Malware? svchost error? Help!


  • This topic is locked
2 replies to this topic

#1 red626

Posted 10 March 2009 - 06:41 AM

Hello to all,
Sorry, I don't know what type of infection I have, but within the past week I have had a lot of problems with my computer. I'm running Windows XP. I started getting errors like 0x48349584 referenced memory at 0x00000008 (not these exact numbers, but several different errors). Also, the Windows display mode changes to Classic view every time I log in after restarting my computer. When I try to run Windows Update I am taken to the Google main page. I tried installing Windows SP3 and Internet Explorer 7, and then 8, but that made things worse; now my computer barely functions. Help would be greatly appreciated.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Owner at 6:17:44.78 on Tue 03/10/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.89 [GMT -5:00]

AV: Anti-Virus - SBC Yahoo! Online Protection *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.myspace.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,acciher.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - AIM Toolbar Loader
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
{0bf43445-2f28-4351-9252-17fe6e806aa0}
{40d41a8b-d79b-43d7-99a7-9ee0f344c385}
{2318c2b1-4965-11d4-9b18-009027a5cd4f}
{42cdd1bf-3ffb-4238-8ad1-7859df00b1d6}
{cbcc61fa-0221-4ccc-b409-cee865caca3a}
{55faf0f2-44d4-425f-b5f5-6b275b621eab}
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [System Support] system32.exe
uRun: [ulptx] c:\windows\system32\ywebwy.exe reg_run
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [WinPatrol] c:\progra~1\billps~1\winpat~1\winpatrol.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AlcxMonitor] ALCXMNTR.EXE
uExplorerRun: [{D86F2953-07D1-1033-0902-040804030001}] "c:\program files\common files\{d86f2953-07d1-1033-0902-040804030001}\Update.exe" mc-110-12-0000140
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\SOFTWARE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\SOFTWARE\Classes
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\SOFTWARE\Classes\CLSID
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ProgID
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE\Classes
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\SOFTWARE\Classes\CLSID
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ProgID
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}\SOFTWARE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}\SOFTWARE\Classes
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}\SOFTWARE\Classes\CLSID
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}\ProgID
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
LSP: c:\windows\system32\VetRedir.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153164173187
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4509/mcfscan.cab
TCP: NameServer = 85.255.112.199,85.255.112.181
TCP: {A4EADD8D-1C25-4493-A46D-87AF68920B57} = 85.255.112.199,85.255.112.181
Notify: OemStartMenuData - c:\windows\system32\iaaksie.dll
Notify: pmnlm - c:\windows\system32\pmnlm.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\0c63tjak.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);

============= SERVICES / DRIVERS ===============

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2005-6-27 21031]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2005-6-27 15478]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2005-6-27 590190]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2005-6-27 15735]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2006-2-27 26099]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 CAISafe;CAISafe;c:\program files\yahoo!\antivirus\iSafe.exe [2005-6-27 259184]
R2 VETMSGNT;VET Message Service;c:\program files\yahoo!\antivirus\VetMsg.exe [2005-6-27 201840]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2005-6-27 102398]

=============== Created Last 30 ================

2009-03-10 00:59 <DIR> --dsh--- c:\documents and settings\compaq_owner\IECompatCache
2009-03-10 00:58 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE
2009-03-09 23:44 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache
2009-03-09 23:38 <DIR> -cd-h--- c:\windows\ie8
2009-03-06 07:44 156,672 -------- c:\windows\system32\RtlCPAPI.dll
2009-03-06 07:44 69,632 -------- c:\windows\soundman.exe
2009-03-06 07:44 40,448 -------- c:\windows\system32\ChCfg.exe
2009-03-06 07:44 9,196,032 -------- c:\windows\system32\RTLCPL.exe
2009-03-06 07:44 208,896 -------- c:\windows\alcupd.exe
2009-03-06 07:44 141,016 -------- c:\windows\system32\alsndmgr.wav
2009-03-06 07:44 139,264 -------- c:\windows\alcrmv.exe
2009-03-06 04:48 <DIR> --d----- c:\program files\F-Group
2009-03-06 03:54 <DIR> --d----- c:\docume~1\compaq~1\applic~1\SiteAdvisor
2009-03-06 02:54 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-06 02:49 <DIR> --d----- c:\windows\system32\CatRoot2
2009-03-06 01:31 6,216,032 a------- C:\windowsupdateagent30-x86.exe
2009-03-06 00:42 385 a------- C:\windowsxpsp3hack.cmd
2009-03-02 00:52 389 ---shr-- C:\autorun.inf
2009-02-15 23:10 68,268 -------- c:\windows\hpoins05.dat.temp
2009-02-15 23:10 19,696 -------- c:\windows\hpomdl05.dat.temp
2009-02-15 20:32 393,216 a------- c:\windows\system32\hpzcon12.dll
2009-02-15 20:32 196,608 a------- c:\windows\system32\hpzcoi12.dll
2009-02-15 20:31 <DIR> --d----- c:\temp\HP_WebRelease
2009-02-15 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\espionServerData
2009-02-15 17:00 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-02-15 16:52 129,784 -------- c:\windows\system32\pxafs.dll
2009-02-15 16:52 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-02-15 16:52 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-02-15 16:52 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-02-15 16:52 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys

==================== Find3M ====================

2009-02-15 16:52 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-01-15 17:07 43,168 a------- c:\windows\system32\drivers\tbhsd.sys
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2008-12-22 19:46 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-07-25 23:39 63,033 a------- c:\program files\iPod Software License.rtf
2007-02-16 22:10 359,112 a------- c:\program files\LimeWireWin.exe
2005-09-20 18:05 422,414 ---sh--- c:\windows\system32\mlnmp.bak1
2005-10-24 20:23 375,655 ---sh--- c:\windows\system32\mlnmp.bak2
2005-10-25 16:43 422,529 ---sh--- c:\windows\system32\mlnmp.ini2

============= FINISH: 6:18:17.10 ===============

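The DDS log above is what a helper reads to decide what to ask for next. As an added example, not part of the original post or of the DDS tool, the following Python script runs a few of those same checks over the log's "Pseudo HJT Report" lines: a Userinit value that lists more than userinit.exe, Run entries that start a bare file name or an unfamiliar program from system32, Winlogon Notify DLLs not on an allowlist, and statically configured DNS resolvers. The sample input is copied from the log above; the allowlists (ctfmon.exe, WRLogonNTF.dll attributed to the WinPatrol entry in mRun) and the heuristics are this example's own assumptions, not findings the thread states.

```python
"""Triage a DDS 'Pseudo HJT Report' for persistence and resolver indicators.
Added example: not code from the forum post or from DDS. Sample lines are copied
from the posted log; allowlists and heuristics are this example's own."""
import re
from dataclasses import dataclass

# Sample input: lines taken verbatim from the posted log's 'Pseudo HJT Report' section.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,acciher.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [System Support] system32.exe
uRun: [ulptx] c:\windows\system32\ywebwy.exe reg_run
mRun: [AlcxMonitor] ALCXMNTR.EXE
TCP: NameServer = 85.255.112.199,85.255.112.181
TCP: {A4EADD8D-1C25-4493-A46D-87AF68920B57} = 85.255.112.199,85.255.112.181
Notify: OemStartMenuData - c:\windows\system32\iaaksie.dll
Notify: pmnlm - c:\windows\system32\pmnlm.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
"""

# Assumed allowlists (this example's, not the page's). WRLogonNTF.dll is attributed here
# to WinPatrol, which also appears in the mRun list; extend these as entries are verified.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}
KNOWN_SYSTEM32_RUN = {"ctfmon.exe"}

_USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<val>.+)$")
_RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")
_DNS_RE = re.compile(r"^TCP: (?P<scope>NameServer|\{[0-9A-Fa-f-]+\}) = (?P<ips>.+)$")
_ABS_PATH_RE = re.compile(r"^[a-z]:\\")


@dataclass(frozen=True)
class Finding:
    kind: str    # 'userinit', 'run-bare', 'run-sys32', 'notify' or 'dns'
    detail: str
    line: str


def _program_path(cmd: str) -> str:
    """Executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text, known_notify=KNOWN_NOTIFY_DLLS, known_sys32=KNOWN_SYSTEM32_RUN):
    """Return a list of Finding objects for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _USERINIT_RE.match(line)
        if m:
            # Winlogon starts every comma-separated entry at logon; default is userinit.exe alone.
            parts = [p.strip() for p in m.group("val").lower().split(",") if p.strip()]
            extra = [p for p in parts if not p.endswith("userinit.exe")]
            if extra:
                findings.append(Finding("userinit", "extra Userinit entries: " + ", ".join(extra), line))
            continue
        m = _RUN_RE.match(line)
        if m:
            exe = _program_path(m.group("cmd")).lower()
            base = exe.rsplit("\\", 1)[-1]
            if not _ABS_PATH_RE.match(exe):
                # A bare file name is resolved via the search path, so it cannot be attributed from the log.
                findings.append(Finding("run-bare", f"'{m.group('name')}' starts '{exe}' with no absolute path", line))
            elif "\\system32\\" in exe and base not in known_sys32:
                findings.append(Finding("run-sys32", f"'{m.group('name')}' starts '{base}' from system32", line))
            continue
        m = _NOTIFY_RE.match(line)
        if m:
            dll = m.group("dll").lower().rsplit("\\", 1)[-1]
            if dll not in known_notify:
                # Notify DLLs are loaded into winlogon.exe on every logon event.
                findings.append(Finding("notify", f"logon notification DLL '{dll}' ({m.group('name')})", line))
            continue
        m = _DNS_RE.match(line)
        if m:
            # Static resolvers override the ISP's; compare them with what the ISP actually assigns.
            findings.append(Finding("dns", f"{m.group('scope')} uses resolvers {m.group('ips')}", line))
    return findings


def summarize(findings):
    """Count findings per kind."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.kind}] {f.detail}")
    print(summarize(hits))
```

Each hit is a lead for the analyst to verify (file publisher and hash, the ISP's real resolver addresses), not a verdict; the script reports and never removes anything.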
#2 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 18 March 2009 - 01:50 PM

Hello red626,

Internet Explorer 8 is beta software and loaded with bugs.

Uninstall Internet Explorer 8 RC1 and go back to Internet Explorer 7.

Uninstall instructions for Internet Explorer 8 RC1 can be found at the support page for Internet Explorer 8 RC1.
http://www.microsoft.com/windows/internet-...faq.aspx#faq1_1


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
    You want the 32-bit version, not the 64-bit version.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12".
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop-down box,
    select Windows and Multi-Language, then press Continue. Selecting Windows gives you the 32-bit version.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u12-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

Edited by SifuMike, 18 March 2009 - 01:53 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
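The Java steps in the post above are done by hand in Add or Remove Programs. As an added example that is not from the post, this Python script does the inventory part of that procedure: it parses JRE display names into (major, update) pairs and lists which installed entries are older than the 6 Update 12 target, so nothing is left behind by eye. The names in SAMPLE_DISPLAY_NAMES are constructed from the post's own examples, plus one entry in the form assumed for jre1.6.0_03 and one non-Java program; the registry collector uses the standard winreg module and is skipped off Windows.

```python
"""List Java Runtime entries from Add or Remove Programs and flag those older than a target.
Added example, not code from the forum post. Sample display names are constructed;
the registry collector is optional and Windows-only."""
import re
import sys

TARGET = (6, 12)  # JRE 6 Update 12, the release the post tells the user to install

# Constructed sample: the post's 'older version' examples, an entry in the assumed form
# for the installed jre1.6.0_03, the target release, and an unrelated program.
SAMPLE_DISPLAY_NAMES = [
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 12",
    "Mozilla Firefox (3.0.7)",
]

# Display-name prefixes Sun used for the JRE in this era (assumed; extend if yours differ).
_JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)|Java\u2122|Java SE Runtime Environment)"
    r"\s+(?P<ver>\d+(?:\.\d+)*)(?:\s+Update\s+(?P<upd>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_java_version(display_name):
    """Return (major, update) for a JRE display name, or None for a non-JRE entry.
    '5.0' and '1.5' both mean Java 5; a missing 'Update' counts as update 0."""
    m = _JAVA_RE.match(display_name.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group("ver").split(".")]
    major = parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]
    update = int(m.group("upd")) if m.group("upd") else 0
    return (major, update)


def classify(display_names, target=TARGET):
    """Split entries into: to remove (older than target), to keep, and non-Java."""
    remove, keep, other = [], [], []
    for name in display_names:
        ver = parse_java_version(name)
        if ver is None:
            other.append(name)
        elif ver < target:
            remove.append(name)
        else:
            keep.append(name)
    return remove, keep, other


def installed_display_names():
    """Read DisplayName from every Uninstall subkey (what Add or Remove Programs shows). Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration needs Windows")
    import winreg
    names = []
    root_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass  # subkey without a DisplayName value
    return names


if __name__ == "__main__":
    names = installed_display_names() if sys.platform == "win32" else SAMPLE_DISPLAY_NAMES
    remove, keep, _ = classify(names)
    print("remove:", *remove, sep="\n  ")
    print("keep:", *keep, sep="\n  ")
```

The script only reports; removal still goes through Add or Remove Programs as the post describes, and the installer is run only after every entry in the remove list is gone.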

#3 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 March 2009 - 10:45 PM

Due to inactivity, this thread will now be closed.