On 19/02/05 I got avirus in my PC. It was in de C:/Winnt/system32 an de file was named : Svcauth.exe
I’m working with Windows 2000 Professional.
I have installed Avast.
I only found information about this virus on http://sandbox.norman.no/live_2html.logfle=100111
I deleted te file in the system32 directory and removed the Register-keys mentioned on this website.
So far so good. But the file svcauth.exe is coming back and starts automatically with windows.
I installed Spybot and Zonealarm as resident and made a full Avast virus scan on my computer.
Avast didn’t find any virus
Spybot gives a warning that “Computing Techonogie Firewall” Svcaut.exe is trying to change my registry. I denie. At that point I see the file appearing again in my system32.
How can I get rid of this virus
My hijack-file seems to be Ok
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 192.0.0.17 PP400REC
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Configuration] apphost.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\ZoneAlert\ZoneAlarm\zlclient.exe”
O4 - HKLM..\RunServices: [Configuration] apphost.exe
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [Configuration] apphost.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina’s - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina’s - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=168d3f0c8f5ebbd0d83ee5445ae40e55469aa3fdaf24dd3540c41ee1ea302c2d59104a57d59aa8baedc40580da1dd4eb01d54f:eeba47ee03d937f4aaa2edc6fc4885a4
O17 - HKLM\System\CCS\Services\Tcpip..{B741D489-1850-4190-9043-C63D47398F1D}: NameServer = 195.238.2.22 195.238.2.21
O17 - HKLM\System\CCS\Services\Tcpip..{BF039B70-5E06-4EC9-B4D2-365D98D96449}: NameServer = 192.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip..{E22C1CA8-8639-406D-BEAA-CD8EEE2EDA9D}: NameServer = 193.74.208.135,193.74.208.65
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Today is a new Website " www.sophos.com/virusinfo/analyses/w32sdbotvo.html" that gives infomation on “svcauth.exe” saying it is a W32/Sdbot-Vo virus.
The solution they mention is for me a little too difficult (I’m just aRookie)
Please help me !!!