Hi everyone, I just downloaded the 30-day trial of TDS-3 and I'm very impressed. The only problem is that when I try to scan drive C my PC crashes. I've been having problems for a while; the PC takes about 3 years to boot up!! (well, 5 mins). The CPU usage is stuck on 100%, and the processes affected are "scvhost.exe" and "svchost.exe", which leads me to believe I have the Gaobot.ae virus. I just don't seem to be able to get rid of it. Any help will be very gratefully received. Thanks
Hello mrpaul and welcome! Does TDS scan properly with the startup scans? You might like to get Port Explorer (free eval) to look deeper at which applications are connected to the svchost processes and which ports are involved. It is not necessarily an infection, although possible: I suppose you took the steps mentioned in this thread to get rid of it. There can be a settings problem somewhere on your system, system file versions, drivers, lots of options. Which Windows version are you using? Stand-alone or in a LAN, router maybe? Was the slow bootup also there before you installed TDS? Any other software installed recently? Just in case, is there an older system restore point or image available, in case you need to go back a few steps and try again?
Hi mrpaul, Are you sure of the spelling? scvhost.exe and svchost.exe. Depending on the directory where these files are found they could very well be viruses. Regards, Pieter
Please check the thread I posted above; I coloured it blue now so you might see it better. Try that advice and come back ASAP afterwards.
Hi, I checked the thread, no luck there I'm afraid. I can't do any type of AV scan because the PC just crashes. My OS is Windows 2000 Professional. I tried removing the Configuration Loader "scvhost.exe" from the registry, but after I restart the PC it's returned. If I try to end the process in the Task Manager it says "operation could not be completed, access denied". I tried stopping it at startup using msconfig, but when I restart the PC it's created another entry. Not sure what else to do?
Hi mrpaul, Could you please follow instructions here on how to post your HijackThis log: http://www.wilderssecurity.com/showthread.php?t=15913 Regards, Pieter
You can use TaskMan+ from the DCS freeware, which will enable you to terminate the process that you can't with the Task Manager.
Hi, I did an Ad-Aware scan before posting this:

Logfile of HijackThis v1.97.7
Scan saved at 18:15:59, on 11/01/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\devldr32.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloaded programes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [MSConfig] C:\downloaded programes\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.5695949074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4311/mcfscan.cab
Leaving this to Pieter, the internet HJT specialist, or one of the other specialists here. I can ONLY say that the entry in HOSTS you can delete or replace with the new IP address 64.91.255.87, so you'll be directed to the proper DiamondCS forum and not to the domain mentioned when you press F5.

Did Ad-Aware find anything special, and did you also try a Spybot S&D scan? Does your PestPatrol run/scan/update without problems?

scvhost - scvhost.exe - Process Information
Process File: scvhost or scvhost.exe
Process Name: Scvhost
Description: Added to the system as a result of the W32/Agobot-S VIRUS! which is an IRC backdoor Trojan and network worm. W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
Company: N/A
System Process: No
Security Risk (Virus/Trojan/Worm/Adware/Spyware): Yes
Common Errors: N/A
Hi, I did an Ad-Aware and a Spybot S&D scan. It took ages because the PC is running slow. They didn't find anything special. I can't scan with PestPatrol, the PC crashes.
First Pieter's solutions, fixes and advice on the HJT log, as after more googling I'm getting more and more convinced that it is unfortunately an infection.
Hi mrpaul, Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe

Reboot after doing so, preferably into safe mode, and delete:

C:\WINNT\System32\scvhost.exe <= please pay attention to the name; svchost.exe is in the same directory and is a legitimate Windows file.

http://www.sophos.com/virusinfo/analyses/w32agobotbb.html

Regards, Pieter
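The triage above comes down to two checks a responder can automate: spotting a file name that is one typo away from a core Windows binary (scvhost.exe next to the real svchost.exe), and finding the O4 autostart keys and O1 hosts-file overrides that keep it alive. The script below is an added example, not code from the thread or from DiamondCS; it parses the HijackThis log posted earlier in this thread (embedded as `SAMPLE_LOG`) and uses an edit distance that counts an adjacent-letter swap as a single edit, since a plain Levenshtein distance would score scvhost/svchost as 2 and miss it. The set of "legitimate" names is an assumption chosen for illustration, and the check is by name only: a real investigation still confirms the file's directory and submits the sample, as the replies below say.

```python
"""Triage a HijackThis-style log for look-alike system file names.

Added example, not part of the original thread: flags running processes and
O4 autostart targets whose file name is one edit away from a legitimate
Windows core binary (scvhost.exe vs svchost.exe) and lists O1 hosts-file
overrides. SAMPLE_LOG is the log posted earlier in this thread.
"""
import re

# Assumed list of core Windows binaries that malware imitates with near-miss names.
LEGIT_SYSTEM_BINARIES = {
    "svchost.exe", "smss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "spoolsv.exe", "explorer.exe", "csrss.exe",
}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.I)          # "Running processes" lines
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")           # hosts-file overrides
AUTOSTART_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.I)                    # last .exe component of a command


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so scvhost/svchost scores 1, not 2."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename):
    """Return the legitimate binary `filename` imitates, or None when the name is
    exact (trusted by name in this example) or not a near miss at all."""
    name = filename.lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    for legit in sorted(LEGIT_SYSTEM_BINARIES):
        if osa_distance(name, legit) == 1:
            return legit
    return None


def exe_name(command):
    """Pull the .exe file name out of a Windows path or command line."""
    m = EXE_RE.search(command)
    if m:
        return m.group(1).strip()
    parts = command.split()
    return parts[0] if parts else command


def triage(log_text):
    """Scan an HJT log and return the findings a responder would act on."""
    findings = {"lookalike_processes": [], "lookalike_autostarts": [], "hosts_overrides": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            legit = lookalike_of(exe_name(line))
            if legit:
                findings["lookalike_processes"].append((line, legit))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings["hosts_overrides"].append((m.group(1), m.group(2)))
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            key, name, command = m.groups()
            target = exe_name(command)
            legit = lookalike_of(target)
            if legit:
                findings["lookalike_autostarts"].append((key, name, target, legit))
    return findings


# The log posted earlier in this thread, trimmed to the lines the parser reads.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloaded programes\HijackThis.exe
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\downloaded programes\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, legit in report["lookalike_processes"]:
        print(f"look-alike process: {path} (imitates {legit})")
    for key, name, target, legit in report["lookalike_autostarts"]:
        print(f"autostart to fix: {key} [{name}] -> {target} (imitates {legit})")
    for ip, host in report["hosts_overrides"]:
        print(f"hosts override: {host} -> {ip}")
```

Run against the posted log it reports the one rogue process, both Configuration Loader keys (Run and RunServices, which is why the entry "came back" after fixing only one) and the dcsresearch.com hosts redirection, while leaving the two genuine svchost.exe instances and IEXPLORE.EXE (two edits from explorer.exe) alone.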
If you still have a copy of scvhost.exe I would like to see it, just in case: submit@diamondcs.com.au. And yes, you might need to kill the process or do the instructions in Safe Mode, so the trojan is not rewriting the values after you delete them.
Hi, Please make a copy of the file and send it to us as soon as possible. If there is any problem accessing the file, do it from safe mode; even zip it with a password if you need to. While in safe mode, run HijackThis again and delete the Configuration Loader keys from there. Now the process should really be stopped from starting, unless there are other startups.