
khvcol.exe, must be a virus.



#1 pncruse (Members, 1 post)

Posted 12 May 2010 - 02:03 PM

My Firefox was going VERY slow and I started getting popup errors about khvcol.exe not being able to start. I am sorry to say I don't remember the exact wording. I did run Malwarebytes almost immediately and it found 45-ish problems which I deleted, I also saved the log. Then I left the house with my computer on and when I came back I heard my computer reboot on its own several times from the living room. When I got to my office I got more popups about khvcol.exe getting blocked by something and not being able to start and then my computer rebooted on its own. Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3976

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

5/10/2010 7:35:32 PM
mbam-log-2010-05-10 (19-35-32).txt

Scan type: Quick scan
Objects scanned: 123435
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> No action taken.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> No action taken.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.5.0 (Adware.SmartAds) -> No action taken.
C:\Program Files\ezLife (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> No action taken.
C:\Program Files\ezLife\ezLife\1.5.5.0 (Adware.EzLife) -> No action taken.

Files Infected:
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.5.0\uninstall.exe (Adware.SmartAds) -> No action taken.
C:\Program Files\ezLife\ezLife\1.5.5.0\uninstall.exe (Adware.EzLife) -> No action taken.
C:\Users\User\AppData\Local\Temp\iexplarer.exe (Trojan.Agent) -> No action taken.
C:\Users\User\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
C:\Users\User\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> No action taken.
C:\Users\User\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> No action taken.
C:\Users\User\AppData\Local\Temp\xwaemosnrc.exe (Trojan.Downloader) -> No action taken.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> No action taken.
C:\Windows\System32\cooper.mine (Trojan.FakeAlert) -> No action taken.
C:\Windows\System32\lyvtqjbk.dll (Adware.EZlife) -> No action taken.
C:\Windows\System32\net.net (Trojan.Downloader) -> No action taken.
C:\Windows\System32\nmklo.dll (Worm.MarioFev) -> No action taken.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\lsass.exe (Trojan.Agent) -> No action taken.


Is there anything else I need to do before someone can start to help me?
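The log pasted above is the plain-text report format of Malwarebytes' Anti-Malware 1.x. As an added example (not code from this thread, from the poster, or from Malwarebytes), the following Python script parses that format and pulls out what a responder reads first from such a log: how many entries were actually acted on (every line in the log above ends in "No action taken", so the Safe Mode scan listed the items but removed nothing), Hijack.* policy entries that disable Regedit or Folder Options, and executables carrying the names of core Windows processes outside the system directory (svchost.exe and taskmgr.exe in the user's Temp folder, lsass.exe at C:\). The sample log embedded in the script is a constructed, abbreviated excerpt in the same format; the list of imitated process names and the flagging rules are the example's own assumptions, not MBAM logic.

```python
"""Summarise a Malwarebytes' Anti-Malware 1.x text log for triage.

Added example for this thread; not code from the poster or from Malwarebytes.
The flagging rules below are the example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed, abbreviated excerpt in the same format as the log posted above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3976

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Scan type: Quick scan
Objects scanned: 123435

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Users\User\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\nmklo.dll (Worm.MarioFev) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> No action taken.
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<path> (<Family>) -> [Bad: (1) Good: (0) -> ]<action>."  (non-greedy path so
# the "(1)"/"(0)" of data-item lines are not mistaken for the family name)
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Core Windows process names that malware commonly borrows (assumption of this
# example); a file with one of these names outside the system directory is
# worth a second look, e.g. svchost.exe in a user's Temp folder.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "taskmgr.exe", "csrss.exe",
                        "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    @property
    def removed(self) -> bool:
        # MBAM writes "No action taken" when items were only listed, not cleaned
        return not self.action.lower().startswith("no action taken")

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_mbam_log(text: str):
    """Return (metadata dict, list of Detection) for an MBAM 1.x log."""
    meta = {"safe_mode": False, "database_version": None}
    detections, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Database version:"):
            meta["database_version"] = int(line.split(":", 1)[1])
        elif line.startswith("Windows ") and "(Safe Mode)" in line:
            meta["safe_mode"] = True
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            # the action is always the last "->" segment of the line
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            detections.append(Detection(section, m.group("path"), m.group("family"), action))
    return meta, detections


def triage(text: str) -> dict:
    """Pull out what a responder reads first from the log."""
    meta, dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "database_version": meta["database_version"],
        "safe_mode_scan": meta["safe_mode"],
        "not_removed": [d.path for d in dets if not d.removed],
        # Hijack.* entries are policy values that disable Regedit/Folder Options
        "policy_hijacks": [d.path for d in dets if d.family.startswith("Hijack.")],
        "masquerading_binaries": [d.path for d in dets
                                  if d.basename in SYSTEM_PROCESS_NAMES
                                  and not d.path.lower().startswith(SYSTEM_DIRS)],
        "families": Counter(d.family for d in dets),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log from the post (saved to a file and passed to `triage`), the "not_removed" list equals the whole detection list, which is the practical reason the reply below asks for a fresh scan in normal mode followed by a reboot; the "policy_hijacks" entries are the values that need restoring before Regedit and Folder Options work again.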


#2 quietman7 (Bleepin' Janitor, Global Moderator, 52,069 posts, Virginia, USA)

Posted 12 May 2010 - 02:24 PM

Your Malwarebytes Anti-Malware log indicates you are using an older version (1.45) of MBAM with an outdated database. Please download and install the most current version (v1.46) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

The database shows 3976. Last I checked it was 4093.

Update the database through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware
Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Follow these instructions: How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
