
Ad Aware Setup Wont Open And Too Many Svchost Process And No Hidden Files Viewable And Flashy!

21 replies to this topic

#1 canatan (Members)

Posted 22 February 2008 - 04:58 PM

okay so i guess the title pretty much sums it up!!!
ad aware won't install and i figured it was cuz my windows was 32 bit... but i looked for the 32 bit version and it still didn't open... and then i looked thru the processes list to find that i had like 6 svchost processes running and i don't know wat to do with those... did an autorun thingi and well that didn't make much sense to me so i just let it be... and then there was prevx which detected flashy and then there was spyware doctor which detected like a million things.... course none of em were fixed cuz they were all free scans!!!
and yeah i guess that's about it...
i need help.. currently running a trend micro scan ... i hate flashy and bla!!!

#2 boopme (Global Moderator)

Posted 22 February 2008 - 09:54 PM

Hello. I'm going with an XP system here. First uninstall Ad-Aware from Control Panel > Add/Remove Programs. Here is a free tool that does work.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 canatan (Topic Starter)

Posted 23 February 2008 - 02:46 PM

the scan didn't detect anything... i did make sure that c was checked.. and i unchecked all but the 3 options u said... and with the atf cleaner thingi... i use firefox but i don't think it detected firefox.. is it cuz my firefox is in E instead of C??

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2008 at 06:10 PM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 02:29:17

Memory items scanned : 185
Memory threats detected : 0
Registry items scanned : 5777
Registry threats detected : 0
File items scanned : 73609
File threats detected : 0

#4 boopme (Global Moderator)

Posted 23 February 2008 - 08:29 PM

Yes, also run 'E'. Is Windows installed to C or E?

#5 canatan (Topic Starter)

Posted 24 February 2008 - 09:56 AM

windows is installed to C but firefox is installed to E... so wat exactly should i do?

#6 quietman7 (Global Moderator)

Posted 24 February 2008 - 11:31 AM

Quoting canatan: "i looked thru the processes list to find that i had like 6 svchosts processes running and i dont know wat to do with those.."

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimise the running of the various services. Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it is scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate svchost.exe and related processes. First, see "How to determine what services are running under a Svchost.exe process".

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select Properties, you will see more details about the file.

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Although it has a new look, Ad-aware 2007 does not seem to offer much in major improvements with its scanning. mvps.org is no longer recommending Ad-Aware due to the ever increasing amount of problems. See here. (scroll down to the note). IMO SAS is more effective so I would not worry about installing Ad-aware. Use SAS to scan all your drives, primarily C:\ because malware likes to hide in the root and in your Windows folders.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
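The post above describes the svchost checks by hand: confirm the image path is system32, and use the HKLM\...\Svchost registry key and a process viewer to see which services each instance hosts. The following PowerShell script is an added example that performs those same checks in one pass; it is not part of quietman7's post and not code from Process Explorer or System Explorer. It reads the Svchost registry key to learn which services are registered for each service group, then walks every running svchost.exe, checks that its image is the one in the system32 folder, lists the services it hosts, and flags an instance whose path is elsewhere, that hosts no services, or that hosts services outside its registered group. It assumes Windows PowerShell with WMI available and an elevated prompt (otherwise the image path of SYSTEM-owned processes is unreadable); the WMI class and registry names used are standard Windows names, not values taken from the thread.

```powershell
# Added example (not from the thread): audit running svchost.exe instances.
# Assumes Windows PowerShell 2 or later with WMI, run from an elevated prompt.
# Get-WmiObject is used instead of Get-CimInstance so it also runs on older Windows PowerShell.

$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\WINDOWS\system32
$legitPath = Join-Path $systemDir 'svchost.exe'

# Service groups registered for svchost: each value under this key is a REG_MULTI_SZ list of
# the service names that may be loaded into an instance started with "-k <group>".
$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups   = Get-ItemProperty -Path $groupKey

# Map PID -> names of the services currently running inside that process.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
    $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
}

function Get-SvchostReport {
    foreach ($proc in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
        $path   = $proc.ExecutablePath
        $hosted = @($servicesByPid[[int]$proc.ProcessId])
        $group  = $null
        if ($proc.CommandLine -match '-k\s+(\S+)') { $group = $Matches[1] }

        $flags = @()
        if (-not $path)                { $flags += 'path unreadable (run elevated)' }
        elseif ($path -ine $legitPath) { $flags += "image outside system32: $path" }
        if ($hosted.Count -eq 0)       { $flags += 'hosts no services' }

        if ($group) {
            # Services loaded into this process that are not registered members of its group.
            $registered = @($groups.$group)
            $unexpected = @($hosted | Where-Object { $registered -notcontains $_ })
            if ($unexpected.Count -gt 0) {
                $flags += "services outside group '$group': $($unexpected -join ', ')"
            }
        } else {
            $flags += 'no -k <group> on command line'
        }

        New-Object PSObject -Property @{
            PID      = $proc.ProcessId
            Group    = $group
            Path     = $path
            Services = ($hosted -join ', ')
            Flags    = ($flags -join '; ')
        }
    }
}

# An empty Flags column is what a healthy instance looks like; anything else deserves a closer
# look with Process Explorer (Properties, and the lower-pane DLL list) as the post describes.
Get-SvchostReport | Sort-Object PID | Format-Table PID, Group, Services, Flags -AutoSize -Wrap
```

Several instances with an empty Flags column is normal; the post explains that Windows deliberately splits services across multiple svchost.exe processes. A flagged path is the strongest signal, since a look-alike binary must live somewhere other than system32.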

#7 canatan (Topic Starter)

Posted 25 February 2008 - 12:29 PM

i checked the svchost processes, they all seemed legitimate.. they were all verified... but there's still flashy that prevx detected.. and i think spyware doctor detected that my firefox was infected.. but i did the superantispyware scan thing again in safe mode and once again it was clear... so um... should i just delete flashy??

#8 quietman7 (Global Moderator)

Posted 25 February 2008 - 01:39 PM

Quoting canatan: "but there's still flashy that prevx detected"

Did it provide the full file path where it is located on your system?

If so, get a second opinion.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

#9 canatan (Topic Starter)

Posted 26 February 2008 - 09:56 AM

k, VirusTotal scan results:

File Flashy.exe received on 02.26.2008 15:30:09 (CET)

Result: 25/32 (78.13%)


Antivirus Version Last Update Result
AhnLab-V3 2008.2.22.0 2008.02.26 -
AntiVir 7.6.0.67 2008.02.26 W32/Dzan.a
Authentium 4.93.8 2008.02.26 -
Avast 4.7.1098.0 2008.02.26 Win32:Nimda
AVG 7.5.0.516 2008.02.26 -
BitDefender 7.2 2008.02.26 Win32.Virtob.X
CAT-QuickHeal 9.50 2008.02.26 W32.Virut.F
ClamAV 0.92.1 2008.02.26 W32.Virut.Gen.C-16
DrWeb 4.44.0.09170 2008.02.26 Trojan.Flashy
eSafe 7.0.15.0 2008.02.26 Win32.Virut.q
eTrust-Vet 31.3.5564 2008.02.26 Win32/Virut.10639.B
Ewido 4.0 2008.02.26 -
FileAdvisor 1 2008.02.26 -
Fortinet 3.14.0.0 2008.02.26 W32/Virut.fam
F-Prot 4.4.2.54 2008.02.25 W32/Virut.10640.A
F-Secure 6.70.13260.0 2008.02.26 W32/Virut.P
Ikarus T3.1.1.20 2008.02.26 Email-Worm.Win32.Brontok.N
Kaspersky 7.0.0.125 2008.02.26 Virus.Win32.Virut.q
McAfee 5237 2008.02.25 W32/Virut.gen
Microsoft 1.3204 2008.02.26 Virus:Win32/Virut.gen!AE
NOD32v2 2902 2008.02.26 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.02.26 W32/Virut.P
Panda 9.0.0.4 2008.02.25 W32/Virutas.gen
Prevx1 V2 2008.02.26 Generic.Malware
Rising 20.33.12.00 2008.02.26 Win32.Virut.GEN
Sophos 4.27.0 2008.02.26 W32/Chir-B
Sunbelt 3.0.893.0 2008.02.23 VIPRE.Suspicious
Symantec 10 2008.02.26 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.26 Virus.Win32.Virut.q
VirusBuster 4.3.26:9 2008.02.25 Win32.Dzan.A
Webwasher-Gateway 6.6.2 2008.02.26 Win32.Dzan.a
Additional information
File size: 203776 bytes
MD5: c95794b07cf6c04f213f0f83211a0a53
SHA1: 70cd39e5be1a4e5f42215358c810f75d5f94572b
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp...63F34006F2702B5


i didn't know how to save the spyware doctor scan results so i sorta wrote em down roughly before i removed it...

worm.im.sohanad 4
two registry keys, two registry values

trojan-pws.tanspy 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control panel\load


adware.advertising 1
browser cookie aa002 .atdmt.com


o and i can't view hidden files even when i change the options in the explorer... i usually go to cmd and then look at hidden files from there... flashy was a hidden file...

Edited by canatan, 26 February 2008 - 09:59 AM.


#10 quietman7 (Global Moderator)

Posted 26 February 2008 - 10:49 AM

Those results are not good. They indicate that Flashy.exe is a malware variant related to Win32.Virut. Virut/Virtob is a file infector virus with IRC bot functionality which infects all .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. When disinfection is attempted, the files become corrupted and the system may become irreparable.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?". Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.

#11 canatan (Topic Starter)

Posted 27 February 2008 - 05:11 PM

i'm not very sure if i want to reformat the computer just yet.. not great at decision making.. i'm the only one who uses the pc but i've got uni right now which means using a pc a lot, i use it for music and movies and stuff too .. but i got the viruses from computers at the university...
i installed avira antivir and it detected flashy.exe and quarantined it... should i delete the file?? or just reformat the entire pc?
and i have an external harddisk connected to the pc most of the time, it has all entertainment stuff.. and though it doesn't seem to have the flashy.exe virus... um... i'm still confused...

#12 quietman7 (Global Moderator)

Posted 27 February 2008 - 05:55 PM

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link. Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you.

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time. So go ahead and delete that file.

#13 canatan (Topic Starter)

Posted 28 February 2008 - 03:26 PM

okay deleted... one thing or the other shows up after every few scans... i still can't view hidden files... why?
and is antivir and avg a good combination or should i use avg and avast, or avast and antivir?

#14 quietman7 (Global Moderator)

Posted 28 February 2008 - 03:42 PM

Using more than one anti-virus program is not advisable regardless if the second is used as a stand-alone on demand scanner. Even when one of them is disabled, it can affect the other. Issues can arise when the active anti-virus detects the non-active one's definitions or quarantined files.

The primary concern with using more than one anti-virus program is due to conflicts that can arise when both are running in real-time mode simultaneously. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for the resources required to download the necessary files, this often results in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognised by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. When you have done that, rescan and let me know what you find.

FYI: Most anti-virus vendors recommend that you install and run only one anti-virus program at a time:
Symantec's statement.
Avast's statement.
AVG's statement.
Dell Support advises the same for their systems.

When necessary, you can always get another opinion by performing an Online Virus Scan.

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File > Exit.
Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #368 and click "Folder Options/View Empty - Restore Now" in the left column. Go to File, choose "Save page as" All Files and save viewfolderrestore.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a successful message delete the file and reboot.

If that does not work, download RatsCheddar.zip and save it to your desktop. It is a Policy Controller program written by Rathat to remove certain restrictions on XP systems often disabled by malware. This program was developed for Windows XP ONLY. Do not run this program in any other Operating System.
  • Extract (unzip) the file to the desktop. (Click here for information on how to do this if not sure.)
  • Double-click on RatsCheddar.exe to launch the tool.
  • Select Enable for everything listed, then click Exit.
  • Restart your computer.

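The post above has two steps: back up the registry, then merge a .reg file that restores the Folder Options view settings so hidden files become visible again. The PowerShell script below is an added example that carries out both steps; it is not part of quietman7's post and not the kellys-korner .reg file or RatsCheddar that the post links. It first exports the exact registry keys it is about to change with reg.exe export (the post backs up the whole registry through regedit's File > Export; restoring is reg.exe import of the saved file), then reports the current state of the Explorer hidden-files settings and, when they are not at their defaults, puts the defaults back. The value names used (CheckedValue and Type under the SHOWALL policy key in HKLM, and Hidden and ShowSuperHidden under the user's Explorer\Advanced key) are standard Windows Explorer locations that this kind of malware is known to tamper with; they are my assumption about what the linked .reg file restores, not something the thread states. The HKLM write needs an elevated prompt, and the change takes effect for Explorer after logging off and back on.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell, run from an elevated prompt.
# The registry value names below are standard Explorer locations: an assumption, not from the post.

# reg.exe form of the keys (for export/import) and PowerShell-provider form (for reads/writes).
$policyReg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$userReg   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$userPs    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$backupDir = Join-Path $env:SystemDrive 'RegBackup'   # the post saves its RegBackup to C:\

# Step 1: back up every key we are about to touch (same idea as regedit File > Export).
function Backup-RegistryKeys {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in $policyReg, $userReg) {
        $file = Join-Path $backupDir (($key -replace '[\\:]', '_') + "-$stamp.reg")
        & reg.exe export $key $file /y | Out-Null
        if (-not (Test-Path $file)) { throw "backup of $key failed; not continuing" }
        $file   # restore later with: reg.exe import <file>
    }
}

# Step 2: inspect the settings malware commonly flips to keep hidden files invisible.
function Get-HiddenFilesSetting {
    $p = Get-ItemProperty -Path $policyPs -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $userPs   -ErrorAction SilentlyContinue
    $healthy = ($p -ne $null) -and ($p.CheckedValue -eq 1) -and ($p.Type -eq 'radio')
    New-Object PSObject -Property @{
        CheckedValue    = $p.CheckedValue     # expected 1 (REG_DWORD); tampered systems show 0 or nothing
        Type            = $p.Type             # expected 'radio'; any other value breaks the option
        Hidden          = $u.Hidden           # 1 = show hidden files, 2 = do not show
        ShowSuperHidden = $u.ShowSuperHidden  # 1 = also show protected operating system files
        Healthy         = $healthy
    }
}

# Step 3: put the defaults back so the "Show hidden files and folders" option works again.
function Repair-HiddenFilesSetting {
    if (-not (Test-Path $policyPs)) { New-Item -Path $policyPs -Force | Out-Null }
    Set-ItemProperty -Path $policyPs -Name CheckedValue -Value 1 -Type DWord
    Set-ItemProperty -Path $policyPs -Name Type -Value 'radio' -Type String
    Set-ItemProperty -Path $userPs -Name Hidden -Value 1 -Type DWord
    Set-ItemProperty -Path $userPs -Name ShowSuperHidden -Value 1 -Type DWord
}

$backups = Backup-RegistryKeys
Write-Host "Backups written: $($backups -join ', ')"
$before = Get-HiddenFilesSetting
$before | Format-List CheckedValue, Type, Hidden, ShowSuperHidden, Healthy
if (-not $before.Healthy) {
    Repair-HiddenFilesSetting
    Write-Host 'Defaults restored; log off and back on for Explorer to pick them up.'
    Get-HiddenFilesSetting | Format-List CheckedValue, Type, Hidden, ShowSuperHidden, Healthy
}
```

If the setting reverts again after a reboot, something still running on the machine is re-applying the change, which is the situation the post's RatsCheddar step and the later reformat discussion address; re-run Get-HiddenFilesSetting after each scan to see whether that is happening.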

#15 canatan (Topic Starter)

Posted 01 March 2008 - 03:36 AM

thanks, the registry thing worked... i uninstalled avg ... what's the best antivirus? i know none can detect all but... free and otherwise... and you can run two antispywares right? i got spybot and spyware terminator running side by side... or is that not right as well?
and thank you so much for ur help
