacuray

    njgacuray Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    6
    Thanks speed_hog and muppy03, I'll be checking over the HJT log again or maybe try to upload a new one. I'll have that minidump uploaded as well.
     
  5. njgacuray

    njgacuray Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    6
    This is my updated one, and this is all there is in the HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:36:08 PM, on 9/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
    O1 - Hosts: 127.0.0.22 mcafee.com
    O1 - Hosts: 127.0.0.22 www.mcafee.com
    O1 - Hosts: 127.0.0.22 mcafee.net
    O1 - Hosts: 127.0.0.22 www.mcafee
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    --
    End of file - 2785 bytes
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,688
    Hiya

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    Regards

    eddie
     
  7. njgacuray

    njgacuray Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    6
    Hi Sir Ed, I think I'm getting improvement outta here.. Here's my SDFix log. I also saw the svchosts.exe got deleted by the tool you gave me. Cool.


    SDFix: Version 1.230
    Run by APPLE_ on Mon 09/29/2008 at 09:11 AM
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix
    Checking Services :

    Restoring Default Security Values
    Restoring Default Hosts File
    Rebooting

    Checking Files :
    Trojan Files Found:
    C:\autorun.inf - Deleted
    C:\WINDOWS\system32\autorun.ini - Deleted
    C:\WINDOWS\system32\svchosts.exe - Deleted


    Removing Temp Files
    ADS Check :


    Final Check :
    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-29 09:20:07
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden services & system hive ...
    scanning hidden registry entries ...
    scanning hidden files ...
    C:\WINDOWS\Prefetch\HPZIPM12.EXE-145E7369.pf 47178 bytes
    C:\WINDOWS\Prefetch\HP_IZE.EXE-14ABF34B.pf 58254 bytes
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 121592 bytes
    C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf 15796 bytes
    C:\WINDOWS\Prefetch\MMC.EXE-39071BCC.pf 30956 bytes
    C:\WINDOWS\Prefetch\MSHTA.EXE-331DF029.pf 98530 bytes
    C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf 38072 bytes
    C:\WINDOWS\Prefetch\MSPAINT.EXE-11CBB631.pf 20500 bytes
    C:\WINDOWS\Prefetch\MSTORDB.EXE-08C54F49.pf 22164 bytes
    C:\WINDOWS\Prefetch\NERO.EXE-3017C357.pf 43956 bytes
    C:\WINDOWS\Prefetch\NEROCHECK.EXE-092C6DFA.pf 5834 bytes
    C:\WINDOWS\Prefetch\NEROSTARTSMART.EXE-3289D1AD.pf 63978 bytes
    C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf 618726 bytes
    C:\WINDOWS\Prefetch\OSE.EXE-108AC98F.pf 73550 bytes
    C:\WINDOWS\Prefetch\PACKAGER.EXE-1D369367.pf 60056 bytes
    C:\WINDOWS\Prefetch\PINBALL.EXE-1233165F.pf 14924 bytes
    C:\WINDOWS\Prefetch\POWERPNT.EXE-2F940E7E.pf 63924 bytes
    C:\WINDOWS\Prefetch\PTANKS.EXE-055C22DD.pf 21000 bytes
    C:\WINDOWS\Prefetch\GAME.EXE-03A581BE.pf 68706 bytes
    C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf 27092 bytes
    C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf 35168 bytes
    C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf 30900 bytes
    C:\WINDOWS\Prefetch\HPQDIREC.EXE-251E91FC.pf 65454 bytes
    C:\WINDOWS\Prefetch\HPQPHUNL.EXE-2410A5A8.pf 26100 bytes
    C:\WINDOWS\Prefetch\HPQPPROP.EXE-09AA9678.pf 16326 bytes
    C:\WINDOWS\Prefetch\HPQPSXP.EXE-060E92D3.pf 77348 bytes
    C:\WINDOWS\Prefetch\HPQSTE08.EXE-18A7280B.pf 72762 bytes
    C:\WINDOWS\Prefetch\HPQTAX08.EXE-01F2B2E3.pf 14344 bytes
    C:\WINDOWS\Prefetch\HPQTBX01.EXE-28FA88E4.pf 12922 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1224CF94.pf 27354 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-13CC3015.pf 42244 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1449B22B.pf 25086 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-147710F4.pf 63842 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-15830F12.pf 42244 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-173447A8.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-47C92E09.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-489936CE.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-49B2C829.pf 22688 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-49B41459.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-4A900CDD.pf 13528 bytes
    C:\WINDOWS\Prefetch\RVSEZM.EXE-2777799C.pf 13084 bytes
    C:\WINDOWS\Prefetch\SCVHOST.EXE-2C8D7CBA.pf 12878 bytes
    C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD7.pf 17380 bytes
    C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf 40432 bytes
    C:\WINDOWS\Prefetch\SOL.EXE-1C0C14EB.pf 10842 bytes
    C:\WINDOWS\Prefetch\SPIDER.EXE-2D998CA6.pf 11686 bytes
    C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf 55112 bytes
    C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf 10806 bytes
    C:\WINDOWS\Prefetch\TEXTTWIST.EXE-0E0AE554.pf 39130 bytes
    C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf 26724 bytes
    C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf 20972 bytes
    C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf 8126 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf 27266 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf 10296 bytes
    C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf 33588 bytes
    C:\WINDOWS\Prefetch\Layout.ini 435414 bytes
    C:\WINDOWS\Prefetch\LLINKER.EXE-234F883F.pf 21904 bytes
    C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf 5188 bytes
    C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf 43934 bytes
    C:\WINDOWS\Prefetch\QUICKTIMEPLAYER.EXE-280B4828.pf 73322 bytes
    C:\WINDOWS\Prefetch\RCIMLBY.EXE-29F11D7B.pf 13070 bytes
    C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf 8864 bytes
    C:\WINDOWS\Prefetch\EXCEL.EXE-13B3F319.pf 139020 bytes
    C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf 78812 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-188DF14E.pf 139370 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-190FF270.pf 13820 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1AB36BA4.pf 14796 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC55A4F.pf 36210 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-1FAE7AA4.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-219AC37A.pf 16040 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf 128554 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf 10828 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BA9AF79.pf 13492 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-319FEDC0.pf 19324 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-35118CB9.pf 29584 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-37D91B02.pf 13528 bytes
    C:\WINDOWS\Prefetch\RUNDLL32.EXE-42B179DE.pf 48738 bytes
    C:\WINDOWS\Prefetch\WHATWORD.EXE-1F7D9934.pf 13860 bytes
    C:\WINDOWS\Prefetch\WINAMP.EXE-0D0189CA.pf 56762 bytes
    C:\WINDOWS\Prefetch\WINHLP32.EXE-2C18E975.pf 16844 bytes
    C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf 8706 bytes
    C:\WINDOWS\Prefetch\WINMINE.EXE-0A3838A4.pf 10358 bytes
    C:\WINDOWS\Prefetch\WINRAR.EXE-39C6DAD9.pf 28700 bytes
    C:\WINDOWS\Prefetch\WINWORD.EXE-37F6AE09.pf 135806 bytes
    C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf 13408 bytes
    C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf 61214 bytes
    C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf 45580 bytes
    C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9F.pf 57862 bytes
    C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA1.pf 81302 bytes
    C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA3.pf 38664 bytes
    C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf 51704 bytes
    C:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf 29058 bytes
    C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf 63208 bytes
    C:\WINDOWS\Prefetch\ZCLIENTM.EXE-1B874BF9.pf 20866 bytes
    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 94

