SVCHOST.EXE AVG resident shield alert

mugambodeva · Jan 6, 2010

Hello all,

two days ago i downloaded a program(Single file abt 100 kb) and executed it. After execution the program's icon simply disappeared from my desktop!!

After that I have been getting resident shield pop-ups which tell me about a new file being created in TEMP directory

eg: FILE NAME: C:\windows\temp\cvnp.tmp\svchost.exe
THREAT NAME: Trojan Horse Clicker.AEIO
Detect on open.

PROCESS NAME: C:\windows\system32\svchost.exe

-----------
My OS is Vista Home Basic
RAM 2 Gb
AVG 8.5
-----------
I've scanned my system again and again using AVG but it came out clean. Somehow it detects the infection when it executes but when I scan the system nothing happens.
I've run Spyware Doctor, Spybot, registry cleaners etc. It didnt help at all. No software detected any infection

Please help!!!!

mitchell · Jan 6, 2010

Hello Mugambodeva, It seems strange that none of your scanners are picking it up but your resident protection is
Unless it is your heuristics scan (in other words it is not a known definition, but displaying the behaviour one.)

To be on the safe side i would download Malwarebytes free scanner, update it & run a scan. Malwarebytes has a high detection rate of Polymorphic malware & will play nicely with the security apps you already have.

If it does detect anything can you please post back your results. (For my own curiositys sake as well as it may help others)

Best wishes :D

http://www.malwarebytes.org/

whs · Jan 6, 2010

Have a look at this too: WikiAnswers - What is Trojan horse clicker LMJ and how do you remove it

The svchost.exe file is located in the folder C:\Windows\System32. In other cases, svchost.exe is a virus, spyware, trojan or worm!

mugambodeva · Jan 7, 2010

I did a full Scan with Malwarebyte. It didnt detect anything.

Here is the log

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865
1/7/2010 4:49:33 PM
mbam-log-2010-01-07 (16-49-28).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 359260
Time elapsed: 3 hour(s), 21 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

mitchell · Jan 7, 2010

Hello M, The fact that none of the on demand scanners have detected anything really makes me think it could be a false positive.

You could do a bit of google on; "FILE NAME: C:\windows\temp\cvnp.tmp\svchost.exe
THREAT NAME: Trojan Horse Clicker.AEIO
Detect on open."
and see what others say about it.

Also you could disable AVG & run an online scan, this one is often recommended by our members;

Free ESET Online Antivirus Scanner

jp07764 · Jan 7, 2010

You can always try a scan with Malwarebytes in safe mode.
Also superantispware has an online scan too SUPERAntiSpyware.com - Online Scanner
Also you can read this What is svchost.exe And Why Is It Running? - the How-To Geek

mugambodeva · Jan 8, 2010

This certainly is not a fake alert because this never happened earlier. It started precisely after i ran that program.

damian77 · Jan 8, 2010

Hello mugambodeva,

I've the same problem since lastnight. Have you solved? How?

Regards,
Damian.

mugambodeva · Jan 8, 2010

You can always try a scan with Malwarebytes in safe mode.
Also superantispware has an online scan too SUPERAntiSpyware.com - Online Scanner

I ran the SUPERAntispyware.com online scan... Guess what! It deleted a system file and now my laptop doesn't even boot.

The missing file is igdkmdnt.sys . No information is available on the internet.
PLZ HELP!!!!

jp07764 · Jan 8, 2010

Now you are going to have to use your vista disc to do a repair.
http://www.vistax64.com/tutorials/88236-repair-install-vista.html?ltr=R
If you have a vista disc.
If you do not then you are going to have to use your restore partion by hitting f11
during start up. This will WIPE YOU DRIVE AND RESTORE THE COMPUTER TO FACTORY
DEFAULTS. I wrote it big because I wanted you to know there is no going back once you do it. You will lose everything.

Jimmy

mugambodeva · Jan 9, 2010

I have NEVER formatted my system. And I will try my best that I resolve the issue without a format.

And this time too I did it successfully. I asked a friend to mail me the missing file from her system and then used the command prompt and a USB drive to copy it in the 'drivers' folder.

My system is up and running, but the resident shield alert still is ON.

Any other suggestions on how to removing this Trojan???

jp07764 · Jan 9, 2010

I am glad you got it up and running.
Did you run Malwarebytes in safemode?
AVG: Resident Shield Alert Help Needed. - Tech Support Forum
That is the best I can do for you.
Do not want to crash your system again.

Jimmy

mugambodeva · Jan 10, 2010

Scans in Safe Mode too are clean.. I have run bothe AVG and Malwarebytes.

Somebody help me plz!

mugambodeva · Jan 10, 2010

Another information... AVG Resident Shield also shows the PID of the process which has executed the program. I traced it in the Task Manager and there are 2 process with that PID: DcomLaunch and PlugPlay

Any suggestions now?

mugambodeva · Jan 11, 2010

I am posting the link to the file which started the chaos. If anybody can get someone to analyze it and suggest a remedy.

ShareCash.Org - Make Money Uploading Files! - working hack.zip

Thank you!

jp07764 · Jan 11, 2010

Security Cleanup forum - dslreports.com broadband community
This is a forum where you post a hijackthis log
and somebody helps you.
This is the best I can do for you.
Sorry I can not be more help to you.
I would have taken the easy way and wiped the drive and reinstall.

Jimmy

jp07764 · Jan 11, 2010

Sorry I will not download that file. It sounds like a scam to me.

damian77 · Jan 12, 2010

mugambodeva,

i've the same problem, and after a few days of trying everything but reinstall the SO, finally found the solution...

take a look at this post

Fake svchost.exe trojan created in windows temp folder

and follow the instructions of "homersimpson"

in my case, when I ran hijackthis it found a few more entries that make no sense to me, so i've fixed them too.

follow those steps and let me know if you have success.good luck!

SVCHOST.EXE AVG resident shield alert

New Member

My Computer

Ngai Tahu/Tau Iwi

My Computer

My Computer

New Member

My Computer

Ngai Tahu/Tau Iwi

My Computer

My Computer

New Member

My Computer

New Member

My Computer

New Member

My Computer

My Computer

New Member

My Computer

My Computer

New Member

My Computer

New Member

My Computer

New Member

My Computer

My Computer

My Computer

New Member

My Computer