A myriad of problems: svchost error, unable to connect to internet, cannot system restore


6 replies to this topic

#1 xphoenix87 (Members, 14 posts)

Posted 19 March 2009 - 01:16 AM

I've picked up something on my PC that is proving ridiculously hard to get rid of, and I'd really appreciate any help you guys can give.

I was surfing the web and had googled a few things, and some of the links I clicked on were taking me to strange search sites. I thought nothing of it at the time, since some of the google links were working, but now that I've read a few comments from people suffering a similar problem, I realize that was probably another symptom of this problem. At any rate, I restarted my computer, and that's when it all went bad.

I'm getting an error message on startup titled "svchost" which reads 'The instruction at "0x75606eb5" referenced memory at "0x00000008". The memory could not be "read". Click on OK to terminate the program.' I cannot connect to the internet. I can see wireless networks, but when I try to connect it tells me that it can't renew my IP address.

I've run Spy-Bot, Symantec, Ad-Aware, Malwarebytes and SuperAntiSpyware, but the problem persists. I wasn't able to run any of the anti-spyware software until I changed the name of the exe file. I've tried to do a system restore, but it wouldn't work. I was able to open system restore and select the day to restore, but when I hit "next" to start the restore, it did nothing.

I've tried pretty much everything I can think of, and nothing appears to work. Symantec and Malwarebytes found a few files that they fixed, but the problem persists. I'm at my wit's end here, and I'd appreciate any assistance you can give. Thanks!



#2 quietman7, Bleepin' Janitor (Global Moderator, 52,076 posts, Virginia, USA)

Posted 19 March 2009 - 12:30 PM

Please download and scan with Dr.Web CureIt.
Follow the instructions here for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode.
-- Post the log in your next reply.

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 xphoenix87, Topic Starter (Members, 14 posts)

Posted 19 March 2009 - 04:54 PM

Thanks for your help. Here's the Dr.Web CureIt log

Dc157.exe\data002;C:\RECYCLER\S-1-5-21-1140671577-1635512168-1793823903-1005\Dc157.exe;BackDoor.Tdss.82;;
Dc157.exe;C:\RECYCLER\S-1-5-21-1140671577-1635512168-1793823903-1005;Archive contains infected objects;Moved.;

And here's the mbam log. I ran one scan, then updated my definitions and ran another scan, so here are both logs.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/18/2009 2:31:16 AM
mbam-log-2009-03-18 (02-31-16).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 127737
Time elapsed: 24 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-3-3-65-100023992-100014406-100011386-7550.com (Trojan.Agent) -> Quarantined and deleted successfully.

And here's the second one

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 5.1.2600 Service Pack 3

3/18/2009 3:41:46 PM
mbam-log-2009-03-18 (15-41-46).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 125644
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

The problem still persists. I still get an error on startup and can't connect to the internet.

#4 xphoenix87, Topic Starter (Members, 14 posts)

Posted 19 March 2009 - 08:01 PM

I ran another Dr.Web scan when I wasn't in safe mode, and it found something new. Here's the log.

gaopdxvsrubqaklrrotowuyqboyrduvciphonk.sys;c:\windows\system32\drivers;BackDoor.Tdss.110;Deleted.;

Upon reboot, the problem appeared to be fixed. I didn't get the error message, and I'm able to connect to the internet. However, I have no sound. Also, Symantec found a file in C:\WINDOWS\system32 named gaopdxcounter, but didn't seem to do anything about it. I looked it up, saw that it appears to be a trojan, and I went in and manually deleted it. It hasn't come back when I rebooted, but I still have no sound.

#5 quietman7, Bleepin' Janitor (Global Moderator, 52,076 posts, Virginia, USA)

Posted 19 March 2009 - 08:44 PM

Your MBAM log indicates you are using an outdated database version. Please update it through the program's interface (preferable way) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

IMPORTANT NOTE: One or more of the identified infections (gaopdxcounter) was related to a rootkit component which includes gaopdxserv.sys, gaopdx[random].dll and other malicious files. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. and credit card institutions should be notified of the possible security breach.

Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
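Added example, not code from this thread or from either scanner's vendor: a small Python parser for the two log formats posted above (Dr.Web CureIt's semicolon rows and MBAM's "Files Infected" rows) that maps each flagged file to the family traits quietman7 describes. The sample rows are the ones posted in this thread; the trait keywords (Tdss detection names, gaopdx*-prefixed files in system32, payloads parked under RECYCLER) are my own assumptions drawn from that post, not a vendor signature.

```python
import re
# Sample input: the scan log rows posted in this thread (Dr.Web CureIt, then MBAM).
DRWEB_LOG = r"""Dc157.exe\data002;C:\RECYCLER\S-1-5-21-1140671577-1635512168-1793823903-1005\Dc157.exe;BackDoor.Tdss.82;;
Dc157.exe;C:\RECYCLER\S-1-5-21-1140671577-1635512168-1793823903-1005;Archive contains infected objects;Moved.;
gaopdxvsrubqaklrrotowuyqboyrduvciphonk.sys;c:\windows\system32\drivers;BackDoor.Tdss.110;Deleted.;"""
MBAM_LOG = r"""Files Infected:
C:\RECYCLER\S-3-3-65-100023992-100014406-100011386-7550.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully."""

def parse_drweb(text):
    """Dr.Web CureIt rows are 'object;directory;threat;action;'. Returns (path, threat, action)."""
    rows = []
    for line in text.splitlines():
        obj, directory, threat, action = (line.split(";") + [""] * 4)[:4]
        obj = obj.split("\\")[0]  # 'archive\member' rows: report the archive file itself
        # For archive-member rows the directory field already ends with the archive name.
        if not directory.lower().endswith(obj.lower()):
            directory = directory.rstrip("\\") + "\\" + obj
        rows.append((directory, threat, action.rstrip(".")))
    return rows

# MBAM 'Files Infected' rows read: <path> (<Threat.Name>) -> <action>.
MBAM_ROW = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) \((?P<threat>[^)]+)\) -> (?P<action>.*?)\.?$")
def parse_mbam(text):
    """Returns (path, threat, action) for each matching row; headers and blanks are skipped."""
    return [(m["path"], m["threat"], m["action"])
            for m in map(MBAM_ROW.match, text.splitlines()) if m]

def tdss_indicators(detections):
    """Map each flagged path to the assumed family traits: Tdss names, gaopdx* in system32, RECYCLER drops."""
    reasons = {}
    for path, threat, _action in detections:
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        why = []
        if "tdss" in threat.lower():
            why.append("Tdss detection name")
        if name.startswith("gaopdx") and "\\system32" in p:
            why.append("gaopdx* file in system32")
        if "\\recycler\\" in p:
            why.append("dropped under RECYCLER")
        if why:  # merge traits when several rows describe the same file
            bucket = reasons.setdefault(path, [])
            bucket.extend(r for r in why if r not in bucket)
    return reasons

if __name__ == "__main__":
    for path, why in tdss_indicators(parse_drweb(DRWEB_LOG) + parse_mbam(MBAM_LOG)).items():
        print(f"{path}: {', '.join(why)}")
```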

#6 xphoenix87, Topic Starter (Members, 14 posts)

Posted 19 March 2009 - 10:48 PM

I ran MBAM again after downloading the definition updates you suggested, and it turned up nothing. So, I still have no sound.

I'll probably just reformat and reinstall. I don't use my computer for much other than school and surfing the net, but it's also a pretty new PC, so I don't have a whole lot on here that I'll need to back up.

Thanks so much for all your help.

#7 quietman7, Bleepin' Janitor (Global Moderator, 52,076 posts, Virginia, USA)

Posted 20 March 2009 - 07:19 AM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action, but I cannot make that decision for you.

Should you decide to reformat and you're not sure how to do that or need help, please review:

These links include step-by-step instructions with screenshots:

Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.
Also see How to keep your Windows XP activation after clean install.

Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files, photos to a CD, external hard drive or USB drive. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.PHP, .ASP, and .HTML) because they may be infected by malware. Some types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s), so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.

If you need additional assistance with reformatting or have questions about multiple hard drives, you can start a new topic in the Windows XP Home and Professional forum. If you don't get a reply, please send me a PM and I will get someone to take a look.
