Solved: scvhost startup error

[njgacuray]

hi. good day. need help. i am getting this on startup.

i have tried fixing it myself,did safemode,selective start up. i also noticed that this is a commom error (as per my search online for related threads). i also noticed that i need to get an error log from hijack to help. so here it is..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:09 AM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\svchosts.exe
C:\svchosts.exe
C:\svchosts.exe
D:\svchosts.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee.com
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 2948 bytes

i already tried looking for this entry
" O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe "
but i cant find it on my D drive even if hidden files were already shown

system setup is kind a old ;

32 bit Windows XP Pro, sp2
Pentium III with 256 of RAM

hoping for response. thanks a lot in advance.

 

[speed_hog]

njgacuray welcome to TSG,

Are you sure thats all of the HJT log it looks like there is about half of it missing?

**Here is a long one:
http://forums.techguy.org/windows-nt-2000-xp/753736-crazy-stuff-after-sp3-install.html

**And here is a typical one in length but infected by malware:
http://forums.techguy.org/malware-removal-hijackthis-logs/747959-need-help-virus-win32-trojan.html
-------------------------------------------------------------
Can you look and see if there are any minidump logs?
-------------------------------------------------------------


How to post a minidump log

I barrowed this great tutorial from;
Rollin' Rog
Moderator with 42,872 posts
I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like.
2 > navigate to c:\windows\minidump and copy the last few minidump files to that folder. *this assumes 'c' is your boot drive, if it is not, substitute accordingly.
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non Windows driver causing the error, if one exists for it.

Since almost all bugchecks can be caused by faulty ram, I would recommend you perform memory tests.

Beginners Guides: Diagnosing Bad Memory

Memtest86 - A Stand-alone Memory Diagnostic

 

[muppy03]

You might need your post moved to the security section. Notice your error is relating to sCvhost rather than sVchost.

 

[njgacuray]

thanks speed_hog and muppy03, i'l be cheking over the HJT log again or maybe try upload a new one. i'l have that minidump uploaded as well.

 

[njgacuray]

this is my updated one. and this is all there is on the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:08 PM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee.com
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [svchosts] D:\svchosts.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 2785 bytes

 

[eddie5659]

Hiya

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Regards

eddie

 

[njgacuray]

hi sir ed, i think im getting improvement outta here.. heres my sdfix log. i also saw the svchosts.exe got deleted by the tool you gave me. cool.


SDFix: Version 1.230
Run by APPLE_ on Mon 09/29/2008 at 09:11 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Default Security Values
Restoring Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\autorun.inf - Deleted
C:\WINDOWS\system32\autorun.ini - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted


Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 09:20:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
C:\WINDOWS\Prefetch\HPZIPM12.EXE-145E7369.pf 47178 bytes
C:\WINDOWS\Prefetch\HP_IZE.EXE-14ABF34B.pf 58254 bytes
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf 121592 bytes
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf 15796 bytes
C:\WINDOWS\Prefetch\MMC.EXE-39071BCC.pf 30956 bytes
C:\WINDOWS\Prefetch\MSHTA.EXE-331DF029.pf 98530 bytes
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf 38072 bytes
C:\WINDOWS\Prefetch\MSPAINT.EXE-11CBB631.pf 20500 bytes
C:\WINDOWS\Prefetch\MSTORDB.EXE-08C54F49.pf 22164 bytes
C:\WINDOWS\Prefetch\NERO.EXE-3017C357.pf 43956 bytes
C:\WINDOWS\Prefetch\NEROCHECK.EXE-092C6DFA.pf 5834 bytes
C:\WINDOWS\Prefetch\NEROSTARTSMART.EXE-3289D1AD.pf 63978 bytes
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf 618726 bytes
C:\WINDOWS\Prefetch\OSE.EXE-108AC98F.pf 73550 bytes
C:\WINDOWS\Prefetch\PACKAGER.EXE-1D369367.pf 60056 bytes
C:\WINDOWS\Prefetch\PINBALL.EXE-1233165F.pf 14924 bytes
C:\WINDOWS\Prefetch\POWERPNT.EXE-2F940E7E.pf 63924 bytes
C:\WINDOWS\Prefetch\PTANKS.EXE-055C22DD.pf 21000 bytes
C:\WINDOWS\Prefetch\GAME.EXE-03A581BE.pf 68706 bytes
C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf 27092 bytes
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf 35168 bytes
C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf 30900 bytes
C:\WINDOWS\Prefetch\HPQDIREC.EXE-251E91FC.pf 65454 bytes
C:\WINDOWS\Prefetch\HPQPHUNL.EXE-2410A5A8.pf 26100 bytes
C:\WINDOWS\Prefetch\HPQPPROP.EXE-09AA9678.pf 16326 bytes
C:\WINDOWS\Prefetch\HPQPSXP.EXE-060E92D3.pf 77348 bytes
C:\WINDOWS\Prefetch\HPQSTE08.EXE-18A7280B.pf 72762 bytes
C:\WINDOWS\Prefetch\HPQTAX08.EXE-01F2B2E3.pf 14344 bytes
C:\WINDOWS\Prefetch\HPQTBX01.EXE-28FA88E4.pf 12922 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1224CF94.pf 27354 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-13CC3015.pf 42244 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1449B22B.pf 25086 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-147710F4.pf 63842 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-15830F12.pf 42244 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-173447A8.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-47C92E09.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-489936CE.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-49B2C829.pf 22688 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-49B41459.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4A900CDD.pf 13528 bytes
C:\WINDOWS\Prefetch\RVSEZM.EXE-2777799C.pf 13084 bytes
C:\WINDOWS\Prefetch\SCVHOST.EXE-2C8D7CBA.pf 12878 bytes
C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBD7.pf 17380 bytes
C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf 40432 bytes
C:\WINDOWS\Prefetch\SOL.EXE-1C0C14EB.pf 10842 bytes
C:\WINDOWS\Prefetch\SPIDER.EXE-2D998CA6.pf 11686 bytes
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf 55112 bytes
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf 10806 bytes
C:\WINDOWS\Prefetch\TEXTTWIST.EXE-0E0AE554.pf 39130 bytes
C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf 26724 bytes
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf 20972 bytes
C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf 8126 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1831A4F3.pf 27266 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf 10296 bytes
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf 33588 bytes
C:\WINDOWS\Prefetch\Layout.ini 435414 bytes
C:\WINDOWS\Prefetch\LLINKER.EXE-234F883F.pf 21904 bytes
C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf 5188 bytes
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf 43934 bytes
C:\WINDOWS\Prefetch\QUICKTIMEPLAYER.EXE-280B4828.pf 73322 bytes
C:\WINDOWS\Prefetch\RCIMLBY.EXE-29F11D7B.pf 13070 bytes
C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf 8864 bytes
C:\WINDOWS\Prefetch\EXCEL.EXE-13B3F319.pf 139020 bytes
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf 78812 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-188DF14E.pf 139370 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-190FF270.pf 13820 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1AB36BA4.pf 14796 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC55A4F.pf 36210 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1FAE7AA4.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-219AC37A.pf 16040 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf 128554 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf 10828 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2BA9AF79.pf 13492 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-319FEDC0.pf 19324 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-35118CB9.pf 29584 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-37D91B02.pf 13528 bytes
C:\WINDOWS\Prefetch\RUNDLL32.EXE-42B179DE.pf 48738 bytes
C:\WINDOWS\Prefetch\WHATWORD.EXE-1F7D9934.pf 13860 bytes
C:\WINDOWS\Prefetch\WINAMP.EXE-0D0189CA.pf 56762 bytes
C:\WINDOWS\Prefetch\WINHLP32.EXE-2C18E975.pf 16844 bytes
C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf 8706 bytes
C:\WINDOWS\Prefetch\WINMINE.EXE-0A3838A4.pf 10358 bytes
C:\WINDOWS\Prefetch\WINRAR.EXE-39C6DAD9.pf 28700 bytes
C:\WINDOWS\Prefetch\WINWORD.EXE-37F6AE09.pf 135806 bytes
C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf 13408 bytes
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf 61214 bytes
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf 45580 bytes
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9F.pf 57862 bytes
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA1.pf 81302 bytes
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA3.pf 38664 bytes
C:\WINDOWS\Prefetch\WSCNTFY.EXE-1B24F5EB.pf 51704 bytes
C:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf 29058 bytes
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf 63208 bytes
C:\WINDOWS\Prefetch\ZCLIENTM.EXE-1B874BF9.pf 20866 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 94

Remaining Services :


Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 27 Sep 2007 212,992 ..SHR --- "C:\svchosts.exe"
Wed 8 Aug 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 8 Aug 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv11.bak"
Thu 27 Sep 2007 212,992 ..SHR --- "C:\WINDOWS\system32\drivers\etc\svchosts.exe"
Tue 14 Aug 2007 54,784 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\~WRL0004.tmp"
Tue 14 Aug 2007 44,032 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\~WRL2898.tmp"
Wed 8 Aug 2007 4,348 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv1key.bak"
Wed 8 Aug 2007 401 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 8 Aug 2007 312 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv2key.bak"
Wed 8 Aug 2007 1,536 A..H. --- "C:\Documents and Settings\APPLE_\Desktop\APPLE\My Documents\My Music\License Backup\drmv2lic.bak"
Finished!

 

[njgacuray]

and here's ny new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:11 AM, on 9/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 2575 bytes

 

[eddie5659]

Okay, lets just run some other programs, as its removed it here, but may still be hidden:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


----------


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

So, in your next reply, post the contents of the MBAM log, ComboFix log and a fresh HijackThis log

eddie

 

[eddie5659]

Oops, see you marked it Solved. Its no biggie, we can still have a look at it, as you can reply still

Its just that I think there may still be some traces left on the pc.

eddie