# svchost.exe keeps crashing!



## marcos (Aug 13, 2003)

Help! Everytime I start my computer I get a message saying, "svchost.exe has generated errors and will be closed..." Then I can't access File/Folder Search or the Add/Remove Programs in Control Panel. Does anyone know how I can fix this? I would appreciate it if someone could help me.


----------



## dvk01 (Dec 14, 2002)

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even

required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## Squashman (Apr 4, 2003)

It could also be the latest Security hole in Windows. Are you running 2000 or XP. If so run this stuff.

For XP run this patch
http://microsoft.com/downloads/deta...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

For 2000 run this patch
http://microsoft.com/downloads/deta...46-F541-4C15-8C9F-220354449117&displaylang=en

Then run this tool to see if you have the MSBLAST.exe virus and remove it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


----------



## Paquadez (Jun 9, 2003)

I have the same problem!

svchost.exe is forcing closure and generating error codes.

Net results are that:

1. My Network and Dial-up Connections pane suddenly empties of EVERYTHING! including the set-up new connection icon and already set-up connections to ISPs etc;

2. It proves impossible to use hyperlinks in emails and some web sites;

3. When opening Word, earlier, an error message stated that I was unable to generate links to other documents etc.

Another tech web site (is there another tech web site?) had pretty copious info on this and suggested that it was caused by the W31.Blaster Worm. However I use Sophos and went onto their site, yesterday and download all the latest virus identities to add to the August update (already installed). The other site suggested downloading the Symantec fix tool: done and dusted and I thereafter loaded the Security Patch for Win 2000 (using 2000Pro). Symantec tool reported no trace of Blaster?????

Have just downloaded Hi Jack and will run and post results.

This has ruined my day!

Oh, other downside was that it prevents me adding "Smilies" to my posts!:down:  :down: Wow, that seemed to work................

Will post log once run.

Paq


----------



## MsPCGenius (Apr 24, 2000)

Your system has been infected by the W32.BLASTER worm. You will need to eradicate the virus and apply the patch to protect yourself. You can find the fix at www.symantec.com. The link to the patch is listed above.


----------



## Paquadez (Jun 9, 2003)

Thanks MsPC

Problem is that the Symantec Blaster tool reported no trace of the worm!

MS patch loaded directly after the scan.

Anyway, herewith the result of the HiJack This scan

Logfile of HijackThis v1.96.0
Scan saved at 18:14:19, on 13/08/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MailSword\MSwSrvce.exe
C:\SUPERVOC\PROGRAM\PICPMON.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ups.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\MailSword\TrayView.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\ScanPanel\ScnPanel.exe
C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
F1 - win.ini: load= C:\PROGRA~1\IOMEGA\IOMEGA~1\REGISTER\remind.exe
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SystemInit] C:\WINNT\iservc.exe
O4 - HKLM\..\Run: [MailSword] C:\Program Files\MailSword\TrayView.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Program Files\Ad-aware 4.5\Ad-aware.exe /Auto /Log "C:\Program Files\Ad-aware 4.5\"
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Interested in the comments back!

All the best

Paq


----------



## dvk01 (Dec 14, 2002)

paq

you have the fizzer worm read here for instructions to fix it then post back a new log & we can see what else is wrong
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


----------



## Paquadez (Jun 9, 2003)

Many thanks, dvk

Can't get on the site at present.

Will access in morning and excise (hopefully!).

Strange, went through the exercise with Sophos one month ago, according to their info, worm destroyed!

Hmmmmmm £300 per annum, too!

One wonders!


----------



## dvk01 (Dec 14, 2002)

try the removal tool 
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer.removal.tool.html


----------



## Paquadez (Jun 9, 2003)

Hi dvk

Managed to access the Symantec site early this am, downloaded fix said OK and herewith the new scan from Hijack this.

Many thanks for your valued assistance.

