Press F1 forum
Thread ID: 85689 | 2007-12-18 21:48:00 | schost.exe - Help Please! | Rumba (13183)
Post 622587 | 2007-12-18 21:48:00 | Rumba (13183)

Hello, recently I have noticed a program on my computer. And a little bubble with a yellow warning triangle:

Windows antivirus. Windows has detected spyware infection! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware!

I did a HijackThis scan. Results:

Logfile of HijackThis v1.99.1
Scan saved at 21:36:22, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\zmmj\Application Data\trant.exe
C:\DOCUME~1\zmmj\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iqon.ie
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F7DB3BF-658D-4F3E-923E-42EE40226DDE} - C:\WINDOWS\system32\avicap3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
O4 - HKCU\..\Run: [lovefilm DLM Manager] C:\Program Files\LOVEFiLM International\Lovefilm Download Manager\Download Manager.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - upload.facebook.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - messenger.zone.msn.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - messenger.zone.msn.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - static.photobox.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

If there is any info that I need to take out of that, please tell me. I looked at my system process list and I saw: svchost.exe. Thank you.

Edit: Oh, and the program it asks me to install when I click the text is: UltimateDefender
Post 622588 | 2007-12-18 22:01:00 | Speedy Gonzales (78)

Put HJT in its own folder first, run it again, then tick these entries. Close browser/s.

C:\WINDOWS\shell.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

These are safe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Nasty

O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll

Uninstall ALL versions of Sun Java. The latest version is in my sig; get Trojan Remover and Rogue Remover from my sig as well. Update both, then click on scan. Then select all options under the Utilities menu in Trojan Remover. Then install an AV program and a firewall. Looks like Ultimate Defender is rogue software. Rogue Remover should remove it.
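The entries Speedy picks out above are the classic rogue-antispyware persistence set: an extra shell in system.ini (F2), a Run entry whose file name imitates a real Windows binary (spoolvs.exe vs spoolsv.exe), a DLL pushed into every process through AppInit_DLLs (O20), and a policy that locks the user out of regedit (O7). The thread also goes back and forth on svchost.exe versus look-alike spellings. The script below is an added example (not code from the thread, not part of HijackThis) that reads a HijackThis-style log and flags those patterns mechanically. The category names, the list of known system binaries and the near-miss rule are the script's own assumptions; the sample log is a constructed excerpt of the log posted above plus one made-up "scvhost.exe" Run entry to show the svchost look-alike case.

```python
"""Triage a HijackThis (v1.99-era) log for the persistence tricks discussed in
this thread: a system.ini Shell= hijack, an AppInit_DLLs injection, a
DisableRegedit lockout policy, autostarts whose file name is a near miss of a
real Windows binary, and executables running from user-writable folders.
Added example; not code from the thread or from the HijackThis project."""
import re

# Legitimate Windows XP system binaries that rogue software likes to imitate (assumed list).
KNOWN_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe", "smss.exe"}

# User-writable folders from which nothing should be autostarting on a stock XP box.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")

# First token ending in .exe; brackets and quotes are excluded so "[ctfmon.exe]"
# yields "ctfmon.exe" and a quoted path yields its file name.
EXE = re.compile(r'([^\\/"\s\[\]]+\.exe)\b', re.IGNORECASE)


def near_miss(candidate, genuine):
    """True if candidate is one substitution, one adjacent transposition or one
    inserted/deleted character away from genuine (case-insensitive)."""
    a, b = candidate.lower(), genuine.lower()
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) == 1:
        longer, shorter = (a, b) if len(a) > len(b) else (b, a)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def triage(log_text):
    """Return a list of (category, log_line) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("f2 - reg:system.ini: shell="):
            # Anything besides Explorer.exe in Shell= is an extra shell started at logon.
            if line.split("=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("shell_hijack", line))
        elif low.startswith("o20 - appinit_dlls:"):
            # A non-empty AppInit_DLLs is loaded into every process that links user32.
            if line.split(":", 1)[1].strip():
                findings.append(("appinit_dll", line))
        elif low.startswith("o7 - ") and "disableregedit=1" in low:
            findings.append(("policy_lockout", line))
        elif low.startswith("o4 - ") or low.startswith("c:\\"):
            # Run-key / startup-folder entries and the "Running processes" paths.
            match = EXE.search(line)
            if not match:
                continue
            exe = match.group(1).lower()
            if any(near_miss(exe, known) for known in KNOWN_BINARIES):
                findings.append(("lookalike_name", line))
            elif any(folder in low for folder in USER_WRITABLE):
                findings.append(("user_writable_autostart", line))
    return findings


# Constructed excerpt: lines taken from the log posted in this thread, plus one
# made-up "scvhost.exe" Run entry to show the svchost look-alike case.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\shell.exe
C:\Documents and Settings\zmmj\Application Data\trant.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\scvhost.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
"""

if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:24} {line}")
```

Running it on the sample prints six findings: trant.exe running from Application Data, the shell.exe entry in Shell=, the spoolvs.exe and scvhost.exe look-alikes, the DisableRegedit policy and the wowfx.dll AppInit entry. The genuine svchost.exe and spoolsv.exe process lines, printer.exe and ctfmon.exe are not flagged, which is the point of matching on a one-edit distance rather than on "looks odd".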
Post 622589 | 2007-12-18 22:49:00 | Trev (427)

Hey Speedy. The Java link in your sig takes you to the Java download page, which could be confusing. Maybe your link should take you to this page: www.java.com :)
Post 622590 | 2007-12-18 22:54:00 | Thebananamonkey (7741)

Did you have an issue with svchost.exe, Rumba? Or did you just think it was suspicious? svchost is a Windows app that runs other apps. I'm just wondering what help you actually wanted with it, or if you did.
Post 622591 | 2007-12-18 22:58:00 | Speedy Gonzales (78)

> Hey Speedy. The Java link in your sig takes you to the Java download page, which could be confusing. Maybe your link should take you to this page: www.java.com :)

Good idea, I've changed it :)
Post 622592 | 2007-12-18 23:00:00 | Rumba (13183)

Thank you for the help Speedy, but it hasn't worked yet. I'm re-doing the steps. xD And I read about scvchost, apparently that is the bad one and the good one is scYchost? *Shrug* The real problem is UltimateDefender, guess I should have put that in the title. 'Doh!

Edit: I've also noticed it won't let me go to the Control Panel / edit user accounts. Is this connected?

EDIT: And sorry, my bad, I missed the V in my title but not in my post.
Post 622593 | 2007-12-18 23:04:00 | Speedy Gonzales (78)

Did you tick ALL of the entries I posted?? And get Trojan Remover as well?
Post 622594 | 2007-12-18 23:16:00 | Rumba (13183)

Yep, I got Trojan Remover, although it stopped halfway last time I did it. I'm trying again now and it seems to be working. And the yellow triangle went after I hovered over it. OK, now I did a full Trojan Remover scan. Then it restarted my comp, but the triangle is still there. Would it be easier to just download UltimateDefender and just remove it, as there are ways to? And Rogue Remover says it's removed it, but when I do another scan it comes up again.

Edit: I get a Windows-type popup saying:

Windows Security Alert
Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scans now to pervent unauthorized any access to your files! Click here to download spyware remover ...

(Note, pervent is not a typo xD)
Post 622595 | 2007-12-18 23:23:00 | Speedy Gonzales (78)

See if Ultimate Defender is in Add/Remove Programs; uninstall it if it's there. And no, you don't want to download it, it's crap. Follow this (www.bleepingcomputer.com)
Post 622596 | 2007-12-18 23:33:00 | Rumba (13183)

This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

^ I get that message when I try to get to Control Panel or run any of the Control Panel sub-sections from Run. And I actually haven't got Ultimate Defender, isn't that link you gave for if you downloaded it?