Problem:Windows firewall

[joey_182]

guys help me out with this..

i dont know wat happened..i saw my sent data was constantly increasing..
i checked windows firewall but it didnt open it says windows canot open firewall settings...then i sacnned my pc with bitdefender found the virus and moved...but again i was not able to open windows firewall....
so now i m using bitdefender firweall...
but i want my windows firewall back...

help me

[anandk]

rescan ur pc with ur av and as in safe mode. then use ccleaner. reboot.
then apply the reg patch from here and reboot.

[joey_182]

i wanted u too reply...and yes u r here...
thnx buddy...not only for this problem but also ur work on digit...
gr8..

ok..after scanning and log file says that my svchost.exe is infected with virus and is deleted..so whenever i restart my pc it prompt four times and says that "bla bla cannot start"..."windows was unable to find svchost.exe"

well in startup i have removed this thing to prompt but where is my svchost.exe file ?how to solve this

[anandk]

cud u pls post ur hjt logfile here ?

[abhijangda]

Hey joey, the file which is deleted named svchost.exe is a system file. Go to run type "sfc /scannow" without quotes. Insert your xp cd without when prompted then this file will be copied to your windows/system32 folder.

[joey_182]

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:35 PM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Opera\Opera.exe
M:\all softwares\antivirus and spy's\HijackThis_v1.99.1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {0F01FF26-18F5-4613-BFD6-14DE2FBA24C3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - E:\Program Files\eSnips\SnipBar.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All Links with IDM - E:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Snip to my eSnips account - E:\Program Files\eSnips\res\SnipIt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{065D88B2-35CE-424F-88DB-67A105DBF75B}: NameServer = 218.248.240.79 218.248.240.135
O17 - HKLM\System\CCS\Services\Tcpip\..\{F351888C-EA52-4B97-A63A-11934D0E3A86}: NameServer = 61.1.96.69,61.1.96.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{065D88B2-35CE-424F-88DB-67A105DBF75B}: NameServer = 218.248.240.79 218.248.240.135
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: qomnmnm - qomnmnm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: hirtellous - {fa19bd7e-50bc-4203-80ac-c4edc81ca9a3} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

log file..

@abhi...rite now i dont have the cd

[anandk]

malware can b named anything inclu svchost.exe ! whats imp is the location !
ur logfile shows that u have been infected with scvhost.exe !!! its located in C:\WINDOWS\system32\scvhost.exe and is also called SDBOT.N TROJAN. there r also some smtitfraud remnants.

download and use delete doctor to remove the first. then use SmitFraudFix. finally clean up ur residual pc junk with ccleaner.

in future u can always get ur logfile auto-analysed at www,hijackthis.de it givs a lot of info about ur pc state

[joey_182]

u mean i have to delete this file(C:\WINDOWS\system32\scvhost.exe)....using delete doctor...???

[anandk]

C:\WINDOWS\system32\svchost.exe is the legit MS process

C:\WINDOWS\system32\scvhost.exe is the malware/trojaner
just to put u at ease check out at http://www.neuber.com/taskmanager/pr...vhost.exe.html or
http://www.liutilities.com/products/...brary/scvhost/
u may also rt click on it to check its props.
go ahead and delete this file !
just make sure u r deleting this scvhost.exe !

if u r still feeling worried, get the file checked online with multiple scan engines at http://www.virustotal.com/en/virustotalf.html and http://virusscan.jotti.org/
u will c that it indeed is malware

[joey_182]

ok thnx...buddy..u r genius...