Paq

:up: Logfile of HijackThis v1.96.0
Scan saved at 09:32:50, on 14/08/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\SUPERVOC\PROGRAM\PICPMON.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ups.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINNT\system32\msiexec.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\HijackThis.exe

F1 - win.ini: load= C:\PROGRA~1\IOMEGA\IOMEGA~1\REGISTER\remind.exe
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Adaware Bootup] C:\Program Files\Ad-aware 4.5\Ad-aware.exe /Auto /Log "C:\Program Files\Ad-aware 4.5\"
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Pro 8.0\Ereg\REMIND32.EXE
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B34550ED-6F5B-435E-9206-B52A1507F33D}: NameServer = 194.62.44.11 194.164.2.10


----------



## dvk01 (Dec 14, 2002)

paq

it all looks clean now, but make sure you have downloaded and installed the patch from M$ (link on the symantec site) to prevent re-occurance

It is also essential to run a firewall

a list of good firewalls is here http://www.wilders.org/firewalls.htm


----------



## Paquadez (Jun 9, 2003)

Many thanks Dv

Patch from MS already in.

What do think of Zone Alarm?

Paq:up:


----------



## dvk01 (Dec 14, 2002)

Any firewall that works and you are happy with it is a good firewall

personally, I prefer Kerio because it is more configureable, but ZA has a good reputation, I just find it a bit restricting when trying to allow or disallow certain applications. But that is the way I work, I like to allow certsain applications free access but certain applications only to & from defined IP numbers, that is easy with kerio but more fiddly withn ZA


----------



## Paquadez (Jun 9, 2003)

Many thanks for you kind and much valued assistance dvk.

Sygate now installed and up and running.

I noticed that your recommended site for Firewalls recommended Paul Gibson's site as source research.

I have used his original SPyware until he passed it over to AdAlert, which I have used until I installed SpyBot last week.

I was on Gibson's news letters until my old NT4 system Blue Screened fatally, last November and I upgraded to a new workstation (generic from EuroPC - excellent value for money!) and Win 2000Pro. Problem was I had to build a slave machine (luckily have a number of spares!) and use the secondary HDD on which I had backed-up the whole of the C drive and all files................ Tried to restore using my Iomega tape streamer with a Brand New 10 Gig cartridge used for the last back up only: and it screwed up the tape first time!

Sometimes IT gets you down!

Still by going down to file level, using WinZip and burning CDRs, I managed to re-capture nearly everything, except email messages for November. Managed to salvage my address book, but cannot no matter how I try, pursaude OE 5.5. to import the email archives....................................sometimes I just Love Uncle Bill.

Anyway, now all seems OK and security bristling out of every seam!

Again, many thanks for assist.

All the best.

Paq:up: :up:


----------



## gavinX (Aug 17, 2003)

Hi I'm new here and hope you are all well.
Can Anyone please help me, I have the same problem with the svchost. I've downloaded the hijackthis scan and here's the result:

Logfile of HijackThis v1.96.0
Scan saved at 16:02:40, on 17/08/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\TrayIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://m30379.tjdo.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://m30379.tjdo.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINNT\System32\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SysW8] C:\PROGRA~1\CLEANS~1\csta.exe startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy &WebWatch - C:\Program Files\Easy WebWatch\swatch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: ZDNet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28C75B93-C2D7-4013-B46D-568C60F7A652}: NameServer = 207.44.140.102 64.191.22.247

Does anyone know what's wrong? Please help me!!! I really need to get this bl%dy thing fixed!!!


----------



## MrSoap (Aug 17, 2003)

Same problem around with the schost crashing the system. Here's the hijack log:

Logfile of HijackThis v1.96.0
Scan saved at 7:04:33 PM, on 8/16/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\dsnthser.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\loadqm.exe
C:\WINNT\PIC.GIF.EXE
C:\WINNT\System32\msblast.exe
C:\Program Files\Common Files\GMT\GMT.exe
D:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cdplayer.exe
C:\Documents and Settings\Tommy1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magicthegathering.com/
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MaxInst] MaxInst
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PIC.GIF] C:\WINNT\PIC.GIF.EXE /nomsg
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0989657ae6ed4e8b6e05/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.7082060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C364B24-E056-4C23-9BC3-86BFFFC4EF67}: NameServer = 206.165.189.4 206.165.189.5


----------



## buckaroo (Mar 25, 2001)

Hi gavinX, Welcome to TSG.

You can have HJT fix the following. Close your browser and reboot afterwards.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://m30379.tjdo.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://m30379.tjdo.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

If this isn't associated with your ISP or network, have HJT fix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{28C75B93-C2D7-4013-B46D-568C60F7A652}: NameServer = 207.44.140.102 64.191.22.247

Finally, not sure what this guy is, do you? Leave it for now.

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg


----------



## buckaroo (Mar 25, 2001)

Hi MrSoap, Welcome to TSG.

You have the MSBlast worm. Let's get that first.

Go here and download removal tool: Follow the instructions.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Then go here and download the patch to fix this security hole:

http://download.com.com/3120-20-0.html?qt=823980&tg=dl-2001&search=+Go!+

After that's done, go here and download Spybot:

http://www.safer-networking.org/index.php?lang=en&page=download

Make sure you check for and download curent updates, then have it scan your system. Anything in RED, can be removed by Spybot safely. Then re-post your log.


----------



## MrSoap (Aug 17, 2003)

Thanks for the welcome, buckaroo. I'm going to make all the listed things and then post it again. Thanks again


----------



## upham (Aug 18, 2003)

Hi, I've just joined as well. What a great resource of info!

Unfortunatly I've got the same problem as those above, but it's not the Fizzer or the blast worms, as I've downloaded the symantic removing tools for these and neiter have detected these worms.

The svchost.exe will crash after about 5 minutes on the net and will not let me disconnect, and do other things like copy and paste, open more new windows, etc.

Any help would be warmly welcome!
Heres my HijackThis scan results.............

I've just noticed FIXBLAST.EXE is running from my D-drive??? I was surfin last night and Nortons antivirus poped up and said it had detected the blast virus, and had deleted it. So I downloaded the Blastfix and ran it. I'm not sure why it's still there.

Logfile of HijackThis v1.96.1
Scan saved at 7:45:57 p.m., on 18/08/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\anvshell.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Sound Control\SC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\FixBlast.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
D:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: Sound Control.lnk = C:\Program Files\Sound Control\SC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RealGuide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA50217D-E188-412D-BE73-E05E0E96D452}: NameServer = 203.96.152.4 203.96.152.12


----------



## buckaroo (Mar 25, 2001)

Hi upham, welcome to TSG.

Just to get a second opinion, go here and get a free online AV scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Your log looks okay, except for this item:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA50217D-E188-412D-BE73-E05E0E96D452}: NameServer = 203.96.152.4 203.96.152.12

Now, if you recognize this domain as either your ISP or network, then leave it. If you don't recognize it, then maybe consider having HJT fix it. If it takes care of your problem, then good. If it's a legitimate entry, you can always have HJT restore the entry.

To have HJT fix it, close your browser, run HJT, check the box next to the item. Reboot afterwards.


----------



## gavinX (Aug 17, 2003)

Hey Buckaroo, Thank You so much for your help!!!
I did what u told me to do and it didn't work, the svchost still crash and it said RCP or RPC server doesnt work neither!!! I think there's some virus in me system which damages my anti-virus software, my Norton Anti-Virus didn't seemed work so I installed MacAfee's Virus Scan but that crashed few days later!!! And my system doesnt let me install it again!!! I then scaned for Fizzer Worm using a fix from symantec but it found no traces of the worm. What's the problem??? Please help!!! This is really pecking my head!!! 
Here's me new HJT scan:

Logfile of HijackThis v1.96.0
Scan saved at 11:06:24, on 19/08/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\TrayIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINNT\System32\wins\svchost.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Go!Zilla\GoIEHlp.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINNT\System32\TrayIcon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ImageDrive.exe] C:\Program Files\ahead\ImageDrive\ImageDrive.exe 
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SysW8] C:\PROGRA~1\CLEANS~1\csta.exe startup
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy &WebWatch - C:\Program Files\Easy WebWatch\swatch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: ZDNet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28C75B93-C2D7-4013-B46D-568C60F7A652}: NameServer = 207.44.140.102 64.191.22.247

 PLEASE HELP !!!! THANK YOU


----------



## enansiog (Aug 19, 2003)

I'm having the same problem, here is the log I got.

