SVChost.exe Problem - Possible Malware Issue


  • This topic is locked
47 replies to this topic

#31 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,299 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:29 PM

Posted 19 June 2012 - 11:58 PM

Greetings


there are a couple of ways to go


I would go to Windows Update and select a few updates at a time, making a restore point after each one.


When you find the culprit, I would get in touch with Microsoft, as they provide free support for updates.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University


#32 TravelinMan

  • Topic Starter
  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:29 AM

Posted 20 June 2012 - 09:36 PM

I did as you suggested Gringo...

I selected two seemingly harmless updates...

One was an MS Office update and the other was a MS Virus removal tool...

Immediately after I rebooted... I was experiencing behavior same as before...

Freeze up, and not opening executables...

I am stumped... I am operating now in normal mode because I have a restore point that works...

But not sure where to go from here... My laptop is about 4 years old...

Working okay physically except for a requirement to have the screen at a certain angle lest it goes dark, and the mouse freezes in place....

So to think about formatting the HD and starting over is about a two week job to get it back to normal if I go that route... and then not knowing how much longer its life will be... I truly wish I could just eradicate the bug/s and carry on until it dies... what are your thoughts... :busy:

#33 gringo_pr


Posted 20 June 2012 - 09:47 PM

I would wait about two weeks and try the updates again - it may just be a buggy update and if it is the virus removal tool it would have been updated by then



gringo

#34 TravelinMan


Posted 20 June 2012 - 11:57 PM

I tried 3 updates... different ones... all security patches...
Same thing... after reboot.... no opening of any executables.. including Task Manager or shut down... had to hold in the power button to kill the OS....

Do you have any more ideas, or strategies? I don't think we are finished as the problem still exists... the virus seems to attack after updates are downloaded... svchost.exe is the thread "so to speak" that it seems to operate in...

Are you still with me, or are you feeling we are finished??? Let me know.. thanks.... :wink:

#35 gringo_pr


Posted 21 June 2012 - 12:12 AM

That is the strangest thing I have heard lately - let's do some more checking to be sure



Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#36 TravelinMan


Posted 21 June 2012 - 07:09 AM

The scan went smoothly... no hiccups....

I read an article yesterday that said the svchost.exe hides in some processes with the same name, but the issue is its origin.. if it doesn't say Microsoft, it is an intruder... the issue is how to discover its origin... they mentioned a program that scans and identifies the origin of all occurrences of svchost.exe.. and then you can delete them manually... I did not try that as I did not want to mess up something that you were trying to accomplish as per bleepingcomputer guidelines... just sayin.... thanks... B)

ComboFix 12-06-21.01 - Bob 06/21/2012 6:30.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1312 [GMT -5:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-21 to 2012-06-21 )))))))))))))))))))))))))))))))
.
.
2012-06-21 04:40 . 2012-06-21 04:40 -------- d-----w- c:\windows\LastGood
2012-06-21 04:32 . 2012-06-21 04:32 -------- d-----w- c:\windows\system32\wbem\Repository
2012-06-19 04:46 . 2012-06-19 04:46 -------- d-----w- c:\program files\ESET
2012-06-19 03:27 . 2012-06-21 04:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-04 20:10 . 2012-06-04 20:10 -------- d-----w- c:\program files\Dropbox
2012-06-01 17:16 . 2012-06-01 17:16 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-06-01 17:16 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-06-01 17:16 . 2012-02-15 16:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-06-01 17:16 . 2012-06-01 17:16 -------- d-----w- c:\program files\Bonjour
2012-05-26 03:23 . 2012-05-26 03:23 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Sun
2012-05-26 03:13 . 2012-05-26 03:13 -------- d-----w- c:\program files\Common Files\Java
2012-05-26 03:11 . 2012-05-26 03:11 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-26 03:11 . 2012-05-26 03:11 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-22 19:51 . 2012-05-22 19:51 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Copernic
2012-05-22 19:51 . 2012-05-22 19:51 -------- d-----w- c:\documents and settings\Bob\Application Data\Copernic
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-19 13:15 . 2011-03-15 02:11 5280 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-06-02 20:19 . 2008-07-02 17:16 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2008-07-02 17:16 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2008-07-02 16:38 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2008-07-02 16:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2008-07-02 16:38 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2008-07-02 17:16 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2008-07-02 16:38 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2008-07-02 16:20 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2008-07-02 17:16 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2008-07-02 16:38 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2008-07-02 16:38 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2008-11-04 12:28 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2008-11-04 12:28 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2008-07-19 03:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2008-07-02 16:20 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-26 03:11 . 2010-04-22 03:17 687560 -c--a-w- c:\windows\system32\deployJava1.dll
2012-05-21 22:13 . 2012-05-21 22:13 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2012-05-21 22:12 . 2012-05-21 22:12 3038 ----a-w- C:\fix_svchost.bat
2012-05-21 22:08 . 2012-05-21 22:08 6216032 ----a-w- C:\windowsupdateagent30-x86.exe
2012-05-20 04:26 . 2012-05-20 04:26 77312 ----a-w- c:\windows\ua2.dll
2012-05-18 05:00 . 2012-05-18 05:00 389 ----a-w- c:\documents and settings\Bob\GenericHostErrorProblem.bat
2012-05-15 13:20 . 2008-07-02 16:21 1863168 ----a-w- c:\windows\system32\win32k(2)(2).sys
2012-04-11 13:14 . 2004-08-03 23:18 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-07-02 16:21 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-22 22:08 . 2011-08-22 22:08 21073936 -c--a-w- c:\program files\vlc-1.1.11-win32.exe
2012-05-08 15:50 . 2011-03-11 15:50 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-06-05_14.51.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-21 04:36 . 2012-06-21 04:36 16384 c:\windows\temp\Perflib_Perfdata_860.dat
+ 2012-06-21 04:40 . 2012-06-02 20:19 45080 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.6.7600.256\wups2.dll
+ 2012-06-21 04:40 . 2012-06-02 20:19 35864 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.6.7600.256\wups.dll
+ 2008-07-02 16:38 . 2012-06-02 20:19 53784 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-07-02 16:20 . 2012-06-02 20:19 97304 c:\windows\system32\dllcache\cdm.dll
+ 2012-06-21 04:40 . 2009-08-06 23:24 44768 c:\windows\LastGood\system32\wups2.dll
+ 2012-06-21 04:40 . 2009-08-06 23:24 35552 c:\windows\LastGood\system32\wups.dll
+ 2012-06-21 04:40 . 2009-08-06 23:24 53472 c:\windows\LastGood\system32\wuauclt.exe
+ 2012-06-21 04:40 . 2009-08-06 23:24 96480 c:\windows\LastGood\system32\cdm.dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 832512 c:\windows\system32\wininet(3)(2).dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 832512 c:\windows\system32\wininet(2).dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 233472 c:\windows\system32\webcheck(2).dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 106496 c:\windows\system32\url(3)(2).dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 106496 c:\windows\system32\url(2).dll
+ 2007-08-13 22:34 . 2012-03-01 01:25 268288 c:\windows\system32\iertutil(2)(2).dll
- 2008-07-02 12:29 . 2012-05-10 20:10 381632 c:\windows\system32\FNTCACHE.DAT
+ 2008-07-02 12:29 . 2012-06-21 04:34 381632 c:\windows\system32\FNTCACHE.DAT
+ 2008-07-02 16:38 . 2012-06-02 20:19 210968 c:\windows\system32\dllcache\wuweb.dll
+ 2008-07-02 16:38 . 2012-06-02 20:19 329240 c:\windows\system32\dllcache\wucltui.dll
+ 2008-07-02 16:38 . 2012-06-02 20:19 577048 c:\windows\system32\dllcache\wuapi.dll
+ 2008-07-02 16:20 . 2012-03-01 01:25 124928 c:\windows\system32\advpack(2).dll
- 2012-01-30 19:38 . 2012-01-30 19:38 630784 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2012-04-21 12:15 . 2012-01-30 19:38 630784 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.dll
+ 2012-06-21 04:40 . 2009-08-06 23:24 209632 c:\windows\LastGood\system32\wuweb.dll
+ 2012-06-21 04:40 . 2009-08-06 23:24 327896 c:\windows\LastGood\system32\wucltui.dll
+ 2012-06-21 04:40 . 2009-08-06 23:23 575704 c:\windows\LastGood\system32\wuapi.dll
+ 2012-06-21 04:40 . 2009-08-06 23:23 215920 c:\windows\LastGood\system32\muweb.dll
+ 2012-06-21 04:40 . 2009-08-06 23:23 274288 c:\windows\LastGood\system32\mucltui.dll
+ 2012-04-22 02:55 . 2012-04-22 02:55 980480 c:\windows\Installer\2a72dbf.msp
+ 2008-07-02 16:21 . 2012-03-01 01:25 1168896 c:\windows\system32\urlmon(3)(2).dll
+ 2008-07-02 16:21 . 2012-03-01 01:25 1168896 c:\windows\system32\urlmon(2).dll
+ 2008-09-07 22:25 . 2012-06-21 04:33 8548812 c:\windows\system32\Restore\rstrlog.dat
+ 2008-07-02 16:38 . 2012-06-02 20:19 1933848 c:\windows\system32\dllcache\wuaueng.dll
- 2011-12-25 08:50 . 2011-12-25 08:50 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2012-03-20 10:23 . 2011-12-25 08:50 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2012-03-20 10:23 . 2008-07-25 15:17 5062656 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 5062656 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Design.dll
+ 2012-06-21 04:40 . 2009-08-06 23:23 1929952 c:\windows\LastGood\system32\wuaueng.dll
+ 2012-05-30 12:17 . 2012-05-30 12:17 5010432 c:\windows\Installer\2a72dd6.msp
+ 2012-03-21 04:57 . 2012-03-21 04:57 6188544 c:\windows\Installer\2a72db7.msp
+ 2012-05-30 12:17 . 2012-05-30 12:17 5010432 c:\windows\Installer\134ef3.msp
+ 2008-07-04 12:58 . 2012-06-04 04:35 56731752 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 18:58 333192 -c--a-w- c:\program files\AskBarDis\bar\bin\askbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSDriveIconOverlay]
@="{5FDACB62-6B7B-4116-9403-C5E0D3852A57}"
[HKEY_CLASSES_ROOT\CLSID\{5FDACB62-6B7B-4116-9403-C5E0D3852A57}]
2012-03-22 06:09 5131056 ----a-w- c:\program files\COMODO\COMMON\ShellExtension.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSSyncItemInSyncIconOverlay]
@="{68F287EF-DA6D-4595-AF52-90FF6CE52AFE}"
[HKEY_CLASSES_ROOT\CLSID\{68F287EF-DA6D-4595-AF52-90FF6CE52AFE}]
2012-03-22 06:09 5131056 ----a-w- c:\program files\COMODO\COMMON\ShellExtension.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSSyncItemModifiedIconOverlay]
@="{AE67D273-7253-4236-B55E-D40055B305D6}"
[HKEY_CLASSES_ROOT\CLSID\{AE67D273-7253-4236-B55E-D40055B305D6}]
2012-03-22 06:09 5131056 ----a-w- c:\program files\COMODO\COMMON\ShellExtension.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\COSSyncItemNewIconOverlay]
@="{022F23E9-DA0F-4A86-A728-CAF6150C0B63}"
[HKEY_CLASSES_ROOT\CLSID\{022F23E9-DA0F-4A86-A728-CAF6150C0B63}]
2012-03-22 06:09 5131056 ----a-w- c:\program files\COMODO\COMMON\ShellExtension.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Bob\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Bob\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Bob\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Bob\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoshopElements8SyncAgent"="c:\program files\Adobe\Elements 9 Organizer\ElementsOrganizerSyncAgent.exe" [2010-09-30 1945536]
"Start Magic 2.0"="c:\program files\Start Magic\start magic.exe" [2008-12-24 86016]
"Copernic Desktop Search - Home"="c:\program files\Copernic Desktop Search - Home\DesktopSearchService.exe" [2011-11-22 1648600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nwiz"="nwiz.exe" [2007-08-23 1626112]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-23 8478720]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"SmAudio"="c:\program files\Conexant\SmartAudio\SmAudio.exe" [2010-12-01 3495240]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\documents and settings\Bob\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Bob\Application Data\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Win7Keys.lnk - c:\program files\Win7Keys\Win7Keys.exe [2010-5-6 40960]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\common files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-7-8 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcods]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-07-29 06:25 497648 -c--a-w- c:\program files\common files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-01-04 20:17 1937408 -c----w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Bob\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Documents and Settings\\Bob\\Local Settings\\Application Data\\CrossLoop\\tvnserver.exe"=
"c:\\Program Files\\common files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"5910:TCP"= 5910:TCP:vnc5910
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 cbvd;Comodo Encrypted Virtual Disk;c:\windows\system32\drivers\CBVD.sys [3/22/2012 1:09 AM 474472]
R0 clbstor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [7/24/2008 8:50 AM 10368]
R0 reparse;Reparse;c:\windows\system32\drivers\cbreparse.sys [3/22/2012 1:09 AM 464672]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/20/2012 10:00 AM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/20/2012 10:00 AM 337880]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 3:06 AM 169408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/20/2012 10:00 AM 20696]
R2 COSService.exe;Comodo Online Storage Service;c:\program files\COMODO\COMMON\COSService.exe [10/25/2011 12:03 AM 3837744]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [7/2/2008 11:21 AM 14336]
R2 SynchronizationService.exe;Comodo BackUp Service;c:\program files\COMODO\COMMON\SynchronizationService.exe [10/25/2011 12:03 AM 3454768]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [11/29/2010 10:32 AM 193840]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 e0e9d137;e0e9d137;c:\windows\system32\drivers\e0e9d137.sys --> c:\windows\system32\drivers\e0e9d137.sys [?]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [9/8/2011 9:23 AM 563216]
S2 gupdate1c951e5929dad5c;Google Update Service (gupdate1c951e5929dad5c);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2008 12:44 AM 133104]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [5/8/2011 8:29 AM 20032]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/29/2008 12:44 AM 133104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/8/2012 10:50 AM 129976]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [11/24/2009 8:38 AM 47360]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [4/12/2009 7:09 AM 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [4/12/2009 7:09 AM 3768]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [1/20/2012 10:56 AM 121192]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [1/20/2012 10:56 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [1/20/2012 10:56 AM 136680]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [3/25/2009 3:51 AM 18432]
S3 tvnserver;TightVNC Server;c:\documents and settings\Bob\Local Settings\Application Data\CrossLoop\tvnserver.exe [9/8/2011 9:23 AM 814080]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 37983246
*Deregistered* - 37983246
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-09-16 19:11 451872 -c--a-w- c:\program files\common files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\AdobeAAMUpdater-1.0 Fallback-HP-Bob.job
- c:\program files\common files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe [2010-07-29 06:40]
.
2011-05-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-HP-Bob.job
- c:\program files\common files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2010-03-17 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-08 17:09]
.
2012-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cd0ad3907004d0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-29 05:44]
.
2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-879983540-682003330-1003Core1cc8f46421cb6c4.job
- c:\documents and settings\Bob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-11 14:11]
.
2008-11-15 c:\windows\Tasks\User_Feed_Synchronization-{439D3F61-4239-4B30-84DB-CFE7528829A1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
2009-05-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 03:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ox3biacj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://freedomquestinternational.org/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=100&systemid=102&sr=0&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-21 06:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3540)
c:\windows\system32\WININET.dll
c:\program files\COMODO\COMMON\ShellExtension.dll
c:\documents and settings\Bob\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-06-21 06:47:32
ComboFix-quarantined-files.txt 2012-06-21 11:47
ComboFix2.txt 2012-06-18 04:28
ComboFix3.txt 2012-06-05 19:27
ComboFix4.txt 2012-06-05 14:57
ComboFix5.txt 2012-06-21 11:29
.
Pre-Run: 20,982,288,384 bytes free
Post-Run: 21,282,787,328 bytes free
.
- - End Of File - - 10BFB0549995EBAD3BFE327E56E106AB
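The "DLLs Loaded Under Running Processes" list in the log above is the part of a ComboFix report a responder actually reads, and the question it answers is "which modules inside explorer.exe came from somewhere a standard user can write to?" The script below is an added example, not part of the original post and not ComboFix's own code: it parses that section and flags any DLL loaded from outside the Windows and Program Files trees. The embedded log excerpt is copied from the report above, trimmed to one process; the trusted-prefix list is an assumption for this example.

```python
import re
from typing import Dict, List, Tuple

# Excerpt copied from the ComboFix log in this thread: the section header,
# one process marker with part of its DLL list, and the "." terminator.
SAMPLE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3540)
c:\\windows\\system32\\WININET.dll
c:\\program files\\COMODO\\COMMON\\ShellExtension.dll
c:\\documents and settings\\Bob\\Application Data\\Dropbox\\bin\\DropboxExt.14.dll
c:\\program files\\Windows Desktop Search\\deskbar.dll
c:\\windows\\system32\\ieframe.dll
.
Completion time: 2012-06-21 06:47:32
"""

SECTION_HEADER = "DLLs Loaded Under Running Processes"
# ComboFix marks each process as: - - - - - - - > 'name'(pid)
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")

# Directories that only an administrator can write to on a default XP install.
# A module loaded from anywhere else (user profile, Application Data, temp,
# the root of C:) could have been dropped by a standard user or by malware
# running as one.  This prefix list is an assumption for the example.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def parse_loaded_dlls(text: str) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process name, pid): [dll paths]} from the ComboFix section."""
    loaded: Dict[Tuple[str, int], List[str]] = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_HEADER in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":
            # ComboFix separates blocks with a lone "."; the first one after a
            # process list closes the section.
            if current is not None:
                break
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            loaded[current] = []
        elif current is not None:
            loaded[current].append(line)
    return loaded


def suspicious_dlls(loaded: Dict[Tuple[str, int], List[str]]) -> List[Tuple[str, int, str]]:
    """(process, pid, path) for every DLL loaded from outside TRUSTED_PREFIXES."""
    hits = []
    for (name, pid), dlls in loaded.items():
        for path in dlls:
            if not path.lower().startswith(TRUSTED_PREFIXES):
                hits.append((name, pid, path))
    return hits


if __name__ == "__main__":
    for name, pid, path in suspicious_dlls(parse_loaded_dlls(SAMPLE_LOG)):
        print(f"{name}({pid}) loaded from user-writable path: {path}")
```

Run against the excerpt it flags only DropboxExt.14.dll, loaded from the user's Application Data folder. That is expected for Dropbox, which installs its shell extension per user, so a hit from this check is a lead to verify (publisher signature, hash against a known-good copy), not a verdict; the point of the check is that anything malicious injected into the shell would have to land in the same kind of location.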

#37 TravelinMan (Topic Starter)

Posted 22 June 2012 - 05:55 PM

I do still have a small residue from our working...

1. Upon boot-up, my machine thinks it has found new hardware, and it says "unknown". How do I get rid of that?

2. I occasionally still get a message saying "trying to write to 000000000000 and was stopped at 0000000000000". How can I eliminate that? I thought to run chkdsk?

Thanks...

#38 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 22 June 2012 - 06:33 PM

Greetings


The 1st item is in Device Manager: look for something that says unknown and uninstall it.

The 2nd is worth a try, but I don't really know.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#39 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 June 2012 - 11:20 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#40 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 27 June 2012 - 11:27 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#41 TravelinMan (Topic Starter)

Posted 29 June 2012 - 01:57 PM

I had to buy a new laptop because I had work to do, and on my new Win7 machine I cannot get on bleepingcomputer.com even though I type in the correct password and login info. Too weird. I am in safe mode now on my old machine. I don't even see where I can change my password. I believe I will format this hard drive, reinstall XP and then try to sell it for $100 to help pay for my new laptop. This one is 4 years old, an HP Pavilion dv9000 series.

#42 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 June 2012 - 10:57 PM

what happens when you try to get to our site on the new laptop?


gringo

#43 TravelinMan (Topic Starter)

Posted 30 June 2012 - 09:44 PM

It didn't like my login info...

I am on it now...

Thanks...

#44 TravelinMan (Topic Starter)

Posted 30 June 2012 - 09:49 PM

On my old machine with the svchost.exe issues, it is exactly where it was before. It seems to get better after all the scans, and apparently the embedded bug recreates and multiplies itself until I am frozen up again and have to go to safe mode. Makes me want to use it for target practice, but I think I will reformat the hard drive now that I have transferred all my files etc.

#45 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 30 June 2012 - 09:58 PM

The way it is acting, that may be best and the surest way to get it fixed. It will even fix it if it is not something malware related.


If you need help with that, just let me know.


gringo



