pc crashing

Discussion in 'Trojan Defence Suite' started by mrpaul, Jan 11, 2004.

Thread Status:
Not open for further replies.
  1. mrpaul

    mrpaul Guest

    hi everyone
    I just downloaded the 30 day trial of TDS-3 & I'm very impressed.
    The only problem is when I try & scan drive C my pc crashes :'(
    I've been having problems for a while, the pc takes about 3 years to boot up!! (well, 5 mins).
    The CPU usage is stuck on 100%, the processes affected are "scvhost.exe" & "svchost.exe" which leads me to believe I have the gabot.ae virus, I just don't seem to be able to get rid of it.
    Any help will be very gratefully received.

    thanks :D
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello mrpaul and welcome!
    Does TDS scan with the startup scans properly?
    You might like to get Port Explorer (free eval) to look deeper which applications are connected to the svchost processes and which ports are involved.
    It is not necessarily an infection although possible:
    I suppose you took the steps mentioned in this thread to get rid of it.
    There can be a settings problem somewhere on your system, system files versions, drivers, lots of options.
    Which windows version are you using? Stand alone or in a LAN, router maybe?
    Was the slow bootup also before you installed TDS?
    Any other software installed recently?
    Just in case, is there an older system restore point or image available just in case you need to go back a few steps and try again?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mrpaul,

    Are you sure of the spelling?
    scvhost.exe & svchost.exe

    Depending on the directory where these files are found, they could very well be viruses.

    Regards,

    Pieter
     
  4. mrpaul

    mrpaul Guest

    yeah, I checked the spelling, it's correct :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please check the thread I posted above; I colored it blue now so you might see it better. Try that advice and come back asap after.
     
  6. mrpaul

    mrpaul Guest

    hi, I checked the thread, no luck there I'm afraid, I can't do any type of AV scan because the pc just crashes.

    my OS is Windows 2000 Professional

    I tried removing the configuration loader "scvhost.exe" from the registry but after I restart the pc it's returned.

    if I try & end the process in the Task Manager it says "operation could not be completed access denied"

    I tried stopping it at startup using msconfig but when I restart the pc it's created another entry.

    not sure what else to do? o_O
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mrpaul,

    Could you please follow instructions here on how to post your HijackThis log:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    You can use TaskMan+ from the DCS freeware, which will enable you to terminate the process that you can't with the Task Manager.
     
  9. mrpaul

    mrpaul Guest

    hi, I did an Ad-Aware scan before posting this:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:15:59, on 11/01/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\scvhost.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\downloaded programes\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [MSConfig] C:\downloaded programes\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37989.5695949074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4311/mcfscan.cab
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Leaving this to Pieter, the internet HJT specialist or one of the other specialists here.
    I can ONLY say the entry in HOSTS you can delete or replace with this new IP address 64.91.255.87, so you'll be directed to the proper DiamondCS forum and not to the domain mentioned when you press F5.

    Did Ad-Aware find anything special, and did you also try a Spybot S&D scan?
    Does your PestPatrol run/scan/update without problems?

    scvhost - scvhost.exe - Process Information
    Process File: scvhost or scvhost.exe
    Process Name: Scvhost
    Description: Added to the System as a result of the W32/Agobot-S VIRUS! which is an IRC backdoor Trojan and network worm. W32/Agobot-S copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
    Company: N/A
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A
     
  11. mrpaul

    mrpaul Guest

    hi
    I did an Ad-Aware & a Spybot S&D scan. It took ages because the pc is running slow.
    Didn't find anything special.
    I can't scan with PestPatrol, the pc crashes.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    First Pieter's solutions, fixes and advice on the HJT log, as I'm getting more and more convinced after more googling that it is an infection, unfortunately.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi mrpaul,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe

    Reboot after doing so, preferably into safe mode and delete:
    C:\WINNT\System32\scvhost.exe <= please pay attention to the name, svchost.exe is in the same directory and a legitimate Windows file.

    http://www.sophos.com/virusinfo/analyses/w32agobotbb.html

    Regards,

    Pieter
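The fix above hinges on telling the lookalike `scvhost.exe` apart from the genuine `svchost.exe` that lives in the same directory, and on the two `O4` startup entries and the `O1` Hosts override that point at it. The following Python triage script is an added example, not code from the thread, from HijackThis or from DiamondCS: it reads a HijackThis-style log, flags every running process or startup command whose file name is one edit or adjacent-letter swap away from a core Windows binary, and lists Hosts overrides for review. The list of trusted binary names is an assumption chosen for this example, and the embedded sample log is a constructed subset of the log posted earlier in the thread.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature).

Flags process paths and O4 startup commands whose file name is a near-miss of a
core Windows binary, and lists O1 Hosts overrides so a reviewer can check them.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Core Windows binaries that lookalike names tend to imitate.
# This set is an assumption made for the example, not a reference list.
TRUSTED_NAMES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "explorer.exe", "smss.exe", "spoolsv.exe", "csrss.exe",
}

# Constructed sample: a subset of the log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\scvhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Configuration Loader] scvhost.exe
O4 - HKLM\..\RunServices: [Configuration Loader] scvhost.exe
"""

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")  # a bare Windows path under "Running processes:"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'scvhost' is distance 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(file_name: str) -> Optional[str]:
    """Return the trusted binary name this file name imitates, or None.
    Exact matches are trusted; only near-misses (distance <= 1) are flagged."""
    name = file_name.lower()
    if name in TRUSTED_NAMES:
        return None
    for trusted in sorted(TRUSTED_NAMES):
        if osa_distance(name, trusted) <= 1:
            return trusted
    return None


def triage(log_text: str) -> list:
    """Walk the log and collect (kind, line, note) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            mimic = lookalike(PureWindowsPath(line).name)
            if mimic:
                findings.append(("process", line, f"lookalike of {mimic}"))
        elif (m := O4_RE.match(line)):
            # First token of the command is the executable; its path may be bare.
            exe = PureWindowsPath(m["cmd"].split()[0]).name
            mimic = lookalike(exe)
            if mimic:
                findings.append(("startup", line, f"lookalike of {mimic}"))
        elif (m := O1_RE.match(line)):
            findings.append(("hosts", line, f"{m['host']} pinned to {m['ip']}"))
    return findings


if __name__ == "__main__":
    for kind, line, note in triage(SAMPLE_LOG):
        print(f"[{kind:7}] {note}: {line}")
```

Run against the sample, the script reports one process path, both `O4` entries and the Hosts override, and stays silent on the two genuine `svchost.exe` instances, `explorer.exe` and `mobsync.exe`. A transposition-aware distance matters here: plain Levenshtein scores `scvhost` against `svchost` as 2, so a threshold of 1 would miss exactly the name this thread is about.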
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If you have a copy still of scvhost.exe I would like to see it just in case :) submit@diamondcs.com.au

    And yes you might need to kill the process or do the instructions in Safe Mode, so the trojan is not rewriting the values after you delete them.
     
  15. mrpaul

    mrpaul Guest

    I did this but it's still there! o_O

    I'm stuck!!!
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Please make a copy of the file and send it to us as soon as possible. If there is any problem accessing the file do it from safe mode, even zip it with a password if you need to.

    While in safe mode run Hijack This! again and delete the Configuration Loader keys from there. Now the process should really be stopped from starting, unless there are other startups :(
     