Logfile of HijackThis v1.96.1
Scan saved at 6:21:29 AM, on 8/19/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\PROGRA~1\Navnt\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Navnt\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\CyberLink\PowerVCRII\Agent.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\Grxp4exe.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\J\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://minisearch.startnow.com/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqwire.com/searchpage.php?aid=958
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucomics.com/nonsequitur/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\J\Application Data\Mozilla\Profiles\default\z9zwcqy2.slt\prefs.js)
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\mpz300.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [Splash Screen] E:\SplashScreen\SplashScreen.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [PowerS] "C:\WINDOWS\PowerS.exe"
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver
O4 - HKLM\..\Run: [Agent] C:\Program Files\CyberLink\PowerVCRII\Agent.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [Sentry] C:\WINNT\Sentry.exe
O4 - HKLM\..\Run: [msbb] C:\WINNT\System32\msbb.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: GetThis4Free (HKLM)
O9 - Extra 'Tools' menuitem: GetThis4Free (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/059091641846618e7200/netzip/RdxIE.cab
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} - http://www.sqwire.com/toolbar/SQLoader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/220e1cd351b6a4ec9321/netzip/RdxIE6.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {85411480-DDF9-11D0-8F52-080009CDBAA9} (Starwave_Comparison_Chart) - http://stats.espn.go.com/java/OuterComparisonChart.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} (loader2 Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37672.6487037037
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/Browser_Plugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/flipside/corollajoyride/wtinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?4,0,1323,0
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify204.cab


----------



## buckaroo (Mar 25, 2001)

Hi gavinX.

Okay let's take this guy out with HJT:

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg

And this was on my list before...did it come back?

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

Also, do an online scan here:

http://housecall.trendmicro.com/housecall/start_corp.asp

Post back, okay?


----------



## buckaroo (Mar 25, 2001)

Hi enansiog, Welcome to TSG.

Close your browser and check the following items to fix them in HJT. Reboot afterwards.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://minisearch.startnow.com/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqwire.com/searchpage.php?aid=958
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ucomics.com/nonsequitur/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll (file missing)

O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINNT\System32\mpz300.dll (file missing)

O4 - HKLM\..\Run: [PowerS] "C:\WINDOWS\PowerS.exe"

O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.stripsaver.com!StatsStripSaver

O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe

O4 - HKLM\..\Run: [Sentry] C:\WINNT\Sentry.exe

O4 - HKLM\..\Run: [msbb] C:\WINNT\System32\msbb.exe

O9 - Extra button: GetThis4Free (HKLM)
O9 - Extra 'Tools' menuitem: GetThis4Free (HKLM)

O11 - Options group: [CommonName] CommonName

O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/05909164184661...etzip/RdxIE.cab

O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} - http://www.sqwire.com/toolbar/SQLoader.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/220e1cd351b6a4...tzip/RdxIE6.cab

O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download....ctl_0_0_0_0.ocx

After fixing the above, go and download Spybot:

http://spybot.eon.net.au/index.php?lang=en&page=download

After installation, have it check for updates and download any updates. Then have it check for problems. Anything it finds in RED is safe to have Spybot remove.


----------



## doughnut (Aug 21, 2003)

this problem i have started on aug 17 and i have been looking in this page and try the tool removal from symanteca dn it said that didnt find any worm
and with this software that u run today is what i got
and would like some help to fix the problem

Logfile of HijackThis v1.96.0
Scan saved at 2:36:42 PM, on 8/21/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\msblast.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\loadqm.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\doughnut\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Gainward] C:\WINNT\TBPanel.exe /A
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## buckaroo (Mar 25, 2001)

Hi doughnut, Welcome to TSG.

