Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Your infection is related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots


  • This topic is locked This topic is locked
2 replies to this topic

#1 Slinquer

Slinquer

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 14 March 2009 - 05:47 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/210808/svchostexe-app-error/ ~ OB

after going through "am i infected" forum, was recommended to post here. Ran malwarebytes, ATF cleaner, and Superantispyware. Still getting svchost error application error 0x7560eb5@0x00000008. unable to run .exe extension programs. sound card not found, lost dial up connection and can not re set up. following is DDs file. have Attach file too.
DS (Ver_09-02-01.01) - NTFSx86
Run by John at 16:14:35.60 on Sat 03/14/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.81 [GMT -6:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\John\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vcn.com/
uWindow Title = Microsoft Internet Explorer provided by Visionary
mDefault_Page_URL = hxxp://www.vcn.com
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uInternet Settings,ProxyOverride =
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [lxamsp32.exe] lxamsp32.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DIAGENT] c:\program files\creative\sblive\creative diagnostics 2.0\DIAGENT.EXE startup
mRun: [ThrustTSR] c:\program files\thrustmaster\thrustmapper\TMTMTSR.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\norton~1.lnk - c:\program files\norton systemworks\norton goback\GBTray.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\PowerReg Scheduler.exe
uPolicies-explorer: =
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175100313477
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: NVDESK32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\7ogawk4z.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~2\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-9 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-1 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090305.002\NAVENG.SYS [2009-3-5 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090305.002\NAVEX15.SYS [2009-3-5 876144]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-14 08:21 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-14 08:17 --d----- c:\program files\SUPERAntiSpyware
2009-03-14 08:17 --d----- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2009-03-14 00:04 --d----- c:\documents and settings\all users\New Folder
2009-03-13 15:57 --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-03-13 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-13 15:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-13 15:15 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 15:15 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-12 17:53 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-12 17:44 --d----- c:\program files\Spybot - Search & Destroy

==================== Find3M ====================

2009-01-15 18:52 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-15 18:52 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-15 18:52 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-01-15 18:52 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-27 13:49 78,059 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-20 17:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 16:15:16.18 ===============
I hope you can help, thanks

Edited by Orange Blossom, 14 March 2009 - 09:51 PM.


BC AdBot (Login to Remove)

 


#2 Slinquer

Slinquer
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:48 AM

Posted 15 March 2009 - 08:52 PM

the computer with the problem is my neighbors'. I will be gone for the next week. when i get home i'll run the spyware cleaners and submit a new DDS file under a new topic. go ahead and close this thread, Thanks

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:08:48 AM

Posted 15 March 2009 - 09:08 PM

Thanks for informing us.

This thread is closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users