Can Someone Please Help Me? Problem With Svchost.exe


This topic is locked
6 replies to this topic

#1 Rudi28


Posted 14 May 2008 - 11:44 AM

Hi Everyone,

I have a problem. I can't start applications like NetBeans. It seems that the problem is because those applications need svchost.exe, since they have DLLs that act as services and that's the way they're implemented. Things used to work fine before, but a couple of days ago I noticed that some applications didn't open anymore. NetBeans is one of them.

So I uninstalled and reinstalled NetBeans but it didn't work.

Then I ran a program called process from a DOS window that essentially shows the same as the Windows Task Manager. I noticed that svchost.exe has several instances with "Error 0x5 : Access is denied" next to them. I didn't remember seeing that before, so I guess that's the problem.

Can someone please help?

The log from the process viewer and the log from the Kaspersky virus scan follow:




Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 14, 2008 12:12:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 772833
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 23226
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:20:08

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6C3E96B2-CF7A-4BED-A8F2-B906E0332A6F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ib1.tmp Object is locked skipped
C:\WINDOWS\Temp\ib2.tmp Object is locked skipped
C:\WINDOWS\Temp\ib3.tmp Object is locked skipped
C:\WINDOWS\Temp\ib4.tmp Object is locked skipped
C:\WINDOWS\Temp\ib5.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WS2LSPX\1248.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1332.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1412.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1696.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\184.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\2320.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\2864.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\3476.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\4000.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\440.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\656.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\756.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\812.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\Cookies\index.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\ExchangePerflog_8484fa31c6d7c0eccfcccd43.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\History\History.IE5\index.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\Perflib_Perfdata_b30.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\Perflib_Perfdata_d94.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\DOCUME~1\rdiaz\LOCALS~1\Temp\~DFB3D0.tmp Object is locked skipped

Scan process completed.


Thank you very much in advance for any help.

Best regards,

Rudi


#2 Rudi28


Posted 14 May 2008 - 03:35 PM

Here's the full scan from the Kaspersky scanner:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 14, 2008 4:31:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 772833
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 186078
Number of viruses found: 7
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 04:04:22

Infected Object Name / Virus Name / Last Action
C:\ATemp\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\ATemp\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\ATemp\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080514_Time-092221687_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080514_Time-092221687_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ORCT60A.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ORCT60A.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\cert8.db Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\history.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\key3.db Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\parent.lock Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\search.sqlite Object is locked skipped
C:\Documents and Settings\rdiaz\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\rdiaz\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Application Data\Mozilla\Firefox\Profiles\xd3dc10q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\ExchangePerflog_8484fa31c6d7c0eccfcccd43.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\History\History.IE5\MSHist012008051420080515\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\Perflib_Perfdata_b30.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\Perflib_Perfdata_d94.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temp\~DFB3D0.tmp Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temporary Internet Files\Content.Word\~WRF0001.tmp Object is locked skipped
C:\Documents and Settings\rdiaz\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\rdiaz\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\rdiaz\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\orcT60a.err Object is locked skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Project\TechDocs\001.exe/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Project\TechDocs\001.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Project\TechDocs\001.exe WiseSFX: infected - 2 skipped
C:\Project\TechDocs\001.exe WiseSFXDropper: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029372.msi/app.cab/TclLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029372.msi/app.cab/ZLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029372.msi/app.cab Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029372.msi Embedded: infected - 3 skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe/ErrorSmart.msi/app.cab/TclLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe/ErrorSmart.msi/app.cab/ZLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe/ErrorSmart.msi/app.cab Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe/ErrorSmart.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe 7-Zip: infected - 4 skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe UPX: infected - 4 skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe PE_Patch.UPX: infected - 4 skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP232\A0029793.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP232\A0029794.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP234\A0030205.msi/app.cab/TclLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bp skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP234\A0030205.msi/app.cab/ZLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bq skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP234\A0030205.msi/app.cab Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bq skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP234\A0030205.msi Embedded: infected - 3 skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP235\A0030213.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bp skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP235\A0030214.rbf Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bq skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP238\change.log Object is locked skipped
C:\Temp\setupxv.exe/ErrorSmart.msi/app.cab/TclLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\Temp\setupxv.exe/ErrorSmart.msi/app.cab/ZLib Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\Temp\setupxv.exe/ErrorSmart.msi/app.cab Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\Temp\setupxv.exe/ErrorSmart.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\Temp\setupxv.exe 7-Zip: infected - 4 skipped
C:\Temp\setupxv.exe UPX: infected - 4 skipped
C:\Temp\setupxv.exe PE_Patch.UPX: infected - 4 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6C3E96B2-CF7A-4BED-A8F2-B906E0332A6F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ib1.tmp Object is locked skipped
C:\WINDOWS\Temp\ib2.tmp Object is locked skipped
C:\WINDOWS\Temp\ib3.tmp Object is locked skipped
C:\WINDOWS\Temp\ib4.tmp Object is locked skipped
C:\WINDOWS\Temp\ib5.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WS2LSPX\1208.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1248.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1332.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\1696.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\184.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\2320.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\2864.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\3476.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\4000.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\440.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\656.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\756.dat Object is locked skipped
C:\WINDOWS\WS2LSPX\812.dat Object is locked skipped

Scan process completed.
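As an added example (not code from the thread or from Kaspersky), a small Python parser for the Kaspersky Online Scanner report format above: it separates "Object is locked" noise from real detections, groups detections by family, and tells live files apart from copies sitting in System Restore points. The embedded sample is a constructed subset of the lines in the report.

```python
"""Triage helper for a Kaspersky Online Scanner report (added example; not code from
the thread or from Kaspersky)."""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the report above, same format.
SAMPLE_REPORT = r"""Scan Statistics:
Total number of scanned objects: 186078
Number of viruses found: 7
Number of infected objects: 35

Infected Object Name / Virus Name / Last Action
C:\ATemp\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\ATemp\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Project\TechDocs\001.exe/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe/ErrorSmart.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP225\A0029373.exe UPX: infected - 4 skipped
C:\Temp\setupxv.exe/ErrorSmart.msi Infected: not-a-virus:FraudTool.Win32.AntiSpywareBot.bh skipped

Scan process completed.
"""

# The findings section uses three line shapes:
#   <path> Object is locked <action>          scanner could not open the file (noise, not a detection)
#   <path> Infected: <verdict> <action>       a detection; '/' inside the path marks an archive member
#   <path> <Packer>: infected - <n> <action>  roll-up line for a container (Inno, UPX, 7-Zip, Embedded)
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<packer>[\w.+-]+): infected - (?P<count>\d+) (?P<action>\S+)$")
RESTORE_MARKER = "\\System Volume Information\\"   # System Restore snapshot directory


def parse_report(text):
    """One record per line of the findings section: kind, path, verdict (None unless relevant)."""
    records, in_findings = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_findings = True
            continue
        if not in_findings or not line:
            continue
        if line.startswith("Scan process completed"):
            break
        m = LOCKED.match(line)
        if m:
            records.append({"kind": "locked", "path": m["path"], "verdict": None})
            continue
        m = DETECTION.match(line)
        if m:
            records.append({"kind": "detection", "path": m["path"], "verdict": m["verdict"]})
            continue
        m = CONTAINER.match(line)
        if m:
            records.append({"kind": "container", "path": m["path"], "verdict": m["packer"]})
            continue
        records.append({"kind": "unparsed", "path": line, "verdict": None})
    return records


def family(verdict):
    """'not-a-virus:FraudTool.Win32.AntiSpywareBot.bh' -> 'FraudTool.Win32.AntiSpywareBot'
    (Kaspersky names are [prefix:]Type.Platform.Family.Variant; drop the variant)."""
    core = verdict.rsplit(":", 1)[-1]
    return ".".join(core.split(".")[:3])


def summarize(records):
    """Separate noise from detections, group by family, and list the live host files to act on."""
    detections = [r for r in records if r["kind"] == "detection"]
    summary = {
        "locked": sum(r["kind"] == "locked" for r in records),
        "containers": sum(r["kind"] == "container" for r in records),
        "unparsed": sum(r["kind"] == "unparsed" for r in records),
        "detections": len(detections),
        "by_family": Counter(family(r["verdict"]) for r in detections),
        "restore_point": 0,     # copies inside System Restore; cleared by purging restore points
        "live_hosts": [],       # on-disk files (outermost container) that hold a detection
    }
    for r in detections:
        host = r["path"].split("/", 1)[0]   # strip the archive-member suffix
        if RESTORE_MARKER in host:
            summary["restore_point"] += 1
        elif host not in summary["live_hosts"]:
            summary["live_hosts"].append(host)
    return summary


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['detections']} detections, {s['locked']} locked files skipped, "
          f"{s['restore_point']} inside System Restore")
    for fam, n in s["by_family"].most_common():
        print(f"  {n:3} {fam}")
    for host in s["live_hosts"]:
        print(f"  act on: {host}")
```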

#3 Rudi28


Posted 14 May 2008 - 04:02 PM

Here's the HijackThis v2.0.2 log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:47 PM, on 5/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Temp\Print\Software\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orcworldwide.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com/welcome/thinkpad
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/welcome/thinkpad
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O10 - Unknown file in Winsock LSP: ws2lspx.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/welcome/thinkpad
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hq.orcworldwide.com
O17 - HKLM\Software\..\Telephony: DomainName = hq.orcworldwide.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1EA18DE-63B2-403C-BF8B-EABFB1866D0F}: NameServer = 100.100.100.71,100.100.100.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hq.orcworldwide.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hq.orcworldwide.com
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: SunJavaSystemAppserver9PE (AppServer9PE) - Unknown owner - C:\Sun\AppServer\lib\appservService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ManageEngine Desktop Central 6 - Remote Control - Unknown owner - C:\Program Files\DesktopCentral_Agent\\bin\dcrdservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10885 bytes

Edited by Rudi28, 14 May 2008 - 04:13 PM.


#4 Rudi28

Rudi28
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 14 May 2008 - 04:06 PM

Here's a log from Process.exe (like Task Manager):


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

ImageName PID Threads Priority CPU Owner
Idle 0 2 0 4 Error 0x6 : The handle is invalid.

System 4 84 8 0 Error 0x5 : Access is denied.

smss.exe 672 3 11 0 NT AUTHORITY\SYSTEM
csrss.exe 744 14 13 0 NT AUTHORITY\SYSTEM
winlogon.exe 772 40 13 0 NT AUTHORITY\SYSTEM
services.exe 816 20 9 0 NT AUTHORITY\SYSTEM
lsass.exe 828 27 9 0 NT AUTHORITY\SYSTEM
ibmpmsvc.exe 996 6 8 0 NT AUTHORITY\SYSTEM
ati2evxx.exe 1028 5 8 0 NT AUTHORITY\SYSTEM
svchost.exe 1072 18 8 0 NT AUTHORITY\SYSTEM
svchost.exe 1164 11 8 0 Error 0x5 : Access is denied.

svchost.exe 1264 94 8 0 NT AUTHORITY\SYSTEM
svchost.exe 1372 8 8 0 Error 0x5 : Access is denied.

svchost.exe 1448 17 8 0 Error 0x5 : Access is denied.

spoolsv.exe 1616 13 8 0 NT AUTHORITY\SYSTEM
acs.exe 1880 5 8 0 NT AUTHORITY\SYSTEM
btwdins.exe 2028 4 8 0 NT AUTHORITY\SYSTEM
FrameworkService.exe 228 11 8 0 NT AUTHORITY\SYSTEM
Mcshield.exe 324 34 13 21 NT AUTHORITY\SYSTEM
VsTskMgr.exe 356 11 8 0 NT AUTHORITY\SYSTEM
MDM.EXE 508 5 8 0 NT AUTHORITY\SYSTEM
mysqld-nt.exe 548 14 8 0 NT AUTHORITY\SYSTEM
naPrdMgr.exe 568 5 8 0 NT AUTHORITY\SYSTEM
svchost.exe 604 2 8 0 Error 0x5 : Access is denied.

svchost.exe 624 2 8 0 Error 0x5 : Access is denied.

wdfmgr.exe 736 6 8 0 Error 0x5 : Access is denied.

winvnc4.exe 1112 4 8 0 NT AUTHORITY\SYSTEM
alg.exe 2068 8 8 0 Error 0x5 : Access is denied.

ati2evxx.exe 2656 9 8 0 NT AUTHORITY\SYSTEM
wuauclt.exe 3408 8 8 0 NT AUTHORITY\SYSTEM
wmiprvse.exe 4080 9 8 0 Error 0x5 : Access is denied.

explorer.exe 216 14 8 0 IT0\rdiaz
msiexec.exe 1944 5 8 0 NT AUTHORITY\SYSTEM
SynTPLpr.exe 2968 3 8 0 IT0\rdiaz
SynTPEnh.exe 2992 6 8 0 IT0\rdiaz
TPHKMGR.exe 3008 3 10 0 IT0\rdiaz
smax4pnp.exe 3024 3 8 0 IT0\rdiaz
DLACTRLW.EXE 3060 5 8 0 IT0\rdiaz
TPONSCR.exe 3100 1 8 0 IT0\rdiaz
shstat.exe 3108 7 8 0 IT0\rdiaz
CLI.exe 3128 24 13 15 IT0\rdiaz
UpdaterUI.exe 3136 6 8 0 IT0\rdiaz
jusched.exe 3252 1 8 0 IT0\rdiaz
UNavTray.exe 3432 1 8 0 IT0\rdiaz
GoogleToolbarNotifier.exe 3496 6 8 0 IT0\rdiaz
ctfmon.exe 3592 1 8 0 IT0\rdiaz
wmiprvse.exe 4036 7 8 0 NT AUTHORITY\SYSTEM
wuauclt.exe 304 5 8 0 IT0\rdiaz
javaw.exe 540 8 8 0 IT0\rdiaz
soffice.exe 2120 1 8 0 IT0\rdiaz
soffice.bin 2416 4 8 0 IT0\rdiaz
cmd.exe 3880 1 8 0 IT0\rdiaz
Process.exe 3776 1 13 0 IT0\rdiaz


Thanks

#5 Rudi28

Rudi28
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 14 May 2008 - 05:04 PM

One thing I noticed that might shed some light on the Access Denied problem of some processes is that
the settings for my account (User Account) were changed from Administrator to Debugger User.

I changed it back to Administrator and rebooted, but I'm still having the same problem with the Access Denied
for files like svchost.exe and NetBeans not starting. When I try to start NetBeans it gives me the splash screen
but never gets around to showing the IDE. I guess it is because it needs to start a service as a dll and needs access
to svchost.exe.

Hope that I can get some help with this item.

Thanks

#6 Rudi28

Rudi28
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:02 PM

Posted 19 May 2008 - 11:28 AM

Well, no reply here.

Anyway, I found that software that I have installed to monitor IP messages (Monitor) was preventing
access to that file. I removed that software and NetBeans is able to run.

Moderator, "please close this thread."

Thanks

Edited by Rudi28, 19 May 2008 - 11:29 AM.


#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:02 PM

Posted 05 June 2008 - 09:42 AM

Since this issue appears to be resolved ... this Topic has been closed.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
