Infected SVCHOST.EXE?
Posted by dawvi » August 6th, 2009, 12:45 pm

McAfee Stinger identifies SCVHOST.EXE as a Conficker! mem virus but cannot clean it. No other AV will detect this file as infected. I cannot hit any MS or security websites on this server. Any help will be appreciated.

Thank you



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:50 PM, on 8/6/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\Documents and Settings\secondadmin\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
C:\Hyperion\BIPlus\bin\SQR\Remote\bin\atrls.exe
c:\centenn.ial\audit\CAgent32.exe
c:\centenn.ial\audit\xferwan.exe
C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\Licensing\LS\CITRIX.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\Program Files\Citrix\system32\cdmsvc.exe
C:\Program Files\Citrix\System32\ctxxmlss.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Citrix\system32\encsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Citrix\GoToMyPC\G2ProcessFactory.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Program Files\Citrix\System32\wfshell.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\secondadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\secondadmin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1802775417-3232460409-2919711924-1119\..\RunOnce: [tscuninstall] "%systemroot%\system32\tscupgrd.exe" (User 'Ctx_SmaUser')
O4 - HKUS\S-1-5-21-203641612-3859587353-3240750082-2465\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe" (User 'symantecbackup')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\secondadmin\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: http://*.kitconet.com
O15 - Trusted Zone: http://api.wxbug.net
O15 - Trusted Zone: http://*.yimg.com
O15 - ESC Trusted Zone: http://rmd.atdmt.com
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://www.belarc.com
O15 - ESC Trusted Zone: http://www.citrixonline.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.google.ca
O15 - ESC Trusted Zone: http://broker.gotoassist.com
O15 - ESC Trusted Zone: http://*.kitconet.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.rimrock.com
O15 - ESC Trusted Zone: http://entsearch.symantec.com
O15 - ESC Trusted Zone: http://entsupport.symantec.com
O15 - ESC Trusted Zone: http://maillist.entsupport.symantec.com
O15 - ESC Trusted Zone: http://searchg.symantec.com
O15 - ESC Trusted Zone: http://seer.entsupport.symantec.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://*.symantec.com
O15 - ESC Trusted Zone: http://ftp.support.veritas.com
O15 - ESC Trusted Zone: http://seer.support.veritas.com
O15 - ESC Trusted Zone: http://symantec.webex.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://l.yimg.com
O15 - ESC Trusted Zone: http://us.js2.yimg.com
O15 - ESC Trusted IP range: http://192.168.1.250
O15 - ESC Trusted IP range: http://68.142.201.31
O15 - ESC Trusted IP range: http://192.168.1.2
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bluecoat.webex.com/client/T26L/ ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XXXXX.local
O17 - HKLM\Software\..\Telephony: DomainName = XXXXX.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDD7B614-F7B0-4FD1-BD20-93B1F080911F}: NameServer = 192.168.1.3,192.168.1.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XXXXX.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = XXXXX.local
O23 - Service: Citrix Activation Host Service (ActivationServiceHost) - TODO: <Company name> - C:\Program Files\Citrix\Access Gateway\Bin\ActivationServiceHost.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Embedded Database (ASANYs_sem5) - iAnywhere Solutions, Inc. - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32\dbsrv9.exe
O23 - Service: Ataman TCP Remote Logon Services - Unknown owner - C:\Hyperion\BIPlus\bin\SQR\Remote\bin\atrls.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Citrix Diagnostic Facility COM Server (CdfSvc) - Citrix Systems, Inc. - C:\Program Files\Common Files\Citrix\System32\CdfSvc.exe
O23 - Service: Client Network (CdmService) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\cdmsvc.exe
O23 - Service: CentennialClientAgent - Centennial Software Limited - c:\centenn.ial\audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe
O23 - Service: Citrix SMA Service - Citrix Systems Inc. - C:\Program Files\Citrix\Sma\SmaService.exe
O23 - Service: Citrix Virtual Memory Optimization - Citrix Systems, Inc. - C:\Program Files\Citrix\Server Resource Management\Memory Optimization Management\Program\CtxSFOSvc.exe
O23 - Service: CitrixLicensing - Macrovision Corporation - C:\Program Files\Citrix\Licensing\LS\lmgrd.exe
O23 - Service: Citrix XTE Server (CitrixXTEServer) - Citrix Systems, Inc. - C:\Program Files\Citrix\XTE\bin\XTE.exe
O23 - Service: Citrix Licensing WMI (Citrix_GTLicensingProv) - Unknown owner - C:\Program Files\Citrix\Licensing\LicWMI\Citrix_GTLicensingProv.exe
O23 - Service: Citrix Print Manager Service (cpsvc) - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\CpSvc.exe
O23 - Service: Citrix CPU Utilization Mgmt/CPU Rebalancer (CTXCPUBal) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpubal.exe
O23 - Service: Citrix CPU Utilization Mgmt/Resource Mgmt (ctxcpuSched) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpusched.exe
O23 - Service: Citrix CPU Utilization Mgmt/User-Session Sync (CTXCPUUsync) - Aurema Pty Limited - C:\Program Files\Citrix\Server Resource Management\CPU Utilization Management\bin\ctxcpuusync.exe
O23 - Service: Citrix XML Service (CtxHttp) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\ctxxmlss.exe
O23 - Service: Citrix Deployment Server (CtxMsamDeployment) - Citrix Systems, Inc. - C:\Program Files\Citrix\Access Gateway\Bin\Citrix.Msam.Deployment.Service.exe
O23 - Service: Citrix Resource Aggregation Server (CtxMsamResAgg) - Citrix Systems, Inc. - C:\Program Files\Citrix\Access Gateway\Bin\ResAggSvc.exe
O23 - Service: Secure Gateway (CtxSecGwy) - Citrix Systems, Inc. - C:\Program Files\Citrix\Secure Gateway\bin\CtxSGSvc.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Encryption Service - Citrix Systems, Inc. - C:\Program Files\Citrix\system32\encsvc.exe
O23 - Service: Citrix Activation Engine Service (EngineMgrService) - TODO: <Company name> - C:\Program Files\Citrix\Access Gateway\Bin\EngineMgrService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Independent Management Architecture (IMAService) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MetaFrame COM Server (MFCom) - Citrix Systems, Inc. - C:\Program Files\Citrix\System32\mfcom.exe
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Symantec Endpoint Protection Manager (semsrv) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\bin\SemSvc.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies, LLC - C:\WINDOWS\ProPatches\Scheduler\stSchedEx.exe
O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 15696 bytes
dawvi
Active Member
 
Posts: 1
Joined: August 6th, 2009, 12:10 pm
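One way a helper triages a log like the one above: an added Python example (not MalwareRemoval.com's, HijackThis's or the poster's code) that reads the "Running processes" block and any single-quoted path in other lines (such as the O10 LSP entry), and flags core Windows binaries that are not loading from `<drive>:\WINDOWS\system32`. The set of binaries checked and the selection of sample lines are assumptions of this example; the sample lines themselves are excerpted from the log above, plus one well-formed Program Files entry for contrast.

```python
"""Triage excerpt of a HijackThis log for core Windows binaries running
from an unexpected directory.

Added example for this thread; not code from MalwareRemoval.com, HijackThis
or the poster. The SYSTEM32_ONLY table is an assumption of this example.
"""
import ntpath
import re

# Binaries that normally load only from <drive>:\WINDOWS\system32.
# Assumed, deliberately short list; extend it for your own environment.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "userinit.exe", "mswsock.dll",
}

# Lines excerpted from the log posted above, plus one Program Files entry
# (g2svc.exe) to show that unrelated paths are left alone.
SAMPLE_LOG = r"""Running processes:
C:\Documents and Settings\secondadmin\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\secondadmin\windows\system32\mswsock.dll' missing
"""

# Matches a single-quoted Windows path, as HijackThis prints it in O10 lines.
QUOTED_PATH_RE = re.compile(r"'([A-Za-z]:\\[^']+)'")


def is_expected_location(path: str) -> bool:
    """True unless a SYSTEM32_ONLY binary sits somewhere other than
    <drive>:\\WINDOWS\\system32 itself (exactly three path components)."""
    directory, name = ntpath.split(path)
    if name.lower() not in SYSTEM32_ONLY:
        return True  # no expectation recorded for this file name
    parts = [p.lower() for p in directory.strip("\\").split("\\")]
    return (
        len(parts) == 3
        and re.fullmatch(r"[a-z]:", parts[0]) is not None
        and parts[1] == "windows"
        and parts[2] == "system32"
    )


def triage(log_text: str):
    """Return [(file_name, full_path), ...] for every SYSTEM32_ONLY binary
    found outside its expected directory, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True      # every following non-blank line is a path
            continue
        if not line:
            in_processes = False     # blank line ends the process block
            continue
        candidates = [line] if in_processes else QUOTED_PATH_RE.findall(line)
        for path in candidates:
            if not is_expected_location(path):
                findings.append((ntpath.basename(path).lower(), path))
    return findings


if __name__ == "__main__":
    for name, path in triage(SAMPLE_LOG):
        print(f"[verify] {name} loaded from unexpected location: {path}")
```

Run as a script it prints one line per hit. On the excerpt the two hits are the `smss.exe` process path and the O10 `mswsock.dll` provider path, both under the `secondadmin` profile rather than `C:\WINDOWS\system32`, while the `svchost.exe` entries the poster was worried about are in their normal location. A hit means "verify", not "malicious": compare the flagged file against a known-good copy (hash or signature) before acting on it, and remember the script only sees what HijackThis printed.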

Re: Infected SVCHOST.EXE?

Posted by MWR 3 day Mod » August 11th, 2009, 12:57 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Infected SVCHOST.EXE?

Posted by Shaba » August 14th, 2009, 1:44 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland