TechSpot

Scvhosts.exe winhosts.exe - Can't get rid of them.

By Snicks
Jan 19, 2005
  1. Hi... I just installed Windows XP (again) and I don't know how I got these worms. I guess it's from my LAN. Anyway, my CPU usage is running at 100%. I have to end scvhosts.exe and winhosts.exe to make it run at 1%. The thing is they are popping in again in a few seconds... I delete the files but they are there again after a few seconds. I removed everything with scvhosts.exe and winhosts.exe from the registry and msconfig, but after restart they get there again.

    Also, my root is full of random-name applications. What should I do?

    Oh, here's a HijackThis log (I saw it helps you guys).

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Welcome to TechSpot

    Go to my post here and follow the instructions EXACTLY
    How to remove Begin2Search / Coolwebsearch

    Run all the (updated!) programs that are mentioned there.

    Try to UNinstall anything to do with:
    C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

    After all that, reboot in Safe Mode and let Hijackthis "FIX" (if still there):
    C:\WINDOWS\System32\servoxt.exe
    C:\WINDOWS\System32\scvhosts.exe

    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O4 - HKLM\..\Run: [scvhosts] scvhosts.exe
    O4 - HKLM\..\Run: [Winhost ] Winhost.exe
    O4 - HKLM\..\Run: [blah service] servoxt.exe
    O4 - HKLM\..\RunServices: [MSSWINHELP] wuadampr.exe
    O4 - HKLM\..\RunServices: [Winhost ] Winhost.exe
    O4 - HKLM\..\RunServices: [scvhosts] scvhosts.exe
    O4 - HKLM\..\RunServices: [blah service] servoxt.exe
    O16 - DPF: v3cab - http://searchmiracle.com/cab/4.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/GamesUnlimited/ie/bridge-c6.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105898358986
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{39FB8240-7350-4365-BC1A-02B3193E3475}: NameServer = 83.103.172.1,194.102.255.3

    When done, Delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
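As an added example (not from this thread, and not part of HijackThis), the following Python helper parses O4 and O17 log lines like the ones quoted above and flags two things a defender would check first: Run/RunServices entries whose executable name is a near-miss of a legitimate Windows binary (the scvhosts.exe vs svchost.exe trick) and NameServer addresses that are not on a trusted list. The KNOWN_GOOD set and the trusted_dns parameter are assumptions; the sample log lines are taken from the post above.

```python
import re

# Assumed list of legitimate Windows binary names that lookalike names imitate.
KNOWN_GOOD = {"svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

# O4 - HKLM\..\Run: [name] command   /   O17 - ...: NameServer = a.b.c.d,e.f.g.h
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")


def dl_distance(a, b):
    """Damerau-Levenshtein distance (optimal string alignment), so that a
    single transposition such as 'scv' vs 'svc' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(log_lines, trusted_dns=()):
    """Return (line, reason) pairs for suspicious O4 and O17 entries."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Basename of the command, without path, quotes or arguments.
            exe = m.group("cmd").split("\\")[-1].split()[0].strip('"').lower()
            for good in KNOWN_GOOD:
                dist = dl_distance(exe, good)
                if 0 < dist <= 2:  # close to a real name, but not the real name
                    findings.append((line, f"lookalike of {good} (distance {dist})"))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m.group("servers").split(","):
                if ip not in trusted_dns:
                    findings.append((line, f"unexpected DNS server {ip}"))
    return findings


# Sample lines copied from the HijackThis log quoted in this thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [scvhosts] scvhosts.exe",
    r"O4 - HKLM\..\Run: [Winhost ] Winhost.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{39FB8240-7350-4365-BC1A-02B3193E3475}: NameServer = 83.103.172.1,194.102.255.3",
]
```

Note that a name such as Winhost.exe, which imitates nothing in KNOWN_GOOD, is not flagged by the lookalike check; the analyst still has to review every unfamiliar O4 entry by hand, as the post above says.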
     
  3. Snicks

    Snicks TS Rookie Topic Starter

    Didn't help

    Hi.

    Thanks for the help. I did exactly the steps you told me to do, and it removed lots of spyware and trojans, but the main problem is still there.

    I did all twice, second time saving logs to show you.

    My PC runs better, but svcshost.exe, svchosts.exe and winhost.exe are still running all the time even if I stop them, remove them from the registry or block them with Search & Destroy. They use my PC up to 100% and generate random-name files in my root. I attached two logs for you.

    Oh, and there is no folder with a name beginning with "search" in the Program Files folder.

    And YPager.exe keeps showing up too (Note: not YPAger.exe, which is Yahoo Messenger).

    Thanks for help.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Your logs are not realistic. There is NO antivirus program running.
    Who are you trying to fool?

    scvhost.exe belongs to windows and is OK.
    scvhosts.exe was the baddie, which has been eliminated.

    If you don't like Yahoo pager, uninstall and delete the lot.
    Run HJT and have it 'fix' those 2 O9 entries with Yahoo in it.

    If you don't give us full information we can't help you any further.
     
  5. Snicks

    Snicks TS Rookie Topic Starter

    Realistic indeed

    The logs are realistic. There is no antivirus because since this virus my NAV simply disappears from the tray when I roll over it, so I quit trying to install all the licensed and cracked versions of NAV. Online RAV finds nothing bad on my computer, and online Panda finds everything wrong with my computer, pretends to disinfect all the files, but it's useless.

    YPager.exe is the messenger, YPager.EXE pretty much isn't.

    scvhost.exe is OK.
    scvhosts.exe and scvshost.exe aren't.

    So what should i do ?
     
  6. Snicks

    Snicks TS Rookie Topic Starter

    Oh, and the hosts file keeps getting replaced with the infected one.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    With this minimum amount of info I can only advise you this:

    Boot in Safe Mode.
    Uninstall ANYTHING to do with Yahoo/Yahoo! or whatever it calls itself.
    Then delete all directories from Yahoo, with everything in it, including the directory itself.

    Clean your \winnt\system32\drivers\etc\HOSTS file (use Notepad) so it has only one entry in it:
    127.0.0.1 localhost
    Save it, then set the attributes (file Properties) to ReadOnly.

    Delete everything in your \Documents & Settings\[username]\Local Settings\Temp
    Clean your temporary internet files and cookies.

    I don't understand this line:
    Are you saying that NAV disappears from the system-tray when you go over it with your mouse?

    Click on Start/Run and type in msconfig then hit enter. Check all the programs that automatically start. UN-check any program that you don't know or find suspicious.

    Then reboot in safe mode, run Hijackthis and post the log here as before, with a .txt extension.


    This is a fairly complicated process, but have a look at this post here in another forum, scroll down until the first post from Site Moderator taz71498.
    Follow it from there, run that findit program and compare your own findings with those in the post.
    If you have anything similar, sign up to that forum and post your problem there. They have more knowledge.
    http://computercops.biz/postlite93976-.html
     