    Remaining Services :


    Authorized Application Key Export:
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    Remaining Files :

    File Backups: - C:\SDFix\backups\backups.zip
    Files with Hidden Attributes :
    Thu 27 Sep 2007 212,992 ..SHR --- "C:\svchosts.exe"
    Wed 8 Aug 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 8 Aug 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
    Thu 27 Sep 2007 212,992 ..SHR --- "C:\WINDOWS\system32\drivers\etc\svchosts.exe"
    Tue 14 Aug 2007 54,784 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\~WRL0004.tmp"
    Tue 14 Aug 2007 44,032 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\~WRL2898.tmp"
    Wed 8 Aug 2007 4,348 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv1key.bak"
    Wed 8 Aug 2007 401 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv1lic.bak"
    Wed 8 Aug 2007 312 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv2key.bak"
    Wed 8 Aug 2007 1,536 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv2lic.bak"
    Finished!
     
  8. njgacuray

    njgacuray Thread Starter

    Joined:
    Sep 27, 2008
    Messages:
    6
    And here's my new HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:29:11 AM, on 9/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    --
    End of file - 2575 bytes
     
  9. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,688
    Okay, let's just run some other programs, as it's removed it here, but it may still be hidden:

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    ----------


    Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Link 1
    Link 2
    Link 3


    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.



    So, in your next reply, post the contents of the MBAM log, ComboFix log and a fresh HijackThis log :)

    eddie
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,688
    Oops, I see you marked it Solved. It's no biggie, we can still have a look at it, as you can still reply :)

    It's just that I think there may still be some traces left on the PC.

    eddie
     

Short URL to this thread: https://techguy.org/754015
