TechSpot

Infected and need help

By Zough
Apr 17, 2007
  1. Hi,
    I can't get rid of the following processes which I regard as suspicious.
    I kill them and they return immediately. I do not use IE, I use Firefox.
    iexplore.exe
    svchost.exe

    Attached the HjT log

    Hope someone can help.

    Zough
     
  2. c_h_e

    c_h_e TS Rookie

    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

    svchost.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

    svchost.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

    svchost.exe is a process belonging to Microsoft Service Host Process. This could also be a stealth monitoring software that sits in the background and tracks all activities such as keyboard input (including websites visited, passwords etc.) This information can be sent to third parties through email or ftp uploads. If you did not intentionally install this program make sure you remove it to protect your privacy.

    Determining whether svchost.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from.

    ________________________________________

    iexplore.exe is the main executable for Microsoft Internet Explorer. This Microsoft Windows application allows you to surf the world wide web and the Internet. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

    iexplore.exe could also be a process which belongs to the . This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

    iexplore.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

    Determining whether iexplore.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from.


    Hope this helped you...
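    The reply above boils the whole question down to "it depends on the directory location it runs from". The following PowerShell is an added example, not code from the thread or from any of the tools it names: it lists every running svchost.exe and iexplore.exe with its image path, parent process and Authenticode signature status, and marks any copy that is not both in its expected directory and validly signed. The expected install paths are an assumption (default %SystemRoot% and %ProgramFiles% layout); adjust them for a non-standard install. Run it from an elevated prompt so that system-owned processes report a path.

```powershell
# Added example (not from the thread): check where svchost.exe / iexplore.exe
# actually run from, who spawned them, and whether the image is signed.
# Requires PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

$watch = @('svchost.exe', 'iexplore.exe')

# Expected on-disk locations. ASSUMPTION: default Windows layout; edit if
# %SystemRoot% or %ProgramFiles% live elsewhere on the box being checked.
$expected = @{
    'svchost.exe'  = @("$env:SystemRoot\System32\svchost.exe",
                       "$env:SystemRoot\SysWOW64\svchost.exe")
    'iexplore.exe' = @("$env:ProgramFiles\Internet Explorer\iexplore.exe",
                       "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe")
}

function Get-SuspectProcessReport {
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.Name -and ($watch -contains $_.Name.ToLower()) }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        # Parent may already have exited (common for droppers), so tolerate a miss.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" `
                      -ErrorAction SilentlyContinue
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }
        # -contains is case-insensitive for strings, so C:\WINDOWS vs C:\Windows is fine.
        $inPlace = $path -and ($expected[$p.Name.ToLower()] -contains $path)
        $verdict = if ($inPlace -and $sig -eq 'Valid') { 'OK' } else { 'SUSPECT' }

        [pscustomobject]@{
            PID       = $p.ProcessId
            Name      = $p.Name
            Path      = $path
            Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" }
                        else { "<exited> ($($p.ParentProcessId))" }
            Signature = $sig
            Verdict   = $verdict
        }
    }
}

Get-SuspectProcessReport | Format-Table -AutoSize
```

    Two things to read off the output: a genuine svchost.exe runs from System32 (or SysWOW64) with a valid Microsoft signature and, on current Windows versions, services.exe as its parent, so a copy under a user profile or Temp directory, an unsigned image, or an odd parent is what the "directory location" rule is really pointing at. The check does not catch a legitimate, correctly located binary that has had code injected into it; for that you need the log-based tools the rest of this thread uses.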
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're running an outdated version of HijackThis.

    Your system has a lop advertising infection.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please Download NoLop to your desktop from one of the links below...
    http://www.spywareedge.net/nolop/NoLop.exe
    http://www.thespykiller.co.uk/forum/...pmod;dl=item16

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, Click OK
    Now click the "REBOOT" Button.
    A Message should popup from NoLop.
    If not, double click the program again and it will finish.

    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above. Also, please attach the C:\NoLop.log.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of Zough only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Zough

    Zough TS Rookie Topic Starter

    NSIS Error when opening/running AVG Antispyware

    I am following the instructions in
    Viruses/Spyware/Malware, preliminary removal instructions.
    and got as far as d/ling AVG antispyware,
    When I tried to open it I got an NSIS error message.
    I went to this site and d/led directly and this opened no problem.
    http://www.ewido.net/en/download/

    Not sure why this happened.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Possibly just a glitch. Carry on with the instructions and post the requested logfiles.

    Regards Howard :)

     
  6. Zough

    Zough TS Rookie Topic Starter

    Results up to step 12

    Nothing found in AVG antirootkit.
    Zough
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please post the requested logfiles.

    Regards Howard :)

     
  8. Zough

    Zough TS Rookie Topic Starter

    HJT and other files

    Here are the files. AVG Antirootkit scan was clear.

    Zough
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

    Also, you're running an outdated version of Hijackthis and it hasn't been renamed as per the instructions. See HERE. I have therefore removed your logfiles as they're not of much use.

    Please run fresh AVG Antispyware and Combofix scans, followed by another HJT scan and post the logfiles.

    Regards Howard :)

     
  10. Zough

    Zough TS Rookie Topic Starter

    Okay, I'll do as you say and get back to you.

    Zough

    3 files attached

    Zough
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    Wipe Corn Bold.exe
    Nero7Keygen.exe
    EvID4226Patch.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKCU\..\Run: [oozedefault] C:\DOCUME~1\Harry\APPLIC~1\SHOWPL~1\Wipe Corn Bold.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\DOCUME~1\Harry\APPLIC~1\SHOWPL~1 - Delete the entire folder.
    C:\Program Files\Common Files\Real\WeatherBug - Delete the entire folder.
    C:\Documents and Settings\Harry\My Documents\Nero 7 Keygen from Paradox - Delete the entire folder.
    C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe

    Reboot into normal mode and rehide your protected OS files.

    Run the Ccleaner programme as per step 9 of the instructions HERE.

    Post fresh AVG Antispyware and HJT logs. See these instructions on how to use AVG Antispyware properly.

    Regards Howard :)

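    The manual cleanup above is a specific instance of a general procedure: find autostart (HijackThis "O4") entries whose target lives somewhere a legitimate program rarely runs from, such as the user's Application Data folder, then remove the registry value. The PowerShell below is an added example, not code from the thread or from HijackThis; it audits the Run and RunOnce keys for the current user and the machine, expands environment variables and 8.3 short paths like C:\DOCUME~1, flags targets under user-profile or temp directories, and provides a one-line removal for an entry you have confirmed is malicious. The list of "suspect" directories is an assumption and can be extended.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries
# (the O4 lines in a HijackThis log) and flag ones launched from user-writable
# profile or temp directories. Read-only unless Remove-AutorunEntry is called.
# Requires PowerShell 3.0+.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# ASSUMPTION: directories a legitimate autostart rarely runs from. Extend as needed.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Documents") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Pull the executable out of a command line such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Get-CommandExe([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } | Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $cmd  = [string]$props.$name
            $exe  = [Environment]::ExpandEnvironmentVariables((Get-CommandExe $cmd))
            # Normalise the path; for an existing file this also expands 8.3 short
            # names (C:\DOCUME~1\...) so the directory prefix test below works.
            $full = if (Test-Path -LiteralPath $exe) { (Get-Item -LiteralPath $exe).FullName } else { $exe }
            $flag = @($suspectRoots | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') }).Count -gt 0
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Target  = $full
                Exists  = Test-Path -LiteralPath $full
                Suspect = $flag
            }
        }
    }
}

# Delete one autostart value once you have confirmed it is malicious; this is the
# registry side of ticking an O4 line in HijackThis and clicking "Fix checked".
# Deleting the file or folder it points to is a separate step.
function Remove-AutorunEntry([string]$key, [string]$name) {
    Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
}

Get-AutorunReport | Format-Table -AutoSize
```

    In the thread's case the flagged row would be the HKCU Run value "oozedefault" pointing into the user's Application Data folder, and the removal would be Remove-AutorunEntry with that key and value name, followed by deleting the folder. As the instructions above note, do this from safe mode: a running dropper will otherwise recreate the value as fast as you delete it, which is exactly the "I kill them and they return immediately" behaviour the first post describes.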
     
  12. Zough

    Zough TS Rookie Topic Starter

    latest files

    Latest AVG Antispyware and HJT logs

    Zough
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Delete all files in AVG Antispyware quarantine.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  14. Zough

    Zough TS Rookie Topic Starter

    Completed all as you recommended. Thanks for all the help. I have one more query. I have files stored on an external hard drive. I have not connected it since I started this process on Techspot. What should I do now about those files. Am I at risk if I reconnect this hard drive to my PC or will the AVG software catch anything that may be a risk?

    Zough
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There is always a risk of connecting something that may be infected, but unless you run something that's infected, you should be ok. However, you should scan the drive with your antivirus and antispyware tools and see if they find anything, before actually using it.

    Regards Howard :)

     