  1. #1
    Junior Member (Join Date: Oct 2007, Posts: 5)

    Weird svchost.exe

    Out of the blue, either soon after startup or just randomly when I am using the computer, a dialog appears asking to connect to the internet. Its icon in the taskbar is the same as a .msi installer. When I went into Process Explorer I discovered it was svchost.exe - but it was located in c:\windows\fonts! There were several other instances of svchost.exe, but they were all in their proper place (c:\windows\system32). I have tried ending the process, but it just comes back again later. When I tried to find the file using Windows Explorer it did not exist (even with hidden and system files on). Even using a 'dir' command line did not reveal it.

    What is this? I am worried it might be something serious, like a virus, trojan or rootkit. I have run my antivirus scanner (iolo), adaware (latest updates) and spybot.

    I have even tried booting off a Linux live CD, but it cannot see the file; however, when I go Start > Run and type in c:\windows\fonts\svchost.exe it appears!

  2. #2
    Member (Join Date: Dec 2004, Location: NZ, Posts: 44,851)

    Re: Weird svchost.exe

    Post a HijackThis log; it's in my sig.

    Put it in its own folder first, then click on scan the system, and save a log.

    Looks like it may belong to a trojan.

    I would also do a scan with Trojan Remover.
    Last edited by Speedy Gonzales; 30-01-2008 at 05:43 PM.

  3. #3
    Junior Member (Join Date: Oct 2007, Posts: 5)

    Re: Weird svchost.exe

    I got worried yesterday, so I booted my system off a Sabayon Linux live CD. I navigated to c:\windows\fonts and found:
    - 'a.zip', a zip folder which contained setup.exe
    - 'svchost.exe'
    - 'setup.exe'
    and a folder called '

    I deleted all of these, so this will hopefully have fixed the problem, I hope?
    Anyway, I still want to know what it was, how it got there and if I have fully removed it.
    Here is my HijackThis log (after I deleted those files, sorry).

    Logfile of HijackThis v1.99.1
    Scan saved at 4:44:34 PM, on 31/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\iolo\AntiVirus\ioloAV.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iolo\AntiVirus\iAVEmailScanner.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WinAVR\pn\pn.exe
    C:\WinAVR\Br@y++ Terminal.exe
    C:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Ben Mulholland\Desktop\hijackthis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Applications & Installers\Free Download Manager\iefdm2.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\AntiVirus\ioloAV.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Download all with Free Download Manager - file://F:\Applications & Installers\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://F:\Applications & Installers\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://F:\Applications & Installers\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://F:\Applications & Installers\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - http://activex.microsoft.com/objects/ocget.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D332EE0C-3EB3-4EF4-94C5-19F01314BEFE}: NameServer = 202.180.64.9 202.180.64.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

    Thanks for your assistance.
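The check a defender would want for the symptom in post #1 (an svchost.exe running from c:\windows\fonts while the legitimate copies live in system32) can be automated over the "Running processes:" section of a HijackThis log like the one in post #3. The script below is an added example, not part of the thread or of HijackThis; the log text is a constructed sample modelled on the posted one, and the EXPECTED_DIRS allowlist of core XP process locations is my own assumption.

```python
import ntpath

# Constructed sample modelled on the thread's log (not the real log); the
# c:\windows\fonts entry stands in for the process described in post #1.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
c:\\windows\\fonts\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Opera\\Opera.exe

R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
"""

# Assumed allowlist: core Windows XP processes and the only directory each
# should legitimately be launched from (compared case-insensitively).
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def running_processes(log_text):
    """Return the image paths listed under 'Running processes:' in a HijackThis log."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:  # the section ends at the first blank line
                break
            paths.append(line)
    return paths


def suspicious_processes(log_text):
    """Flag core system processes whose image runs from an unexpected directory."""
    flagged = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and ntpath.normpath(directory).lower() != expected:
            flagged.append((name.lower(), path))
    return flagged
```

A hit here is a strong indicator, but a clean result is not proof of a clean machine: a file in the right directory can still be malicious, and the process list only shows what was running at scan time.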

  4. #4
    Member (Join Date: Dec 2004, Location: NZ, Posts: 44,851)

    Re: Weird svchost.exe

    Put HijackThis in its own folder, then run it again and tick these. Then tick "fix checked".

    I would also disable system restore

    Close browser/s.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Applications & Installers\Free Download Manager\iefdm2.dll (file missing)

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    Run this manually or from the desktop/taskbar

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll

    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll

    O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll

    I would install something better than Iolo AV.

    Like Avast or Nod32 (but this isn't free). Uninstall ALL versions of Java. The latest version is in my sig below.

    Then get LSPfix

    And run it AFTER you tick the above entries.

    Then reboot, and enable system restore again.

    Did you download Trojan Remover, update it, then click on scan?

    I would also select all options, under the utilities menu.
