svchos1at.exe and similar

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by daniel2004, May 15, 2005.

  1. daniel2004

    daniel2004 Private E-2

    Dear Friends,
    when surfing my computer "collects" in WINNT folder two or three files like:

    svchos1at.exe, svchos11at.exe etc.

    These files make my computer react by flashing a warning message and sometimes the line falls.

    I have a Windows 2000 system. What can I do? I cannot find the origin of the problem, should be a Trojan somewhere, but where??

    Ad-aware, Spybot, Regseeker, SpywareDoctor...give me no useful information... Help!
    Thank you,

    Daniel
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, those are most likely bad files. Let's start by doing a general cleanup.


    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. daniel2004

    daniel2004 Private E-2

    Ok here the Hijackthis.log I got from the scan. (Attachment)

    Thanks a lot for your advice.

    Daniel
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT version is WAY outdated.

    Please update to Hijack This 1.99.1 and attach a new log using the new version.
     
  5. daniel2004

    daniel2004 Private E-2

    Right, I downloaded the new version.
    Here's the log...

    Thanks again,
    Daniel
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Internet Explorer version is WAY outdated. After we get your system clean you need to install Internet Explorer 6.0 SP1.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Web Window Killer or aalku


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O4 - HKCU\..\Run: [Web Window Killer] "C:\Programmi\aalku\Web Window Killer\WebWindowKiller.exe" hidden

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24d29e460517ab909506/netzip/RdxIE601_it.cab

    O20 - Winlogon Notify: f3dsl - C:\WINNT\

    O23 - Service: McShield - Unknown owner - (no file)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINNT\downlo~1\ips008 <-- Delete this whole folder if it exists!

    C:\Programmi\aalku <-- Delete this whole folder if it exists!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  7. daniel2004

    daniel2004 Private E-2

    Ok I'll do that... but just a last question: is it necessary to uninstall Web Window Killer? I thought it was a good program to kill pop-ups... is it dangerous?

    Thanks,
    Daniel
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Personally, I have never heard of it. If you like it and think it's safe, keep it. It's totally up to you!
     
  9. daniel2004

    daniel2004 Private E-2

    I followed your instructions; only I left Web Killer (it is rather unknown, but it works...)

    Here's my new log.
    Since I connected (15 minutes) nothing unpleasant happened...

    Thanks a lot.

    Daniel
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iol.it:8080
    (If you need this, keep it)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = internet.infostrada.it;*.infostrada.it;www.iol.it;*.iol.it;*.softcity.it;*.digil and.it;
    (If you need this, keep it)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINNT\downlo~1\ips008\ <-- Delete this whole folder if it exists!

    NEXT:
    Run CCleaner


    Reboot to Normal Windows

    Before we go any further, please download and install the below update.

    Download Internet Explorer 6 Service Pack 1

    After you install this critical update, reboot and then scan with HijackThis and attach the new log.
     
  11. daniel2004

    daniel2004 Private E-2

    Done!
    Here's the new log...

    Daniel
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Now, Copy and Paste C:\WINNT\downlo~1\ips008\1jb63j.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system, after you have rebooted post a fresh HJT log.
     
  13. daniel2004

    daniel2004 Private E-2

    Ok, done.. This is the new log

    Thanks once more!

    Daniel
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean!

    Are you having any further problems?
     
  15. daniel2004

    daniel2004 Private E-2

    Dear Bjgarrick,


    I have no more problems!

    Only a few last questions:

    shouldn't I now fix this line?

    O23 - Service: Controllo account locale (ctrlacclc) - Unknown owner - C:\WINNT\downlo~1\ips008\1jb63j.exe (file missing)


    and further, what does this line mean..


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    (with nothing after "=") can I eliminate it?


    Very last one: is C:\Winnt\Web\RELATED.HTM a dangerous file? Some say yes (also Scan Spyware) but I could find it on all Windows 2000 systems..



    Thank you again and greetings from Italy,

    Daniel
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, have HJT fix this entry.

    Just to be sure, let's do this:
    Click Start > Run > type services.msc and Click OK

    Locate Controllo account locale (ctrlacclc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Yes, you can remove it but it may come back; it's not bad.

    It's not really bad; some people leave it, some remove it. SpyBot S&D will remove it when it does its scan, or you can manually remove it if you like.
     
  17. daniel2004

    daniel2004 Private E-2

    Dear BJ,

    Controllo account locale (ctrlacclc) located and disabled!

    I'll keep related.htm, if it is not dangerous.

    Thank you very, very much indeed for the help,

    Daniel
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now, let's remove the service!

    Run HJT again, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Controllo account locale (ctrlacclc)

    If the above doesn't work, try something smaller like the below.

    (ctrlacclc)
     
  19. daniel2004

    daniel2004 Private E-2

    Ok, BJ

    I deleted the service... it worked with the word: ctrlacclc

    I typed again services.msc in Start>Run and could not find any more:
    Controllo account locale (ctrlacclc)

    What have we been fighting against??

    Daniel

    :eek:
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good!

    Are you having any further problems?
     
  21. daniel2004

    daniel2004 Private E-2

    No, BJ

    no more problems!

    Thanks,
    Daniel
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  23. daniel2004

    daniel2004 Private E-2

    Oh no, I followed the suggestions, but now I have a problem...

    I downloaded and ran the MSJVM Removal Tool 1.0a

    I installed Sun Java

    but now the system says Java Virtual Machine is missing and I don't find any site where it is for download... What can I do?

    Daniel
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  25. daniel2004

    daniel2004 Private E-2

    Unfortunately it doesn't.. just puts a link to a site "Deluxe menu" which is a software store.

    it seems not too easy to get Java Virtual Machine again...

    Daniel
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the Microsoft JVM from the location below. Let me know if this doesn't fix your problem.

    Java Virtual Machine (JVM) Build 3810

    Alt. Download Link


    After installing the above Java VM you will need to reboot; afterwards go to Windows Update and get any updates for the Java VM.
     
  27. daniel2004

    daniel2004 Private E-2

    No it doesn't work... when the installation is supposed to be over there is a warning with a big red cross and written "Microsoft for Java VM"

    Then it is as though nothing had been installed, the system keeps on asking to download JVM but it is not possible to do it...

    :rolleyes:

    Daniel
     
  28. daniel2004

    daniel2004 Private E-2

    Hey, hold on!!

    I did it a second time and it worked!! Now I have both Java systems; I can see applets with IE, Firefox and also Opera!! Perfect!

    Thank you again.... as always

    Daniel
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Good Deal!:)

    Are you having any further problems?
     
  30. daniel2004

    daniel2004 Private E-2

    Dear BJ,

    no at the moment no problems, only Scan Spyware tells me that this registry key is dangerous..

    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Submit URL

    But I seem to remember it has always been there.... maybe Scan S. is a bit too severe sometimes?
    Do I have to eliminate it manually?

    greetings
    Daniel
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You don't have to, but we can if you like.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

    After you do this it should be removed, let me know!
     
  32. daniel2004

    daniel2004 Private E-2

    OK, it's gone!

    Thanks once more!

    Daniel
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  34. daniel2004

    daniel2004 Private E-2

    Hello BJ,

    I followed your advice.. and it went better

    But today I noticed a sort of "traffic" with my firewall and saved a hijackthis.log which I am sending to you.

    I noticed these things I do not like:

    C:\WINNT\system32\CMMON32.EXE

    and:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AFB1181-D74D-40BB-8C32-17E708D355AB}: NameServer = 193.70.152.25 193.70.192.25

    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AFB1181-D74D-40BB-8C32-17E708D355AB}: NameServer = 193.70.152.25 193.70.192.25


    the last IP numbers, by the way, were the ones blocked with the firewall.

    Do I have to do anything?

    Greetings,
    Daniel
     

    Attached Files:

  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AFB1181-D74D-40BB-8C32-17E708D355AB}: NameServer = 193.70.152.25 193.70.192.25
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AFB1181-D74D-40BB-8C32-17E708D355AB}: NameServer = 193.70.152.25 193.70.192.25

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINNT\system32\CMMON32.exe

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
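    A small triage script, added here as an illustration and not something from this thread or from HijackThis itself, that applies the same checks bjgarrick walks through in posts 6 and 35 (empty R0/R1 values, hidden O4 Run entries, O16 cabs pulled from a bare IP address, O17 NameServer overrides, O20 Winlogon Notify entries that point at a folder, O23 services whose binary is missing or lives in a download folder) to a log. The sample log is constructed from the entries quoted in this thread; the ISP resolver allow-list is an assumed input and the function name is my own.

```python
import re

# Constructed sample: the HijackThis entries quoted in this thread, one per line.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O4 - HKCU\\..\\Run: [Web Window Killer] "C:\\Programmi\\aalku\\Web Window Killer\\WebWindowKiller.exe" hidden
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24d29e460517ab909506/netzip/RdxIE601_it.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0AFB1181-D74D-40BB-8C32-17E708D355AB}: NameServer = 193.70.152.25 193.70.192.25
O20 - Winlogon Notify: f3dsl - C:\\WINNT\\
O23 - Service: Controllo account locale (ctrlacclc) - Unknown owner - C:\\WINNT\\downlo~1\\ips008\\1jb63j.exe (file missing)
O23 - Service: McShield - Unknown owner - (no file)
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(log_text, known_nameservers=frozenset()):
    """Return a list of (section, reason, line) for entries worth a second look.

    known_nameservers: the resolvers the ISP actually hands out (a hypothetical
    allow-list supplied by the caller); any other O17 NameServer is flagged.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        section, _, body = line.partition(" - ")
        if section in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append((section, "empty value: orphan entry, safe to fix", line))
        elif section == "O4" and body.endswith(" hidden"):
            findings.append((section, "Run entry flagged hidden", line))
        elif section == "O16":
            m = re.search(r"https?://([^/\s:]+)", body)
            if m and IPV4.match(m.group(1)):
                findings.append((section, "ActiveX cab served from a bare IP", line))
        elif section == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            bad = [ip for ip in (m.group(1).split() if m else []) if ip not in known_nameservers]
            if bad:
                findings.append((section, "DNS servers not in ISP allow-list: " + " ".join(bad), line))
        elif section == "O20":
            path = body.rsplit(" - ", 1)[-1]
            if path.endswith("\\") or "\\system32\\" not in path.lower():
                findings.append((section, "Winlogon Notify DLL is not a file under system32", line))
        elif section == "O23":
            if "(file missing)" in body or "(no file)" in body:
                findings.append((section, "service binary missing: delete the service", line))
            elif "\\downlo~1\\" in body.lower() or "\\temp\\" in body.lower():
                findings.append((section, "service binary in a download/temp folder", line))
    return findings


if __name__ == "__main__":
    for sec, why, entry in triage(SAMPLE_LOG):
        print(f"[{sec}] {why}\n    {entry}")
```

    Passing the ISP's real resolvers as known_nameservers keeps a legitimate O17 line out of the findings, which is the "if you need this, keep it" judgement from the thread.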
  36. daniel2004

    daniel2004 Private E-2

    Dear BJ,

    here is the log.

    Only I had a problem. I deleted cmmon32.exe which I found in System32 but then Internet did not connect any more. I got the message: "Not possible to execute the program cmmon32.exe" and the line went down...

    So I put the program (I saved in a floppy before deleting it) in System32 back and now it works...

    May be there is a difference between cmmon32.exe and CMMON32.exe
    (capital letters) ? Or there is some deeper trouble?

    Greetings,
    Daniel
     

    Attached Files:

  37. daniel2004

    daniel2004 Private E-2

    Strange…. sometimes my firewall says that something wants me to connect to: “media.fastclick.net”

    I blocked it by the moment…

    Daniel
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, there is a difference in the two files. The file cmmon32.exe is part of Microsoft Connection Manager Monitor, and there is one that has the same name but has the startup entry name Cmmon32Sys, which makes up the difference. In your case I think this one is ok.
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Spy Sweeper 4.0.3.363 and install it.

    After you install, make sure you get the updated spyware definitions. Then do a full sweep removing all infections. After you remove the infections with SpySweeper, reboot and let me know how things are running.

    By the way, your HJT log is clean!
     
  40. daniel2004

    daniel2004 Private E-2

    Hello BJ,

    I did. Everything is going well. Spy Sweeper detected and deleted a few things also about Monitor Mgr... Things are running regularly now...
    I wonder if it is worthwhile to buy Spy Sweeper as it is a trial version expiring in 14 days..
    Do you think it is good?

    Thanks,
    Daniel
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, I use it and I love it. It's a great program for removal and detection.

    Attach a current HJT log and we will see if anything remains.
     
  42. daniel2004

    daniel2004 Private E-2

    Right, here's my log!

    Greetings,
    Daniel
     

    Attached Files:

  43. daniel2004

    daniel2004 Private E-2

    By the way, dear BJ,
    just a question: should Ccleaner only be used in Safe Mode?

    Thanks,
    Daniel
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean; you can run CCleaner in normal or safe mode. Personally, every time I get off the internet I run it so my system stays clean.

    Are you having any further problems?
     
  45. daniel2004

    daniel2004 Private E-2

    No, BJ, I don't have any problem now.

    Thanks,
    Daniel
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  47. daniel2004

    daniel2004 Private E-2


    Hello BJ,

    yesterday my antivirus detected "backdoor graybird" and I think it was eliminated. But as it is a long time since I last showed you my log, I'm sending you a copy attached now.

    Would you be so kind to check if it is really clean?


    Thanks a lot,

    Daniel
     

    Attached Files:

  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean. I would like you to do something for me: first temporarily disable Norton. Now, install AVG AntiVirus and get all updates. Now do a full scan and remove anything that's found.

    Afterwards reboot and uninstall one of the antivirus programs; personally I would recommend keeping AVG as it does a better job in my opinion.
     
  49. daniel2004

    daniel2004 Private E-2

    Thank you BJ,

    sorry if I didn't answer before: I was in Germany...
    On Monday I will follow your advice and let you know...

    All the best,
    Daniel
     
  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

