05-29-2005, 03:58 PM   #7
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,326
OS: N/A


Hello again.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

++++++++++++++++
---- WARNING -----
++++++++++++++++

AdwareAlert - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.


++++++++++++++++++++++++++++++++++
--- Preparing the computer for the fix ---
++++++++++++++++++++++++++++++++++

Go to My Computer > Tools > Folder Options > View tab and make sure that the following are enabled:
  • Show hidden files and folders.
  • Display the contents of system folders
  • Uncheck the Hide protected operating system files option.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download and install CleanUp!. We shall use it to clean out the Temp folders as installation programs and hijack programs leave a lot of junk there. Don't run it yet. We'll run it later.

++++++++++++++++++++++++++++++++++++
--- Reboot your system into Safe Mode ---
++++++++++++++++++++++++++++++++++++
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Go to Start->Run and type in services.msc and hit OK. Then look for Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into Hijack This > Config > Misc.Tools > Open process manager. Select the following and click “Kill process” for each one.
C:\WINDOWS\system32\scvhost.exe
Note: there is a legitimate Windows process called svchost. Take great care not to kill the wrong process.

Click Start > Control Panel > Add/Remove Programs and uninstall the following programs:
AdwareAlert

Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any).
Please remember to close all other windows, including browsers, then click Fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O16 - DPF: Win32 Classes -
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe


Delete the following files:
C:\WINDOWS\system32\scvhost.exe >> take care not to delete the legitimate svchost.exe
C:\Program Files\AdwareAlert\ >>> delete this folder

Run CleanUp! now. Click Yes when it asks you if you want to logoff.

++++++++++++++++++++++++++++++++++
--- Fixing Registry Error ---
++++++++++++++++++++++++++++++++++

Quote:
  1. Go to Start > Run > type regedit & press Enter (Registry Editor Will start)
  2. On the left column, click once to highlight 'My Computer'.
  3. Select File > Export & Save the file as Registry.reg in a permanent folder in your computer.
  4. Navigate to 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess'
  5. On the left column, double click on Image Path & modify its value to %SystemRoot%\System32\svchost.exe -k netsvcs
  6. Repeat these steps for these locations:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess
  7. Close the Registry Editor when you have finished editing.

Reboot Windows back into Normal Mode.

If you have a fast internet connection (Broadband), run an online scan at Trend Micro or RAV Antivirus. Select the “autoclean” option when using Trend Micro. Note the names and locations of any file it detects but fails to clean.

* Note: You should turn off the real time scanner of any existing antivirus program while you're doing the online scan.

Run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.
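As an added example (not part of sUBs's post and not code from HijackThis), the script below applies the two checks the post relies on to raw HijackThis log lines: the F2 Shell= value must be Explorer.exe and nothing else, and a file name one edit away from a legitimate Windows binary name (scvhost.exe against svchost.exe) is a lookalike. It also flags a real svchost.exe that lives outside System32 and O16 ActiveX downloads from a bare IP address. The list of legitimate names, the System32 heuristic and the sample log (the post's entries plus one constructed benign ctfmon.exe entry) are assumptions made for this example.

```python
"""Heuristic triage of HijackThis log lines (added example, not from the post)."""
import os
import re
from typing import List, Optional, Tuple

# Assumption: legitimate Windows binaries whose names malware commonly imitates.
LEGIT_NAMES = ("svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
# On Windows XP the system.ini Shell= value should name only Explorer.exe.
EXPECTED_SHELL = "explorer.exe"

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"<>|]+")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: a single transposition such as
    scvhost/svchost counts as one edit, which plain Levenshtein would score as two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate name that `filename` imitates (exactly one edit away), or None."""
    name = filename.lower()
    if name in LEGIT_NAMES:
        return None
    for legit in LEGIT_NAMES:
        if edit_distance(name, legit) == 1:
            return legit
    return None


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the HijackThis entries in `log_text`."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        # F2: anything appended after Explorer.exe in Shell= is started at every logon.
        if sec == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1]
            extra = [t for t in value.split() if t.lower() != EXPECTED_SHELL]
            if extra:
                findings.append(("shell-hijack", " ".join(extra)))

        # Every drive-letter path in the entry: typo-squatted system names,
        # or the real svchost.exe living somewhere other than System32 (heuristic).
        for path in PATH_RE.findall(body):
            base = os.path.basename(path.replace("\\", "/")).lower()
            imitated = lookalike_of(base)
            if imitated:
                findings.append(("lookalike", f"{path} imitates {imitated}"))
            elif base == "svchost.exe" and "\\system32\\" not in path.lower():
                findings.append(("misplaced-system-binary", path))

        # O16: ActiveX downloads from a bare IP address rather than a host name.
        if sec == "O16" and RAW_IP_URL_RE.search(body):
            findings.append(("raw-ip-download", body))
    return findings


# Sample log: the entries quoted in the post plus one constructed benign entry.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0002.exe
"""

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Run on the sample, it reports the Shell= hijack, the scvhost.exe lookalike and the raw-IP download, and stays silent on the benign ctfmon.exe entry. The one-edit threshold is deliberate: a wider threshold starts matching unrelated short names, and the transposition-aware distance is what catches the scvhost/svchost swap that the post warns helpers to look at twice.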