Apua SCVhostin poistamiseen?

Discussion in 'Virukset ja haittaohjelmat - HijackThis -logit' started by dare3, Jan 15, 2007.

  1. dare3

    dare3 Member

    Joined:
    Jan 15, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Niin elikkäs voisko joku tarkistaa mun HJT:n? Epäilen et siel on toi scvhost.exe, mut ei sen poistaminen oikeen tahtonu onnistua niin tarttisin apua? Kiitos!

    Logfile of HijackThis v1.99.1
    Scan saved at 18:04:12, on 15.1.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\scvhost.exe
    C:\WINDOWS\scvhost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Documents and Settings\Jaakko\Työpöytä\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\TeleWell\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [] C:\WINDOWS\scvhost.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Registration .LNK = D:\Pelit\Ghost Recon - Advanced Warfighter\Support\Register\RegistrationReminder.exe
    O4 - Startup: Registration Ghost Recon Advanced Warfighter.LNK = D:\Pelit\Ghost Recon - Advanced Warfighter\Support\Register\RegistrationReminder.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Officen käynnistys.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
    dare3, Jan 15, 2007
    #1
  2. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    HJT omaan kansioon ihan ekana, C:\hjt\hjt

    Merkkaa nuo ja paina fix checked:

    O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [msconfig] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [icq lite] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [Update Checker] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [AntiVir] C:\WINDOWS\scvhost.exe
    O4 - HKLM\..\RunOnce: [] C:\WINDOWS\scvhost.exe

    varmista vielä että on kaikki fixattu missä lukee scvhost.exe perässä.

    Käynnistä kone vikasietotilaan, laita piilotiedostot näkyviin ja poista tuo:

    C:\WINDOWS\--->scvhost.exe<---

    käynnistä sitten normaalitilaan ja lataa eScan: http://koti.mbnet.fi/pattaya1/escanmwav.htm
    Päivitä ihan ekana, ohjeet on tuolla sivulla, päivitystapa 2, sitten skannaa kone läpi.

    Lähetä eScan virus log ja uusi HJT logi.
     
    Last edited: Jan 15, 2007
    fixeri, Jan 15, 2007
    #2
  3. dare3

    dare3 Member

    Joined:
    Jan 15, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Siis fixasin sillä HJT:llä ne scvhost.exe filut. Mut semmonen ongelma et en löytäny sitä scvhost.exe tiedostoa windows kansiosta. Mutta ainakin antivir tuntus toimivan nyt oikeen. Teenkö nyt kuitenki niin et tarkistan sillä escanilla ja pistän sen login ja uuden HJT:n login tähän?
     
    dare3, Jan 15, 2007
    #3
  4. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    Joo, koeta vielä niin että anna olla piilotiedostot näkyvillä ja koeta Etsi toiminnolla löytyykö sitä scvhost.exe tiedostoa.

    Aja tuo eScan ja laita sen virus log ja uusi HJT logi tänne.
     
    Last edited: Jan 15, 2007
    fixeri, Jan 15, 2007
    #4
  5. dare3

    dare3 Member

    Joined:
    Jan 15, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Noniin eli en löytänyt edes sillä Etsi toiminnolla sitä scvhost.exe filua. Mutta tässä ois nyt se escan virus log ja uus HJT:n logit.

    escan:

    File C:\Documents and Settings\Jaakko\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\Jaakko\Application Data\SecuROM\UserData\???????????p????????? infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
    File C:\Documents and Settings\Jaakko\Local Settings\Temporary Internet Files\Content.IE5\0H893OVJ\ysb_prompt[1].html infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: File Deleted.
    File C:\Documents and Settings\Jaakko\Local Settings\Temporary Internet Files\Content.IE5\9JCYXHOM\ysb_prompt[1].html infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: File Deleted.
    File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
    File C:\System Volume Information\_restore{2669A4F5-393E-4757-A166-3145F03C4ABA}\RP324\A0037067.exe tagged as not-a-virus:AdTool.Win32.WhenU.a. No Action Taken.

    HJT:n logit:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Kaspersky\mwavscan.com
    C:\Kaspersky\kavss.exe
    C:\HJT\HijackThis_v1.99.1.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\TeleWell\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Officen käynnistys.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
    dare3, Jan 15, 2007
    #5
  6. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    Eipä tuota enää logissakaan näy.

    Tyhjennä vielä järjestelmän palautus kansio.

    Järjestelmän palautus kansion tyhjentäminen.

    1. Klikkaa oikealla oma tietokone-kuvaketta
    2. Valitse ominaisuudet
    3. Valitse järjestelmän palauttaminen välilehti
    4. Valitse "poista järjestelmän palauttaminen kaikissa asemissa"
    5. Paina "käytä"
    6. Paina OK
    7. Käynnistä kone uudelleen
    8. Tarkista kone virustorjuntaohjelmalla
    9. Poista kaikki saastuneet tiedostot
    10. Laita järjestelmän palautus uudelleen päälle.

    Sitten pitäs olla kaikki reilassa, mutta kertoile jos on vielä ongelmia.
     
    fixeri, Jan 15, 2007
    #6
  7. dare3

    dare3 Member

    Joined:
    Jan 15, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Poistanko "käsin" jotain noista eScan:n löytämistä viruksista?
     
    dare3, Jan 15, 2007
    #7
  8. fixeri

    fixeri Regular member

    Joined:
    Oct 5, 2006
    Messages:
    381
    Likes Received:
    0
    Trophy Points:
    26
    Eikun tyhjennä vaan tuo järjestelmänpalautus kansio.
     
    fixeri, Jan 15, 2007
    #8
  9. dare3

    dare3 Member

    Joined:
    Jan 15, 2007
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    11
    Nyt on ohjeiden mukaan toimittu ja ei löytynyt virustorjuntaohjelmilla mitään epäilyttävää. Joten kaikki näyttäis olevan kunnossa. Sen verran vielä kysyn, vaikka en tiiä, että kuuluko tähän keskustelualueeseen. Että kannattaskohan vaihtaa sygate pois, kun kuulin, että sitä ilmaisversiota ei enää kehitetä?

    Kiitos oikeen paljon neuvoista!
     
    dare3, Jan 15, 2007
    #9
  10. kerbo

    kerbo Regular member

    Joined:
    May 15, 2005
    Messages:
    2,796
    Likes Received:
    4
    Trophy Points:
    48
    Samaan kysäisen vielä,että onko turhaa ajaa tota escannia jos käyttää active virus shieldiä tai kasperskyn virustutkaa?? Kun eikös se escan käytä noita kasperskyn tunnisteita niin kuin myös avs??
     
    kerbo, Jan 15, 2007
    #10

Share This Page