Well you do have the MSBlast worm. The removal tool will work on it, not sure what happened. Try it again, it's been updated as of today, 8/20/03.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Then install the patch right away.

http://download.com.com/3120-20-0.html?qt=823980&tg=dl-2001&search=+Go!+

After MSBlast is taken care of, you can have HJT fix the following. Close your browser and reboot afterwards.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm

O2 - BHO: (no name) - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: WeatherBug (HKCU)

This item should be gone once you remove the worm:

O4 - HKLM\..\Run: [windows auto update] msblast.exe


----------



## gavinX (Aug 17, 2003)

Hey Buckaroo, thanks for your help, it's all sorted now. NO MORE svchost crashing!!! I found out what the promblem was, it was a worm called Welchia. I went to Symantec and removed it  No more problems! Thanks for your support! By the way I still doesn't have any Anti-virus programes, I just downloaded eAnthology- Stop Sign software, is that any good??? Thanks Very Much Buckaroo!!!


----------



## buckaroo (Mar 25, 2001)

W32.Welchia.Worm does the following:

Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer. 
Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic. 
Attempts to remove W32.Blaster.Worm.

Well, at least it wasn't a malacious worm. 

Sorry, I don't know anything about e-anthology. However, you should never be without AV protection. There's free resident scanners you can download as well as free firewalls:

http://www.freebyte.com/antivirus/#scanners


----------



## gavinX (Aug 17, 2003)

Thanks Again Buckaroo, I've done a scan online, it said that my PC is free from all virus and Trojans, GREAT!!!!! So I installed MacAfee Virus Scan Again, no problem, it's working! and everything is running as smooth as silk. Thanks Very Much for your help!!!!!!! You made me a very happy boy  Thanks


----------



## buckaroo (Mar 25, 2001)

Great! :up: You're Welcome!


----------



## Rocal (Aug 27, 2003)

Hi all I am new and have the same prob as the rest of you and i cant get it to work so here is my report and its a fresh install of win 2k pro so it shouldnt be a Virus but you never know.

Logfile of HijackThis v1.96.2
Scan saved at 12:04:40 PM, on 8/27/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WoC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.worldofcaenyr.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.9311921296
O17 - HKLM\System\CCS\Services\Tcpip\..\{34FF5BB9-BAC3-42FF-8487-BC40257C94A5}: NameServer = 209.244.0.3 209.244.0.4


----------



## Teenytoona (Aug 27, 2003)

Just found this site, and glad I did. If I can just list what we've got running on our computer, would you all mind giivng me a run down of what the precise problem might be?

Here's what's running

Logfile of HijackThis v1.96.2
Scan saved at 10:51:02 AM, on 8/27/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\wins\DLLHOST.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\essspk.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37690.6522106482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

We're getting the same message with the svchost.exe terminating Word.

Also we have the added touch of not exactly being able to get online (due to company server) to every website (only some). The particular computer doesn't seem to be able to get onto any website. We've been running back and forth to the one computer that does connect, attempting to dl stuff to a floppy and putting it on the "troubled" computer. The troubled computer also had an anti-virus program running on it, but as we can't access any websites on that particular computer, no virus check has been run on it since May.

Anyone care to deal with these issues?

Thanks much in advance!!
Teeny


----------



## buckaroo (Mar 25, 2001)

Rocal, Welcome to TSG.

You can have HJT fix the following. Close your browser, start HJT and put a check next to the following item, click Fix. Reboot afterwards.

O17 - HKLM\System\CCS\Services\Tcpip\..\{34FF5BB9-BAC3-42FF-8487-BC40257C94A5}: NameServer = 209.244.0.3 209.244.0.4


----------



## buckaroo (Mar 25, 2001)

Hi Teenytoona, Welcome to TSG.

You have the MSBlast worm. Download this removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

After removal, download the patch ASAP:

http://download.com.com/3120-20-0.html?qt=823980&tg=dl-2001&search=+Go!+

Nothing else with your log jumps out to me. Just make sure you update your AV and do a scan.


----------



## MrMetal (Sep 4, 2003)

Please help me... 

StartupList report, 04/09/2003, 21:17:49
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\P&TLUX~1\LuxDSL\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\P&TLUX~1\LuxDSL\app\EnterNet.exe
C:\Documents and Settings\Administrator\Desktop\Julien\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
Smapp = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
LoadQM = loadqm.exe
microsoft scvhost for windows = scvhost.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

microsoft scvhost for windows = scvhost.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4_296 bytes
Report generated in 0,031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## buckaroo (Mar 25, 2001)

Hi MrMetal, welcome to TSG. Let us know what problems you're having, okay?

