Author Topic: Suspected Virus  (Read 4037 times)


XtremeKirby

  • Guest
Suspected Virus
« on: August 24, 2005, 11:23:50 PM »
Hello,

When I checked my computer today with Hijack This, and also the Hijackthis.de website, I got something called O4 - HKLM\..\Run: [] C:\WINDOWS\system32\SVCH0ST.EXE. I searched the internet for SVCH0ST (The O is actually a zero, so this file cannot be the original svchost.exe.) and most of the websites reported it as a virus. I also checked WINDOWS/system32 and I found no such file. I scanned the system32 folder with avast! and found nothing.

Should I be concerned?

Thanks.

P.S. I also included the Hijack This log file.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Suspected Virus
« Reply #1 on: August 24, 2005, 11:34:28 PM »
If you show Hidden and System files in Windows Explorer, won't this file appear?
The best things in life are free.

XtremeKirby

  • Guest
Re: Suspected Virus
« Reply #2 on: August 25, 2005, 12:52:55 AM »
Hello Tech,

I tried showing Hidden and System files in Windows Explorer and it doesn't appear. I also tried to search the folder for SCVH0ST.EXE with Including Hidden Files, System Folders, and subfolders checked and found no such file.

Should I still be concerned? Is there something wrong with Hijack This or am I just overlooking it? Any additional help would be appreciated.

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Suspected Virus
« Reply #3 on: August 25, 2005, 01:12:58 AM »
Obviously you found this in HijackThis; if you tick the fix option it should get rid of the file and the run command in the registry. Did you tick the fix box alongside the 04 Run entry? Otherwise HJT won't do anything.

HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.
OR HiJackThis Log file - On-line Analysis 2

This Google result indicates several things drop the scvh0st.exe and gives some things to look for in the Startup section of msconfig (Start button, Run, type msconfig, click the Startup tab and see if there is anything like the examples given).
http://startup.iamnotageek.com/srch-svch0st.exe.html

Is your XP up to date, e.g. SP2 with the latest updates?
Do you have a firewall, if so what?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
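
The name check the first post does by eye (a zero where the O should be in an O4 Run entry), as an added example that is not part of the thread: it parses HijackThis O4 lines and flags file names that imitate a Windows system binary. The list of imitated binaries, the look-alike map and the function names are assumptions; every sample line except the SVCH0ST.EXE entry is constructed.

```python
import re

# Windows binaries whose names malware commonly imitates (illustrative list).
KNOWN = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
# Digit-for-letter swaps, such as the zero-for-O in the thread.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# HijackThis autostart line: O4 - <key>: [value name] <command>
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)\b', re.I)

def one_edit_apart(a, b):
    """True if a turns into b by one substitution, insertion/deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) < len(b):                       # one character inserted or deleted
        return a[i:] == b[i + 1:]
    if a[i + 1:] == b[i + 1:]:                # one character substituted
        return True
    return a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]  # adjacent swap

def check_line(line):
    """Return (file name, imitated binary, reason) for a suspicious O4 line, else None."""
    m = O4_RE.match(line.strip())
    exe = EXE_RE.search(m["cmd"]) if m else None
    raw = exe.group(1).lower() if exe else ""
    folded = raw.translate(LOOKALIKES)
    if not raw or raw in KNOWN:
        return None                           # not an O4 .exe entry, or an exact system name
    if folded in KNOWN:
        return (raw, folded, "look-alike characters")
    for good in KNOWN:
        if one_edit_apart(raw, good) or one_edit_apart(folded, good):
            return (raw, good, "one edit from a system binary")
    return None

def scan(log_text):
    return [hit for hit in map(check_line, log_text.splitlines()) if hit]

# The SVCH0ST.EXE line is the entry quoted in the first post; the others are constructed.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKCU\..\Run: [Update] C:\WINDOWS\scvh0st.exe"""
print(scan(SAMPLE_LOG))
```

The check looks only at the name recorded in the log, so a Run value whose target file is missing from disk, as in this thread, is still flagged.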

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Suspected Virus
« Reply #4 on: August 25, 2005, 03:06:22 AM »
If you find a virus keeps coming back after you delete it, it's most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all that, run a full avast! scan. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k.

Enable/Disable System restore on Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
Enable/Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Anyway, can't you scan at boot time with avast and scan with other antispyware applications too?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Suspected Virus
« Reply #5 on: August 25, 2005, 02:41:57 PM »
System Restore itself doesn't get infected; rather, a restore point in the System Volume Information folder in XP contains the virus deleted from a system folder. It is a simple repository for data.

I don't believe System Restore brings things back automatically, otherwise everything would be restored. Something has to retrieve it and restore it, either a user-initiated selection of a restore point or something that knows what location of which restore point contains that infected file. So that something has to be running and should be able to be found by something like HJT.

For me that can really only be System Restore, as the restore point names are generated by SR, so how could a piece of third-party software know which restore point contains the virus so it can be retrieved?

My belief is the virus is getting back in the same way it arrived previously (so the exploits, etc. have to be closed). Because it is the same virus, it is likely it will have the same name and will be stored in the same location. So yes, it comes back, but I don't believe it is because of System Restore; but yes, disabling System Restore will clear old restore points so it can't be manually restored.