
Windows 98 "pauses" on shut down then this "szchostc" window pops up

Discussion in 'Virus & Other Malware Removal' started by chainsaw, Apr 17, 2004.

Thread Status:
Not open for further replies.
  1. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Windows 98 "pauses" on shut down then this "szchostc" Message window pops up.

    Then a few minutes later another window, an "End task" "Continue" or "Cancel" box, pops up. When I push End Task, Windows will then shut down.


    It is linked to the < sync.eye crypt 32 dll:certget name string A > because this will come up if I push the buttons too much to shut my PC down and the RAM hits bottom.

    I don't know what to do. Microsoft support "SUCKS"!!! I visited this "trojan" web site that linked me to "Szchostc". I downloaded their zip file and I tried to extract the bad files but it didn't seem to work. They had a notepad work sheet that was way over my head with PC jargon!


    Please feel free to e-mail me with any help! This problem is working my nerves!


    Chainsaw
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Unzip HijackThis to a permanent folder; then run it and select Scan. After saving the Scanlog, copy/paste the results here.

    http://tomcoyote.com/hjt/

    Yes you have a trojan. MS does not help with these.

    I've taken the liberty of removing your e-mail address. It is very bad practice to publish these in open forums as they will be "harvested" for spam. You can be e-mailed through the forum e-mail link, (if you enable it in the user Control Panel) but you are best off getting open advice which is peer reviewed.

    The site you went to before was bogus if it was giving you files to extract for that problem.
     
  3. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Hi Rollin' Rog

    I downloaded the HJ

    After saving the Scanlog, copy/paste the results here?

    Copy and paste where?


    I checked every box to fix the errors and only 3 boxes remained. Nothing changed on my PC "but it seemed to get quicker". I have C-version of Bug Doctor and I ran it after HiJack and it showed no errors.

    Then I crossed my fingers, went to shut down my Win 98 from my start up menu, and a yellow triangle & ! (in the middle) popped up. The yellow triangle is located in the left hand corner and right above that is the word szchostc.
    This is how the rest of it reads word for word!! Help lp!!!

    You must quit this program before you quit windows
    Click OK to quit the program and windows, or click cancel to continue running program

    Then the other box pops up about 30 seconds later, saying the same thing but in a push-button format: End Task.


    For some reason my PC thinks I am still using a szchostc program and won't shut down the first time. It will shut down when I push End Task.

    Maybe this Hijack is the answer to fixing this, I just don't know a lot about PCs. I know drives, downloads & files, that sort of thing!



    Need further hellllp!

    Thanks for the hot-tip with the e-mail didn't realize that snakes were in the house! Hee! Hee!


    Chainsaw
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Lordie, lordie, you do NOT want to check every box in HijackThis. That removes everything good or bad.

    I hope you saved it to a permanent folder so you can restore the backups. To do that run it, select Config > Backups and restore everything there.

    Then run the Scan again, save the log. With the log open select Edit > Select All > Edit > Copy. Then right click on a message reply window here and select "paste". The copied text should appear.

    If you are not able to use HijackThis's restore feature, go to Start > Shutdown > Restart in MS-DOS mode. At the c:\windows> prompt enter:

    scanreg /restore and choose a date on the morning of the day you did this, don't go back further.

    Also, since you appear to have this trojan:

    http://se.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_DAEMOZ.A

    Try running Trend's HouseCall Scan:

    http://housecall.antivirus.com/

    If that does not resolve the problem, in addition to giving me a Scanlog, also provide a "Startuplist". This is made by running HijackThis and selecting the following:

    Config > MiscTools > Generate Startuplist. That can be copy/pasted here as well.
     
  5. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Hey;

    Rollin"

    I restarted my PC from the MS-DOS mode and restored any features that Hijack deleted or edited. Can we start from scratch again with this? I still have the exe file and I deleted all the other files that Hijack had except, of course, the ZIP!

    I already dumped the trojan software, but if you think it's a shot that might work I'll search and reload the zip file.

    I'm going to try that house call antivirus to see if that helps!


    Thanks for your support!


    Chainsaw!
     
  6. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Rollin;

    You Da Man!

    That house call site you linked me to fixed the problem. I had to go into the Start / Run program, type regedit and delete in Windows/Current / Run this >
    system%\scchost.exe"

    Thanks man!

    OK, now that's behind me, I have another problem. I can't view any jpegs on my Win 98. I have Corel Draw 4 and it won't even load up anymore because it says I lost some cdr files. At one time a few weeks back Internet Explorer was letting me open up the jpeg pictures.

    I do a lot of CD graphics, just basic cut and paste stuff, but can't do that now.


    Rollin;

    You know what really scares me is that that house call program showed I had 37 viral errors??? I only picked out the directions to fix the one that was bothering me, and I went back to see if there was a CDR problem because this is what the error message pops up as, and I didn't see anything (Corel Draw & Jpeg extra). Well, thanks for fixing the first problem, now on to the next one!


    Chainsaw!
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well I still haven't seen a Win98 Scanlog and you should post that here so I can verify you don't have any remaining problems.

    The jpeg issue should really be posted in the Win98 forum, but try this to see if you can get it to reset to the defaults which will cause jpegs to open in IE.

    Go to the site here and find and run the "all in one" jpeg fix. It is a .reg file, you download it and just double click it to merge it to the registry.

    http://www.geocities.com/one_human/advanced.html#JPG_GIF_fix
     
  8. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Hi Rollin;

    That geocities fixed my jpegs. They open fine but my Corel program is hit. I loaded it and it still says missing files; when I uninstalled it the jpegs stopped working again, so I reloaded the jpeg fixes!

    Here is a copy of my latest Win Scanlog from Hijack as you seem to be dx and correcting all my PC problems! Which is cool!!

    Logfile of HijackThis v1.97.7
    Scan saved at 9:24:03 PM, on 4/19/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Well does it look that bad?


    Chainsaw?
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well you never restored the HijackThis Scanlog entries that you SHOULDN'T have removed. This is important as without them you have no running antivirus and any fine day you are likely to find yourself with a registry that has been restored to when you did this and no subsequently installed programs will work.

    You need to run HijackThis, select Config > Backups and look for the entries for default Windows startups and known legitimate startups that you removed, such as your Antivirus program.

    Windows Startups will include:

    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    ... and possibly mstask.exe (taskscheduler)

    >> In this HijackThis Scanlog you need to check and "fix" this entry:

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    Then reboot and delete the bolded folder above

    You should also install, UPDATE and run either Spybot or Ad-Aware or both:

    Spybot Instructions and Download
    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73

    Post another Scanlog after you have restored the entries I indicated and removed the new one.

    The problem with Corel will probably require the entire Corel Program Files folder to be renamed or deleted following a removal and before a reinstall.
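
An added example, not part of the original posts and not HijackThis's own code: a small Python triage of the O4 (startup) lines in a HijackThis log against the default Windows 98 startups listed in the post above. The sample log is constructed from entries quoted in this thread plus one hypothetical line, and the function names are illustrative.

```python
import re

# Default Windows 98 startups as listed in the post above (value name -> command).
KNOWN_GOOD = {
    "scanregistry": r"c:\windows\scanregw.exe /autorun",
    "loadpowerprofile": "rundll32.exe powrprof.dll,loadcurrentpwrscheme",
    "systemtray": "systray.exe",
}

# HijackThis startup line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^\s*O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+?)\s*$")

# Constructed sample: lines quoted in this thread plus one hypothetical entry
# (the last O4 line) that reuses a trusted value name with a different path.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [SystemTray] C:\WINDOWS\TEMP\systray.exe
O9 - Extra button: Related (HKLM)
"""

def parse_o4(log_text):
    """Return one dict per O4 line; other HijackThis sections are skipped."""
    fields = ("hive", "key", "name", "command")
    return [dict(zip(fields, m.groups()))
            for m in map(O4_RE.match, log_text.splitlines()) if m]

def triage(log_text):
    """Split O4 entries into (keep, review) and list missing default startups."""
    keep, review, seen = [], [], set()
    for entry in parse_o4(log_text):
        name = entry["name"].lower()
        # Require name AND command to match: a trusted name alone proves nothing.
        if KNOWN_GOOD.get(name) == entry["command"].lower():
            keep.append(entry)
            seen.add(name)
        else:
            review.append(entry)
    return keep, review, sorted(set(KNOWN_GOOD) - seen)

if __name__ == "__main__":
    keep, review, missing = triage(SAMPLE_LOG)
    for entry in review:
        print("REVIEW :", entry["key"], entry["name"], "->", entry["command"])
    for name in missing:
        print("MISSING:", name)
```

Entries under REVIEW are candidates for a closer look rather than automatic removals, and MISSING names a listed default startup that the log no longer contains.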
     
  10. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Rollin;


    I tried to Delete that file ISTsvc\istsvc.exe. The complete folder was deleted but in my trash can it won't let me empty it?


    Here's an updated Scanlog. Those file names didn't seem to match but the 04-Hklm\..Run did, so I restored those files and a few more. So you can have a look at it. You're right, I don't have an AntiVirus program! I downloaded that Spybot and I'm figuring it out as we speak!

    Well, here's my hijack scan log with the Spybot not downloaded yet!!

    Logfile of HijackThis v1.97.7
    Scan saved at 12:40:44 AM, on 4/21/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\SAVE\SAVE.EXE
    E:\KAZAA LITE K++\KAZAA.KPP
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - (no file)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O4 - HKLM\..\Run: [KAZAA] "E:\KAZAA LITE K++\KPP.EXE" "E:\KAZAA LITE K++\KAZAA.KPP" /SYSTRAY
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Olive System] C:\WINDOWS\SYSTEM\szchost.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Let me know what I can get rid of. And how do I dump that file ISTSVE.EXE that's stinking up my trash can??

    thanx "Rollin" for your killer helllllllllllllllllp!!

    Chainsaw
     
  11. chainsaw

    chainsaw Thread Starter

    Joined:
    Apr 17, 2004
    Messages:
    7
    Rollin;


    That Spybot works well. Should I uninstall Hijack since this Spybot seems to do it all?




    P.S.

    My P.C. runs much faster, and starts and shuts down without hesitation!!

    thanx!!! Chainsaw!
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Don't know how I missed your follow-up, sorry about that...

    No, HijackThis does not need to be uninstalled. It should be kept in a permanent folder so that the backups it creates can be reinstalled if necessary. You should not have restored those particular entries, but hopefully Spybot has taken care of them. Post another Scanlog after you have followed my directions below.

    You are still missing an important startup -- and if you do not restore it you will sooner or later find yourself in a big mess because Windows sometimes chooses to restore registries. If it does that and no recent backups have been created you are back to square one and nothing you have installed subsequently will work.

    Follow my directions here to restore it, since you do not seem to have preserved the HijackThis backup:

    http://forums.techguy.org/showthread.php?postid=586210#post586210
     
Short URL to this thread: https://techguy.org/221153
