
Svchost.exe Application Error / No Safe Mode


  • This topic is locked
4 replies to this topic

#1 nyteshaid

nyteshaid

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 04 March 2007 - 03:16 AM

I'm not sure what's what, but I have a feeling I may need to do a reinstall of XP.

The "svchost.exe - Application Error" appears at every login, and once OK is clicked the 1-minute reboot timer is activated.
I currently have no firewall installed and cannot even install Kasp. Anti-Virus. Along with that I cannot open Control Panel, therefore I cannot activate Windows Firewall.

Also, I've tried booting into Safe Mode numerous times without success.

For my sake, I hope I don't have to reinstall. But yeah..

Below is my fresh HijackThis Log. Thanks to all in advance.

-------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:04:57 PM, on 04/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\xampp\apache\bin\apache.exe
H:\Program Files\Promise\Utility\MsgAgt.exe
H:\Program Files\Promise\Utility\MsgSvr.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
H:\Program Files\xampp\apache\bin\apache.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\inetsrv\inetinfo.exe
H:\WINDOWS\SERVICES.EXE
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Apple Software Update\SoftwareUpdate.exe
H:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
H:\WINDOWS\system32\ezSP_Px.exe
H:\WINDOWS\system32\bcmwltry.exe
H:\WINDOWS\system32\v6.exe
H:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
H:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
H:\Program Files\DAEMON Tools\daemon.exe
H:\WINDOWS\TEMP\svchast.exe
H:\Program Files\ATI Technologies\ATI.ACE\cli.exe
H:\Program Files\ATI Technologies\ATI.ACE\cli.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\vs7jit.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Internet Explorer\iexplore.exe
C:\TEMP\Spyware Removal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F2 - REG:system.ini: UserInit=H:\WINDOWS\system32\userinit.exe,,H:\WINDOWS\SERVICES.EXE
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://H%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (H:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\aos1goqu.slt\prefs.js)
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] H:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Jet Detection] "H:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AudioHQU] H:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] H:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [ATICCC] "H:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] H:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [syswin] H:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [emcwfmb.dll] H:\WINDOWS\system32\rundll32.exe "H:\Documents and Settings\Matthew\Local Settings\Application Data\emcwfmb.dll",fzbsdeb
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "H:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "H:\Program Files\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [MDDiskProtect.exe] H:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] H:\WINDOWS\inet20002\svchost.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "H:\WINDOWS\system32\busmafdp.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Firewall auto setup] H:\WINDOWS\TEMP\winlogon.exe
O4 - HKCU\..\Run: [Pentium reset] H:\WINDOWS\TEMP\svchast.exe
O4 - HKCU\..\Run: [eMuleAutoStart] H:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {44EFB53C-C965-43CF-9F45-52242D134187} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - H:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - H:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{59244686-4AE1-4219-A208-7BC70CE9975C}: NameServer = 192.168.2.1,203.0.178.191
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - H:\PROGRA~1\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: H:\WINDOWS\system32\tmp_5.dll
O21 - SSODL: XUNNiKYBvw - {0C6B0FDE-A6C1-A574-A006-C01C4FCB8AC1} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - H:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - H:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: mysql - Unknown owner - H:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=H:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - H:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Promise RAID message server (RAIDmSvr) - Unknown owner - H:\Program Files\Promise\Utility\MsgSvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - H:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
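The indicators a helper reads off a log like the one above (system-binary names such as SERVICES.EXE and svchost.exe running outside \WINDOWS\system32, a look-alike name such as svchast.exe, executables launched from \WINDOWS\TEMP, an extra entry appended to UserInit, a DLL loaded by rundll32 from the user's profile, a populated AppInit_DLLs value, a hosts-file override, and repeated unknown Winsock LSP entries) can be flagged mechanically. The script below is an added example written for this page; it is not HijackThis code and was not posted in the thread. Its sample input is an excerpt of the log above, and the heuristics, the finding names and the `one_edit_apart` look-alike test are the example's own choices.

```python
"""Flag suspicious entries in a HijackThis v1.99 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Names malware commonly impersonates; the genuine copies live under \WINDOWS\system32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}
SYSTEM32_FILE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
PROFILE_DATA = re.compile(r"\\(local settings|application data)\\", re.I)
# Quoted or bare drive-letter paths ending in .exe/.dll/.cpl inside a Run-key command line.
FILE_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|cpl))"?', re.I)
PROCESS_LINE = re.compile(r"^[a-z]:\\", re.I)   # lines of the "Running processes" section


@dataclass(frozen=True)
class Finding:
    tag: str        # log section: process, F2, O1, O4, O10, O20
    reason: str
    path: str
    note: str = ""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def one_edit_apart(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(a) < len(b):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def check_path(path, tag):
    """Heuristics applied to every file path that appears in the log."""
    findings = []
    name = basename(path)
    if name in SYSTEM_BINARIES:
        if not SYSTEM32_FILE.match(path):
            findings.append(Finding(tag, "system-binary-name-outside-system32", path))
    else:
        lookalike = next((s for s in sorted(SYSTEM_BINARIES) if one_edit_apart(name, s)), None)
        if lookalike:
            findings.append(Finding(tag, "lookalike-of-" + lookalike, path))
    if TEMP_DIR.search(path):
        findings.append(Finding(tag, "runs-from-temp-directory", path))
    if name.endswith(".dll") and PROFILE_DATA.search(path):
        findings.append(Finding(tag, "dll-in-user-profile-data", path))
    return findings


def analyze(log_text):
    findings, lsp_counts = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_LINE.match(line):
            findings.extend(check_path(line, "process"))
        elif line.startswith("F2 - ") and "UserInit=" in line:
            # Anything besides userinit.exe here runs at every logon, before the shell.
            for entry in filter(None, (e.strip() for e in line.split("UserInit=", 1)[1].split(","))):
                if basename(entry) != "userinit.exe":
                    findings.append(Finding("F2", "extra-userinit-entry", entry))
                findings.extend(check_path(entry, "F2"))
        elif line.startswith("O1 - Hosts:"):
            findings.append(Finding("O1", "hosts-file-override", line.split("Hosts:", 1)[1].strip()))
        elif line.startswith("O4 - "):
            for path in FILE_PATH.findall(line):
                findings.extend(check_path(path, "O4"))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            key = line.split("LSP:", 1)[1].strip()
            lsp_counts[key] = lsp_counts.get(key, 0) + 1
        elif line.startswith("O20 - AppInit_DLLs:"):
            path = line.split("AppInit_DLLs:", 1)[1].strip()
            findings.append(Finding("O20", "appinit-dll-set", path))
            findings.extend(check_path(path, "O20"))
    for path, n in lsp_counts.items():   # one O10 line per LSP chain entry; report the file once
        findings.append(Finding("O10", "unknown-winsock-lsp", path, f"{n} LSP entries"))
    return findings


# Excerpt of the log posted above (sample input for this example).
SAMPLE_LOG = r"""Running processes:
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\SERVICES.EXE
H:\WINDOWS\TEMP\svchast.exe

F2 - REG:system.ini: UserInit=H:\WINDOWS\system32\userinit.exe,,H:\WINDOWS\SERVICES.EXE
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [emcwfmb.dll] H:\WINDOWS\system32\rundll32.exe "H:\Documents and Settings\Matthew\Local Settings\Application Data\emcwfmb.dll",fzbsdeb
O4 - HKLM\..\Run: [Microsoft WPCEmail] H:\WINDOWS\inet20002\svchost.exe
O4 - HKCU\..\Run: [Firewall auto setup] H:\WINDOWS\TEMP\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O10 - Unknown file in Winsock LSP: h:\windows\system32\msnetax.dll
O20 - AppInit_DLLs: H:\WINDOWS\system32\tmp_5.dll
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.tag}] {f.reason}: {f.path} {f.note}".rstrip())
```

The script deliberately treats a legitimate name in the wrong directory and a near-miss name in the right directory as two different findings, because both tricks appear in this log; the F2 UserInit entry gets its own finding in addition to the path checks because that key runs whatever is listed at every interactive logon.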

#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 04 March 2007 - 09:45 AM

Hi nyteshaid, :flowers:

We're studying your log and will be back to you a.s.a.p.

Thanks for your patience. :thumbsup:

#3 nyteshaid

nyteshaid
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:58 PM

Posted 05 March 2007 - 12:14 AM

Great..Thanks Falu!

Will be patiently waiting :thumbsup:

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:58 AM

Posted 06 March 2007 - 04:09 AM

Hi nyteshaid, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Some trojans are/have been active on your machine:

* Troj/Agent-ECM, which includes functionality to access the internet and communicate with a remote server via HTTP.
* W32/Rbot-ALZ which is known to turn off anti-virus applications and allows others to access the computer.
* Troj/Sniffer-N which monitors network traffic for email addresses. Harvested addresses are submitted to a preconfigured server using HTTP.
* Worm Ircbot Gen malware which communicates with web sites using httpout protocols and communicates with other computers across the web.

I would counsel you to disconnect this PC from the Internet immediately until it's clean. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified, there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before you come to a final decision, please feel free to ask.

Visit the following sites for more information on Internet theft and When to reformat!

Please let me know your decision.

#5 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:12:58 PM

Posted 21 March 2007 - 08:56 AM

as the problem here seems to be resolved --> this topic is now closed
to get it reopened PM a staff member with the address of this thread.
this applies to the topic starter only, everyone else with similar problems start a new topic.

glad we could help :thumbsup:

thank you Falu :flowers:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
