Author Topic: is [Windows Firewalll] svvhost.exe a virus?  (Read 5017 times)

Omar

  • Guest
is [Windows Firewalll] svvhost.exe a virus?
« on: October 12, 2004, 09:45:12 AM »
this entry:

O4 - HKLM\..\Run: [Windows Firewalll] svvhost.exe

looks dangerous to me. I have XP and have been using avast home edition. I have run an avast boot time scan, nothing came up.

I have run trend micro as well, nothing found. I have also run adaware and cws shredder.



I tried looking for:
C:\WINDOWS\System32\svvhost.exe (I enabled the option for hidden files and folders) but nothing came up for this file.

Here is my log.



Scan saved at 23:15:05, on 11/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ush.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ush.net/board
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ush.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.timecomputers.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Windows Firewalll] svvhost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Windows Firewalll] svvhost.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/s w.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.tren dmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A860EBB1-22CD-42F1-A309-6 7ACB7E8A92D}: NameServer = 213.40.66.126 213.40.130.126


I have got hijack this to fix:

O4 - HKLM\..\Run: [Windows Firewalll] svvhost.exe

about 10 times, but it keeps showing up!

« Last Edit: October 12, 2004, 09:50:26 AM by Omar »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:is [Windows Firewalll] svvhost.exe a virus?
« Reply #1 on: October 12, 2004, 10:43:34 AM »
- Disable system restore.
- Reboot
- Run HijackThis

--------------------------------------------------------------------------------
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [windows firewalll] svvhost.exe
o4 - hklm\..\runservices: [windows firewalll] svvhost.exe
o16 - dpf: {166b1bca-3f9c-11cf-8075-444553540000} (shockwave activex control) - http://download.macromedia.com/pub/shockwave/cabs/director/s w.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.tren dmicro.com/housecall/xscan53.cab
o16 - dpf: {80dd2229-b8e4-4c77-b72f-f22972d723ea} (avxscanonline control) - http://www.bitdefender.com/scan/msie/bitdefender.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [messengerplus2] "c:\program files\messenger plus! 2\msgplus.exe"
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe

- Do a search on your drive for svvhost.exe and when found remove it.
- Reboot

And please leave the line saying what version of HJT you have used in the posted log also next time.
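
The entry flagged in this thread shows three traits that can be checked mechanically: the file name svvhost.exe is one letter away from svchost.exe (which appears in the posted running-process list), it is registered without a path, and it appears under both Run and RunServices. The following is an added example, not part of any post in this thread and not HijackThis's own logic; the function names and the SYSTEM_NAMES list are assumptions made for illustration.

```python
import re

# Constructed sample: O4 lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Firewalll] svvhost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Windows Firewalll] svvhost.exe
"""
# Assumption: a small hand-picked list of genuine Windows process names.
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"]
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_name(cmd):
    """Return (lower-cased file name, has_path) for a Run command line."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.I)
    path = (m.group(1) or m.group(2)) if m else cmd
    return path.rsplit("\\", 1)[-1].lower(), "\\" in path

def triage(log):
    """Map each suspicious executable name to the sorted reasons it was flagged."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m["key"],) + image_name(m["cmd"]))
    findings = {}
    for _, exe, has_path in entries:
        reasons = ["one edit away from " + real
                   for real in SYSTEM_NAMES if edit_distance(exe, real) == 1]
        if not has_path:
            reasons.append("no path given")
        keys = {k for k, e, _ in entries if e == exe}
        if len(keys) > 1:
            reasons.append("registered under %d autostart keys" % len(keys))
        if reasons:
            findings[exe] = sorted(reasons)
    return findings
```

On the sample, SOUNDMAN.EXE is reported only for its missing path, a weak signal on its own, while svvhost.exe collects all three reasons.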

Omar

  • Guest
Re:is [Windows Firewalll] svvhost.exe a virus?
« Reply #2 on: October 12, 2004, 12:10:55 PM »
Thank you for your help so far. Before I fix those things, I have a few questions.

Why are these 2 harmful? They belong to trend micro and bit defender virus scans; they were ActiveX, which they said I had to install before I could run the scans.

o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.tren dmicro.com/housecall/xscan53.cab
o16 - dpf: {80dd2229-b8e4-4c77-b72f-f22972d723ea} (avxscanonline control) - http://www.bitdefender.com/scan/msie/bitdefender.cab




You said to fix:

o4 - hklm\..\run: [messengerplus2] "c:\program files\messenger plus! 2\msgplus.exe"
o4 - hkcu\..\run: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

These seem to belong to the msn messenger programme, do they still need to be fixed?

What about these 3 entries, are they harmful? Should they be fixed?

O9 - Extra button: Messenger (HKLM)
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - Global Startup: hp psc 1000 series.lnk = ?


Finally, I ran the hijack analyzer, it says:

C:\WINDOWS\system32\slserv.exe  (nasty)     running process. (slserv.exe)
slserv.exe  

If you have SiS Drivers installed, this entry is normal. It could also mean that you have been infected by the W32/Gaobot.CR virus. Use an Antivirus to check this.

What do I do about this?




« Last Edit: October 12, 2004, 12:23:43 PM by Omar »

Offline Eddy

Re:is [Windows Firewalll] svvhost.exe a virus?
« Reply #3 on: October 12, 2004, 03:00:40 PM »
dpf is short for Downloaded Program File. Removing these entries is just to clean up the registry. It won't change anything else.

About msn, read what it says just above that:
Quote
THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

slserv.exe is installed alongside Smartlink communication products and offers additional support to the modem service. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.