Author Topic: Trjoan- gen in system32  (Read 26076 times)


Liquid

  • Guest
Trjoan- gen in system32
« on: November 15, 2004, 01:32:17 PM »
Hi guys, I've gotten a virus today located in something called srvchk.exe and I accidentally deleted this file.

So I'm wondering if this is a part of Windows that's necessary, or if I don't have to care about it?

I can give you more specific details when you reply.

Thx guys!

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #1 on: November 15, 2004, 01:36:31 PM »
Here's my HijackThis log, if you can do anything with it.

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #2 on: November 15, 2004, 01:36:50 PM »
Logfile of HijackThis v1.98.2
Scan saved at 13:35:30, on 2004-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\PestPatrol\PPMemCheck.exe
C:\Program\PestPatrol\PPControl.exe
C:\Program\PestPatrol\CookiePatrol.exe
C:\Program\Mouse Driver\mouse_2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\Program\SETI@home\SETI@home.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\BitComet\BitComet.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\Liquid\LOKALA~1\Temp\Rar$EX00.328\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Program\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Program\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program\Mouse Driver\mouse_2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096629807612
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab


lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #3 on: November 15, 2004, 02:02:08 PM »
Below is the only "real" problem, this should be removed.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

The two below are unnecessary because they are missing the files to run them and therefore can be removed.

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
AND
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)     

is part of Windows Server 2003 and lists non-hidden shares on a computer and counts the access control lists for each share.

--lee

« Last Edit: November 15, 2004, 02:04:20 PM by lee16 »
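lee16 reads the HijackThis output above by eye. As an added illustration, which is not part of this thread and not HijackThis's own code, the Python script below parses the same text format and pulls out the three things a reader checks first: entries marked "(no file)" (orphaned registrations like the two O9 lines lee16 quotes), the programs started from the HKLM/HKCU Run keys (O4 lines), and ActiveX controls the browser downloaded from the web (O16 lines). The sample lines are copied from Liquid's log in Reply #2; the `Entry` type and all function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: six lines copied from the HijackThis v1.98.2 log posted
# in this thread. Nothing here runs HijackThis; it only reads its text output.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
"""

# Every report line starts with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body layout: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. "O4", "O9", "O16"
    body: str      # the rest of the line


def parse_entries(text: str) -> list:
    """Split a HijackThis log into (section, body) entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def orphaned_entries(entries) -> list:
    """Entries whose target file no longer exists; HijackThis marks them '(no file)'."""
    return [e for e in entries if e.body.rstrip().endswith("(no file)")]


def executable_from_command(cmd: str) -> str:
    """Extract the program path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def autostart_programs(entries) -> list:
    """(hive, value name, executable) for every O4 Run entry."""
    programs = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.body)
        if m:
            programs.append((m["hive"], m["name"], executable_from_command(m["cmd"])))
    return programs


def remote_downloads(entries) -> list:
    """URLs of O16 entries: ActiveX controls the browser fetched from the web."""
    urls = []
    for e in entries:
        if e.section == "O16":
            urls.extend(URL_RE.findall(e.body))
    return urls


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print("orphaned:", e.section, e.body)
    for hive, name, exe in autostart_programs(found):
        print(f"autostart: {hive} [{name}] -> {exe}")
    for url in remote_downloads(found):
        print("downloaded control:", url)
```

The orphaned O9 entries are exactly the ones lee16 says can go: the registry still points at a Java console button whose file is gone. The O4 list is what an attacker-planted file in system32 would typically need to add to itself to survive a reboot, so it is the list to compare against the programs you know you installed.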

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #4 on: November 15, 2004, 02:30:09 PM »
Thanx a million for the reply (fast too), you guys simply have the best support, I have to say.

I also have another question about the smss.exe file: it should only be located in the system32 folder, right? But I have the same one in C:\Windows\$NtServicepackUninstall$ and C:\Windows\ServicePackFiles\i386. I've put them in the bin for now, but should I delete them?

lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #5 on: November 15, 2004, 02:37:41 PM »
I think they were fine where they were; it handles sessions on your system and is important for secure and stable running of a system. I think it's best if you restore the files from your recycle bin.
I'll do a bit of research to make sure I'm correct though.

--lee

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #6 on: November 15, 2004, 02:42:22 PM »
Ok, can't thank you enough for the help ;D
« Last Edit: November 15, 2004, 02:58:09 PM by Liquid »

lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #7 on: November 15, 2004, 03:01:55 PM »
Ok, I looked into it and asked a few questions; I was correct saying smss.exe was safe in those folders.

--lee
« Last Edit: November 15, 2004, 03:02:08 PM by lee16 »

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #8 on: November 15, 2004, 03:06:10 PM »
Ok thanx again buddy, but why does it say on several sites that it should only be in the system32 folder?

Am I safe now, you think? Should I do something more to ensure I'm clean? I've run SpySweeper, which detected a system monitor called Mom that came with the virus, and it has been removed. I've also run some other spyware programs but they didn't find anything. Should I give you another log from HijackThis?

Also the file I deleted, srvchk: do I need it? I didn't quite understand your answer. Is it necessary for anything?

"That´s some birthday-present i got >:("
« Last Edit: November 15, 2004, 03:17:57 PM by Liquid »

lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #9 on: November 15, 2004, 03:17:28 PM »
Quote
but why does it say on several sites that it should only be in the system32 folder

Hmm, ok, are you using avast anti-virus?

Quote
i´ve also run some other spyware programs but they didn´t find anything

Not all spyware programs are good, look here for some info on them.


Quote
Should i give you another log from HijackThis?
OK

Quote
Also the file i deleted: srvchk, do i need it? I didn´t quite understand your answer. Is it necessary for anything?

Unless you have shares on your PC, I believe it's fine deleted.

--lee

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #10 on: November 15, 2004, 03:24:39 PM »
Yes, of course I'm using Avast (latest build, Home edition), it's the best free product out there I think. I love it!

And by shares you mean? Like for the file-sharing programs, or if I'm sharing internally? Sorry if I sound stupid now, but I have to be sure about everything.

Here's the new HijackThis log:
 
Logfile of HijackThis v1.98.2
Scan saved at 15:19:25, on 2004-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Mouse Driver\mouse_2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SETI@home\SETI@home.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\Program\PestPatrol\ppmemcheck.exe
C:\Program\PestPatrol\cookiepatrol.exe
C:\Program\PestPatrol\ppcontrol.exe
C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\DOCUME~1\Liquid\LOKALA~1\Temp\Rar$EX62.1500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Program\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Program\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CreativeMouse ] C:\Program\Mouse Driver\mouse_2k.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096629807612
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab


whocares

  • Guest
Re:Trjoan- gen in system32
« Reply #11 on: November 15, 2004, 03:29:54 PM »
Srvchk.exe:

try google --> even Microsoft is not too clear about the correct filename  ;D ;D
->
  Srvchk.exe

&
SRVCHECK.EXE

So how should we know ?
 ;)

1) don't delete anything, if you don't know what you're doing -> rather MOVE to chest and get information on the file/the virus
and/or test the file with other/onlinescanners

Too late now to do anything about it NOW, isn't it.. ?
Anyways: if Windows really needs it, it should complain or restore it

2) did you get an AV-alert on the file ?
by avast ?
Where exactly was it found (path/folder/filename) ?
and what was the exact virus/trojan/worm name?
-> see avast's report/log or WIN's event log for this info



More details and advice you can find in the link "VirusRemoval" below in my sig  ;)
« Last Edit: November 15, 2004, 03:41:45 PM by whocares »

lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #12 on: November 15, 2004, 03:37:44 PM »
1) Ok, make sure avast is up to date (VPS as well), then run a complete scan of your hard drives, making sure it's set to thorough and to scan archive files.

2) I'm not an expert on this, so by shares I mean the sharing permissions between computers on a network; if you have a home network, make sure you can still access it from your PC and make sure you can still share with it.

3) Your log is now clean.

--lee
« Last Edit: November 15, 2004, 03:38:40 PM by lee16 »

Liquid

  • Guest
Re:Trjoan- gen in system32
« Reply #13 on: November 15, 2004, 03:52:49 PM »
Ok, first of all thx again lee, you're the man!
My avast is fully updated and I'm doing a thorough scan as we speak. And my CPU isn't on a home network right now, but I may want to use that function in the future, so should I try to download that specific file? It may not work without it, you say?

And "whocares": I know I was a little too quick to delete the sucker (too much coffee I think). And I got an alert from Avast. Here's the Avast log; there were a couple of those Trojans that appeared:


2004-11-15   13:11:17   1100520677   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\srvchk.exe" file.  
2004-11-15   13:18:26   1100521106   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Recycled\Dc2.exe" file.  
2004-11-15   13:21:32   1100521292   LIQUID-7AXJX4FA\Liquid   2472   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\tmp~2.exe\srvchk.exe" file.  
2004-11-15   14:50:04   1100526604   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\system volume information\_restore{a8df8454-3a27-420c-a97b-0f71317fcb01}\rp99\a0024584.exe" file.  
 

« Last Edit: November 15, 2004, 04:04:15 PM by Liquid »
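whocares asked for exactly the details that sit in these four lines: path, account and detection name. As an added example that is not part of the thread and not avast's own code, the Python below parses the lines Liquid pasted and sorts each hit by where it sits: the live copy in system32, the copy reported inside another file (`tmp~2.exe\srvchk.exe`), the recycle-bin copy and the System Restore snapshot, so a reader sees that only the first of the four is an active file. It also checks that the numeric third column is the Unix time of the same event, which shows the log's clock running one hour ahead of UTC. The column meanings (the fifth column as a process id in particular) and the nested-path reading are this example's assumptions, not documented avast log format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the four avast! log lines Liquid pasted in Reply #13.
SAMPLE_LOG = r"""
2004-11-15   13:11:17   1100520677   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\srvchk.exe" file.
2004-11-15   13:18:26   1100521106   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Recycled\Dc2.exe" file.
2004-11-15   13:21:32   1100521292   LIQUID-7AXJX4FA\Liquid   2472   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\tmp~2.exe\srvchk.exe" file.
2004-11-15   14:50:04   1100526604   NT INSTANS\SYSTEM   320   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\system volume information\_restore{a8df8454-3a27-420c-a97b-0f71317fcb01}\rp99\a0024584.exe" file.
"""

FIELD_SPLIT = re.compile(r"\t|\s{2,}")  # columns separated by tabs or runs of spaces (assumed)
MSG_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')


@dataclass
class Detection:
    local_date: str
    local_time: str
    epoch: int       # third column: Unix time of the event (checked by clock_offset_hours)
    account: str     # account the scanning process ran as
    pid: str         # fifth column; assumed to be the reporting process id
    signature: str
    path: str


def parse_avast_log(text: str) -> list:
    """One Detection per well-formed 'Sign of ... has been found' line."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = FIELD_SPLIT.split(line)
        m = MSG_RE.search(line)
        if not m or len(fields) < 6:
            continue
        found.append(Detection(fields[0], fields[1], int(fields[2]),
                               fields[3], fields[4], m["sig"], m["path"]))
    return found


def classify_location(path: str) -> str:
    """Where the flagged file lives; decides whether it is an active file or a copy."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "restore-point"      # System Restore snapshot, not an active file
    if "\\recycled\\" in p or "\\recycler\\" in p:
        return "recycle-bin"        # already deleted by the user
    if re.search(r"\.(exe|zip|rar|cab)\\", p):
        return "container"          # reported inside another file (assumed avast notation)
    if "\\system32\\" in p:
        return "system-directory"   # live file in the Windows system directory
    return "other"


def clock_offset_hours(d: Detection) -> float:
    """Local log clock minus the UTC time in the epoch column, in hours."""
    local = datetime.strptime(f"{d.local_date} {d.local_time}", "%Y-%m-%d %H:%M:%S")
    utc = datetime.fromtimestamp(d.epoch, tz=timezone.utc).replace(tzinfo=None)
    return (local - utc).total_seconds() / 3600


def triage(text: str) -> list:
    """(path, location class) for each hit, active system files listed first."""
    order = {"system-directory": 0, "container": 1, "recycle-bin": 2, "restore-point": 3, "other": 4}
    hits = [(d.path, classify_location(d.path)) for d in parse_avast_log(text)]
    return sorted(hits, key=lambda h: order[h[1]])


if __name__ == "__main__":
    for d in parse_avast_log(SAMPLE_LOG):
        print(f"{d.local_date} {d.local_time} UTC{clock_offset_hours(d):+.0f} {d.account}: "
              f"{d.signature} -> {d.path} [{classify_location(d.path)}]")
    for path, where in triage(SAMPLE_LOG):
        print(where, path)
```

The restore-point hit is why a cleanup on Windows XP is not finished until System Restore has been cleared; the snapshot would otherwise bring the file back on a rollback. The recycle-bin hit (`Dc2.exe`) is the renamed copy of the file Liquid deleted by hand, which is consistent with his account above.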

lee16

  • Guest
Re:Trjoan- gen in system32
« Reply #14 on: November 15, 2004, 04:04:39 PM »
Quote
but i may want to use that function in the future so should i try to download that specific file? It may not work without it you say?

I'm afraid I don't know the answer to that, Liquid, and can't find it either; I'm hoping that means that it will be fine without it.

Also, if avast found the viruses that came up in the log you showed, check to make sure they are not false positives by scanning them with the Jotti online scanner and let us know what it has to say about them.

Also you may want to run Ad-Aware scanner to make sure the trojans are fully gone.

--lee
« Last Edit: November 15, 2004, 04:05:36 PM by lee16 »