Also, post your Hijack This scan log. When you open HJT, click on the Scan button, which will then turn into a Save Log button. That's the log we need to review. Here's instructions if you need them:

http://www.tomcoyote.org/hjt/


----------



## MrMetal (Sep 4, 2003)

I have a problem with my svchost.exe. keep crashing after 5-10 min after my comp is on. I can go to the internet but no copy/past and no new internet explorer widows and no new program... :'(

Logfile of HijackThis v1.96.4
Scan saved at 22:27:37, on 05/09/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\P&TLUX~1\LuxDSL\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINNT\system32\scvhost.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\P&TLUX~1\LuxDSL\app\EnterNet.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [microsoft scvhost for windows] scvhost.exe
O4 - HKLM\..\RunServices: [microsoft scvhost for windows] scvhost.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: EPT Applet - https://www.ccp-connect.lu/exbanking.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## buckaroo (Mar 25, 2001)

Okay, let's take these two out of your start up folder. Close your browser, open up HJT, click Scan, check the following two items, then click the Fix button:

O4 - HKLM\..\Run: [microsoft scvhost for windows] scvhost.exe

O4 - HKLM\..\RunServices: [microsoft scvhost for windows] scvhost.exe

...then reboot.

Then go here and do an AV scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Let us know if that helps.


----------



## Lyta (Sep 8, 2003)

I've read thousands of post from everywhere and I can't find a solution to my problem w/ svchost... 
It's not:
msblast
fizzer
sobigb
welchia
winshell stealther

The problems are the same; within 3-5 minutes connected to the net the svchost.exe is closed by windows and copy/paste stops working, ctrl+f, moving stuff is not allowed and some liks don't open.

I've run HJT and the log is here:

Logfile of HijackThis v1.96.4
Scan saved at 21:15:18, on 7/9/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\Arquivos de programas\Winamp\Winamp3\winampa.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Discador Telefonica\ddt.exe
C:\WINDOWS\system32\internat.exe
C:\REGINA\WINZIP7.0\WZQKPICK.EXE
C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\REGINA\WINZIP7.0\winzip32.exe
C:\Documents and Settings\Administrador\Configurações locais\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ubbi.com.br/busca/ieak/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Save Flash - {8C25D102-1E68-4DAA-8E5F-B4B6D5E0CC3A} - C:\Arquivos de programas\Pilot Group\Save Flash\PilotBand.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Arquivos de programas\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddt] "C:\Arquivos de programas\Discador Telefonica\ddt.exe" -F
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global User StartupMicrosoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global User StartupWinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global User StartupAdobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global User StartupAcrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com.br
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com.br
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F58D897C-33DB-4DB8-8C20-4079960139A8}: NameServer = 200.204.0.138 200.204.0.10

Help me please!!!!!!!!


----------



## buckaroo (Mar 25, 2001)

Hi Lyta, Welcome to TSG.

Well nothing jumps out to me with your log. The only potential one could be this item:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F58D897C-33DB-4DB8-8C20-4079960139A8}: NameServer = 200.204.0.138 200.204.0.10

.....now, if you recognize the I.P. address as either your ISP or perhaps network router, then leave it. Otherwise, you can have HJT remove it.

I see you have House Call, you should do a current AV scan if you haven't done one recently.

You may also want to download Spybot:

http://security.kolla.de/index.php?lang=en&page=download

...after installing, have it go online and download all updates, then have it scan your system. Everything it finds in RED is safe to remove.


----------



## Lyta (Sep 8, 2003)

Hiya
I've deleted the one you told me to, but nothing happened... it's still the same; I've booted the computer and connected again and the problem is still here.

