Member Avatar for Sunda

hi there! please help me too! I'm with the same problem! I noticed the problem when i saw the SEND and RECEIVE lights of my cable modem were ON forever... So I checked the all process running and foun the rpcxsys.exe... I've seached the web for its info and came to this forum! (thank god!)
I tried to use HJT to remove the file, but it failed... so i deleted it mannually... but... my modem lights are still ON !!! :eek: and now the file rpcxsys.exe appeared suddenly at drive E:\ !!! wtf ! :evil: I deleted it mannually again and... the lights are still on!!! I don't know more what to do!!!
please SAVE meeeee!!!

Another thing... at the list of the process running I've found 21 time svhost.exe !!! wtf !!! is tha normal?

My PC:
AMD Thunderbird 1.4ghz
MSI K7N2 Delta-L
256mb ddr 400
Radeon 9500pro 128mb
internet connection: 128Mbps (Cable)

"Logfile of HijackThis v1.98.2
Scan saved at 01:40:32, on 11/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
C:\ARQUIV~1\Genius\G-09GA~1\JoyUpDrv.EXE
C:\ARQUIV~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\arquivos de programas\powerstrip\pstrip.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svhost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\Documents and Settings\FABIO\Meus documentos\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ig.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Arquivos de programas\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Game Device] C:\ARQUIV~1\Genius\G-09GA~1\JoyUpDrv.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\ARQUIV~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [PowerStrip] c:\arquivos de programas\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Intra aim] C:\ARQUIV~1\each heck dale\Peak Boob.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Arquivos de programas\ICQ\Icq.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Arquivos de programas\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Arquivos de programas\ICQ\ICQ.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v3/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://www.volkswagen.com.br/automoveis/fox/fox/vwfox_external_3d/fox_exterior3d.html
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab"

sorry for posting this BIG LOG of hjt.. but it was the only manner to you undestand what is happening!

I hope someone could help me as fast as possible!

thanks

  • 2 Contributors
  • 3 Replies
  • 147 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by crunchie
Member Avatar for crunchie

I have split your post out to your own thread. Please do not tag on to other members threads. You will not get the required assistance and it is unfair to the original poster :).

Go here to TrendMicro for an on-line scan & set it to autoclean for you.

Try this scan at Panda as well.

Post another log when done please.

Member Avatar for Sunda

Hi again! i've tried the scan, but the svhost.exe is still here... =(

I've deleted svhost.exe a lot of times... but it reapperas all the time... :sad:

the send and receive lights of my modem are ON... forever... :(

what can i do? :\

Logfile of HijackThis v1.98.2
Scan saved at 18:11:07, on 11/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
C:\ARQUIV~1\Genius\G-09GA~1\JoyUpDrv.EXE
C:\ARQUIV~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\arquivos de programas\powerstrip\pstrip.exe
C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe
C:\WINNT\system32\svhost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svhost.exe
C:\Documents and Settings\FABIO\Meus documentos\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ig.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Arquivos de programas\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Game Device] C:\ARQUIV~1\Genius\G-09GA~1\JoyUpDrv.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\ARQUIV~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [PowerStrip] c:\arquivos de programas\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Arquivos de programas\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Intra aim] C:\ARQUIV~1\each heck dale\Peak Boob.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Arquivos de programas\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Arquivos de programas\ICQ\ICQ.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v3/vet_install_popup.pl?1&4&04.00.05.04&unknown&unknown&http://www.volkswagen.com.br/automoveis/fox/fox/vwfox_external_3d/fox_exterior3d.html
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab27571.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

Member Avatar for crunchie

Uninstall Messenger Plus as it comes bundled with LOP, the infection you currently enjoy :). You can reinstall Messenger Plus without the sponsor.
Click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run this uninstaller:
http://members.rogers.com/rjmac/new_uninstall.exe


Download the Pocket KillBox
Unzip the file to your desktop.
Run KillBox.exe.
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it(when it asks you to reboot, click NO.):

C:\WINNT\system32\svhost.exe

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

Reboot your computer and post another log please.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.