Scvhosts.exe winhosts.exe - Can't get rid of them.

Status
Not open for further replies.
Hi... I just installed Windows XP (again) and I don't know how I got these worms. I guess it's from my LAN. Anyway, my CPU usage is running at 100%. I have to end scvhosts.exe and winhosts.exe to make it run at 1%. The thing is they are popping in again in a few seconds... I delete the files but they are there after a few seconds. I removed everything with scvhots.exe and winhosts.exe from the registry and msconfig, but after a restart they get there again.

Also, my root is full of random-name applications. What should I do?

Oh, here's a HijackThis log (I saw it helps you guys)
 

Attachments

  • hijackthis.txt
Welcome to TechSpot

Go to my post here and follow the instructions EXACTLY
How to remove Begin2Search / Coolwebsearch

Run all the (updated!) programs that are mentioned there.

Try to UNinstall anything to do with:
C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

After all that, reboot in Safe Mode and let Hijackthis "FIX" (if still there):
C:\WINDOWS\System32\servoxt.exe
C:\WINDOWS\System32\scvhosts.exe

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [scvhosts] scvhosts.exe
O4 - HKLM\..\Run: [Winhost ] Winhost.exe
O4 - HKLM\..\Run: [blah service] servoxt.exe
O4 - HKLM\..\RunServices: [MSSWINHELP] wuadampr.exe
O4 - HKLM\..\RunServices: [Winhost ] Winhost.exe
O4 - HKLM\..\RunServices: [scvhosts] scvhosts.exe
O4 - HKLM\..\RunServices: [blah service] servoxt.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/4.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/GamesUnlimited/ie/bridge-c6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105898358986
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39FB8240-7350-4365-BC1A-02B3193E3475}: NameServer = 83.103.172.1,194.102.255.3

When done, Delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.
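
The names in this thread (scvhosts.exe, scvshost.exe, svchosts.exe) differ from the genuine Windows svchost.exe by one or two keystrokes, which is easy to miss when reading a log by eye. As an added example (not part of the original thread), this Python code runs over O4 lines copied from the log above and flags autorun executables whose names are near-misses of a genuine Windows process name; the KNOWN list and the distance threshold of 2 are assumptions chosen for illustration.

```python
import re

# O4 (autorun) lines copied from the HijackThis log quoted in the post above.
LOG = r"""
O4 - HKLM\..\Run: [scvhosts] scvhosts.exe
O4 - HKLM\..\Run: [Winhost ] Winhost.exe
O4 - HKLM\..\Run: [blah service] servoxt.exe
O4 - HKLM\..\RunServices: [MSSWINHELP] wuadampr.exe
O4 - HKLM\..\RunServices: [scvhosts] scvhosts.exe
"""
# Assumption: a short, illustrative list of genuine Windows process names.
KNOWN = ["svchost.exe", "services.exe", "winlogon.exe", "lsass.exe",
         "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe"]
O4_RE = re.compile(r"^O4 - (\S+?): \[[^\]]*\] (.+)$", re.M)
EXE_RE = re.compile(r'[^\\/"]+?\.exe', re.I)

def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def lookalike(exe, max_dist=2):
    """Closest known name within max_dist edits; None for far or exact names.
    An exact name is not proof of legitimacy: its path still needs checking."""
    stem = exe.lower()[:-4]
    dist, known = min((osa_distance(stem, k[:-4]), k) for k in KNOWN)
    return (known, dist) if 0 < dist <= max_dist else None

def flag_autoruns(log_text):
    """Return (registry key, exe, resembled name, distance) per flagged O4 line."""
    findings = []
    for m in O4_RE.finditer(log_text):
        exe = EXE_RE.search(m.group(2))
        hit = lookalike(exe.group(0)) if exe else None
        if hit:
            findings.append((m.group(1), exe.group(0), *hit))
    return findings

if __name__ == "__main__":
    print(flag_autoruns(LOG))
```

Names such as Winhost.exe and servoxt.exe are not near-misses of any listed name, so they pass this check and have to be judged by other means, as the replies in this thread do.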
 
Didn't help

Hi.

Thanks for the help. I did exactly the steps you told me to do, and it removed lots of spyware and trojans, but the main problem is still there.

I did it all twice, the second time saving logs to show you.

My PC runs better but svcshost.exe, svchosts.exe and winhost.exe are still running all the time even if I stop them, remove them from the registry or block them with Search & Destroy. They use my PC up to 100% and generate random-name files in my root. I attached you two logs.

Oh, and there is no folder with a name beginning with search in the Program Files folder.

And YPager.exe keeps showing up too (Note: not YPAger.exe which is Yahoo Messenger)

Thanks for help.
 
Your logs are not realistic. There is NO antivirus program running.
Who are you trying to fool?

scvhost.exe belongs to windows and is OK.
scvhosts.exe was the baddie, which has been eliminated.

If you don't like Yahoo pager, uninstall and delete the lot.
Run HJT and have it 'fix' those 2 O9 entries with Yahoo in it.

If you don't give us full information we can't help you any further.
 
Realistic indeed

The logs are realistic. There is no antivirus because, since this virus, my NAV simply disappears from the tray when I roll over. So I quit trying to install all the licensed and cracked versions of NAV. Online RAV finds nothing bad on my computer, and online Panda finds everything wrong with my computer and pretends to disinfect all the files, but it's useless.

YPager.exe it's the messenger, YPager.EXE pretty much isn't

scvhost.exe it's ok
scvhosts.exe and scvshost.exe isn't

So what should I do?
 
With this minimum amount of info I can only advise you this:

Boot in Safe Mode.
Uninstall ANYTHING to do with Yahoo/Yahoo! or whatever it calls itself.
Then delete all directories from Yahoo, with everything in it, including the directory itself.

Clean your \winnt\system32\drivers\etc\HOSTS file (use Notepad) so it has only one entry in it:
127.0.0.1 localhost
Save it, then set the attributes (file Properties) to ReadOnly.

Delete everything in your \Documents & Settings\[username]\Local Settings\Temp
Clean your temporary internet files and cookies.

I don't understand this line:
Snicks said:
There is no antivirus because, since this virus, my NAV simply disappears from the tray when I roll over.
Are you saying that NAV disappears from the system-tray when you go over it with your mouse?

Click on Start/Run and type in msconfig then hit enter. Check all the programs that automatically start. UN-check any program that you don't know or find suspicious.

Then reboot in safe mode, run Hijackthis and post the log here as before, with a .txt extension.


This is a fairly complicated process, but have a look at this post here in another forum, scroll down until the first post from Site Moderator taz71498.
Follow it from there, run that findit program and compare your own findings with those in the post.
If you have anything similar, sign up to that forum and post your problem there. They have more knowledge.
http://computercops.biz/postlite93976-.html
 