McAfee & Generic.dx - svchost.exe.

Posted on 2008-10-13
Last Modified: 2013-12-06
Hello guys.

I came in this morning and one of my users has a virus alert from McAfee Enterprise Edition.

This is the log from McAfee
13/10/2008    08:12:14    Deleted    NT AUTHORITY\SYSTEM    C:\WINDOWS\svchost.exe    Generic.dx
13/10/2008    08:12:54    Deleted    NT AUTHORITY\SYSTEM    C:\WINDOWS\svchost.exe    Generic.dx
Now, the log indicates that it does indeed keep deleting the file; however, the message box keeps reappearing and therefore it keeps trying to remove the virus in a loop.

Here is the Hijack-This log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:41:14, on 13/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Trust\Trust R-series Mouse And Keyboard\MouseDrv.exe
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SRVSBS01:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe MouseDrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = prometheus.local
O17 - HKLM\Software\..\Telephony: DomainName = prometheus.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = prometheus.local
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of file - 6305 bytes
Can't see anything here, can you? Thanks.

Now I understand, after searching, that some people have had this trojan and have gotten rid of it with mixed results. Some people have had to reinstall Windows, IE. I cannot therefore take the risk of stopping this particular user (a company Director!) from working, or take the risk of losing any data - it's more than my job is worth, lol. So using Kaspersky online is a no-no; I would have to disable the whole network's virus scanner, which could invite more infections.

Have you any idea what to do? This is a new job, and I'm relatively new to sorting out viruses in a networked setup - of course I have fixed my PCs at home, but I have to think of possible problems now...

Thank you very much.

PS: The user in question does seem to be able to work as normal at present, it's just the alert that will not go.
Question by: SpencerKarnovski
LVL 47

Expert Comment

ID: 22701127
Run either SDFix or Malwarebytes, then ComboFix if the problem persists (when using ComboFix, antivirus needs to be disabled though).
1.  Download SDFix and save it to your desktop (either one below).
Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and attach the "Report.txt" back

OR: Download Malwarebytes' Anti-Malware to your desktop. check for Updates before scanning.

2.  Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Author Comment

ID: 22701148
Hello rpggamergirl.

Thanks for the suggestions.  I will try them, and get back to you when I can.  Will not be able to do them today, as the user is very busy - and seems to be able to function correctly, even with the alert there.

But will try soon, and report back here with my findings.


Expert Comment

ID: 22703958
I had to download and run SDFix and then ComboFix to get this off, but it's gone now... thanks guys

Author Comment

ID: 22709386

OK, so I tried running Malwarebytes - it did not find anything, i.e. McAfee is still showing the alert.  Furthermore, McAfee even noted that application as a virus.

I am going to try steps 1 and 2 later on.  However, can we be assured that this will not cause system instability?  This is a company director's PC and I cannot afford anything going wrong.

Thanks again, great help.

LVL 47

Expert Comment

ID: 22711143
Hi Spencer,

>>> Furthermore McAfee even noted that application as a virus.<<<
It's normal for McAfee to flag SDFix, Combofix or other anti-spyware tools as a risk tool or a virus.

The file that McAfee flags above is a variant of SDBot, so maybe try SDFix first.

>>>However, can we be assured that this will not cause system instability?<<<
ComboFix is a safe tool and has more safety nets than any other tool, but I cannot guarantee that nothing can go wrong. There are rare cases where the presence of new malware for which ComboFix doesn't have updates yet can interfere with the scan and things can go wrong; it happens.

If it helps to know, ComboFix does create 2 ERUNT backups when you run it: one taken after the user has agreed to the disclaimer, and another one taken just before ComboFix reboots the PC.

You need to follow exactly the directions for running ComboFix, e.g. disabling antivirus/security shields as they can interfere with the scan, and do not mouse-click while it's running as that can cause CF to stall, etc.

Author Comment

ID: 22711398
Hello rpggamergirl (what game? :) )

OK, have followed all the listed steps (see attached reports) and... nope, as soon as the user boots up the alert message is still there.   This is the worst virus I have ever come across; it just will not be removed.

The only thing I can do now is get in touch with McAfee and ask them.  I mean, the actual software is located on the server; would I have to go in there and do anything?  Even though I have searched for svchost.exe and found only the one in windows/system32.

Anyway, have a look at the files for me, thank you very much indeed for your help.
SDFix: Version 1.235
Run by Administrator on 14/10/2008 at 14:35
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:
Restoring Default Security Values
Restoring Default Hosts File
Checking Files:
Trojan Files Found:
C:\svchost.exe - Deleted
C:\WINDOWS\svchost.exe - Deleted
Removing Temp Files
ADS Check:
Final Check:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-10-14 14:41:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
Remaining Files:
File Backups: - C:\SDFix\backups\
Files with Hidden Attributes:
Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon  7 Jul 2008     2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 20 Mar 1998         1,048 A.SH. --- "C:\WINDOWS\system32\fnmode.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Assets\My Asset Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Bank\My Bank Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Customer\My Customer Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Finance\My Finance Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Invoice\My Invoice Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Nominal\My Nominal Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\POP\My POP Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Products\My Products Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\SOP\My SOP Reports\rpt.sys"
Fri  9 Aug 2002             0 A..H. --- "C:\Program Files\Sage\Accounts\REPORTS\Supplier\My Supplier Reports\rpt.sys"
ComboFix 08-10-11.04 - rogerl 2008-10-14 14:50:40.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2102 [GMT 1:00]
Running from: C:\Documents and Settings\rogerl\Desktop\Virus_apps\ComboFix.exe
 * Created a new restore point
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\IE4 Error Log.txt
(((((((((((((((((((((((((   Files Created from 2008-09-14 to 2008-10-14  )))))))))))))))))))))))))))))))
2008-10-14 14:33 . 2008-10-14 14:33	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-10-14 14:03 . 2008-10-14 14:43	<DIR>	d--------	C:\SDFix
2008-10-14 13:43 . 2008-10-14 13:43	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-10-14 13:43 . 2008-10-14 13:43	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-14 13:40 . 2008-10-14 13:42	<DIR>	d--------	C:\WINDOWS\system32\NtmsData
2008-10-14 08:20 . 2008-10-14 14:52	<DIR>	d--------	C:\quarantine
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Program Files\Malwarebytes' Anti-Malware
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Documents and Settings\rogerl\Application Data\Malwarebytes
2008-10-14 08:19 . 2008-10-14 08:19	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-14 08:19 . 2008-09-10 00:04	38,528	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-14 08:19 . 2008-09-10 00:03	17,200	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 08:41 . 2008-10-13 08:41	<DIR>	d--------	C:\Program Files\Trend Micro
2008-10-13 07:12 . 2008-10-13 07:26	<DIR>	d--------	C:\WINDOWS\system32\CatRoot_bak
2008-10-10 07:09 . 2008-10-10 07:09	102,400	--a------	C:\WINDOWS\system32\atlcom763_530.dll
2008-10-10 07:09 . 2008-10-10 07:09	20	--a------	C:\WINDOWS\syscheck
2008-10-03 14:12 . 2008-10-03 14:14	<DIR>	d--------	C:\Program Files\RegScrubXP
2008-10-01 14:44 . 2008-10-01 14:44	<DIR>	d--------	C:\Program Files\Mouse Driver
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-07-18 21:10	94,920	----a-w	C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10	94,920	----a-w	C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10	53,448	----a-w	C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10	53,448	----a-w	C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10	45,768	----a-w	C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10	36,552	----a-w	C:\WINDOWS\system32\wups.dll
2008-07-18 21:10	36,552	----a-w	C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09	563,912	----a-w	C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09	563,912	----a-w	C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09	325,832	----a-w	C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09	325,832	----a-w	C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09	205,000	----a-w	C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09	205,000	----a-w	C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09	1,811,656	----a-w	C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09	1,811,656	----a-w	C:\WINDOWS\system32\dllcache\wuaueng.dll
2006-05-05 07:39	21,344	------w	C:\Documents and Settings\rogerl\Application Data\GDIPFONTCACHEV1.DAT
1998-03-20 00:00	1,048	-csha-w	C:\WINDOWS\system32\fnmode.sys
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown 
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"WireLessMouse"="C:\Program Files\Trust\Trust R-series Mouse And Keyboard\StartAutorun.exe" [2007-03-06 212992]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-15 180269]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 286720]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2003-09-10 135251]
"KMCONFIG"="C:\Program Files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 118784]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 19:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2003-09-29 08:10 81990 C:\Program Files\Network Associates\VirusScan\shstat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-05-11 13:53 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Mouse Driver\KMWDSrv.exe [2008-03-28 208896]
R2 wowsystem;Remote TCP/IPv6;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
*Newly Created Service* - PROCEXP90
Contents of the 'Scheduled Tasks' folder
2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
------- Supplementary Scan -------
R0 -: HKCU-Main,Start Page = hxxp://
R0 -: HKLM-Main,Start Page = hxxp://
R0 -: HKLM-Main,Search Bar = hxxp://
R1 -: HKCU-Internet Settings,ProxyServer = hxxp://SRVSBS01:8080
R1 -: HKCU-Internet Settings,ProxyOverride = ;<local>
R1 -: HKCU-SearchURL,(Default) = hxxp://
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} - hxxps://
C:\WINDOWS\Downloaded Program Files\FsPlugin.inf
C:\WINDOWS\Downloaded Program Files\dwnlgui.dll
C:\WINDOWS\Downloaded Program Files\opndlg32.dll
C:\WINDOWS\Downloaded Program Files\trxsc.dll
C:\WINDOWS\Downloaded Program Files\fsplugin.dll
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-10-14 14:53:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ...
scanning hidden files ... 
scan completed successfully
hidden files: 0
Completion time: 2008-10-14 14:53:55
ComboFix-quarantined-files.txt  2008-10-14 13:53:53
Pre-Run: 64,134,406,144 bytes free
Post-Run: 64,584,749,056 bytes free
124	--- E O F ---	2008-09-10 18:21:52


LVL 47

Accepted Solution

rpggamergirl earned 500 total points
ID: 22711740
SDFix deleted 2 bad svchost.exe there.
Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


Author Comment

ID: 22711883

Yeah - I did notice that it removed both the files.  I did copy the svchost.exe file to the C:\ drive, just to see if it would make any difference.

But I will try what you have suggested, many many thanks.

I do have a question though.  The svchost.exe is a critical Windows file, yes; when Windows loads it checks the list of available processes or something like that using this app.  So, does it mean that the actual Windows svchost.exe file is corrupted with a trojan?  Or is this trojan masking as a copy of this file?

Thanks for helping, your experience is most welcome and needed :)
LVL 47

Expert Comment

ID: 22718933
>>>The svchost.exe is a critical Windows file yes, <<<

Yes, the legit svchost.exe which is located in the system32 folder.

>>>Or is this Trojan masking as a copy of this file.<<<
C:\WINDOWS\svchost.exe <-- this one is a trojan and it is just using the legit system filename for camouflage.

>>>So, does it mean that the actual Windows svchost.exe file is corrupted with a trojan? <<<

No, that doesn't mean the legit svchost.exe is infected. A file infector can infect svchost.exe or other system files, but you would've noticed the symptoms, e.g. services or programs not working, etc.
>>>I did copy then svchost.exe file to the C:\ drive, just to see if it would make any difference.<<<

That wouldn't make any difference; when scanners see svchost.exe in the wrong location it will just be deleted, and that's exactly what SDFix did: it deleted the svchost.exe trojan from the Windows folder and also deleted the svchost.exe that you put in C:\.
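
The tell rpggamergirl describes above (a system file name in a directory it does not belong in; the genuine svchost.exe is the one in system32) is mechanical enough to script. The Python check below is an added example, not code from this thread or from SDFix, ComboFix or McAfee. It flags well-known system binary names found outside their home directory, and for ComboFix-style R2 service lines it also flags svchost-hosted services whose name is not in an operator-supplied baseline, because the wowsystem / "Remote TCP/IPv6" entry in the ComboFix log above points at the real system32\svchost.exe and a path check alone does not catch it. SYSTEM_ROOT, the CANONICAL_DIRS table and the BASELINE set are assumptions for a stock 32-bit XP layout; the SAMPLE lines are constructed from paths that appear in the logs in this thread.

```python
r"""Spot executables that borrow a Windows system file name but live outside
that file's home directory (the C:\WINDOWS\svchost.exe case above), plus
svchost-hosted services missing from a known-good baseline.
Added example; not from the thread or from SDFix/ComboFix/McAfee."""
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: stock 32-bit XP layout, as in the logs

# Home directories of binaries malware habitually impersonates, lower-cased.
# The same file name anywhere else is at best misplaced, at worst camouflage.
CANONICAL_DIRS = {
    "svchost.exe":  (r"c:\windows\system32",),
    "lsass.exe":    (r"c:\windows\system32",),
    "csrss.exe":    (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# First executable in an ImagePath/Run value, with or without quotes.
_EXE = re.compile(r'^\s*"?(.*?\.exe)', re.IGNORECASE)
# ComboFix service line:  R2 <name>;<display name>;<image path> [date size]
_CF_SERVICE = re.compile(r'^R\d\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?\s*$')


def image_path(value):
    """Extract the executable from an ImagePath/Run value: drops quotes and
    trailing arguments such as /STANDALONE and expands %SystemRoot%."""
    m = _EXE.match(value)
    if not m:
        return None
    exe = m.group(1)
    if exe.lower().startswith("%systemroot%"):
        exe = SYSTEM_ROOT + exe[len("%systemroot%"):]
    return exe


def check_path(value):
    """Finding for a tracked system-binary name outside its home directory,
    or None when the location is right or the name is not tracked."""
    exe = image_path(value)
    if exe is None:
        return None
    directory, _, name = exe.lower().rpartition("\\")
    homes = CANONICAL_DIRS.get(name)
    if homes is None or directory in homes:
        return None
    return "%s outside %s: %s" % (name, " or ".join(homes), exe)


def check_combofix_service(line, known_services):
    """Path check plus a baseline check for a ComboFix R2 service line.
    The genuine svchost.exe hosts many services, so a rogue service that
    points at it (the 'wowsystem' entry in the log above) has a canonical
    path and only its name gives it away. known_services is the operator's
    own list of legitimate svchost-hosted service names (assumption)."""
    m = _CF_SERVICE.match(line)
    if not m:
        return None
    name, display, path = m.groups()
    finding = check_path(path)
    if finding:
        return "service %s (%s): %s" % (name, display, finding)
    exe = (image_path(path) or "").lower().rpartition("\\")[2]
    baseline = {s.lower() for s in known_services}
    if exe == "svchost.exe" and name.lower() not in baseline:
        return "service %s (%s): svchost-hosted but not in baseline" % (name, display)
    return None


def triage(lines, known_services):
    """Run the right check over each raw line; returns the list of findings."""
    findings = []
    for line in lines:
        if _CF_SERVICE.match(line):
            finding = check_combofix_service(line, known_services)
        else:
            finding = check_path(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: paths and service lines lifted from the logs in this
# thread, plus one legitimate svchost entry for contrast.
SAMPLE = [
    r"C:\WINDOWS\svchost.exe",
    r"C:\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    r'"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE',
    r"R2 KMWDSERVICE;Keyboard And Mouse Communication Service;C:\Program Files\Mouse Driver\KMWDSrv.exe [2008-03-28 208896]",
    r"R2 wowsystem;Remote TCP/IPv6;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]",
]
BASELINE = {"Dhcp", "Dnscache", "wuauserv"}  # assumption: trimmed illustrative list

if __name__ == "__main__":
    for finding in triage(SAMPLE, BASELINE):
        print(finding)
```

Feed it a process listing or exported ImagePath values. It does not canonicalise 8.3 short names (PROGRA~1) or junctions, so normalise those first, and a clean result says nothing about a file infector that has modified the real system32\svchost.exe in place; that case needs a hash or Authenticode check of the file itself.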

Author Comment

ID: 22720632
Thank you so much for explaining that rpggirl.  I am currently waiting for my director to give me access to his PC.

Will let you know how things go.

Your information and help has been great, lets hope this gets rid of the virus once and for all.

Author Comment

ID: 22739464
Problem solved.  That script worked wonders, thank you very much rpggirl.

May I ask, what it did?  Your answer could be as brief as you want.

Thank you again.
LVL 47

Expert Comment

ID: 22740160
>>>May I ask, what it did?  Your answer could be as brief as you want.<<<

The script deleted the 2 files below:

C:\WINDOWS\syscheck <-- and the script also deleted this folder.
Now that you're done with Combofix, you can then uninstall it.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

One more thing: the version of Java on that PC is vulnerable to infections (especially Vundo infection). I suggest updating to the later or latest version.

Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).
Select and click Remove.

Then Download and install the newest version from here:


Author Comment

ID: 22740292
Hey there!

Well, you have really, really, helped me out here.  I cannot thank you enough.  One day maybe I'll be able to replicate the help that you have given here to someone else.

Thanks rpggirl - may you get triple the amount of XP on your next 100 kills.

LVL 47

Expert Comment

ID: 22740633
Hi Spencer,

No problem, glad it's resolved.

>>>may you get triple the amount of XP on your next 100 kills.<<<

I haven't played in a long time because once I started a game I couldn't stop, lol.

Thanks for the points and the excellent grade!

