hijack log

Discussion in 'adware, spyware & hijack cleaning' started by mrpaul, Jan 11, 2004.

Thread Status:
Not open for further replies.
  1. mrpaul

    mrpaul Guest

    Hi,
    I did an Ad-aware scan before posting this:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:45:27, on 11/01/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\scvhost.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\downloaded programes\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [MSConfig] C:\downloaded programes\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.5695949074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4311/mcfscan.cab
     
  2. subratam

    subratam Registered Member (Joined: Nov 14, 2003; Posts: 1,310; Location: Issaquah, WA)

    hello mrpaul, :)
    and do wait for some experts to take care of your problems...
    (there is a C:\WINNT\System32\scvhost.exe) in your log, with some more like that in
    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
    ... when it should be svchost.exe
    [scvhost - scvhost.exe - Process Information

    Process File: scvhost or scvhost.exe
    Process Name: Scvhost
    Description: Added to the system as a result of the W32/Agobot-S VIRUS! which is an IRC backdoor Trojan and network worm. W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
    Company: N/A
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A]

    experts here will throw more light on the matter
    thx
     
  3. Unzy

    Unzy Registered Member (Joined: Nov 2, 2003; Posts: 1,098; Location: Belgium)

    Hi mrpaul,

    Fix the following with HijackThis:

    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe

    Restart the PC after doing so and remove:

    scvhost.exe <- this file from your PC (make sure it's scvhost.exe and not svchost.exe! That one is legit.)

    It's also always a good idea to do a checkup online scan:

    Bitdefender

    and / or here:

    TrendMicro

    Hope this helps,

    Cheers,
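
Added example, not part of the original thread and not HijackThis's own logic: a Python check that scans a HijackThis log for executable names that are one edit (including one swap of adjacent letters) away from a known system binary, which is how `scvhost.exe` differs from `svchost.exe`. The `KNOWN` list and the function names are assumptions made for this illustration; the sample lines are copied from the log posted above.

```python
import re

# Assumed reference list of Windows 2000 system binaries that get imitated.
KNOWN = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
         "svchost.exe", "spoolsv.exe", "explorer.exe", "csrss.exe"}

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

# File name component ending in .exe, from a full path or a bare O4 value.
EXE = re.compile(r"([^\\\s\]]+\.exe)\b", re.IGNORECASE)

def lookalikes(log_text, max_distance=1):
    """Return sorted (line_no, found_name, imitated_name) tuples."""
    hits = set()
    for no, line in enumerate(log_text.splitlines(), 1):
        for name in EXE.findall(line):
            name = name.lower()
            if name in KNOWN:
                continue  # exact match: the genuine file name
            for good in KNOWN:
                if osa_distance(name, good) <= max_distance:
                    hits.add((no, name, good))
    return sorted(hits)

# Sample input: lines taken from the log in the first post.
SAMPLE = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\explorer.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
"""

if __name__ == "__main__":
    for hit in lookalikes(SAMPLE):
        print("line %d: %s looks like %s" % hit)
```

A name-only check like this does not catch a correctly spelled `svchost.exe` running from an unexpected directory; that needs a separate path comparison.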
     
  4. mrpaul

    mrpaul Guest

    Hi,
    I did this but I'm still having the same problems :(

    I also did the online scan but the PC didn't like it & guess what...........it crashed!

    I'm not having much luck :doubt:
     