I believe the log I gave you was after having my svchost closed by windows. This time I'll give ya the one before connecting to the net.

here it goes:

Logfile of HijackThis v1.96.4
Scan saved at 19:24:18, on 8/9/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\Arquivos de programas\Winamp\Winamp3\winampa.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Discador Telefonica\ddt.exe
C:\WINDOWS\system32\internat.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\REGINA\WINZIP7.0\WZQKPICK.EXE
C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\REGINA\WINZIP7.0\winzip32.exe
C:\Documents and Settings\Administrador\Configurações locais\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ubbi.com.br/busca/ieak/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Save Flash - {8C25D102-1E68-4DAA-8E5F-B4B6D5E0CC3A} - C:\Arquivos de programas\Pilot Group\Save Flash\PilotBand.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Arquivos de programas\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddt] "C:\Arquivos de programas\Discador Telefonica\ddt.exe" -F
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global User StartupMicrosoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global User StartupWinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global User StartupAdobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global User StartupAcrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com.br
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com.br
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

About House Call, yes, I've actually installed it because of this probelm w/ svchost.....
My last scan was just 3 days ago!!!!! And it has found nothing....
Any clues???
lyta


----------



## Lyta (Sep 8, 2003)

Hi.
I've just run Spybot as you said. It found a lot of stuff in my computer, but mainly related to ads.

take a look at the log:

Logfile of HijackThis v1.96.4
Scan saved at 21:06:07, on 8/9/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\Arquivos de programas\Winamp\Winamp3\winampa.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Discador Telefonica\ddt.exe
C:\WINDOWS\system32\internat.exe
C:\REGINA\WINZIP7.0\WZQKPICK.EXE
C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\REGINA\WINZIP7.0\winzip32.exe
C:\Documents and Settings\Administrador\Configurações locais\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ubbi.com.br/busca/ieak/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.br/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com.br
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ANTIVI~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Arquivos de programas\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddt] "C:\Arquivos de programas\Discador Telefonica\ddt.exe" -F
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global User StartupMicrosoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global User StartupWinZip Quick Pick.lnk = C:\REGINA\WINZIP7.0\WZQKPICK.EXE
O4 - Global User StartupAdobe Gamma Loader.exe.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global User StartupAcrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com.br
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com.br
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Lyta (Sep 8, 2003)

After cleaning all of it and connecting to the net again I got this HUGE problem!!!!!!!!!
It doesn't copy/ paste or any other of those things it wasn't doing before, but it also DOESN'T SAY THERE'S A PROBLEM W/ SVCHOST ANYMORE!!!!!!!!!
what the hell is going on here?????? any clues????


----------



## buckaroo (Mar 25, 2001)

Hi Lyta, well like I said, there's nothing that really jumps out with your log. You did the Spybot scan and House Call, so it's unlikely a security-related issue. Have you downloaded all MS updates? Did you recently install something before this started?


----------



## Lyta (Sep 8, 2003)

Hiya!
After a long list of posts.....
yesterday I did everything I could and nothing seemed to work. Today, on the other hand, things seem to have cooled down!!!

After leaving my last post yesterday I thought my computer was behaving too weirdly and I decided to take a last look at HJT log. I ran it again and... surprisingly... it found msblast on it again!!!!
I ran symantec's FixBlast and connected to the net again. This time nothing else happened.....

I've run your Spybot and it cleaned a lot of stuff in my system. Maybe it also erased my problem w/ all the other things!!!!

Today I was able to connect for some time and svchost hasn't crashed yet. I believe you got another one right!!!!
Thanks a lot,
Lyta.

(I'll be around; let's just hope not w/ other problems...)


----------



## buckaroo (Mar 25, 2001)

To keep from getting infected, you must download the MS patch:

http://download.com.com/3120-20-0.html?qt=823980&tg=dl-2001&search=+Go!+


----------



## Lyta (Sep 8, 2003)

hiya
I've already installed the msblast patch.
thanks, anyway.
lyta


----------



## buckaroo (Mar 25, 2001)

Spiritwalker and kenbattou

Don't piggy-back on existing posts. It gets real confusing and makes it harder to get the help you want.

This thread should have been put to bed a long time ago.


Spirtwalker.....nothing going on with your log. It doesn't sound like you're having any problems. I believe stisvc.exe is a legitimate app.


kenbattou....nothing going on with your log either. I'm going to ask a mod to split your problem off onto it's own thread so you;ll have a better chance of folks seeing it.


----------



## ~Candy~ (Jan 27, 2001)

Split both people into their own threads, and closing post


----------

