Svchost.exe Trojan Virus Spyware??

M

ms4278

Joined
Feb 11, 2007
Messages
3
Reaction score
0
Hi i woke up this morning to find this really nasty process running in my Security Task Manager.

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:08 AM, on 2/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\TEMP\svchost.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Security Task Manager\TaskMan.exe
C:\Documents and Settings\Manny\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Heres a tasklist /svc from command prompt

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Manny>tasklist /svc
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 888 N/A
csrss.exe 944 N/A
winlogon.exe 972 N/A
services.exe 1032 Eventlog, PlugPlay
lsass.exe 1044 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe 1216 Ati HotKey Poller
svchost.exe 1268 RpcSs
svchost.exe 1416 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
dmserver, ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, RemoteAccess, Schedule,
seclogon, SENS, SharedAccess,
ShellHWDetection, TapiSrv, TermService,
Themes, TrkWks, uploadmgr, W32Time, winmgmt,
wuauserv, WZCSVC
ati2evxx.exe 1564 N/A
svchost.exe 1660 Dnscache
svchost.exe 1792 Alerter, LmHosts, SSDPSRV, WebClient
spoolsv.exe 1976 Spooler
explorer.exe 360 N/A
alg.exe 856 ALG
wdfmgr.exe 1508 UMWdf
svchost.exe 1544 N/A <<<<<< This is what im concerened about!!!!!!!!!!!!!!!!!
CFD.exe 3432 N/A
firefox.exe 3820 N/A
TaskMan.exe 5868 N/A
iexplore.exe 584 N/A
HijackThis.exe 1736 N/A
notepad.exe 4168 N/A
iexplore.exe 3200 N/A
wmiprvse.exe 4236 N/A
cmd.exe 4356 N/A
tasklist.exe 4368 N/A
C:\Documents and Settings\Manny>


This is the problem.... svchost.exe 1544 N/A <<<<<< This is what im concerened about!!!!!!!!!!!!!!
Also C:WINDOWS\TEMP\cel90xbe.sys is working with the svchost.exe 1544 N/A. There is only 2 files i can see at C:WINDOWS\TEMP\, svchost.exe and cel90xbe.sys

Heres some more info about this process

(Also runs under safe mode)
Located at C:WINDOWS\TEMP\svchost.exe 1544 N/A
Related file C:WINDOWS\TEMP\cel90xbe.sys
(While in safemode this exe runs with it wuauclt.exe)
(wuauclt.exe doesnt run in normal mode)


This program cannot be run in DOS mode.
/c del
----------------
rpXugE
jpv1ij
Ua\h
HYle
ShellExecuteW
wsprintfW
2SetUnhandledExceptionFilter
GetCurrentProcessWUnhandledExceptionFilter
GetSystemTimeAsFileTimeFTerminateProcess
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetVersionExW
DeleteFileW
GetTickCount
uGetModuleHandleA
sGetModuleFileNameA
GetVersion
FreeLibrary
ExitProcessZUnmapViewOfFile
DeleteFileA
GetShortPathNameWtGetModuleFileNameW
FindResourceWQGetEnvironmentVariableW
FLoadResource
SizeofResource
CreateFileWTLockResource
WriteFileR
CloseHandle
FreeResource
HeapFree
GetProcessHeap
HeapAlloc
lstrcatW
xGetModuleHandleW
GetProcAddress
WjeS
tO9ut.u
c\0bulknet\build_root\preloader.27\startdrv\objfre_wxp_x86\i386\StartDrv.pdb
cel90xbe.sys
wuauclt.exe
ComSpec
RtlInitUnicodeString
ZwSetSystemInformation
RtlAdjustPrivilege
.data
.text
RichP


Ive been hearing clicks and dings behind the scenes with no explorer windows open or any programs running.

I have looked everywhere i could and tried everything to make this disappear please any help is much appreaciated!!!!! thank you.
 

