
Strange list of IP hosts in hijackthis / How to prevent svcchost from coming back?

7K views 4 replies 2 participants last post by cybertech
#1 ·
Hey guys, I'm new here. :)

I have always had a pretty clean system and never even needed to download HijackThis until today because I had a pesky problem that was annoying me with popup alerts in AntiVir (Vundo...ssttt.dll). So I ran VundoFix and a couple other things and it seems to be gone. But now that I've got HijackThis, I noticed something I thought I'd ask about. I see a list of host IPs and banking related sites and such. I have no idea what this is, but I suspected a virus. So I googled and found 9 results, but they were all in German, mostly at the hijackthis.de site. Since my knowledge of Germanic languages is "Ja" and "Guten Tag", I found no help there, even with the pages badly translated. :D

So I thought I'd post here, here's the latest log, please let me know what needs to be done.

hijackthis log said:
Logfile of HijackThis v1.99.1
Scan saved at 5:40:10 PM, on 10/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IT\Desktop\hijackthis\HijackThis.exe

O1 - Hosts: 82.146.56.35 personal.barclays.co.uk
O1 - Hosts: 82.146.56.35 barclays.co.uk
O1 - Hosts: 82.146.56.35 www.barclays.co.uk
O1 - Hosts: 82.146.56.35 hsbc.co.uk
O1 - Hosts: 82.146.56.35 www.hsbc.co.uk
O1 - Hosts: 82.146.56.35 personal.hsbc.co.uk
O1 - Hosts: 82.146.56.35 abbey.com
O1 - Hosts: 82.146.56.35 www.abbey.com
O1 - Hosts: 82.146.56.35 www.abbey.co.uk
O1 - Hosts: 82.146.56.35 abbey.co.uk
O1 - Hosts: 82.146.56.35 www.banesto.es
O1 - Hosts: 82.146.56.35 banesto.es
O1 - Hosts: 82.146.56.35 www.bbvanet.com
O1 - Hosts: 82.146.56.35 bbvanet.com
O1 - Hosts: 82.146.56.35 www.halifax.co.uk
O1 - Hosts: 82.146.56.35 halifax.co.uk
O1 - Hosts: 82.146.56.35 bankofscotlandhalifax.co.uk
O1 - Hosts: 82.146.56.35 www.co-operativebank.co.uk
O1 - Hosts: 82.146.56.35 co-operativebank.co.uk
O1 - Hosts: 82.146.56.35 www.co-operativebank.com
O1 - Hosts: 82.146.56.35 co-operativebank.com
O1 - Hosts: 82.146.56.35 welcome2.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome6.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome8.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 welcome10.co-operativebankonline.co.uk
O1 - Hosts: 82.146.56.35 www.woolwich.co.uk
O1 - Hosts: 82.146.56.35 woolwich.co.uk
O1 - Hosts: 82.146.56.35 cahoot.com
O1 - Hosts: 82.146.56.35 www.cahoot.com
O1 - Hosts: 82.146.56.35 www.cahoot.co.uk
O1 - Hosts: 82.146.56.35 cahoot.co.uk
O1 - Hosts: 82.146.56.35 www.smile.co.uk
O1 - Hosts: 82.146.56.35 smile.co.uk
O1 - Hosts: 82.146.56.35 www.volksbank.de
O1 - Hosts: 82.146.56.35 volksbank.de
O1 - Hosts: 82.146.56.35 www.berliner-volksbank.de
O1 - Hosts: 82.146.56.35 postbank.de
O1 - Hosts: 82.146.56.35 www.postbank.de
O1 - Hosts: 82.146.56.35 direkt.postbank.de
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A900B37-98AA-42DC-B4D4-0FE8A04E4A0D}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Also, for the last month I keep seeing svcchost.exe, mysvcc.exe and other related processes running. I keep killing them and removing their startup entries from msconfig, but here's the weird part... If I start up my PC and open Task Manager and keep it open, these processes usually don't show up. But if I run my PC without Task Manager open, it often freezes up and things stop responding. Like I'll try to pull up Task Manager and the icon will appear down by the clock, but the actual program window never opens. I'm running AntiVir, Spybot, SpywareBlaster, and TeaTimer. I would think that TeaTimer should be asking me or flat out denying repeated attempts to add these svcc processes as startup items, but for some reason it's not. I tried to dig around in Spybot/TeaTimer settings to see if maybe I could reset some of the "learning" procedures, but it seems that once it has already learned how to handle something, it's done asking for your input. But I never would have allowed this crap, so I'm confused. :(

Any help is appreciated. Thanks for your time :)
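The two things the poster spotted by eye in that log, a routable IP mapped to a block of bank hostnames in the hosts file and a RunServices entry for a look-alike of svchost.exe, are the kind of checks a responder would script. The following is an added example and is not part of the thread or of HijackThis; the sample log lines are constructed to mirror the O1 and O4 entries posted above (plus one benign loopback entry and one legitimate Run entry for contrast), and the heuristics (loopback/private allow-list, "bare filename with no path", edit distance to svchost.exe) are this example's own, not HijackThis rules.

```python
"""Triage HijackThis-style O1 (hosts) and O4 (autorun) lines.

Added example; not part of the original thread or of HijackThis.
SAMPLE_LOG is constructed for illustration and mirrors the posted log.
The detection rules below are this example's own heuristics.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input (mirrors the thread's O1/O4 lines).
SAMPLE_LOG = r"""O1 - Hosts: 82.146.56.35 personal.barclays.co.uk
O1 - Hosts: 82.146.56.35 barclays.co.uk
O1 - Hosts: 82.146.56.35 www.hsbc.co.uk
O1 - Hosts: 82.146.56.35 postbank.de
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+):\s+\[([^\]]+)\]\s+(.*)$")
REAL_SERVICE_HOST = "svchost.exe"  # the genuine name droppers imitate


def parse_log(text):
    """Return ([(ip, hostname)], [(hive, key, name, command)])."""
    hosts, autoruns = [], []
    for line in text.splitlines():
        m = O1_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groups())
    return hosts, autoruns


def suspicious_hosts(entries, min_names=2):
    """Group hosts entries by IP; keep routable IPs that capture several names.

    Ad-blocking hosts files point names at loopback or 0.0.0.0; that is not
    pharming. A public IP answering for a set of bank hostnames is.
    """
    by_ip = defaultdict(set)
    for ip_text, hostname in entries:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed address; not the case this example handles
        if ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local:
            continue
        by_ip[ip_text].add(hostname.lower())
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def levenshtein(a, b):
    """Plain edit distance, used to catch svcchost.exe-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(command):
    """Executable part of an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_autoruns(entries):
    """Flag autorun values that hide where they run from or mimic svchost."""
    findings = []
    for hive, key, name, command in entries:
        exe = first_token(command)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename, no explicit path")
        if base != REAL_SERVICE_HOST and levenshtein(base, REAL_SERVICE_HOST) <= 2:
            reasons.append("name is a look-alike of " + REAL_SERVICE_HOST)
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


def triage(text):
    hosts, autoruns = parse_log(text)
    return {"pharming": suspicious_hosts(hosts), "autoruns": suspicious_autoruns(autoruns)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["pharming"].items():
        print("hosts file sends %d names to %s: %s" % (len(names), ip, ", ".join(names)))
    for key, name, exe, reasons in report["autoruns"]:
        print("%s [%s] %s: %s" % (key, name, exe, "; ".join(reasons)))
```

On the posted log this reports 82.146.56.35 as the single destination for every bank name and flags both RunServices values: svcchost.exe for being one character off the real service host and for having no path, mysvcc.exe for the missing path alone. The AntiVir Run entry, a full quoted path to a vendor directory, passes.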
#2 ·
OK, I checked all the banking sites and the two svcc related entries and fixed them. Now my log looks like this...

Logfile of HijackThis v1.99.1
Scan saved at 5:54:02 PM, on 10/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\IT\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A900B37-98AA-42DC-B4D4-0FE8A04E4A0D}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
#5 ·
Hi, Welcome to TSG!

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.