# HELP!!! SVC.EXE TROJAN HORSE keeps reappearing!!!



## deepblue501 (Oct 24, 2003)

help anyone, i'm desperate!!!

I have the svc.exe trojan horse on my PC, and even after scanning everything (Symantec internet check and Norton AntiVirus do not even recognize it; first they did, but now not anymore!!), deleting relevant parts of the registry, the svc.exe command (c:\windows\system32\svc.exe) keeps reappearing and blocking everything!!! Every time I try to open My Computer, internet, anything, Norton AntiVirus detects the virus and I have to quarantine or delete it. No matter how many times I delete everything, it keeps coming back!

I saw one of your threads, titled CLIENTMAN.... (04-10-2003), which is about this problem. There IMM says that I have to use Process Explorer and kill svc.exe. But svc.exe does NOT appear when I use Process Explorer so I cannot continue!!! What now!??

It might however be the file symproxysvc.exe connected with Norton Internet Security. Is it that one? Do I have to kill that one??

What can I do to get this horrible trojan horse out of my system?

Thanx for all the help!!

pete


----------



## Flrman1 (Jul 26, 2002)

Hi deepblue501

Welcome to TSG!

Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished the "Scan" button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

The log may reveal the source of the problem.


----------



## deepblue501 (Oct 24, 2003)

Hi flrman!

thanx for the advice. I did it and here are the results:

Logfile of HijackThis v1.97.3
Scan saved at 3:01:57 AM, on 10/25/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\RVP\BPC.EXE
C:\PROGRAM FILES\SAY THE TIME\SAYTIME.EXE
C:\PROGRAM FILES\SAY THE TIME\SAYTIME.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
D:\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://revolto3.da.ru/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://revolto3.da.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastweb.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastwebfinder.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by FastWeb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.supret.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Say the Time] C:\Program Files\Say the Time\SayTime.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O4 - Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.fastweb.it
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.astagiudiziaria.org/g2/s.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.abiweb.net/groups/FSX37162/astex.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37909.3147685185
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

one strange thing is that I already fixed the O4 HKCU svc.exe entry before, because I saw it on the other thread. But look, it's right there again!!! I cannot seem to get rid of it! Please help!

bye!
pete


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://revolto3.da.ru/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://revolto3.da.ru/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastwebfinder.com/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.supret.com/

O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe

O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe

O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.astagiudiziaria.org/g2/s.exe

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.abiweb.net/groups/FSX37162/astex.exe

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\WINDOWS\system32\svc.exe file

Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Let windows remove files in use at next reboot", then click "Proceed".

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
After getting the latest reference files you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished put a check by and let it fix everything it finds.

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks.
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.
The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
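A small helper, added here as an example and not part of this thread or of HijackThis itself, that parses the R0/R1, O4 and O16 lines of a log like the one pasted above and flags the same kinds of entries Flrman1 singled out: an HKCU Run entry pointing into a `system32` directory on a Win9x box (whose system directory is C:\WINDOWS\SYSTEM), the WhenUSave adware loader, ActiveX (DPF) entries that download a bare .exe, and start/search URLs whose host the user has not confirmed. The sample log is a constructed subset of the lines in this thread; the trusted-host list is an assumed input the user supplies (their ISP and mail hosts), which is the confirmation step that went wrong with the gmx.net and fastweb.it lines.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97.3 lines quoted in this thread.
SAMPLE_LOG = r"""
Platform: Windows 98 SE (Win9x 4.10.2222A)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fastweb.it
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FFFF0029-0001-101A-A3C9-08002B2F49FB} - http://www.astagiudiziaria.org/g2/s.exe
"""

LINE_RE = re.compile(r"^(?P<kind>R[01]|O\d+)\s+-\s+(?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.+?):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)")

def is_win9x(log):
    # HijackThis prints "Platform: ... (Win9x ...)" on Windows 95/98/ME.
    return any(l.startswith("Platform:") and "Win9x" in l for l in log.splitlines())

def _host_trusted(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)

def review(log, trusted_hosts):
    """Return [(line, reason)] for entries worth a second look. trusted_hosts are
    hosts the user confirms as theirs (ISP, mail) so their R0/R1 lines are not flagged."""
    win9x = is_win9x(log)
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        url = URL_RE.search(body)
        if kind in ("R0", "R1"):
            if url and not _host_trusted(url.group(1), trusted_hosts):
                findings.append((line, "IE start/search URL points at an unconfirmed host"))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            cmd = (o4.group("cmd") if o4 else body).strip().lower()
            if win9x and "\\system32\\" in cmd:
                findings.append((line, "Win9x keeps system files in C:\\WINDOWS\\SYSTEM; a system32 path is out of place"))
            elif cmd.endswith("\\save\\save.exe"):
                findings.append((line, "WhenUSave adware loader"))
        elif kind == "O16" and url and body.lower().rstrip().endswith(".exe"):
            findings.append((line, "ActiveX download entry fetches a bare .exe rather than a .cab"))
    return findings

if __name__ == "__main__":
    for line, why in review(SAMPLE_LOG, ["gmx.net", "fastweb.it"]):
        print(why, "->", line)
```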


----------



## deepblue501 (Oct 24, 2003)

hi flrman,

i'll do it, but are you sure i have to delete the ones mentioning Fastweb (=my ISP) and gmx.net (=my email site)??

I'm asking this just to make sure that I will not delete my access to these two fundamental services.

If you are sure, i'll do it, and then i'll do all the other steps. If it works, I will really be grateful!!! Thanx very much!!!
pete


----------



## Flrman1 (Jul 26, 2002)

Sorry, my mistake! I got in too big of a hurry I guess.

The fastweb one threw me because of this one:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.fastwebfinder.com/sp.php

Which leads to a porn site.

The other one to gmx I didn't mean to put it in for removal.

I have edited my post above.


----------



## deepblue501 (Oct 24, 2003)

no problem, 4 eyes are always better than 2!!
I will now proceed. Cross my fingers that it helps. Will get back with the answer and flowers if it works!!!

pete


----------



## deepblue501 (Oct 24, 2003)

alright, things seem to be ok, I have just a few more little questions before I will jump in the air

1) I couldn't go into safe mode - F8 was not responding, but since I couldn't find c:\windows\system32\svc.exe, I assume I can safely skip that part, right? If not, how do I access safe mode, 'cause F8 doesn't seem to work

2) furthermore, two odd things that might be related to the svc.exe trojan - when I have my Norton Internet Security enabled I cannot access the internet. It just doesn't work. This was never the case before. Now I can only access the internet when I disable NIS. This is strange. Might the svc.exe file have some remnants in my NIS or might it have affected NIS in some way, and do I need to uninstall NIS just to make sure?
The second one is that every time I start up, my Explorer window automatically starts showing my C: drive. Might this be connected as well to the svc problem or not at all (if not....uh...how can I get rid of it...??)

I just did the scan with Spybot and everything seems fine, so if you could just, as a last thing, answer the small questions above!

Anyway, THANK YOU!!! It really makes me feel good that there are friendly people around that like to help. I will definitely recommend this site to anyone having problems. You are the best!!!

pete


----------



## Flrman1 (Jul 26, 2002)

You definitely need to find and delete the svc.exe file.

See here for an alternative to start in safe mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

You better check for this entry in hijack this again:

O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe

It probably has returned since you did not delete the svc.exe file.

Boot to safe mode and delete the C:\WINDOWS\system32\svc.exe file

I'm not familiar with NIS, but I'll see what I can find out on that.


----------



## deepblue501 (Oct 24, 2003)

well, I did Hijack This again, and the O4 - HKCU (..) svc.exe entry is not in there!! Might it be hidden only to reappear after a certain time? Besides, the file c:\windows\system32\svc.exe is not there, also not to be found with DOS. It seems that either I was lucky somehow or the svc.exe is changing names and hiding places. Is that possible? Maybe it is an active trojan horse?

Pete


----------



## Flrman1 (Jul 26, 2002)

I'm sure it's not changing names as it's not the polymorphic type trojan.

Just to be sure, open My Computer and go to View > Folder Options, click on the View tab and make sure there is a check by "Show all Files" and look for it again. If you don't find it then we'll just have to assume it's gone.


----------



## deepblue501 (Oct 24, 2003)

I always have the show all files on so it must be gone, I guess. I do have problems with IE sometimes though, especially after using Command or WMP, and then when I start typing something in internet I get an error message. Oh, I'm just guessing, don't know if that has anything to do with the whole thing....probably not! If you know anything about this, let me know please (or about the NIS thingie, or the C: Explorer thingie - my PC seems to be a mess really....)!!!

I think you solved my problem. Now if I could just find the beer smiley...

Here's to you flrman!!! thanx a lot!!!!!

pete


----------



## Flrman1 (Jul 26, 2002)

I just had a thought about the problem you are having with the Windows Explorer opening on restart.

Do you have Adaware 6? There was an issue like this in the first build of Adaware 6 build 161 I think. If you do have adaware check the version. Open Adaware and click on the little squiggly i icon in the upper right corner and it will tell what version you have.

Edit: I guess I should say did you already have Adaware before I recommended you get it in this thread.


----------



## deepblue501 (Oct 24, 2003)

hi flrman!

it's build 162, and yes, I did have it already before. I installed most of the software that you told me, it seems very useful and I feel more secure now, thanx!

No word on the NIS problematic?

pete


----------



## Flrman1 (Jul 26, 2002)

Well, I suspect that is your problem. The current build of Adaware is 6.181. You need to update it. If I remember correctly you will have to uninstall the current build first, then download the latest version.


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by flrman1:_
> *Well I suspect that is your problem, The current build of Adaware is 6.181. You need to update it. If I remember correctly you will have to uninstall the curreent build first then download the latest version. *


----------



## deepblue501 (Oct 24, 2003)

hi there again!

did it, but Explorer keeps starting on startup. Besides, when I try to delete files from C: it goes extremely slowly and almost blocks up everything; it takes about 30 seconds to delete small folders! There is something wrong with it. Could it be connected with the virus I had, and what can I do to fix it?

pete


----------

