SVChost and SVCplay?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by America|SWAT|, Oct 14, 2004.

  1. America|SWAT|

    America|SWAT| Private E-2

    I recently had a problem in which SVChost ate up a lot of my computer mem usage and slowed my computer down. I ran Spybot and AdAware and deleted all the spyware they found, but still these numerous SVChosts kept coming up in my processes. Even when I clicked to end the process another came up in its place. I then ran Norton's Anti-Virus, updated the definitions and scanned my entire computer, only to find a few more spywares. Tried to delete those but got a "Delete Failed". So I restarted my computer in safe mode and scanned my computer with Norton's and still found nothing but simple spyware. Restarted the computer back in normal mode, ran AdAware and Spybot one more time, deleted the objects they found but still to no avail. Those SVCHost.exe processes were slowing my computer and weren't going away. I had close to 6 or 7, maybe even 8 svchosts. I was referred to a Welchia.Worm or something like that, and that perhaps it is what is attacking my computer. I downloaded the Removal Tool and it said "Welchia.Worm was not found". Finally, I was told to just delete the SVChost by searching for it, and deleting it, but making sure it wasn't the important ones. So I deleted it and my SVChost has now gone back to the normal 4. But then, I got a SVCPlay.EXE running process and it started at around 20,000 K and it rose to 100,000 K and then to 200,000+ K which slowed my computer down a great deal. I found SVCPLay.exe in my Prefetch folder and deleted it, only for it to come back and still be in my running processes. It continued to rise and I had all but given up when I simply right clicked it, went to properties and clicked on read-only file. It said I was unable to do so, but I clicked ignore and the SVCPlay process is now gone. Now all I have is a SVChost.exe that's taking about 20,000 K. I'm not sure if that's normal and I'm not sure what's going on with my computer; if someone can help, it'll be greatly appreciated.
     
  2. America|SWAT|

    America|SWAT| Private E-2

  3. eric06

    eric06 Sergeant Major

    You don't need to bump; all the real techs who know what they're talking about will be on later tonight.

    eric
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    SVCHOST.EXE processes that run from the windows\system32 folder are normal Windows processes. Whoever told you to delete them does not know what they are talking about. If it was not in system32 then it was most likely a baddie.

    You need to follow all the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Also, run the A-squared program listed in the Alternative Scans section.

    After all this come back and tell me how things are working.
     
  5. America|SWAT|

    America|SWAT| Private E-2

    Okay, here is what has been happening so far. I installed all the basic spyware, trojan and virus removal and junk. I ran everything I needed to run, Spybot, AdAware, Norton's, CWS Shredder, and a few of the other ones that I was told to install. They did remove some adware and spyware and such. SVChost has gone down to 6 running processes and does get to 20,000 K once in a while and SVCplay comes on every once in a while as well, I quickly end process. Then a process called inetmc.exe came onto my running processes. It was small at first so I ignored it, and then the next day, turning on my computer was taking forever. So I checked the running processes and discovered that inetmc.exe was taking up around 50 to 60,000 K and was using up to 90% of my mem. Norton's discovered it as adware and said it was in my Service Pack Files and didn't delete it, so I had to do it manually. I looked for it and was unable to find it. I searched for it, and still it was nowhere to be found. Even when I made all hidden folders and files viewable. I believe it was Symantec that told me to delete some of the registry entries and I followed it and deleted the inetmc registry entry that was there. Now, it comes up once in a while but still my start-up is slow as heck. And to top it off, my sound driver seems to be missing every time I start my computer. I am able to hear CDs and use Mic Chat and everything but when I try to play a Half Life game, no sound is available. I go to my device manager and follow my HP support and I end up fixing my sound driver, but when I turn it off I have to repeat the whole process. *sigh* I think my computer has finally beaten me up and spat me out. Any suggestions or fixes?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have followed ALL the steps of the READ ME FIRST thread I gave to you then you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  7. America|SWAT|

    America|SWAT| Private E-2

    Here is my HJT log. Please help!!!!
     

    Attached Files: log.txt (8.8 KB)
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember to shut down unrequired applications before scanning with HijackThis. Especially browsers (any browser). The below three items should have been closed before scanning.
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe


    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if found):
    wuamgrd.exe
    windates.exe
    id53.exe
    ZhpxsNcWG.exe
    inetmc.exe
    bkinst.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmc3pm.dat (file missing)
    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\Owner\LOCALS~1\Temp\itnasm.dat
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [ZhpxsNcWG] C:\documents and settings\owner\local settings\temp\ZhpxsNcWG.exe
    O4 - HKLM\..\Run: [*inetmc] C:\WINDOWS\ServicePackFiles\inetmc.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\system32\bkinst.exe ren time:1097958717
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13bacb158ae27a4d5b17/netzip/RdxIE601.cab

    Boot into safe mode and use Windows Explorer to delete:
    c:\windows\wuamgrd.exe or c:\windows\system32\wuamgrd.exe
    c:\windows\windates.exe or c:\windows\system32\windates.exe
    C:\WINDOWS\ServicePackFiles\inetmc.exe
    c:\installer <--- the whole directory
    C:\documents and settings\owner\local settings\temp <--- delete all files in this directory
    C:\WINDOWS\system32\bkinst.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    The below three lines are questionable. Do you know what this msanti.exe program is?
    C:\WINDOWS\Driver Cache\msanti.exe
    O4 - HKLM\..\Run: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe
    O4 - HKLM\..\RunOnce: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe rerun
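    As an added illustration of the checks chaslang applies above (legitimate autostarts live under System32 or Program Files; bare filenames, Temp paths and asterisk-prefixed value names are red flags), here is a small Python audit of HijackThis O4 lines. It is not code from this thread or from HijackThis; the sample lines are the ones quoted above plus one constructed benign ctfmon.exe entry, and the expected directories and heuristics are assumptions, not HijackThis's own rules.

```python
import re
# Constructed sample: the HijackThis O4 (autostart) lines quoted in this thread,
# plus one constructed benign entry (ctfmon.exe) so the audit has a clean case.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ZhpxsNcWG] C:\documents and settings\owner\local settings\temp\ZhpxsNcWG.exe
O4 - HKLM\..\Run: [*inetmc] C:\WINDOWS\ServicePackFiles\inetmc.exe
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\system32\bkinst.exe ren time:1097958717
O4 - HKLM\..\Run: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Layout of an O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Where legitimate XP-era autostart executables normally live (assumption).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def split_command(cmd: str):
    # Cut at the first ".exe" so an unquoted path containing spaces
    # (Documents and Settings) is not broken at the spaces.
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    if not m:
        return cmd.strip(), ""
    return cmd[: m.end()].strip(), cmd[m.end():].strip()


def audit_o4(log_text: str) -> dict:
    """Map each suspicious value name to the reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, key, name, cmd = m.groups()
        image, args = split_command(cmd)
        low = image.lower()
        reasons = []
        if "\\" not in low:
            reasons.append("bare filename, no path")  # resolved by PATH search only
        elif not low.startswith(EXPECTED_DIRS):
            reasons.append("outside System32 / Program Files")
        if "\\temp\\" in low:
            reasons.append("runs from a Temp directory")
        if name.startswith("*"):  # RunOnce convention: also runs in Safe Mode
            reasons.append("asterisk-prefixed value name")
        if key == "RunOnce" and args:
            reasons.append("RunOnce entry carrying arguments")
        if reasons:
            findings[name] = reasons
    return findings
```

Calling audit_o4(SAMPLE_O4) flags every entry chaslang and PhilliePhan singled out and leaves the System32 ctfmon.exe entry alone.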
     
  9. PhilliePhan

    PhilliePhan Guest

    Hi Chas,

    These are most likely my old buddy, STOPGUARD. They certainly fit the patterns I've seen before:

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Owner\LOCALS~1\Temp\dmc3pm.dat (file missing)
    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\Owner\LOCALS~1\Temp\itnasm.dat

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\system32\bkinst.exe ren time:1097958717
    O4 - HKLM\..\Run: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe
    O4 - HKLM\..\RunOnce: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe rerun

    C:\WINDOWS\Driver Cache\msanti.exe


    Best,
    PP
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks PP,

    Yes, I recognize the lines with CATLEvents Object, but the files were missing so I figured just fixing the lines with HJT would do. The O4 lines with msanti.exe did not ring a bell though until you reminded me. msanti is itnasm backwards.

    So America,

    Fix these two additional lines in HijackThis also:
    O4 - HKLM\..\Run: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe
    O4 - HKLM\..\RunOnce: [*msanti] C:\WINDOWS\Driver Cache\msanti.exe rerun

    And delete the C:\WINDOWS\Driver Cache\msanti.exe file from safe mode.
     