TDSS TDL4 - scvhost.exe errors


3 replies to this topic

#1 kmiller_wc (Members, 25 posts)

Posted 15 May 2011 - 03:18 PM

Greetings,

Got this virus 5/13. Mistakenly (I think) didn't use System Restore.
I did so many things to attempt a fix I may be missing some steps or have the order wrong.

Symptoms:
1) MS Removal Tool
2) all program file menu items grayed out (empty)
3) browser hijacked
4) researched MS Removal Tool from my UBUNTU machine

My actions:
1)
a) got BSOD trying to get to safe mode - INVALID_WORK_QUEUE_ITEM
b) discovered that JGOGO.sys was causing BSOD - disconnected SATA external
c) got to safe mode; did a chkdsk. That found errors in my ntuser.dat. I renamed it to ntuser.dat.old thinking that I didn't want it being used if it was infected/damaged.
d) got to regedit: followed instructions for removing MS Removal Tool; deleted suggested entries in registry, startup, Local Settings, etc. per instructions
e) still had hijacking - wanted to try MBAM; was being blocked from access
f) did an MBAM scan with existing db but ineffective.

2) Did an XP repair of the existing install.
a) The repair install created a new user with all the default XP background etc. User was Kmiller, now Kmiller.ROADUNIT (machine name).
b) also ran sfc /scannow at some point

3) Started trying different antivirus apps, transferring them on CD from UBUNTU machine to laptop
a) Kaspersky - wouldn't install - machine infected - per instructions, used another Kaspersky utility (forgot name) - no effect
b) ran GMER; found rootkit immediately - crashed machine
c) installed AVG; scanned all files (2 hours); clean. Then realized the rootkit search was separate from file scan. Used rootkit scan. It cleaned 5 of 11 found. The other six it can't remove.
d) Applied all Windows updates - many updates - including SP3
e) Mostly usable but still having scvhost errors: 0x00ab0eec, then 0x00dc9eec
f) Tried many tools to attempt a fix: TDSSKiller, DrWeb, ATF-Cleaner, Sophos, BlackLight, etc...

4) Came here.

Any help much appreciated...
-km

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 boopme (Global Moderator, 73,573 posts, NJ USA)

Posted 15 May 2011 - 08:18 PM

Looks like you're in a real mess. Before this PC gets borked...
We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If you have the GMER log, post it; if not, skip it and move on.

Let me know if that went well.

Edited by boopme, 16 May 2011 - 12:12 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 kmiller_wc (Topic Starter, Members, 25 posts)

Posted 15 May 2011 - 11:50 PM

I hear what you're sayin'.
I'm in the process of doing that now.
First I wanted to back up Docs&Set.
Couldn't tell if Acronis was working or not, so I just WinRAR'ed the thing. (4 hours)
I hope that archive is usable. Shipped it out to external.
I've got a 2-month-old disk image. Was thinking of using that. Opinion?

Thanks, -km

#4 boopme (Global Moderator, 73,573 posts, NJ USA)

Posted 16 May 2011 - 12:15 PM

Probably a good idea. Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding their own extension to, and hiding it behind, the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Here's our quietman's canned reply on this. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension, as shown in Figure 1, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review: These links include step-by-step instructions with screenshots: Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
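The backup rules in the reply above (skip the listed extensions, skip archives that wrap executables, and look closely at double extensions like "photo.jpg.exe") can be applied mechanically before anything is copied back onto the rebuilt machine. The script below is an added example, not part of boopme's reply or of any BleepingComputer guide. It assumes the backup tree (for instance the Documents and Settings copy the topic starter archived) has been extracted onto the Ubuntu machine mentioned in post #1, where Windows' "hide known extensions" setting cannot mask the real name. The exclusion list is the one quoted in the reply; the EXECUTABLE_EXTS set used for the double-extension check goes a little beyond the post and is an assumption, as is the constructed sample tree.

```python
"""Triage an extracted backup tree before restoring it (added example, not the forum's own tool).

Buckets every file as:
  disguised - a document-looking name that really ends in a runnable extension
              (the "adding to the existing extension" trick in the reply);
  risky     - one of the extensions the reply says not to back up;
  ok        - everything else, i.e. the data that may be restored after an AV scan.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions the reply says not to restore.
RISKY_EXTS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
              ".xml", ".zip", ".rar", ".cab"}

# Extensions Windows will execute when double-clicked. Assumption: slightly wider than
# the reply's list, so "invoice.pdf.bat" is caught as well as "vacation.jpg.exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def classify(relpath: str) -> str:
    """Return 'disguised', 'risky' or 'ok' for one file name inside the backup."""
    name = os.path.basename(relpath)
    suffixes = [s.lower() for s in Path(name).suffixes]   # "a.jpg.exe" -> ['.jpg', '.exe']
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS:
        return "disguised"          # second extension hides a runnable one
    if suffixes and suffixes[-1] in RISKY_EXTS:
        return "risky"              # on the do-not-back-up list
    return "ok"


def triage(root: str) -> dict[str, list[str]]:
    """Walk root and bucket every file; paths are root-relative, '/'-separated, sorted."""
    buckets: dict[str, list[str]] = {"disguised": [], "risky": [], "ok": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            buckets[classify(rel)].append(rel.replace(os.sep, "/"))
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def build_sample_tree() -> str:
    """Constructed sample backup (not real data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    sample = [
        "My Documents/report.doc",
        "My Documents/resume.doc.scr",      # screensaver posing as a document
        "My Pictures/vacation.jpg",
        "My Pictures/vacation.jpg.exe",     # executable posing as a photo
        "Desktop/readme.htm",               # script-capable, on the exclusion list
        "Desktop/tools.zip",                # archive that may wrap executables
        "Application Data/notes.txt",
    ]
    for rel in sample:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for bucket, paths in result.items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

Run it against the real extraction directory instead of the sample tree and copy back only the "ok" bucket, after scanning it with the anti-virus, as the reply advises; the "disguised" bucket is worth keeping aside as evidence of what the infection dropped into the profile.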



