
svchost accessing infected file on web randomly


  • This topic is locked
2 replies to this topic

#1 longtermproject

longtermproject


Posted 15 June 2010 - 11:03 PM

Recently I have been having AVG pop up and tell me that it blocked svchost.exe from accessing "new.exe" from various outside web addresses that usually look like an IP address. I have opened Process Explorer and watched svchost pop up and then disappear, and immediately after I get the AVG pop-up. The good news is, AVG is blocking the download of a Trojan virus, but it's not getting to the root cause, which is why I need help.
Attached is a print screen of the AVG pop-up that I get every couple of minutes.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Joyce at 23:35:05.89 on Tue 06/15/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3327.1974 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Users\Jeff Joyce\AppData\Local\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Users\Jeff Joyce\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jeff Joyce\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jeff Joyce\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jeff Joyce\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\Users\Jeff Joyce\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\users\jeff joyce\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jeffjo~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\jeffjo~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: c:\progra~1\google\google~3\GO36F4~1.DLL
mASetup: {31D9B4A9-6FCC-4698-A092-C4C28D017B36} - rundll32 jbwonjm.dll,laspi
mASetup: {33E00BF6-D344-4362-838B-2F9790234042} - rundll32 qfoneu71.dll,laspi
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\jeffjo~1\appdata\roaming\mozilla\firefox\profiles\714a4ebx.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\jeff joyce\appdata\roaming\mozilla\firefox\profiles\714a4ebx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google updater\2.4.1908.5032\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\jeff joyce\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\jeff joyce\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-21 52872]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-15 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-5-24 207792]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-21 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-21 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-21 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-5 916760]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-5 308064]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-28 1153368]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-5-24 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-5-24 1141712]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-24 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-5-24 30192]
S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-25 1343400]

=============== Created Last 30 ================

2010-06-16 03:32:04 0 ----a-w- c:\users\jeff joyce\defogger_reenable
2010-06-15 23:02:23 0 d-----w- c:\users\jeffjo~1\appdata\roaming\SUPERAntiSpyware.com
2010-06-15 23:02:23 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-15 23:02:17 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-15 23:00:00 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-15 22:59:58 0 d-----w- c:\program files\Panda Security
2010-06-15 22:42:37 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 21:46:49 0 d-----w- c:\program files\Trend Micro
2010-06-01 19:51:25 7106 ----a-w- c:\windows\system32\thqvmk
2010-05-28 19:48:22 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-28 19:48:22 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-28 02:48:26 2030673 ----a-w- c:\windows\system32\AdobeFnt10.lst
2010-05-25 13:57:54 0 d-----w- c:\users\jeffjo~1\appdata\roaming\Malwarebytes
2010-05-25 13:57:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 13:57:44 0 d-----w- c:\programdata\Malwarebytes
2010-05-25 13:57:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 13:57:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 22:29:14 64512 ----a-w- c:\windows\system32\klgd.bmp
2010-05-24 22:29:14 10218 ----a-w- c:\windows\system32\rof
2010-05-24 11:35:17 98600 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-05-24 11:35:17 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-24 11:35:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-24 11:35:07 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-24 11:35:07 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-24 11:35:07 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-24 11:35:07 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-24 11:35:00 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-24 11:35:00 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-24 11:34:49 0 d-----w- c:\users\jeffjo~1\appdata\roaming\PC Tools
2010-05-24 11:34:49 0 d-----w- c:\programdata\PC Tools
2010-05-24 11:34:49 0 d-----w- c:\program files\Spyware Doctor
2010-05-24 11:34:49 0 d-----w- c:\program files\common files\PC Tools
2010-05-24 11:34:46 0 d---a-w- c:\programdata\TEMP
2010-05-24 11:32:33 0 d-----w- c:\programdata\Google
2010-05-24 11:31:59 0 d-----w- c:\programdata\Google Updater
2010-05-23 15:13:40 12243968 ----a-w- c:\windows\system32\alanwake.scr
2010-05-23 14:37:22 528 --sh--r- c:\windows\egirllic15
2010-05-23 14:35:50 98304 ----a-w- c:\windows\EGirl_v15.scr
2010-05-20 21:01:58 0 d-----w- c:\program files\DVD Decrypter
2010-05-20 21:01:31 87608 ----a-w- c:\users\jeffjo~1\appdata\roaming\inst.exe
2010-05-20 21:01:31 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-05-20 21:01:31 47360 ----a-w- c:\users\jeffjo~1\appdata\roaming\pcouffin.sys
2010-05-20 21:01:28 65602 ----a-w- c:\windows\system32\cook3260.dll
2010-05-20 21:01:28 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2010-05-20 21:01:28 217127 ----a-w- c:\windows\system32\drv43260.dll
2010-05-20 21:01:28 208935 ----a-w- c:\windows\system32\drv33260.dll
2010-05-20 21:01:28 176165 ----a-w- c:\windows\system32\drv23260.dll
2010-05-20 21:01:28 1645320 ----a-w- c:\windows\gdiplus.dll
2010-05-20 21:01:28 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-05-20 21:01:27 0 d-----w- c:\program files\VSO

==================== Find3M ====================

2010-06-01 13:33:32 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-30 15:17:21 21854720 ----a-w- c:\windows\system32\SplinterCellC.scr
2010-04-28 11:27:44 27980 ----a-w- c:\users\jeffjo~1\appdata\roaming\settings.dat
2010-03-24 04:20:16 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-03-24 04:20:16 13824 ----a-w- c:\windows\system32\slwga.dll
2010-03-24 04:20:15 811520 ----a-w- c:\windows\system32\user32.dll
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-03-18 20:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 17:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-23 00:34:43 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:35:42.48 ===============


Edited by longtermproject, 16 June 2010 - 01:33 PM.
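The DDS report above can be triaged mechanically before anyone reads it line by line. The following is an added example, not code from the poster or from the DDS tool: it scans lines in the DDS "Pseudo HJT Report" format for the entries a helper would look at first (Active Setup entries that load an unpathed DLL through rundll32, UAC policies set to 0, and hosts-file overrides). The sample lines are constructed to mirror the shape of the report, and the findings are review hints, not verdicts.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" line format (not the full log above).
SAMPLE_DDS = """\
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
mRun: [AVG9_TRAY] c:\\progra~1\\avg\\avg9\\avgtray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mASetup: {31D9B4A9-6FCC-4698-A092-C4C28D017B36} - rundll32 jbwonjm.dll,laspi
mASetup: {33E00BF6-D344-4362-838B-2F9790234042} - rundll32 qfoneu71.dll,laspi
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Policy values that, set like this, mean User Account Control is effectively off.
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

ASETUP_RE = re.compile(r"^mASetup:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
# rundll32 invoked on a bare "name.dll,export" with no directory component.
BARE_RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s+[A-Za-z0-9_]+\.dll,", re.I)


def triage_dds(text):
    """Return a list of (severity, line, reason) findings for a DDS-format text."""
    findings = []
    for line in text.splitlines():
        m = ASETUP_RE.match(line)
        if m:
            cmd = m.group(2)
            # Active Setup (HKLM) re-running rundll32 on an unpathed DLL for every
            # user is a persistence pattern worth verifying against the file on disk.
            if BARE_RUNDLL_RE.match(cmd) and "\\" not in cmd:
                findings.append(("high", line, "Active Setup loads an unpathed DLL via rundll32"))
            continue
        m = POLICY_RE.match(line)
        if m and UAC_WEAK.get(m.group(1)) == m.group(2):
            findings.append(("medium", line, "UAC policy %s weakened" % m.group(1)))
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.append(("low", line, "hosts override for %s" % m.group(2)))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_dds(SAMPLE_DDS):
        print("[%s] %s  <- %s" % (severity.upper(), reason, line))
```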


#2 longtermproject

longtermproject
  • Topic Starter


Posted 17 June 2010 - 09:30 AM

You can close this. I figured it out on my own. Kaspersky had a tool, TDSSKiller or something like that, that found the problem, and I've been clean ever since.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator

Posted 21 June 2010 - 12:59 AM

Topic closed at member's request.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw