new problem, winscv.exe, a virus?

2051 Views 3 Replies 2 Participants Last post by dvk01
Hello

I have a computer in our lab that has a virus (at least that's what our school's security team tells us); it is now unplugged, making getting the HijackThis log from it tough.

I ran HJT on it and another computer similar to it, and the only real difference was a process called winscv.exe. It was using up 100% of the CPU. I stopped the process, and the computer seems healthy, but the winscv.exe is in windows/system32/ and does not look like the last virus I removed (I can't find any other files).

The regkey only has it as a process to start and no hidden files.

My questions are: is this a virus? Where are the rest of the files?

cheers
alvar

ps oh, I was able to get the HJT file...

Logfile of HijackThis v1.97.7
Scan saved at 3:31:26 PM, on 3/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winscv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\UWCDS\uwcdsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NavNT\vpc32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\William\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Networking] winscv.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Cyber-Defender 2003] C:\Program Files\UWCDS\uwcdsvr.exe
O4 - HKLM\..\RunServices: [Windows Networking] winscv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38037.5251736111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
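As a triage aid for a log like the one above (an added example written for this page, not a tool from the thread or part of HijackThis): it parses the O4 autostart lines, flags entries whose command is a bare filename or that are registered under more than one autostart key, and ties each to the running-process list so the exact file to examine (here winscv.exe in System32) is identified before anything is deleted. The sample input is copied from the log in the post; the regex for the O4 line layout is my own assumption about the log format.

```python
import re
from collections import defaultdict
# Constructed sample input: lines copied from the HijackThis log quoted above.
PROCESS_LINES = [p for p in r"""
C:\WINDOWS\System32\winscv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\UWCDS\uwcdsvr.exe
C:\Program Files\Messenger\msmsgs.exe
""".splitlines() if p.strip()]
O4_LINES = [o for o in r"""
O4 - HKLM\..\Run: [Windows Networking] winscv.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Cyber-Defender 2003] C:\Program Files\UWCDS\uwcdsvr.exe
O4 - HKLM\..\RunServices: [Windows Networking] winscv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".splitlines() if o.strip()]
# Assumed layout of an O4 line: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def executable_of(cmd):
    """Program part of an autostart command line: the quoted path, else text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)  # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]

def parse_o4(line):
    m = O4_RE.match(line)
    if not m: return None
    exe = executable_of(m.group("cmd"))
    return {"key": m.group("key"), "exe": exe, "base": exe.rsplit("\\", 1)[-1].lower()}

def triage(o4_lines, process_lines):
    """Flag O4 entries worth inspecting and tie each to the matching running process."""
    by_base = defaultdict(list)
    for entry in filter(None, map(parse_o4, o4_lines)):
        by_base[entry["base"]].append(entry)
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in process_lines}
    findings = {}
    for base, entries in by_base.items():
        reasons = []
        if any("\\" not in e["exe"] for e in entries):
            reasons.append("bare filename (resolved via the search path, no explicit install location)")
        keys = sorted({e["key"] for e in entries})
        if len(keys) > 1:
            reasons.append("same program under several autostart keys: " + ", ".join(keys))
        if reasons:
            findings[base] = {"keys": keys, "running_as": running.get(base), "reasons": reasons}
    return findings
```

On this log only winscv.exe is flagged, on both counts, and it resolves to the System32 copy; the entries with full Program Files paths and a single key are left alone.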
It's a virus/trojan.

Run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

O4 - HKLM\..\Run: [Windows Networking] winscv.exe
O4 - HKLM\..\RunServices: [Windows Networking] winscv.exe

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Delete these files
C:\WINDOWS\System32\winscv.exe

If you send me the winscv file I will check it out and let you know which virus it is.

The address is on the spykiller site in my signature.
The file that arrived was a 1kb .dat file that has nothing in it except the words "inbox" and "application octet stream base 64", which doesn't help at all.