onlyutkarsh
Broken In
I'm getting svohost.exe not found error in my winxp os!. is this trojan/virus? and which one u think as a best antivirus which also provides worm threat protection.
virus?
- Thread starter onlyutkarsh
- Start date
- Status
swatkat
Technomancer
svohost.exe is a virus.....
update ur Antivirus and run a complete system scan...
First get McAfee Stinger and do a scan (Stinger is not a full fledged AV, it's a removal tool for most of the viruses and it should remove svohost.exe)...
*vil.nai.com/vil/stinger/
after this post the content of HijackThis log file here (this is essential because svohost.exe adds itself to explorer shell, and we have to remove it by deleting registry editing)...
*www.spychecker.com/program/hijackthis.html
and for AntiViruses, get urself Kaspersky AntiVirus, NOD32 or if u want a Free Good AV, then go for AVG....
update ur Antivirus and run a complete system scan...
First get McAfee Stinger and do a scan (Stinger is not a full fledged AV, it's a removal tool for most of the viruses and it should remove svohost.exe)...
*vil.nai.com/vil/stinger/
after this post the content of HijackThis log file here (this is essential because svohost.exe adds itself to explorer shell, and we have to remove it by deleting registry editing)...
*www.spychecker.com/program/hijackthis.html
and for AntiViruses, get urself Kaspersky AntiVirus, NOD32 or if u want a Free Good AV, then go for AVG....
yehmeriidhain
In the zone
It might be due to presence of some Virus on ur system??
did U had some AV before Norton 2005 on ur system ...
try installing some free AV first like AVG .. do a system scan & then try & install NAV2005
did U had some AV before Norton 2005 on ur system ...
try installing some free AV first like AVG .. do a system scan & then try & install NAV2005
enoonmai
Cyborg Agent
Like swatkat said, its the Backdoor.Nibu.D (Symantec) / W32/Dumaru (McAfee) virus. You probably may not even be able to access the Symantec or Mcafee sites, so the best thing to do is to download the Stinger tool onto a floppy from somewhere else.
Run it and it will clean the W32/Dumaru infection. Once its done, search for the following files and delete them:
Rundlln.sys
Prntsvr.dll
feff35a0.htm
fe43e701.htm
fa4537ef.tmp
Click on Start>Run and type in
regedit
and press Enter to get into the Registry Editor.
Navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value,
"load32"="%System%\svohost.exe"
Then navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and select "Shell" and then change
"explorer.exe <some other data here>"
to just plain "explorer.exe"
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\SARS and
HKEY_USERS\.DEFAULT\SOFTWARE\SARS
and delete the SARS key completely.
Close the registry editor, and then click Start>Run and type in
notepad C:\Windows\win.ini
In the [windows] section of the file, look for a line similar to:
run=%Windir%\dllreg.exe
If you find such a line, delete it completely.
Save and exit Notepad.
If you dont want to be bothered with editing the registry and all yourself manually, get the Removal Tool that will do the job for you automatically.
*securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.removal.tool.html
Chances are that your antivirus already detected and cleaned your virus infection and its trying to look for the svohost.exe file at load time and coming up blank.
Follow the steps anyway to be sure that you're not infected and make sure you run a latest, updated antivirus software at all times.
Once you're done, post your HijackThis log here anyway, so that we can be sure that you're totally squeaky clean.
Run it and it will clean the W32/Dumaru infection. Once its done, search for the following files and delete them:
Rundlln.sys
Prntsvr.dll
feff35a0.htm
fe43e701.htm
fa4537ef.tmp
Click on Start>Run and type in
regedit
and press Enter to get into the Registry Editor.
Navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value,
"load32"="%System%\svohost.exe"
Then navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and select "Shell" and then change
"explorer.exe <some other data here>"
to just plain "explorer.exe"
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\SARS and
HKEY_USERS\.DEFAULT\SOFTWARE\SARS
and delete the SARS key completely.
Close the registry editor, and then click Start>Run and type in
notepad C:\Windows\win.ini
In the [windows] section of the file, look for a line similar to:
run=%Windir%\dllreg.exe
If you find such a line, delete it completely.
Save and exit Notepad.
If you dont want to be bothered with editing the registry and all yourself manually, get the Removal Tool that will do the job for you automatically.
*securityresponse.symantec.com/avcenter/venc/data/w32.dumaru.removal.tool.html
Chances are that your antivirus already detected and cleaned your virus infection and its trying to look for the svohost.exe file at load time and coming up blank.
Follow the steps anyway to be sure that you're not infected and make sure you run a latest, updated antivirus software at all times.Once you're done, post your HijackThis log here anyway, so that we can be sure that you're totally squeaky clean.
bharathbala2003
why need title?
hey enoomai.. i too got the same prob.. but after doin all the reg edit stuffs u said.. when i opened startup using MSCONIG.. i have sumthin sayin SVCHOST D:\Windows\svchost.exe location -> Software\microsoft\windows\currentversion\run.. but when i looked for it in the registry its not there.. also i have one thing called syslog32.exe from the same location.. also not found in regis.. are these two imp? i have deactivated them.. but no errors come in startup...
enoonmai
Cyborg Agent
If you find it in msconfig, then the calling program can exist in one of four places,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
or
C:\Documents and Settings\<your user name>\Start Menu\Programs\Startup
And svchost.exe, found in C:\Windows\System32 is a valid file necessary for the proper working of Windows. If HijackThis, Spybot, Stinger, McAfee and Norton didnt find anything bad on your computer, then it probably isn't there. syslog32.exe is also a valid Windows file (that CAN get infected) and if this is at startup, then it indicates a virus. Do a full scan for viruses either online or from a known clean disk.
And, if you disable them from msconfig, it wont signal a error (just a message that some applications are disabled because of Selective Startup, and this can be disabled) The error will come when the entry says the file should be in a location like C:\Windows and it doesnt find it there, kind of like trying to open a document on a floppy via the Recent Documents panel when you've inserted and removed it while back. Please do a full update and scan for viruses and keep your AV program updated weekly. This is a hard and fast rule that should ALWAYS be adhered to.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
or
C:\Documents and Settings\<your user name>\Start Menu\Programs\Startup
And svchost.exe, found in C:\Windows\System32 is a valid file necessary for the proper working of Windows. If HijackThis, Spybot, Stinger, McAfee and Norton didnt find anything bad on your computer, then it probably isn't there. syslog32.exe is also a valid Windows file (that CAN get infected) and if this is at startup, then it indicates a virus. Do a full scan for viruses either online or from a known clean disk.
And, if you disable them from msconfig, it wont signal a error (just a message that some applications are disabled because of Selective Startup, and this can be disabled) The error will come when the entry says the file should be in a location like C:\Windows and it doesnt find it there, kind of like trying to open a document on a floppy via the Recent Documents panel when you've inserted and removed it while back. Please do a full update and scan for viruses and keep your AV program updated weekly. This is a hard and fast rule that should ALWAYS be adhered to.
Charley
Just Do It
According to what I can find online, "svohost" is either part of spyware or some sort of virus.
The partially good news is that while Windows has instructions to look for and load svohost, it can't find it. So you either had some malware and it was partially gotten rid of or your computer is infected but it didn't get installed correctly or completely.
Do a full system scan with an up-to-date antivirus program or, if you don't have one installed, use one of the free online scans at Panda (*www.pandasoftware.com/activescan/activescan.asp?language=2&Country=63&Partner=1&Ref=EN-PR-AS-107) and Housecall (*housecall.antivirus.com/housecall/start_pcc.asp).
Then, if you haven't already, download, install, immediately update and then run Spybot (*download.com.com/3120-20-0.html?qt=SPYBOT&tg=dl-2001&search=+Go!+) and/or Ad-Aware (*www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button). Read the help files to familiarize yourself with how they work. I recommend you use them both since each tends to find things the other misses. Let them clean up any spyware found.
See if that clears things up.
The partially good news is that while Windows has instructions to look for and load svohost, it can't find it. So you either had some malware and it was partially gotten rid of or your computer is infected but it didn't get installed correctly or completely.
Do a full system scan with an up-to-date antivirus program or, if you don't have one installed, use one of the free online scans at Panda (*www.pandasoftware.com/activescan/activescan.asp?language=2&Country=63&Partner=1&Ref=EN-PR-AS-107) and Housecall (*housecall.antivirus.com/housecall/start_pcc.asp).
Then, if you haven't already, download, install, immediately update and then run Spybot (*download.com.com/3120-20-0.html?qt=SPYBOT&tg=dl-2001&search=+Go!+) and/or Ad-Aware (*www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button). Read the help files to familiarize yourself with how they work. I recommend you use them both since each tends to find things the other misses. Let them clean up any spyware found.
See if that clears things up.
bharathbala2003
why need title?
@ chacko it wld b better if u had the URL tag.. i had to copy n paste the address of the free online scan sites..
bharathbala2003
why need title?
@enoonmai.. i downloaded and spyware remover named XoftSpy 4.10 after i searched for HIJACK THIS on google.. n m8 it showed a spyware but am not able 2 remove it.. says i need to register it.. n if i scan the folder it says with spybot it doesn show any spyware.. also tried with AVG 7,MSanitspyware.. the name of the spyware.. is
i have WIN 98 in C: and XP in D:
i have WIN 98 in C: and XP in D:
bharathbala2003
why need title?
@enoonmai i tried that.. when i went to that folder there is no such file 
no folders are hidden..
no folders are hidden..
bharathbala2003
why need title?
i tried wat u said.. still its not showing that file.. n btw everytime i boot the system it says needs to check drive for consistency.. even tho it shuts down normally.. this comes even if i restart.
n btw everytime i boot the system it says needs to check drive for consistency.. even tho it shuts down normally.. this comes even if i restart. 
bharathbala2003
why need title?
either press the URL option b4 pasting the site address.. or type manually.. and end it with [/ur l] (cut out the space in
bharathbala2003
why need title?
@enoonmai here is my hijack this log..
bharathbala2003
why need title?
no no.. this is my 1st post based on hijack this.. if u can tell me the correct way i shall post it that way.. it was like 3 pages or more in a MS Word.. with font size at 10.. so tout this was the main stuff n pasted..
if u can tell me the correct way i shall post it that way.. it was like 3 pages or more in a MS Word.. with font size at 10.. so tout this was the main stuff n pasted..- Status