Trojan-gen in system32

Hi guys, I've gotten a virus today, located in something called srvchk.exe, and I accidentally deleted this file.

So I'm wondering if this is a part of Windows that's necessary, or if I don't have to care about it?

I can give you more specific details when you reply.

Thanks guys!

Here's my HijackThis log, if you can do anything with it:

Logfile of HijackThis v1.98.2
Scan saved at 13:35:30, on 2004-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\PestPatrol\PPMemCheck.exe
C:\Program\PestPatrol\PPControl.exe
C:\Program\PestPatrol\CookiePatrol.exe
C:\Program\Mouse Driver\mouse_2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\TGTSoft\StyleXP\StyleXP.exe
C:\Program\SETI@home\SETI@home.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\BitComet\BitComet.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\DOCUME~1\Liquid\LOKALA~1\Temp\Rar$EX00.328\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PPMemCheck] C:\Program\PestPatrol\PPMemCheck.exe
O4 - HKLM..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
O4 - HKLM..\Run: [CookiePatrol] C:\Program\PestPatrol\CookiePatrol.exe
O4 - HKLM..\Run: [DiskeeperSystray] "C:\Program\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [CreativeMouse ] C:\Program\Mouse Driver\mouse_2k.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU..\Run: [seticlient] C:\Program\SETI@home\SETI@home.exe -min
O4 - HKCU..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096629807612
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

Below is the only "real" problem; this should be removed.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

The two below are unnecessary because they are missing the files to run them and therefore can be removed.

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
AND
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Srvchk.exe is part of Windows Server 2003 and lists non-hidden shares on a computer and counts the access control lists for each share.

–lee
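As an added example (mine, not something posted in the thread), here is a PowerShell function that reads HijackThis log lines of the shape shown above and flags the entries a reviewer looks at first: orphan entries ending in "(no file)" like the two O9 lines lee points out, O4 autoruns that rely on a PATH search or run from a temp or profile folder, O16 ActiveX downloads from hosts other than Microsoft's, and the R0 browser defaults. The sample lines are copied from the first log; the flagging rules and the trusted-host list are my own assumptions, not HijackThis's.

```powershell
# Added example, not part of the thread: parse HijackThis v1.98-style log
# lines and flag the entries a reviewer looks at first. The sample lines are
# copied from the first log posted above; the rules and the trusted-host
# list are my own assumptions, not HijackThis's.

$sampleLog = @'
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096629807612
'@

function Get-HjtFindings {
    param([Parameter(Mandatory)] [string] $Text)

    # O16 (ActiveX "Download Program Files") entries from these hosts get no
    # second look; anything else is flagged so the reader can confirm it.
    $trustedDpfHosts = @('microsoft.com', 'msn.com')

    foreach ($line in ($Text -split '\r?\n')) {
        if (-not ($line -match '^(?<sec>[RO]\d+) - (?<rest>.+)$')) { continue }
        $sec  = $Matches.sec
        $rest = $Matches.rest
        $finding = $null

        if ($rest -match '\(no file\)\s*$') {
            # Registry still names a file that is gone: harmless, and safe to remove.
            $finding = 'orphan: entry points at a file that no longer exists'
        }
        elseif ($sec -eq 'O4' -and $rest -match '^\S+: \[[^\]]*\] (?<cmd>.+)$') {
            $cmd = $Matches.cmd
            # Target is a quoted path, an unquoted drive-letter path up to its
            # extension, or else the bare first token of the command line.
            if ($cmd -match '^"(?<p>[^"]+)"') { $target = $Matches.p }
            elseif ($cmd -match '^(?<p>[A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr|bat|cmd))') { $target = $Matches.p }
            else { $target = ($cmd -split ' ')[0] }

            if ($target -notmatch '^[A-Za-z]:\\') {
                $finding = "unqualified target '$target': resolved by PATH search at logon, so check which file actually runs"
            }
            elseif ($target -match '\\(Temp|Local Settings|Documents and Settings|Users)\\') {
                $finding = "autorun from a temp or profile directory: $target"
            }
        }
        elseif ($sec -eq 'O16' -and $rest -match '(?<url>https?://\S+)') {
            $dpfHost = ([uri]($Matches.url)).Host.ToLowerInvariant()
            $trusted = $trustedDpfHosts | Where-Object { $dpfHost -eq $_ -or $dpfHost.EndsWith(".$_") }
            if (-not $trusted) {
                $finding = "ActiveX control downloaded from third-party host $dpfHost; confirm it was installed on purpose"
            }
        }
        elseif ($sec -match '^R[01]$' -and $rest -match '(?<url>https?://\S+)') {
            $finding = "browser default points at $(([uri]($Matches.url)).Host); confirm it is the one you set"
        }

        if ($finding) {
            [pscustomobject]@{ Section = $sec; Entry = $line; Finding = $finding }
        }
    }
}

Get-HjtFindings -Text $sampleLog | Format-Table -AutoSize -Wrap
```

On the sample above this reports five findings: the two orphan O9 entries, the Cmaudio autorun (bare `RunDll32`, so it is found via PATH), the drivershq.com ActiveX download, and the google.se start page; the windowsupdate.microsoft.com control and the fully-qualified autoruns pass. A flag is a prompt to look, not a verdict: the C-Media audio applet and a driver-update control can both be perfectly legitimate.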

Thanks a million for the reply (fast too); you guys simply have the best support, I have to say.

I also have another question about the smss.exe file, which should only be located in the system32 folder, right? But I have the same one in C:\Windows\$NtServicepackUninstall$ and C:\Windows\ServicePackFiles\i386. I've put them in the bin for now, but should I delete them?

I think they were fine where they were. It handles sessions on your system and is important for secure and stable running of a system. I think it's best if you restore the files from your recycle bin.
I'll do a bit of research to make sure I'm correct, though.

–lee

Ok, can't thank you enough for the help ;D

Ok, I looked into it and asked a few questions; I was correct saying smss.exe was safe in those folders.

–lee
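The "it should only be in system32" rule is a rough proxy for the question that actually matters: is each copy a genuine Microsoft binary, and is it in a folder where Windows itself keeps spares? As an added example (mine, not from the thread), the PowerShell function below answers that directly: it finds every copy of a named file under the Windows directory, hashes it, checks its Authenticode signature, and compares its location against a list of folders where Windows legitimately stores extra copies. That folder list is my assumption based on the XP layout named in the thread (ServicePackFiles\i386 and $NtServicePackUninstall$ plus the usual cache folders), and the script assumes a current Windows host with PowerShell 5.1 or later run as administrator; on XP the system files are catalog-signed and these cmdlets do not exist.

```powershell
# Added example, not from the thread: list every copy of a named Windows
# binary under the Windows directory and say whether each copy is plausible.
# Assumptions: administrator rights, PowerShell 5.1+ on Windows 8 or later
# (Get-FileHash, and Get-AuthenticodeSignature with catalog-signature
# support). The "known good" folder list is mine, based on the XP layout.

function Get-SystemFileCopies {
    param(
        [Parameter(Mandatory)] [string] $Name,       # e.g. 'smss.exe'
        [string] $Root = $env:SystemRoot             # e.g. 'C:\WINDOWS'
    )

    $system32 = Join-Path $Root 'system32'
    # Folders where Windows itself keeps spare copies of system binaries.
    $knownGood = @(
        $system32,
        (Join-Path $Root 'ServicePackFiles\i386'),
        (Join-Path $Root '$NtServicePackUninstall$'),
        (Join-Path $system32 'dllcache'),
        (Join-Path $Root 'WinSxS')
    )

    $copies = @(Get-ChildItem -LiteralPath $Root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue)

    # The system32 copy is the reference; other copies may legitimately be a
    # different build (a service-pack uninstall backup is the older version).
    $reference = $copies | Where-Object { $_.DirectoryName -eq $system32 } | Select-Object -First 1
    $refHash = if ($reference) { (Get-FileHash -Algorithm SHA256 -LiteralPath $reference.FullName).Hash }

    foreach ($file in $copies) {
        $hash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $file.FullName).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inKnownDir = [bool]($knownGood | Where-Object {
            $file.DirectoryName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

        if (-not $inKnownDir)                      { $verdict = 'SUSPECT: copy outside the folders Windows uses for spares' }
        elseif ($sig.Status -ne 'Valid')           { $verdict = "SUSPECT: signature status $($sig.Status)" }
        elseif ($signer -notmatch 'O=Microsoft')   { $verdict = 'SUSPECT: valid signature, but not from Microsoft' }
        elseif ($refHash -and $hash -eq $refHash)  { $verdict = 'OK: identical to the system32 copy' }
        else                                       { $verdict = 'OK: signed Microsoft file, different build (e.g. pre-service-pack backup)' }

        [pscustomobject]@{
            Path      = $file.FullName
            Version   = $file.VersionInfo.FileVersion
            SHA256    = $hash
            Signature = $sig.Status
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

Get-SystemFileCopies -Name 'smss.exe' | Format-Table Path, Version, Signature, Verdict -AutoSize -Wrap
```

On the layout the thread describes this would list the system32 copy plus the two service-pack copies, all carrying a valid Microsoft signature; the uninstall copy is the pre-SP2 build, so a different hash there is expected and the signature is the check that matters. A copy in any other folder, or one with no valid signature, is what the "only in system32" advice is really warning about. Running it with `-Name 'srvchk.exe'` shows whether any copy of that file is still present after the deletion; no output means none.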

Ok, thanks again buddy, but why does it say on several sites that it should only be in the system32 folder?

Am I safe now, you think? Should I do something more to ensure I'm clean? I've run SpySweeper, which detected a system monitor called Mom that came with the virus, and it has been removed. I've also run some other spyware programs, but they didn't find anything. Should I give you another log from HijackThis?

Also, the file I deleted, srvchk: do I need it? I didn't quite understand your answer. Is it necessary for anything?

"That's some birthday present I got >:("

but why does it say on several sites that it should only be in the system32 folder

Hmm, ok, are you using avast antivirus?

I've also run some other spyware programs, but they didn't find anything

Not all spyware programs are good; look here for some info on them.

Should I give you another log from HijackThis?
OK
Also, the file I deleted, srvchk: do I need it? I didn't quite understand your answer. Is it necessary for anything?

Unless you have shares on your PC, I believe it's fine deleted.

–lee

Yes, of course I'm using Avast (latest build, Home edition); it's the best free product out there, I think. I love it!

And by shares you mean? Like for the file-sharing programs, or if I'm sharing internally? Sorry if I sound stupid now, but I have to be sure about everything.

Here's the new HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 15:19:25, on 2004-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TGTSoft\StyleXP\StyleXPService.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Mouse Driver\mouse_2k.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\SETI@home\SETI@home.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Winamp\Winamp.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program\Alwil Software\Avast4\ashSimpl.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\WinRAR\WinRAR.exe
C:\Program\PestPatrol\ppmemcheck.exe
C:\Program\PestPatrol\cookiepatrol.exe
C:\Program\PestPatrol\ppcontrol.exe
C:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\DOCUME~1\Liquid\LOKALA~1\Temp\Rar$EX62.1500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [PPMemCheck] C:\Program\PestPatrol\PPMemCheck.exe
O4 - HKLM..\Run: [PestPatrol Control Center] C:\Program\PestPatrol\PPControl.exe
O4 - HKLM..\Run: [CookiePatrol] C:\Program\PestPatrol\CookiePatrol.exe
O4 - HKLM..\Run: [DiskeeperSystray] "C:\Program\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [CreativeMouse ] C:\Program\Mouse Driver\mouse_2k.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [STYLEXP] C:\Program\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU..\Run: [seticlient] C:\Program\SETI@home\SETI@home.exe -min
O4 - HKCU..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program\BitSpirit\bsurl.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096629807612
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

Srvchk.exe:

try google → even Microsoft is not too clear about the correct filename ;D ;D

Srvchk.exe

&
SRVCHECK.EXE

So how should we know ?
:wink:

  1. Don't delete anything if you don't know what you're doing → rather MOVE it to the chest and get information on the file/the virus,
    and/or test the file with other/online scanners.

Too late now to do anything about it NOW, isn't it...?
Anyways: if Windows really needs it, it should complain or restore it

  2. Did you get an AV alert on the file?
    By avast?
    Where exactly was it found (path/folder/filename)?
    And what was the exact virus/trojan/worm name?
    → see avast's report/log or Windows' event log for this info

You can find more details and advice in the link "VirusRemoval" below in my sig :wink:

  1. Ok, make sure avast is up to date (VPS as well), then run a complete scan of your hard drives, making sure it's set to thorough and to scan archive files.

  2. I'm not an expert on this, so by shares I mean the sharing permissions between computers on a network; if you have a home network, make sure you can still access it from your PC and make sure you can still share with it.

  3. Your log is now clean.

–lee

Ok, first of all, thanks again lee, you're the man!
My avast is fully updated and I'm doing a thorough scan as we speak. And my cpu isn't on a home network right now, but I may want to use that function in the future, so should I try to download that specific file? It may not work without it, you say?

And "whocares": I know I was a little too quick to delete the sucker (too much coffee, I think). And I got an alert from Avast. Here's the Avast log; there were a couple of those trojans that appeared:

2004-11-15 13:11:17 1100520677 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\srvchk.exe" file.
2004-11-15 13:18:26 1100521106 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Recycled\Dc2.exe" file.
2004-11-15 13:21:32 1100521292 LIQUID-7AXJX4FA\Liquid 2472 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\tmp~2.exe\srvchk.exe" file.
2004-11-15 14:50:04 1100526604 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\system volume information\_restore{a8df8454-3a27-420c-a97b-0f71317fcb01}\rp99\a0024584.exe" file.
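The four log lines above are the most useful evidence in the thread, because where each hit was found says what it means for cleanup: a live copy in system32, a copy inside another file (tmp~2.exe, so a dropper or archive), a copy in the recycle bin, and a copy inside a System Restore point, which Windows will bring back if that restore point is ever used. As an added example (mine, not from the thread), the PowerShell below parses avast warning lines of this shape and labels each hit by location. The sample text is copied from the post; the regular expression and the location rules are my own assumptions about the format, not avast's.

```powershell
# Added example, not from the thread: parse avast's "Sign of ... has been
# found in ... file." warning lines and say what each location means for
# cleanup. The four lines are copied from the log posted above; the regex
# and the location rules are my own assumptions about the format.

$sampleLog = @'
2004-11-15 13:11:17 1100520677 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\srvchk.exe" file.
2004-11-15 13:18:26 1100521106 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Recycled\Dc2.exe" file.
2004-11-15 13:21:32 1100521292 LIQUID-7AXJX4FA\Liquid 2472 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINDOWS\system32\tmp~2.exe\srvchk.exe" file.
2004-11-15 14:50:04 1100526604 NT INSTANS\SYSTEM 320 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\system volume information\_restore{a8df8454-3a27-420c-a97b-0f71317fcb01}\rp99\a0024584.exe" file.
'@

function Get-HitContext {
    param([string] $Path)
    # Order matters: a nested path also contains \system32\, so test it first.
    if ($Path -match 'system volume information\\?_restore') {
        'restore point: System Restore archived the infected file; it returns if that point is restored, so purge restore points once clean'
    }
    elseif ($Path -match '\\(Recycled|Recycler|\$Recycle\.Bin)\\') {
        'recycle bin: a deleted copy, gone for good once the bin is emptied'
    }
    elseif ($Path -match '\.(exe|zip|rar|cab)\\[^\\]+$') {
        'nested: found inside another file (archive or dropper), so the container is the thing to remove'
    }
    elseif ($Path -match '\\system32\\[^\\]+$') {
        'system32: a live copy in the system folder, the one to check against original media'
    }
    else { 'other location' }
}

function ConvertFrom-AvastLog {
    param([Parameter(Mandatory)] [string] $Text)
    # Fields: timestamp, epoch seconds, account (may contain a space), PID,
    # detection name in quotes, path in quotes. Lines that do not fit are skipped.
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<epoch>\d+) (?<account>.+?) (?<procid>\d+) Sign of "(?<sig>[^"]+)" has been found in "(?<path>[^"]+)" file\.\s*$'
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Account   = $Matches.account
                ProcessId = [int]$Matches.procid
                Signature = $Matches.sig
                Path      = $Matches.path
                Context   = Get-HitContext -Path $Matches.path
            }
        }
    }
}

$hits = ConvertFrom-AvastLog -Text $sampleLog
$hits | Format-Table Time, Account, Path, Context -AutoSize -Wrap
# One detection name across four locations: same sample, four copies.
$hits | Group-Object Signature | Select-Object Name, Count
```

The account column is worth a glance too: three of the four hits were raised by the resident scanner running as SYSTEM, while the tmp~2.exe hit was raised under the user's own account (PID 2472), which fits a scan or an extraction the user started. The PIDs are the avast process that reported the hit, not the malware's.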

but I may want to use that function in the future, so should I try to download that specific file? It may not work without it, you say?

I'm afraid I don't know the answer to that, Liquid, and can't find it either; I'm hoping that means that it will be fine without it.

Also, if avast found the viruses that you showed came up in the log, check to make sure they are not false positives by scanning them with the Jotti online scanner, and let us know what it has to say about them.

Also, you may want to run the Ad-Aware scanner to make sure the trojans are fully gone.

–lee

Well, this does IMHO speak AGAINST a false alarm, especially if you have nothing to do with Windows Server or Resource Kits.

Maybe somebody with XP SP2 could enlighten us as to whether there usually IS a srvchk.exe in the System32 folder (I don't have one on Win2000).

  • if all runs well after a couple of reboots:
    leave it like it is and thank avast …

  • if you want to really know, restore the file from System RESTORE (best extract/copy it via the XP CD), but I'd sure advise AGAINST it if you don't really consider yourself proficient in such things

:wink:

Ok, I got three of them in the chest; should I restore them then and do that Jotti scan?

As for Ad-Aware, I just did a scan and found nothing.

Hmm... I'm getting a little insecure about this now. When I said that I wasn't part of a home network, I may have lied a little. I'm sharing an internet connection on a router with my sister's cpu, BUT they're not connected other than to the router. Does that have something to do with anything?

should I restore them then and do that Jotti scan

If they're already in the chest, don't worry about it; the Jotti scan is just a second opinion, nothing overly important.

As for Ad-Aware, I just did a scan and found nothing

Did you have "scan within archives" ticked? Otherwise it won't scan all files. To check, open Ad-Aware, go to Options (the little metal wheel at the top, just left of the padlock), then click the Scanning tab at the side, then make sure everything in the Scanning tab is ticked (I will put a screenshot below).

–lee

Yes, I have the settings exactly like you suggest.

I'm amazed at the support one can get here for a free product, so once again: lee and whocares, thanks a million for all your time & help. I hope I'm clean now; if not, you'll probably hear from me again. Should I make a new post in that case or just continue here?