scvhost.exe - Tech Support Forums

krzyazn · October 7th, 2006, 02:39 AM

hi i got this virus thing called scvhost.exe and ive done everything to remove it but it still starts up at system startup. i tried deleting the registry and in msconfig but it just comes back i got a logfile from hijackthis just in case it might help thx a lot

Logfile of HijackThis v1.99.1
Scan saved at 10:35:48 PM, on 10/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\AOL\1159587704\ee\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\iolo\System Mechanic Professional 6\SysMech6.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe
C:\Documents and Settings\Alex\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hcmc.netnam.vn/weblh/andi/ndc.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\scvhost.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKLM\..\RunServices: [desktop] desktop
O4 - HKLM\..\RunOnce: [Windows Update] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BPS Spyware Remover] C:\Program Files\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hcmc.netnam.vn/weblh/andi/ndc.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Mickwish · October 7th, 2006, 03:32 AM

svchost is a windows system app for running processes. Multiple instances are normal. As long as svchost is running in the system32 dir of the win dir, it should be legit.

http://windowsxp.mvps.org/svchost.htm

Suggest you delete any copies of svchost.exe outside of the system32 dir. Since there are only running ones from the correct dir maybe you already did this?

Cheers
Mick

BluesMan1 · October 7th, 2006, 07:44 AM

krzyazn, copy/paste your HijackThis here: www.hijackthis.de and you'll see that in fact your computer is infected.

You can use Ewido to try to clean your computer:http://www.ewido.net/en/download/

Install it and get the updates and scan your computer.

Panda online is also a great tool for your computer: http://www.pandasoftware.com/products/activescan?

Spyware Blaster can help you blocking some bad things: http://www.javacoolsoftware.com/spywareblaster.html

Ad Aware is also a great tool: http://www.download.com/3000-2144-10045910.html

and finally, in addition to ad aware, you can use Spybot Search & Destroy: http://www.spybot.info/en/download/index.html

Good Luck

krzyazn · October 7th, 2006, 12:14 PM

ok ill try that and ill post back the results and btw the problem i have is with scvhost not svchost

krzyazn · October 7th, 2006, 04:56 PM

ok ive tried all that but the registry in run keeps coming back

ShuckyD · October 7th, 2006, 10:39 PM

i will testify to seeing a virus awhile back that went under the name scvhost.exe... I had to really take a second glance at it... I dont know what it does or where its from, i just know that it made a perfectly "good" computer run like a 486.

AnakiMana · October 7th, 2006, 10:51 PM

I suggest downloading the 30-day trial of NOD32 and run a full scan. Get it at http://www.eset.com. I've been VERY impressed with NOD32. If that fails, it may be quicker to backup your PC and reinstall Windows.

Milwaukee · October 7th, 2006, 11:15 PM

wow we have 10 hack tool and unwant tool and 6 spywares in our computer

. Thank to you for gave us website to Panda activescan

Trend online scanner is slow than panda.

I use spybot, spyware blaster, and adware-se personal but got it?

krzyazn · October 8th, 2006, 01:47 AM

ive tried scanning with various programs already including those, avast, bps spyware and adware remover, ad aware, and some registry programs. but the registry for scvhost.exe still comes back right after i delete it. the weird thing is that it runs even when its not in c:\windows like it says

ddro · November 9th, 2006, 09:19 AM

try going into your registry and deleting all the lines for scvhost out of run, runonce, runonceex, and run services. I had this problem a while back and it's completely undetected by most antivirus.

if you have just restarted your computer when you go to delete it out of the registry make sure the process isn't running because it will restore the run runone runonceex and runservices keys if it isn't closed.

Hope this helps:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RUNSERVICES

might also want to delete svchost.exe out of C:\Windows