
Infected With Svchost.exe


1 reply to this topic

#1 AVGuru

  • Members
  • 2 posts
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 11 December 2007 - 12:14 PM

The svchost.exe bug keeps me from connecting to all sorts of web pages in Explorer, Safari and Firefox. Some of these pages include any Windows Update and Internet Explorer pages (I had to do a repair reinstall of XP). I also can't connect to various repair-type software pages (i.e. the BitDefender scan page). I have spent many days trying to deal with this. Please help. Here is my HijackThis log.


StartupList report, 12/10/2007, 7:33:16 PM
StartupList version: 1.52.2
Started from : E:\Documents and Settings\Owner\Desktop\Utilities\HiJackThis_v2.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Summitsoft\SystemTechXP9\FreeRAM.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\AGRSMMSG.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\palmOne\Hotsync.exe
E:\WINDOWS\system32\spoolsv.exe
e:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
E:\Program Files\a-squared Free\a2service.exe
E:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
E:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\Program Files\Raxco\PerfectDisk\PDAgent.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Owner\Desktop\Utilities\HiJackThis_v2.exe
E:\Documents and Settings\Owner\Desktop\Autoruns\autoruns.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
E:\Documents and Settings\Owner\Desktop\Autoruns\autoruns.exe
E:\WINDOWS\System32\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[E:\Documents and Settings\Owner\Start Menu\Programs\Startup]
HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = E:\Program Files\Apoint2K\Apoint.exe
SunJavaUpdateSched = "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
IntelliPoint = "E:\Program Files\Microsoft IntelliPoint\point32.exe"
Cpqset = E:\Program Files\HPQ\Default Settings\cpqset.exe
ccApp = "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
MindSoft FreeRAM = E:\Program Files\Summitsoft\SystemTechXP9\FreeRAM.exe
RegistryMechanic =
AVG7_CC = E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
ZoneAlarm Client = "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
ATIModeChange = Ati2mdxx.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe
WMPNSCFG = E:\Program Files\Windows Media Player\WMPNSCFG.exe
swg = E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AROReminder = E:\Program Files\Advanced Registry Optimizer\aro.exe -rem

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=E:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - e:\program files\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - E:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Norton SystemWorks One Button Checkup.job
RegCure Program Check.job
RegCure.job
User_Feed_Synchronization-{EA973CD1-696A-4637-B9DD-8135DD0CA766}.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = E:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = E:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[YInstStarter Class]
InProcServer32 = E:\Program Files\Yahoo!\Common\yinsthelper.dll
CODEBASE = E:\Program Files\Yahoo!\Common\yinsthelper.dll

[Office Update Installation Engine]
InProcServer32 = E:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[WUWebControl Class]
InProcServer32 = E:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1129068182350

[Symantec Download Manager]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\symdlmgr.dll
CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab

[MUWebControl Class]
InProcServer32 = E:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1129140655328

[DownloadManager Control]
InProcServer32 = E:\WINDOWS\DOWNLO~1\DOWNLO~1.OCX
CODEBASE = http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\System32\webcheck.dll
SysTray: E:\WINDOWS\System32\stobject.dll
WPDShServiceObj: E:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,255 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

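As an added example, not part of the original thread and not code from HijackThis or its author: a small Python triage script for a StartupList report in the format posted above. It infers the real System32 directory from the log itself (the poster's Windows is on E:\, not C:\), flags any core binary such as svchost.exe running from some other folder, flags processes running from per-user writable locations, and flags Run entries with empty values or bare filenames (the posted log contains both kinds: `RegistryMechanic =` and `ATIModeChange = Ati2mdxx.exe`). The embedded SAMPLE_REPORT is a constructed excerpt, not the posted log; its Temp\svchost.exe line is synthetic and does not appear in the poster's report, and the finding category names are my own.

```python
"""Triage a HijackThis StartupList report (added example). SAMPLE_REPORT is a
constructed excerpt in the posted format; its Temp\\svchost.exe line is synthetic."""
import ntpath
import re

SAMPLE_REPORT = r"""
StartupList report, 12/10/2007, 7:33:16 PM
==================================================
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Documents and Settings\Owner\Desktop\Utilities\HiJackThis_v2.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
RegistryMechanic =
ATIModeChange = Ati2mdxx.exe
--------------------------------------------------
"""

# Binaries that belong in the System32 directory of the running Windows install.
SYSTEM32_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Per-user locations that any local process can write to (assumed markers, XP layout).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\application data\\")
SECTION_BREAK = re.compile(r"^[-=]{10,}$")
RUN_ENTRY = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$")


def parse_sections(report):
    """Map each report section (a header line ending in ':') to its entry lines."""
    sections, header = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_BREAK.match(line):
            header = None
            continue
        if header is None:
            if line.endswith(":"):
                header = line[:-1]
                sections[header] = []
            continue
        # Registry sections name the key on the line after the header; use the
        # key itself as the section name so HKLM and HKCU Run keys stay apart.
        if line.upper().startswith(("HKLM\\", "HKCU\\")) and not sections[header]:
            sections.pop(header)
            header = line
            sections[header] = []
            continue
        sections[header].append(line)
    return sections


def system32_dir(processes):
    """Infer System32 from where smss.exe/services.exe run (poster's Windows is on E:\\, not C:\\)."""
    return next((ntpath.dirname(p).lower() for p in processes
                 if ntpath.basename(p).lower() in ("smss.exe", "services.exe")), None)


def triage_processes(processes):
    """Flag core binaries outside System32 and anything running from a user-writable dir."""
    findings, sys32 = [], system32_dir(processes)
    for path in processes:
        name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
        if name in SYSTEM32_BINARIES and sys32 and folder != sys32:
            findings.append(("core-binary-outside-system32", path))
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(("runs-from-user-writable-dir", path))
    return findings


def triage_run_entries(entries):
    """Flag orphaned (empty) Run values and bare filenames with no directory."""
    # A bare name such as Ati2mdxx.exe is located by the standard search path at
    # logon, so a same-named file earlier in that search order would run instead.
    findings = []
    for match in filter(None, map(RUN_ENTRY.match, entries)):
        name, value = match.group("name").strip(), match.group("value").strip().strip('"')
        if not value:
            findings.append(("empty-run-value", name))
        elif "\\" not in value:
            findings.append(("bare-filename-resolved-by-path-search", f"{name} = {value}"))
    return findings


def triage_report(report):
    """Return (category, detail) findings for the process list and every Run key."""
    sections = parse_sections(report)
    findings = triage_processes(sections.get("Running processes", []))
    for key, entries in sections.items():
        if key.upper().startswith(("HKLM\\", "HKCU\\")):
            findings.extend(triage_run_entries(entries))
    return findings


if __name__ == "__main__":
    for category, detail in triage_report(SAMPLE_REPORT):
        print(f"{category:40} {detail}")
```

Run it as a script to print the findings for the built-in sample, or call `triage_report()` on the text of a saved report. A hit is a prompt to verify the file (size, hash, signature) against a known-good copy, not a verdict: in the posted log every svchost.exe entry sits under E:\WINDOWS\System32, so the first check would not fire on it, while the empty `RegistryMechanic` value and the bare `Ati2mdxx.exe` entry would be listed for a look.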

#2 sjpritch25

  • Security Colleague
  • 899 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 26 December 2007 - 10:29 PM

Welcome to BC :thumbsup:

Sorry for the delay, the forum has been extremely busy lately.

Since it's been a few days, please post a fresh HijackThis log. Thanks.
Microsoft MVP Consumer Security--2007-2010