Attachments

  • svchostexeprob.webp
    svchostexeprob.webp
    21.4 KB · Views: 603
Is that your complete HijackThis log, as I don't see any AV program there? - also it must be run from its own folder ie: C:\Programs\HijackThis\HijackThis.exe

svchost is a generic process name used by different programs - most folks will have several instances running in Windows - however it should be running from your System32 folder and NOT a Temp folder as you have (there is virus that executes as svchost, but it likes to use 100% of your CPU - so check in Task Manager to see if this is the case)

wuauclt.exe is to do with the Windows Update service.

No idea what cel90xbe.sys is - but google doesn't bring up anything worrying.

Please do a full AV scan in Safe Mode - use your own in safe mode and also use the online scanners from Kaspersky, Panda and Trend Micro then report back with a full HijackThis log together with the result of the AV scans :thumb:
 
Ok boy them scans take a realllly long time... I didnt do everything you said. So heres what i did based on what you said. You said i didnt have any anti-virus so i went and got one; Panda Anti-Virus 2007. I installed it updated it and immediately i found the virus. I had 1 virus and it was that svchost.exe. I tried other methoeds like spybot and others ect but nothing worked but once i got ahold of panda 2007 it was killed. I no longer see the files in my temp folder.. Its a Dead DUCK!

Logfile of HijackThis v1.99.1
Scan saved at 1:25:00 PM, on 2/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AvltMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O15 - Trusted Zone: *.sbcglobal.net
O15 - Trusted Zone: http://*.sbcglobal.net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe



tasklist /svc
C:\Documents and Settings\Manny>tasklist /svc
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 916 N/A
csrss.exe 964 N/A
winlogon.exe 1000 N/A
services.exe 1048 Eventlog, PlugPlay
lsass.exe 1060 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe 1232 Ati HotKey Poller
svchost.exe 1276 RpcSs
PAVSRV51.EXE 1456 PAVSRV
AVENGINE.EXE 1472 N/A
svchost.exe 1572 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, RasMan, RemoteAccess, Schedule,
seclogon, SENS, SharedAccess,
ShellHWDetection, TapiSrv, TermService,
Themes, TrkWks, uploadmgr, W32Time, winmgmt,
wuauserv, WZCSVC
ati2evxx.exe 1696 N/A
svchost.exe 1704 Dnscache
svchost.exe 1744 Alerter, LmHosts, SSDPSRV, WebClient
spoolsv.exe 256 Spooler
alg.exe 364 ALG
PsImSvc.exe 644 PSIMSVC
explorer.exe 1024 N/A
wdfmgr.exe 1396 UMWdf
ApVxdWin.exe 880 N/A
WebProxy.exe 1736 N/A
AVLtMain.exe 2124 N/A
firefox.exe 2720 N/A
HijackThis.exe 3620 N/A
notepad.exe 3640 N/A
iexplore.exe 3756 N/A
psimreal.exe 4084 N/A
cmd.exe 1332 N/A
services.exe 1932 N/A
lsass.exe 532 N/A
tasklist.exe 1888 N/A
wmiprvse.exe 1668 N/A
C:\Documents and Settings\Manny>
 

Attachments

  • allgood.webp
    allgood.webp
    90 KB · Views: 1,205
Now that looks alot better - running without an AV suite is frankly asking for trouble - Panda AV is pretty good, Kaspersky or NOD32 would have been a bit better though ;)

I do note however that you have sbcglobal.net in your windows trusted zone - is this your ISP (possibly AT&T/Yahoo?) - if not then run HijackThis again and select those entries and remove :thumb:

Another thing I note is you are still on Windows XP SP1 - you really do need to install SP2 and all the subsequent security updates to give you the best possible protection
nod.gif
 
Sbcglobal.net is my isp. Its AT&T/Yahoo dsl. I just got xp pro sp2 a few days ago i just need to install. Ive been lazy. Thank you for all the help. ^^
 
Back
Top