# svc.exe trojan, hijackthis log files



## Woolie (Oct 30, 2003)

Hey guys,

Performed a search of the forums and came up with as much info as possible for ya.

I have the svc.exe virus...obviously. I tried ending the process in the explorer; there were about 5 or 6 in total, and once I stopped the last one, two more popped up. I end those too, and they come right back.

Here is my HijackThis log. I was tempted to clear everything just to see what would happen, but I thought better of it and decided to post here instead.

Just out of curiosity, what would have happened if I had "fix checked" all of the files?

Thanks for the help...much appreciated!!!

Logfile of HijackThis v1.97.3
Scan saved at 7:37:56 PM, on 10/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\svc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wooly\Desktop\HijackThis.exe

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

Have you tried starting up in Safe Mode?

Delete the file from c:\windows\system32\*svc.exe*

Then run HijackThis and check and "fix" these two entries:

O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll (file missing)

The surest way to start in Safe Mode is to run *msconfig* and open the Boot.ini tab. You can put a check in */safeboot* there. It needs to be removed to reboot to normal mode.

Alternately, press f8 promptly on restart to access the Boot Menu and select Safe Mode from there.

Post another Scanlog after deleting the file and registry entries once you return to Normal mode.

>> Checking and "fixing" entries in HijackThis removes the startup calls for them in the registry. You would have to restore all those for the programs you want to start, like your antivirus. They could be restored from HijackThis's backup if you preserve it, but this is not good procedure.

If you want to "troubleshoot" rather than delete, run *msconfig* and UNcheck entries under the startup tab.


----------
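As an added illustration of the log reading Rollin' Rog describes above (this is example code, not part of the original thread or of HijackThis), a small Python parser for HijackThis O2/O4 lines that flags the entries worth attention and shows what a blanket "fix checked" would take with it. The excerpt it runs on is reconstructed from the first log posted above, and the SYSTEM_LOOKALIKES name list is an assumption of this example.

```python
import re

# Constructed excerpt of the HijackThis log posted above (only the O2/O4 lines matter here)
LOG = r"""
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+?)( \(file missing\))?$")

# Assumption of this example: names of core Windows binaries. The real ones start as
# services, never from a Run key, so a Run entry borrowing such a name deserves a look.
SYSTEM_LOOKALIKES = {"svc", "svchost", "lsass", "services", "winlogon", "csrss", "smss"}

def parse(log):
    """Turn O4 (Run key) and O2 (BHO) lines into dicts; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"kind": "O4", "hive": hive, "key": key, "name": name, "cmd": cmd})
            continue
        m = O2_RE.match(line)
        if m:
            name, clsid, path, missing = m.groups()
            entries.append({"kind": "O2", "name": name, "clsid": clsid, "path": path,
                            "missing": missing is not None})
    return entries

def suspicious(entry):
    """Reasons an entry deserves attention; an empty list means it looks ordinary."""
    reasons = []
    if entry["kind"] == "O2" and entry["missing"]:
        reasons.append("BHO registered but its DLL is gone (stale registration)")
    if entry["kind"] == "O4":
        exe = entry["cmd"].split()[0].lower()             # first token (rough: unquoted paths with spaces get cut)
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # bare file name, no extension
        if stem in SYSTEM_LOOKALIKES:
            reasons.append(f"autostart named like a core system binary ({stem})")
        if entry["hive"] == "HKCU" and "\\system32\\" in exe:
            reasons.append("per-user Run key launching a file dropped in system32")
    return reasons

def fix_all_would_remove(entries):
    """What 'fix checked' on every line costs: ordinary autostarts lost along with the bad one."""
    return [e["name"] for e in entries if e["kind"] == "O4" and not suspicious(e)]
```

Running suspicious() over parse(LOG) flags the [svc] entry twice (system-binary lookalike, per-user Run key into system32) and the missing BHO once, while fix_all_would_remove() shows that fixing every line would also drop AVG_CC, NvCplDaemon and ICQ Lite.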



## Woolie (Oct 30, 2003)

Rollin,

in safe mode,

I've deleted the svc.exe and MP3.EXE.

I can't delete the svchost.exe file.

It is in use and I can't stop the processes the virus is running in the task manager. I'll stop them all and seconds later they reappear.

I've deleted

O4 - HKCU\..\Run: [svc] C:\WINDOWS\system32\svc.exe

and

O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\system32\BrowserHelper.dll (file missing)

Here is the scanlog after returning to normal mode.

Logfile of HijackThis v1.97.3
Scan saved at 11:24:09 PM, on 10/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wooly\Local Settings\Temporary Internet Files\Content.IE5\AXORMHM5\hijackthis[1]\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

arrrgghhh.....


----------



## Rollin' Rog (Dec 9, 2000)

The log is now "clean". Are you still having problems?

svchost.exe is a required system service and multiple instances are normal.

http://support.microsoft.com/?kbid=314056


----------



## Woolie (Oct 30, 2003)

The virus seems to be gone. I ran another AVG test and it came up clean. Thanks a lot for the help Rollin, much appreciated, I'll let you know if it resurfaces.


----------



## Woolie (Oct 30, 2003)

Rollin, it was a short-lived victory, the virus is back. My log appears clean, but I've included it anyway. My AVG is detecting it when I scan. I'm about to try the link you supplied, so I'll let you know what I find. Any other suggestions?

Logfile of HijackThis v1.97.3
Scan saved at 7:23:41 PM, on 10/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wooly\Local Settings\Temporary Internet Files\Content.IE5\AXORMHM5\hijackthis[1]\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks


----------



## Woolie (Oct 30, 2003)

Rollin'

The virus seems to be contained in the following file:

C:\System Volume Information\_restore{08CAAEDD-061F-434E-B48D-FFF4F7687394}\RP118\A0007343.dll

I've searched for this file, but can't seem to locate it.

My AVG can't find it either. 

Any thoughts?


----------



## Rollin' Rog (Dec 9, 2000)

That is your System Restore archive. In order to clean those you must turn off System Restore. Then your antivirus can delete it.

Once you reboot and turn on System Restore again, launch it and create a new check point.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039


----------



## Woolie (Oct 30, 2003)

Rog,

OK, I'll try that when I get home from work. I'll let you know the results....Happy Halloween!!!

Thanks again


----------



## Rollin' Rog (Dec 9, 2000)

You're welcome. The file is definitely in the restore archive. By turning it off and rebooting you will be completely purging the check points. Your antivirus should be run before re-enabling it. 

Then once the system is clean and it is turned back on again, create a new "checkpoint"; you can name it anything, but that will give you something right off the bat.


----------

