
Scvvhsot.exe File Missing


10 replies to this topic

#1 nakul_594


Posted 21 February 2008 - 12:05 AM

Every time I start up my PC, I get a message saying that Windows cannot find the SCVVHSOT.exe file. What is it and how can I get rid of this message?


 


#2 Orange Blossom


Posted 21 February 2008 - 12:48 AM

Hello nakul_594 and welcome to BC

Can you verify the spelling on the file in question? I want to be sure that there were no typos as a misidentification in this case could be disastrous.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 nakul_594


Posted 21 February 2008 - 01:01 PM

Hi Orange Blossom!
I am sure the name of the missing file is SCVVHSOT.exe.

#4 hamluis


Posted 21 February 2008 - 01:13 PM

http://www.bleepingcomputer.com/startups/S....exe-18425.html

http://www.symantec.com/security_response/...-99&tabid=2

I'd suggest posting in the I Am Infected portion of this website, if the first link does not provide satisfaction.

Louis

Edited by hamluis, 21 February 2008 - 01:14 PM.


#5 Orange Blossom


Posted 21 February 2008 - 11:40 PM

Hello nakul_594,

Thanks for clarifying the spelling. As you can see from the links hamluis sent, that file is a bad one. However, the message you are getting is one that is the result of a registry key pointing to a file that is no longer there. The registry is saying "load this file" and the computer cannot find it, which in this case is a GOOD thing. To fix this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
That should take care of that message. My concern, however, is that such files rarely come alone. For now, let's see what SUPERAntiSpyware finds in Safe Mode. You will, of course, install it in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      o Close browsers before scanning
      o Scan for tracking cookies
      o Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • Reboot into Safe Mode
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • Reboot into Normal Mode
  • To retrieve the removal information for me please do the following:
      o After reboot, double-click the SUPERAntispyware icon on your desktop.
      o Click Preferences. Click the Statistics/Logs tab.
      o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      o It will open in your default text editor (such as Notepad/Wordpad).
      o Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom

edited to correct spelling error

Edited by Orange Blossom, 25 February 2008 - 07:35 PM.
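
The condition described in the post above, a startup registry value that still points at a file that is no longer on disk, can also be listed from PowerShell. This is an added example, not part of the original posts and not a feature of Autoruns; it assumes the entry sits in one of the four standard Run/RunOnce keys (Autoruns inspects many more locations), and the helper names Get-TargetPath and Test-TargetExists are hypothetical.

```powershell
# Added example: list Run/RunOnce startup values whose target file is missing.
# Read-only: it reports orphaned entries and deletes nothing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath([string]$Command) {
    # Expand %SystemRoot%-style variables, then isolate the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\path with spaces\x.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: cut at the first known executable extension.
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif|dll))(\s|,|$)') { return $Matches[1] }
    # Bare name without extension, e.g. ctfmon
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists([string]$Path) {
    if (Test-Path -LiteralPath $Path -PathType Leaf) { return $true }
    # A bare file name is resolved through PATH, as it would be at logon.
    if (-not (Split-Path -Path $Path -Parent)) {
        return [bool](Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $target = Get-TargetPath $command
        if (-not (Test-TargetExists $target)) {
            # One object per orphaned entry, for review before any manual removal.
            [pscustomobject]@{ Key = $key; Value = $name; Command = $command; MissingTarget = $target }
        }
    }
}
```

Each object in the output names the key, the value and the missing target, which is the same information needed to find the matching row in Autoruns. For `rundll32.exe` entries only the host executable is checked, not the DLL passed as its argument.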


#6 lowtek_otc


Posted 22 February 2008 - 01:29 AM

You are infected with malicious software. Please follow the steps that other members have laid out for you above.

#7 nakul_594


Posted 23 February 2008 - 01:45 AM

Thank you very much, Orange Blossom.

After doing what you advised, I am not getting that message again.

And the SUPERAntiSpyware found a number of threats in my system. I was totally stunned after discovering that my system is infected up to this extent. The removal information is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2008 at 10:45 AM

Application Version : 3.9.1008

Core Rules Database Version : 3407
Trace Rules Database Version: 1399

Scan type : Complete Scan
Total Scan Time : 02:07:48

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 5443
Registry threats detected : 34
File items scanned : 46020
File threats detected : 34

Unclassified.Unknown Origin

Adware.RX Toolbar

Adware.Tracking Cookie

Trojan.Media-Codec/V4
C:\Program Files\Online Video Add-on
HKU\S-1-5-21-776561741-57989841-725345543-1003\Software\Online Add-on

Adware.PointsManager-Uninstaller
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ALTNETUNINSTALL.EXE

Adware.Need2Find
C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\N2PLUGIN.DLL
C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\NPND2FN.DLL

#8 Orange Blossom


Posted 23 February 2008 - 01:57 AM

Hello nakul_594,

I'm glad the File Not Found message is now gone. Thanks for posting the SAS log. At this point, I'm going to turn this thread over to someone with more experience than I.

Orange Blossom

#9 usasma


Posted 23 February 2008 - 08:52 AM

I'm going to move this over to the Am I Infected forum due to the results of the Super AntiSpyware scan.

#10 boopme


Posted 23 February 2008 - 11:45 AM

So how is your machine running now?

#11 quietman7


Posted 23 February 2008 - 12:05 PM

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

IMPORTANT NOTE: One or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?".



