Svohost.exe Removal In Hjt Log, Winxp Sp1


4 replies to this topic

#1 RTW DC2


Posted 10 December 2005 - 06:58 PM

Did some research on the svohost.exe file, appears to be related to a few different trojans out there, Smitfraud being one of them. When running HJT, this entry shows up like this:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\svohost.exe

I was not able to delete the file in Safe Mode, but was able to delete it on reboot with Killbox. Now after rebooting and getting to desktop, get message that the file can't be found. Obviously, because I deleted it.

Now, how do I go about removing this entry or cleaning it from the registry without ruining Explorer.exe? I had a similar issue, actually it might be the same exact issue before (posted in here not too long ago), and I believe I removed the entry using HJT and it ended up killing Explorer.exe and making the desktop unusable and eventually had to reinstall. I'm assuming it changed System.ini judging by the HJT entry, but if I just delete it I think it will make Explorer.exe not load at startup.

Any suggestions?



#2 Joshuacat


Posted 10 December 2005 - 09:35 PM

You could post a HijackThis log in our HijackThis Logs and Analysis forum.
Before you do, please read and follow the instructions in the Preparation Guide for use before posting a HijackThis Log.

Good luck.

JC

#3 usasma


Posted 12 December 2005 - 11:53 AM

HJT only fixes the entry that it points to in the HJT log - it does not fix the cause of the problem. That requires the skill of one of the HJT Log experts - they can zero in on the problem and give you specific instructions on how to remove the source of this problem.

#4 quietman7


Posted 12 December 2005 - 02:07 PM

"I believe I removed the entry using HJT and it ended up killing Explorer.exe and making the desktop unusable"

Most of the entries in a HijackThis log are required to run a computer and removing essential ones can potentially cause serious damage such as your Internet no longer working or problems with running Windows itself. Follow the good advice you have been provided here. If you attempt to fix anything yourself using HJT without knowing specifically what you are doing you may make your entire computer unusable.

#5 RTW DC2


Posted 14 December 2005 - 03:08 PM

For what it's worth, here is the "fix" I used and it works fine now.

I basically searched the registry for "svohost.exe" and it showed up in the HKLM\Software\Microsoft\Windows NT\Winlogon\Shell key like this: "explorer.exe C:\windows\system32\svohost.exe". I checked another computer and it only showed "explorer.exe" without the reference to the svohost.exe file. I modified the entry, removing "C:\windows\system32\svohost.exe" and it seems to work fine now.
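
The comparison described in post #5 (the Shell value checked against a clean machine's plain "explorer.exe"), as an added example that is not part of the original thread: it parses the HijackThis F2 line format from post #1 and reports what was appended to the shell. The function names and the sample log are constructed for illustration, and treating spaces and commas as separators is a simplifying assumption.

```python
import re

# Value seen on the clean comparison machine in post #5.
EXPECTED_SHELL = "explorer.exe"
# HijackThis F2 line format as shown in post #1.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)


def split_shell_value(value):
    """Split a Shell value into (shell, extra_commands)."""
    # Assumption: entries are separated by spaces or commas. A path that
    # contains spaces comes back as several tokens, which still flags it.
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return (tokens[0], tokens[1:]) if tokens else ("", [])


def audit_shell_value(value):
    """Return a finding dict for one Shell value."""
    shell, extras = split_shell_value(value)
    # Only the bare default name counts as clean; a look-alike or a copy
    # of explorer.exe in another directory is reported for review.
    shell_ok = shell.lower() == EXPECTED_SHELL
    return {
        "shell_ok": shell_ok,
        "extras": extras,
        "suspicious": (not shell_ok) or bool(extras),
        "cleaned": EXPECTED_SHELL if shell_ok else None,
    }


def audit_hjt_log(log_text):
    """Return (line, finding) pairs for modified Shell entries in a log."""
    findings = []
    for line in log_text.splitlines():
        m = F2_SHELL.match(line.strip())
        if m:
            result = audit_shell_value(m.group("value"))
            if result["suspicious"]:
                findings.append((line.strip(), result))
    return findings


# Constructed sample: the F2 line from post #1 plus one unrelated line.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\Example\\app.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\System32\\svohost.exe
"""

if __name__ == "__main__":
    for line, result in audit_hjt_log(SAMPLE_LOG):
        print(line, "| extra:", result["extras"], "| restore to:", result["cleaned"])
```

The `cleaned` field is the value to restore by hand; as post #3 notes, correcting the entry does not address whatever wrote it.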



