WiredWX Christian Hobby Weather Tools
Svchost.exe

My antivirus, avast, keeps giving me viruses on this file in the Temp folder.

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:17 AM, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Sanket\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Live] C:\Documents and Settings\Sanket\Application Data\WindowsLive.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CF4221C-EB5A-4E05-A515-2BC056DAE4D5}: NameServer = 203.94.227.70,203.94.243.70
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4639 bytes
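As an added example (not part of the original post and not HijackThis code), the script below triages the O4 autostart and O2 BHO lines from the log above by where each target lives. Bare file names with no path, binaries under the user profile, Temp or RECYCLER, and BHOs registered with no file on disk are the entries worth a second look; the location rules and verdict names are this example's own heuristics, and a path under Windows or Program Files only means the location is expected, not that the file is clean. On the log above it singles out the [Windows Live] entry in Application Data, which is the value Malwarebytes later removes as Backdoor.Bot.

```python
import re

# Constructed sample: O4 autostart and O2 BHO lines copied from the HijackThis log
# in the post above. The classification rules below are this example's own heuristics.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Live] C:\Documents and Settings\Sanket\Application Data\WindowsLive.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
# First token of the command line up to and including .exe, surrounding quotes stripped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

# Locations an unprivileged XP user can write to; a legitimate autostart rarely lives
# there, malware droppers routinely do.
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\', '\\recycler\\')
# Expected homes for system and vendor software. A match says nothing about the file itself.
SYSTEM_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def classify_path(path):
    """Heuristic verdict for an autostart target based only on its location."""
    p = path.lower()
    if '\\' not in p:
        # Bare file name: which copy actually runs depends on the search path,
        # so the entry cannot be judged until the file is located.
        return 'UNRESOLVED'
    if any(marker in p for marker in USER_WRITABLE):
        return 'SUSPICIOUS'
    if p.startswith(SYSTEM_DIRS):
        return 'SYSTEM_DIR'
    return 'REVIEW'


def triage_hjt(log_text):
    """Return (entry name, target path, verdict) for each O4/O2 line in an HJT log."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m['cmd'])
            path = exe['path'] if exe else m['cmd']
            findings.append((m['name'], path, classify_path(path)))
            continue
        m = O2_RE.match(line)
        if m:
            target = m['path'].strip()
            # A BHO registered with no file on disk is an orphan left behind by a
            # removed component: harmless by itself, but a sign something was there.
            verdict = 'ORPHAN' if target == '(no file)' else classify_path(target)
            findings.append((m['name'], target, verdict))
    return findings


def needs_attention(log_text):
    """Names of entries a reviewer should look at before anything else."""
    return [name for name, _, verdict in triage_hjt(log_text)
            if verdict in ('SUSPICIOUS', 'ORPHAN', 'UNRESOLVED')]


if __name__ == '__main__':
    for name, path, verdict in triage_hjt(SAMPLE_HJT):
        print(f'{verdict:<11} [{name}] {path}')
```

The O23 service lines and the O17 NameServer entry are left out on purpose: services need a signer check rather than a path check, and a DNS server address can only be judged against the ISP's published resolvers.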

Re: Svchost.exe

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.

Re: Svchost.exe

Malwarebytes' Anti-Malware 1.41
Database version: 3201
Windows 5.1.2600 Service Pack 2

11/20/2009 8:59:12 AM
mbam-log-2009-11-20 (08-59-12).txt

Scan type: Quick Scan
Objects scanned: 98186
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows live (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-8277269444-0004479375-269377753-7844\winsystem.exe (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Sanket\Local Settings\Temp\B.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sanket\Local Settings\Temporary Internet Files\Content.IE5\TJFV99KE\icer[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:49 AM, on 11/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Sanket\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CF4221C-EB5A-4E05-A515-2BC056DAE4D5}: NameServer = 203.94.227.70,203.94.243.70
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4627 bytes

Re: Svchost.exe

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[image: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Svchost.exe

ComboFix 09-11-20.01 - Sanket 11/20/2009 22:48.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.516 [GMT 5.5]
Running from: c:\documents and settings\Sanket\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! antivirus 4.8.1351 [VPS 091120-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-8277269444-0004479375-269377753-7844
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\xuhlwql.dll
c:\recycler\S-1-5-21-8277269444-0004479375-269377753-7844\Desktop.ini
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\xuhlwql.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lqppxhth


((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-20 03:20 . 2009-11-20 03:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-20 03:19 . 2009-11-20 03:19 -------- d-----w- c:\documents and settings\Sanket\Application Data\Malwarebytes
2009-11-20 03:19 . 2009-09-10 09:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 03:19 . 2009-11-20 03:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 03:19 . 2009-11-20 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 03:19 . 2009-09-10 09:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-19 17:00 . 2009-11-19 17:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-19 15:27 . 2009-11-19 15:27 -------- d-----w- c:\documents and settings\Sanket\Local Settings\Application Data\Cooliris
2009-11-19 15:26 . 2009-10-20 08:03 545280 ----a-w- c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-11-19 15:26 . 2009-10-20 08:03 103424 ----a-w- c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-11-19 15:25 . 2009-10-20 08:03 4716544 ----a-w- c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\components\cooliris.dll
2009-11-19 15:25 . 2009-10-20 08:03 344064 ----a-w- c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-11-19 15:25 . 2009-10-20 08:03 153600 ----a-w- c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-11-14 17:06 . 2009-11-14 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-11-14 17:05 . 2009-11-14 17:05 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-14 17:04 . 2009-11-14 17:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-04 11:41 . 2005-02-01 03:22 53248 ------w- c:\windows\system32\DrvMon.exe
2009-10-24 08:21 . 2009-10-24 08:21 -------- d-----w- c:\documents and settings\Sanket\Application Data\CoffeeCup Software
2009-10-24 08:20 . 1999-03-22 06:59 233472 ----a-w- c:\windows\system32\Ilda32.dll
2009-10-24 08:20 . 1998-06-16 22:30 18944 ----a-w- c:\windows\system32\BORLNDMM.DLL
2009-10-24 08:20 . 2009-10-24 08:20 -------- d-----w- c:\program files\CoffeeCup Software
2009-10-23 18:38 . 2009-10-23 18:38 -------- d-sh--w- c:\documents and settings\Sanket\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 17:04 . 2009-09-10 12:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 19:51 . 2009-09-19 05:27 -------- d-----w- c:\documents and settings\Sanket\Application Data\DivX
2009-10-12 16:58 . 2009-10-12 16:57 -------- d-----w- c:\documents and settings\Sanket\Application Data\MozillaControl
2009-09-26 05:20 . 2009-09-10 12:28 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-18 16:36 . 2009-09-18 04:12 5632 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\Swap.dll
2009-09-18 16:36 . 2009-09-18 04:12 129024 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Formats\7z.dll
2009-09-18 16:36 . 2009-09-18 04:12 80896 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\LZMA.dll
2009-09-18 16:36 . 2009-09-18 04:12 5120 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\Copy.dll
2009-09-18 16:36 . 2009-09-18 04:12 32256 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\Aes.dll
2009-09-18 16:36 . 2009-09-18 04:12 18944 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\Branch.dll
2009-09-18 16:36 . 2009-09-18 04:12 13824 ----a-w- c:\documents and settings\Sanket\Application Data\Seven Zip\Codecs\7zAes.dll
2009-09-16 15:31 . 2009-09-10 13:28 48944 ----a-w- c:\documents and settings\Sanket\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:20 . 2009-09-16 15:20 0 ----a-w- c:\windows\nsreg.dat
2009-09-10 12:26 . 2009-09-10 12:26 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-04 12:14 . 2009-09-18 11:33 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 12:14 . 2009-09-18 11:33 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 12:14 . 2009-09-18 11:33 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 11:59 . 2009-09-18 11:33 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 11:59 . 2009-09-18 11:33 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 11:59 . 2009-09-18 11:33 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 11:59 . 2009-09-18 11:33 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 11:59 . 2009-09-18 11:33 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2005-02-01 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-06 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\Sanket\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-9-10 385024]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-14 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/10/2009 8:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/10/2009 8:22 PM 20560]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7CF4221C-EB5A-4E05-A515-2BC056DAE4D5} = 203.94.227.70,203.94.243.70
FF - ProfilePath - c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\
FF - component: c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\Sanket\Application Data\Mozilla\Firefox\Profiles\njil2nrj.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{6CC0888A-E0BA-4989-BC16-024F7773FA7F} - c:\windows\system32\xuhlwql.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 22:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866FE369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7675fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e8cb8
\Driver\atapi -> atapi.sys @ 0xf74a07b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf737fba0
PacketIndicateHandler -> NDIS.sys @ 0xf738cb21
SendHandler -> NDIS.sys @ 0xf736a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3724)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\ATI Technologies\ATI.ACE\atiacmxx.dll
c:\windows\system32\browselc.dll
c:\windows\System32\DLA\DLASHX_W.DLL
c:\windows\system32\DLAAPI_W.DLL
c:\windows\System32\DLA\DLACResW.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2009-11-20 23:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 17:34

Pre-Run: 130,402,779,136 bytes free
Post-Run: 130,630,664,192 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A88CC13CA03E91BCB9DF56969019F58F


Edit: This whole thing has screwed up my computer. It no longer starts and gives this error:
Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption and then restart your computer.

Technical Information:

** STOP: 0x0000007B (0XF7A34524,0xC0000034,0x00000000,0x00000000)


Can't run the system even in Safe Mode. What am I supposed to do?
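The ComboFix log above lists c:\windows\system32\drivers\pciide.sys under "Other Deletions", and the same post ends with STOP 0x0000007B, which is INACCESSIBLE_BOOT_DEVICE (its second parameter, 0xC0000034, is STATUS_OBJECT_NAME_NOT_FOUND). A storage-stack driver that is removed without a clean copy being put back is a classic cause of that stop code; whether that is what happened on this machine the thread does not establish. As an added example (not ComboFix's code and not from any of the original posts), the script below parses the log's section banners and flags deletions of drivers on the Windows XP boot path so they can be checked before the reboot. The driver list is this example's own and is illustrative, not exhaustive.

```python
import re

# Constructed sample: the "Other Deletions" and "Drivers/Services" sections copied from
# the ComboFix log in the post above. Nothing here is ComboFix's own code.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-8277269444-0004479375-269377753-7844
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\xuhlwql.dll
c:\recycler\S-1-5-21-8277269444-0004479375-269377753-7844\Desktop.ini
c:\windows\system32\drivers\pciide.sys
c:\windows\system32\xuhlwql.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_lqppxhth
"""

# Drivers on the Windows XP boot path for an IDE/ATA or common SATA disk. Remove one of
# them without putting a clean copy back and the kernel cannot open the system volume:
# the next boot stops with 0x0000007B INACCESSIBLE_BOOT_DEVICE. This list is the
# example's own and is illustrative, not exhaustive (vendor RAID/AHCI drivers are omitted).
BOOT_CRITICAL = {
    'atapi.sys', 'pciide.sys', 'pciidex.sys', 'intelide.sys', 'iastor.sys',
    'disk.sys', 'classpnp.sys', 'partmgr.sys', 'ftdisk.sys', 'ntfs.sys',
}

# ComboFix section banners look like "(((((( Title ))))))"; capture the title.
SECTION_RE = re.compile(r'^\(+\s*(?P<title>[^()]+?)\s*\)+$')


def parse_sections(log_text):
    """Split a ComboFix log into {section title: [non-empty body lines]}."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m['title']
            sections[current] = []
        elif current is not None and line and line != '.':
            sections[current].append(line)
    return sections


def deleted_boot_drivers(log_text):
    """Distinct boot-critical driver paths listed under 'Other Deletions'."""
    hits = []
    for path in parse_sections(log_text).get('Other Deletions', []):
        lowered = path.lower()
        if lowered.rsplit('\\', 1)[-1] in BOOT_CRITICAL and lowered not in hits:
            hits.append(lowered)
    return hits


def pre_reboot_warnings(log_text):
    """One warning per removed boot-path driver; act on these before the reboot."""
    return [f'{path}: boot-path driver deleted; confirm a known-clean copy with the same '
            f'file name, correct for this storage controller, is in place before rebooting'
            for path in deleted_boot_drivers(log_text)]


if __name__ == '__main__':
    for warning in pre_reboot_warnings(SAMPLE_COMBOFIX):
        print('WARNING', warning)
```

The check is deliberately tied to the deletion list rather than to the infection name: a disinfection tool that replaces an infected driver in place is fine, one that deletes it is not, and only the log tells you which happened.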

Re: Svchost.exe

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Svchost.exe

Problem is, I cannot start my computer even in safe mode.
That blue screen keeps popping up whenever I try to start. In safe mode it shows as _ ? on a blue screen.

I am currently using my desktop.

Re: Svchost.exe

Please save the following instructions into Notepad and print them out, as this webpage will not be available while you are carrying out the process.

1. Please reboot into the Recovery Console.

2. You must enter which Windows installation to log onto. Type 1 and press Enter.

3. At the C:\Windows prompt, type the following command and press Enter:

set allowallpaths = true

4. At the next prompt, type the following without the quotes: "cd erdnt\subs" and hit Enter.

5. At the next prompt, type the following without the quotes: "batch erdnt.con" and hit Enter.

The ERUNT backup files should begin copying. At the next prompt after it is complete, type exit.

Kindly reboot your PC and tell me if Windows is loading now.

Re: Svchost.exe

It's still not starting up. It showed that some files were copied or something.

Re: Svchost.exe

Ok. Let me talk to a few corresponding experts, then I will return.

Re: Svchost.exe

Sure, awaiting your reply.

Re: Svchost.exe

We have suggested that you do a Windows XP in-place upgrade.

Reason phrase: "You must apply default (file and registry) permissions to your Windows XP installation. This condition can occur if program files are missing or damaged after you make changes or updates to your computer or programs."

Tutorial: http://support.microsoft.com/kb/315341

Re: Svchost.exe

Never mind, I have formatted my computer.
It all looks good now. Thanks for your time.

Re: Svchost.exe

You are welcome.

=>Solved
