svhost.dll and error messages at start up
The PC gives a sequence of errors while starting: first "explorer encountered error with SVHOST", then other applications like msgsrv32 (many times) and mmtask. Once the error message sequence has ended, the PC either runs normally, hangs, or will not let you open the Start menu.
In C:\windows, svhost.dll appears (reappearing at every normal boot even if you delete it). Only in safe mode does it not reappear. The Arrival and Sent .dbx files contain the word svhost somewhere. A cookie named standard@sophos[1] and containing the word svhost is in the cookie folder. Regedit does not show any svhost name anywhere. The Sophos cookie contains the following ASCII (read in Notepad):
__utma
92984479.1565398232.1168622942.1168622942.1168622942.1
sophos.com/
1600
2350186496
32111674
645881760
29832815
*
__utmb
92984479
sophos.com/
1600
1457512576
29832819
645881760
29832815
*
__utmz
92984479.1168622942.1.1.utmccn=(organic)|utmcsr=google|utmctr=svhost.dll+me+windows|utmcmd=organic
sophos.com/
1600
3798011008
29869527
656781760
29832815
*
I scanned in safe and normal modes, without the restore option, and without any other application self-starting (i.e. via the Msconfig option), with Norton, Ad-Aware SE Personal, multi AV-CLS (Sophos and Kaspersky work, Trend and McAfee do not) and SpybotSD, without any success.
There are no differences between the HijackThis log in safe mode and in normal mode.
Here is my HijackThis log in normal mode:
Logfile of HijackThis v1.97.7
Scan saved at 0.11.37, on 14/01/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\DESKTOP\PC\PULISCI SPYWARE\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.acer.com/
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37975.0218981481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0858E8F8-1901-4E87-BB34-8B6F2D404A9E} (WebCamSetup Object) - http://webcam-stage.tiscali.it/activex/TiscaliWebCamSetup.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
Can anyone help me? I can send the svhost.dll file for analysis. What happens if I re-install Windows ME?
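As an added example (not code from the post), a Python script that triages the two artifacts quoted above offline. It parses the IE cookie file records and decodes the __utmz value, which is a standard Google Analytics cookie whose utmctr field carries the Google search term that led the browser to sophos.com; and it reads a few lines of the HijackThis log, reporting every O15 Trusted Zone entry (a site for which IE applies its relaxed Trusted sites security settings) and every O16 ActiveX download whose host is outside an allow-list. The cookie and log lines are copied from the post; the allow-list TRUSTED_CAB_HOSTS is an assumption about this machine, not something the post states.

```python
"""Offline triage of the two artifacts quoted in the post above: the cookie
file saved from sophos.com and a few lines of the HijackThis log.  Added
example, not code from the original post.  The cookie and log lines are copied
from the post; TRUSTED_CAB_HOSTS is an assumption about this machine."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# IE stores cookies as flat text: one record per cookie (name, value,
# host/path, flags, expiry low/high, created low/high) closed by a "*" line.
COOKIE_TEXT = """__utma
92984479.1565398232.1168622942.1168622942.1168622942.1
sophos.com/
1600
2350186496
32111674
645881760
29832815
*
__utmz
92984479.1168622942.1.1.utmccn=(organic)|utmcsr=google|utmctr=svhost.dll+me+windows|utmcmd=organic
sophos.com/
1600
3798011008
29869527
656781760
29832815
*
"""


def parse_ie_cookie_file(text):
    """Return {name: (value, host_path)} for every '*'-terminated record."""
    cookies = {}
    for record in text.split("*\n"):
        lines = record.strip("\n").split("\n")
        if len(lines) >= 3:
            cookies[lines[0]] = (lines[1], lines[2])
    return cookies


def decode_utmz(value):
    """Split a Google Analytics __utmz value into its campaign fields.

    Layout: <domain hash>.<unix time>.<sessions>.<campaigns>.<key=val|key=val...>
    utmcsr is the referring site, utmctr the search term that led to it.
    """
    _hash, ts, _sessions, _campaigns, rest = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    fields["timestamp"] = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    fields["search_term"] = fields.get("utmctr", "").replace("+", " ")
    return fields


# Three entry types from the posted log; the O4 line is there to show that
# ordinary autostart entries pass through untouched.
HJT_LOG = r"""O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37975.0218981481
O16 - DPF: {0858E8F8-1901-4E87-BB34-8B6F2D404A9E} (WebCamSetup Object) - http://webcam-stage.tiscali.it/activex/TiscaliWebCamSetup.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
"""

# Hosts this machine is expected to pull ActiveX CABs from (assumption).
TRUSTED_CAB_HOSTS = ("microsoft.com", "macromedia.com", "symantec.com")

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\}) \((.*?)\) - (\S+)$", re.I)


def host_is_trusted(host):
    """Exact match or subdomain of an allow-listed host; no substring matches."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_CAB_HOSTS)


def triage_hjt(log):
    """Return (section, subject, reason) tuples for entries worth a look:
    every O15 Trusted Zone site and every O16 ActiveX download from a host
    outside TRUSTED_CAB_HOSTS."""
    findings = []
    for line in log.splitlines():
        if line.startswith("O15 - Trusted Zone:"):
            site = line.split(":", 1)[1].strip()
            findings.append(("O15", site, "site in IE Trusted Zone"))
            continue
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            host = urlparse(url).hostname or ""
            if not host_is_trusted(host):
                findings.append(("O16", host, f"{name} {clsid} downloaded from non-allow-listed host"))
    return findings


if __name__ == "__main__":
    cookies = parse_ie_cookie_file(COOKIE_TEXT)
    z = decode_utmz(cookies["__utmz"][0])
    print(f"__utmz: visit from {z['utmcsr']} on {z['timestamp']:%Y-%m-%d}, "
          f"search term {z['search_term']!r}")
    for section, subject, reason in triage_hjt(HJT_LOG):
        print(f"{section}: {subject} - {reason}")
```

The O15 check reports every Trusted Zone entry rather than judging the site, because the point is that the entry exists at all: a HijackThis log from a machine where nobody added sites to the Trusted zone by hand should have no O15 lines. The O16 allow-list is deliberately suffix-based so that a look-alike such as evilmicrosoft.com does not pass.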
Comments
svhost.exe is a process which is registered as the W32.Mydoom.I@mm worm. This virus is distributed via the Internet through e-mail.
Your computer is actually infected with this virus. Now a few things can be done in order to remove it completely:
Firstly, use ZONE ALARM PRO or its Internet security suite, update it and then restart the system. If Zone Alarm comes up with a pop-up on the screen showing that svhost.exe wants to access the system, tick the option "always apply" and then click Deny.
This svhost process will be stopped immediately. But if it doesn't stop, then enter the Zone Alarm suite, go to Program Control, then go to Programs, then find svhost.exe in the list and kill the process.
Well, I think this will solve your problem because I went through the same situation a week back. But in case it doesn't solve your problem, then format the system and install a fresh Windows.