Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

strange virus problems

Started by corrupted9 , Apr 03 2005 02:25 PM

  • This topic is locked This topic is locked

#1
corrupted9
Posted 03 April 2005 - 02:25 PM

corrupted9

    New Member

  • Member
  • Pip
  • 4 posts
hi, i came to use my computer yesterday and it was running hideously slow. when i minimised any windows they didnt go to the taskbar they either sat on top of it or vanished completely. in addition some thinks i click on on the internet just do not appear. i looked in the msnconfig startup list to find nothing really odd looking. i then checked the task manager to find that my CPU usage was at 100% even though i had no open programs. i checked the processes list and saw that i had 2 SVCHOST.EXE process. 1 of these had 00 CPU usage and one of them has 99 CPU usage. i deleted the one with all of the CPU usage and my computer simply restarted itself. i then deleted the one with 00 which created some random graphics glitches and weird random fonts in menus. i was then advised by someone on a music forum that i post on, to do a HiJack This scan. this resulted in the log at the bottom of the post. He said that the smss.exe and lsass.exe processes could be linked to the flood.f trojan or the sasser worm. i was also told that the SVCHOST.EXE problem could be linked to the welchia worm.

i am running windows XP and have tried numerous spyware programs and virus checker packages including the symantec sasser worm and welchia worm fixers but my computer is still running terribly. i would be very grateful if someone could help me get back to running normally again. my hijack this log is below. thanks.

Logfile of HijackThis v1.97.7
Scan saved at 3:17:28 PM, on 4/3/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Set Up Programs\hijack this\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


  • 0

Advertisements

#2
corrupted9
Posted 04 April 2005 - 03:17 AM

corrupted9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
i have since found out that this is probably the welchia worm. someone on another forum posted a very similar problem with the welchia worm disguising itself as SVCHOST.exe and eating all the processor power.
  • 0

#3
corrupted9
Posted 04 April 2005 - 09:03 AM

corrupted9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
i have now run the symantec welchia fixer about 6 times now and it says that the welchia worm is not on my computer.

anyone have any ideas of how to stop this SVCHOST.EVE chewing up my processor power?
  • 0

#4
Crustyoldbloke
Posted 19 April 2005 - 01:30 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello and welcome to GTG

Please accept my apologies for the late reply.

If you’re still looking to resolve this issue, please run through the steps outlined in this Topic

If that doesn’t cure your problem, please post back a fresh HijackThis log when done.

If, however, you have resolved this issue please let us know.

Thank you for your co-operation and once again apologies for the late reply.
  • 0

#5
corrupted9
Posted 19 April 2005 - 08:19 AM

corrupted9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hi, thanks for replying.

in the end i had to resort to formatting my computer to solve the problem as i was running out of time with university work and it seemed like the easiest and quickest way.

i will read that topic you posted though, as a precaution incase i come across this bug again.

i also now have installed the necessary fixes and patches to help prevent it happening again.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP