Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

svchost error


  • This topic is locked This topic is locked
2 replies to this topic

#1 JBU524

JBU524

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 13 December 2010 - 02:09 PM

Need help with above error. Causing a lot of problems. Thanks in advance. Tried to upload ARk.txt but says it's to big. over quata

DDS (Ver_10-12-12.01) - NTFSx86
Run by Michael Harris at 12:32:08.62 on Mon 12/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2279 [GMT -5:00]

AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Michael Harris\Application Data\Dropbox\bin\Dropbox.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Michael Harris\Desktop\virus protections\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wmur.com/index.html
uInternet Settings,ProxyOverride = <local>;*.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Comcast Toolbar: {79ceea4e-c231-4614-9e3b-53b2a02f39b7} - c:\program files\comcasttb\comcastdx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\michae~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\michael harris\application data\dropbox\bin\Dropbox.exe
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: tube8.com\www
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152123240421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1\applic~1\mozilla\firefox\profiles\e5u5eqer.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wmur.com/news/index.html|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\michael harris\application data\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_17\bin\NPJPI150_17.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2010-12-9 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2010-12-9 652336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20101123.003\BHDrvx86.sys [2010-11-22 691248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2010-12-9 136312]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-27 54752]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\windows\system32\drivers\icam7fil.sys [2009-11-27 19640]
R3 Icam7USB;Intel® PC Camera CS431;c:\windows\system32\drivers\ICAM7D2.SYS [2009-11-27 158848]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20101210.001\IDSXpx86.sys [2010-12-11 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20101212.002\NAVENG.SYS [2010-12-12 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20101212.002\NAVEX15.SYS [2010-12-12 1360248]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
S4 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

=============== Created Last 30 ================

2010-12-13 15:22:12 81920 ----a-w- c:\windows\eSellerateControl350.dll
2010-12-13 15:22:12 -------- d-----w- c:\program files\Svchost Fix Wizard
2010-12-13 14:44:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-12-13 04:05:34 62852 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\acallv1-x-uninst.exe
2010-12-13 04:05:10 60986 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\acallv2-x-uninst.exe
2010-12-11 20:52:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-09 20:39:46 652336 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symefa.sys
2010-12-09 20:39:46 509560 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtsp.sys
2010-12-09 20:39:46 50168 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\srtspx.sys
2010-12-09 20:39:46 368248 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdi.sys
2010-12-09 20:39:46 340016 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symds.sys
2010-12-09 20:39:46 330360 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys
2010-12-09 20:39:46 295032 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\symnets.sys
2010-12-09 20:39:45 136312 ----a-w- c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys
2010-12-09 20:39:28 -------- d-----w- c:\windows\system32\drivers\nis\1205000.07D
2010-12-01 06:24:16 2269184 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\couatl.exe
2010-12-01 06:24:16 1748992 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\bglmanx.dll
2010-12-01 06:22:11 6905856 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\wx\wxmsw28uh_vc.dll
2010-12-01 06:22:11 53248 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\wx\wxmsw28uh_gl_vc.dll
2010-12-01 06:22:11 27136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\pythonw.exe
2010-12-01 06:22:11 26112 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\python.exe
2010-12-01 06:22:11 2322432 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\fsdreamteam\couatl\python25.dll
2010-12-01 06:22:10 807258 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\unins000.exe
2010-12-01 05:53:16 6144 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\modules\gps_export.dll
2010-12-01 05:13:49 115925 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal_Airbus1X_wilco.exe
2010-12-01 01:37:34 117371 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal-ftejetsx2.exe
2010-12-01 00:20:48 99120 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\RCB_Groundhandling5_Sound.dll
2010-11-28 23:18:07 -------- d-----w- c:\docume~1\michae~1\applic~1\Virtuali
2010-11-28 22:44:18 360580 ----a-w- c:\windows\eSellerateEngine.dll
2010-11-25 15:20:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-11-23 02:23:02 2436096 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\fsnd_fsx_md83\panel\Alrot.dll

==================== Find3M ====================

2010-10-17 21:58:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-15 03:45:38 737280 ----a-w- c:\windows\iun6002.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2009-11-07 03:43:08 82619 ----a-w- c:\program files\Uninstal.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500YS-01SHB0 rev.20.06C03 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-16

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AEB1555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8aeb77b0]; MOV EAX, [0x8aeb782c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AF0AAB8]
3 CLASSPNP[0xBA188FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000b5[0x8AF77760]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AEFAD98]
\Driver\atapi[0x8AED6828] -> IRP_MJ_CREATE -> 0x8AEB1555
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-16 -> \??\IDE#DiskWDC_WD2500YS-01SHB0_____________________20.06C03#5&3b16d7a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AEB139B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:34:09.48 ===============

BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:30 AM

Posted 13 December 2010 - 03:33 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs.*

  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste it into your next reply.
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of it's removal tasks without the installation of the Console so, should you choose not to allow the installation, you may not get the results you hoped for.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for either.

So long, and thanks for all the fish.

 

 


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:30 AM

Posted 17 December 2010 - 07:03 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users