
Bloodhound 196 Exploit, Malware and SVCHOST.exe problem please help me...


  • This topic is locked
1 reply to this topic

#1 simonellis

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:49 AM

Posted 26 January 2009 - 08:37 PM

Bloodhound 196 Exploit, Generic Host Process Win32 Services, Malware and SVCHOST.exe problem, please help me...


HELP! I have been using my girlfriend's computer after mine was repossessed by my former employer after I lost my job... Now the boot process is taking much longer, I get some application errors referencing svchost.exe and the location 0x597016e2, I get some .dll problems once in a while, I am getting frequent problems with Office and Firefox being unresponsive, and also my Symantec is detecting a Bloodhound Exploit 196.

Generic Host Process Win32 Services Problem
I keep getting the message when I start up the PC.
"Generic host process for Win32 Services. Data execution prevention. Generic host process encountered a problem and needed to close."
My laptop is also frequently becoming nonresponsive with Office and Acrobat programs.


I usually know how to fix my problems on the PC, but I don't know what to do. I've tried to run Malwarebytes' Anti-Malware, Symantec and Ad-Aware, but I'm not making any progress, and I don't want my benevolent girlfriend to now kill me because I broke the only computer we have in the house....

HELP! Somebody... PLEASE HELP!!

Thank you to whoever reviews this and considers how to help.... I really need help.





DDS (Ver_09-01-19.01) - NTFSx86
Run by removed at 20:25:35.29 on Mon 01/26/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.371 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\YouSendIt\Express\YouSendIt.exe
C:\blp\API\OFFICE~1\Bloomberg.UIServer.exe
C:\blp\API\OFFICE~1\Bloomberg.RtdServer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\removed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CLRHost] c:\blp\api\office~1\bbxlcmd.exe
uRun: [EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S7F3.tmp" /EF "HKCU"
uRun: [Aim6]
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232115745781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL zarzbr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\removed~1\applic~1\mozilla\firefox\profiles\e1jgc27t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-12-20 87936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\naveng.sys [2009-1-26 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090126.004\navex15.sys [2009-1-26 876112]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-6 1715952]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2005-12-20 29744]
S3 NANMp50;NANMp50 NDIS Protocol Driver;c:\windows\system32\drivers\NANMp50.sys [2008-11-6 28224]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-6 124656]

=============== Created Last 30 ================

2009-01-21 23:27 <DIR> --d----- c:\docume~1\removed~1\applic~1\AVS4YOU
2009-01-21 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-01-21 23:24 <DIR> --d----- c:\program files\common files\AVSMedia
2009-01-21 23:24 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-01-21 23:24 24,576 a------- c:\windows\system32\msxml3a.dll
2009-01-21 23:24 <DIR> --d----- c:\program files\AVS4YOU
2009-01-21 23:16 <DIR> --d----- c:\program files\Webcam and Screen Recorder
2009-01-18 11:47 168,448 a------- c:\windows\system32\unrar.dll
2009-01-18 11:47 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-01-18 11:34 <DIR> --d----- c:\program files\DivX
2009-01-13 18:56 <DIR> --d----- c:\docume~1\removed~1\applic~1\YouSendIt
2009-01-13 18:56 <DIR> --d----- c:\program files\YouSendIt
2008-12-30 23:49 <DIR> --d----- c:\windows\system32-Save
2008-12-30 23:28 <DIR> --d----- c:\program files\Roxio
2008-12-30 23:28 <DIR> --d----- c:\program files\common files\Sonic Shared
2008-12-30 23:06 <DIR> --d----- c:\program files\MSXML 6.0
2008-12-30 14:52 <DIR> --d----- c:\docume~1\removed~1\applic~1\Malwarebytes
2008-12-30 14:52 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-30 14:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-30 14:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-30 14:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-30 14:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-30 14:39 <DIR> --d----- c:\documents and settings\removed\.SunDownloadManager
2008-12-29 19:48 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2008-12-23 14:58 124,612 a------- c:\windows\system32\ukwqxutj.dll
2008-11-18 08:57 256 a------- c:\documents and settings\removed\pool.bin
2008-11-06 11:35 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-06 11:35 200,704 a------- c:\windows\system32\ssldivx.dll
2008-04-12 10:42 4,918,270 a------- c:\documents and settings\removed\internet.exe
2004-01-19 14:31 153,600 a------- c:\program files\ltfil13n.DLL
2004-01-19 13:31 27,648 a------- c:\program files\lfiff13n.dll
2004-01-19 13:31 20,480 a------- c:\program files\lfCUT13n.dll
2004-01-19 12:33 206,848 a------- c:\program files\ltefx13n.dll
2004-01-19 12:31 453,120 a------- c:\program files\ltkrn13n.dll
2004-01-19 12:12 89,600 a------- c:\program files\Lfcgm13n.dll
2004-01-19 11:49 278,016 a------- c:\program files\LFJ2K13n.dll
2004-01-19 11:49 180,736 a------- c:\program files\Lfpng13n.dll
2004-01-19 11:47 76,800 a------- c:\program files\Lfwmf13n.dll
2004-01-19 11:47 509,440 a------- c:\program files\LFCMW13n.dll
2004-01-19 11:45 420,352 a------- c:\program files\LFCMP13n.DLL
2004-01-19 11:44 143,872 a------- c:\program files\lftif13n.dll
2004-01-19 11:36 56,832 a------- c:\program files\lfpsd13n.dll
2004-01-19 11:36 19,968 a------- c:\program files\lfpcd13n.dll
2004-01-19 11:36 26,624 a------- c:\program files\lfpcx13n.dll
2004-01-19 11:36 65,536 a------- c:\program files\Lfpct13n.dll
2004-01-19 11:36 18,944 a------- c:\program files\lfmsp13n.dll
2004-01-19 11:35 18,944 a------- c:\program files\lfmac13n.dll
2004-01-19 11:35 20,992 a------- c:\program files\lfimg13n.dll
2004-01-19 11:34 31,744 a------- c:\program files\lfclp13n.dll
2004-01-19 11:34 30,208 a------- c:\program files\lfbmp13n.dll
2004-01-19 11:33 444,928 a------- c:\program files\ltimg13n.dll
2004-01-19 11:32 265,216 a------- c:\program files\LTDIS13n.dll
2000-05-02 04:17 212,480 a------- c:\program files\PCDLIB32.DLL
1999-11-18 23:00 284,032 a------- c:\program files\XceedZip.dll

============= FINISH: 20:26:16.18 ===============


Edited by Orange Blossom, 26 January 2010 - 11:30 PM.
edited out personal information. ~ OB
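The DDS log above is the kind of evidence a helper has to triage by hand: which processes run from outside the Windows and Program Files trees, which entries DDS could not resolve to a path, and what the AppInit_DLLs value loads into every GUI process. The script below is an added example written for this page, not a tool from the thread or from the DDS author. It parses the DDS section layout shown above (the `=====` section headers, the "Running Processes" list with trailing `-k`/`/switch` arguments, and the `AppInit_DLLs:` line of the Pseudo HJT Report) and sorts entries into buckets a responder would then check by hand. The sample log embedded in it is constructed for the example; its paths and DLL names are invented and are not taken from the poster's machine, and the trusted-prefix list is this example's own heuristic, not a DDS feature.

```python
import re

# Constructed sample in the DDS log layout seen in the post above.
# Every path and filename here is invented for this example.
SAMPLE_LOG = r"""DDS (Ver_09-01-19.01) - NTFSx86
Run by example at 20:25:35.29 on Mon 01/26/2009

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Example Vendor\Bin\EvtEng.exe
C:\PROGRA~1\EXAMPL~1\tray.exe
C:\Documents and Settings\example\Desktop\dds.scr
C:\Documents and Settings\example\internet.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.example.com/
AppInit_DLLs: c:\progra~1\example\EXAMPL~1.DLL abcdef.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= FINISH: 20:26:16.18 ===============
"""

# A DDS section header looks like "====== Title ======".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")

# Locations where the bulk of a stock XP install's processes live.
# Anything outside these is not malicious by itself; it simply goes
# into the bucket a responder looks at first.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def split_sections(text):
    """Map each DDS section title to the non-empty lines beneath it."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def classify_process(entry):
    """Return (image_path, bucket) for one 'Running Processes' line.

    DDS prints the image path followed by optional arguments such as
    '-k netsvcs' or '/background'; the split below drops those.
    """
    image = re.split(r"\s+(?=[-/])", entry, maxsplit=1)[0].strip()
    if "\\" not in image:
        # DDS listed only the executable name: the path was not resolved.
        return image, "unresolved"
    if image.lower().startswith(TRUSTED_PREFIXES):
        return image, "system"
    # User profile, temp, drive root or another unusual location.
    return image, "review"


def appinit_dlls(hjt_lines):
    """Split the AppInit_DLLs value into entries with and without a path.

    A bare filename is found via the DLL search path rather than a fixed
    location, so it cannot be checked on disk without locating it first.
    """
    for line in hjt_lines:
        if line.lower().startswith("appinit_dlls:"):
            entries = line.split(":", 1)[1].split()
            return {
                "with_path": [e for e in entries if "\\" in e],
                "bare_name": [e for e in entries if "\\" not in e],
            }
    return {"with_path": [], "bare_name": []}


def triage(log_text):
    """Bucket the processes and AppInit_DLLs entries of a DDS log."""
    sections = split_sections(log_text)
    classified = [classify_process(l) for l in sections.get("Running Processes", [])]
    return {
        "system": [p for p, b in classified if b == "system"],
        "unresolved": [p for p, b in classified if b == "unresolved"],
        "review": [p for p, b in classified if b == "review"],
        "appinit": appinit_dlls(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, "->", items)
```

Feed it the text of a real DDS log instead of `SAMPLE_LOG` and the "review" and "unresolved" buckets give the responder a short list to verify on disk (publisher, creation date, hash) before anything is removed; the script itself only sorts, it does not decide what is malicious.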



#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:49 AM

Posted 06 February 2009 - 06:43 PM

Hello.

Since you are already receiving help elsewhere, this topic is now Closed.

Link to log currently taking place: http://forums.techguy.org/malware-removal-...re-svchost.html

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.



