svcho.exe


Post by rp4111 on Sat Mar 07, 2009 4:21 am

Yesterday I had a pop-up "spywareprotect2009". Also, when I open up Firefox or IE it will not connect; it gives me a blank page. Also, in Task Manager I see svcho.exe running, so I killed it, and it still will not let me on the internet. The only way to get on the net now is if I boot up in safe mode, which I'm in now. Any help to fix this is greatly appreciated!

-Ryan

rp4111
Novice
Posts: 13
Joined: 2009-03-07
OS: Windows XP
Points: 28305
Likes: 0


Re: svcho.exe

Post by Belahzur on Sat Mar 07, 2009 2:14 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1


Re: svcho.exe

Post by rp4111 on Sat Mar 07, 2009 7:59 pm

Great. Below is the DDS txt.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Taylor at 15:56:05.97 on Sat 03/07/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.680 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: ebay.com\www
Trusted Zone: frame.crazywinnings.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {98264495-6376-443C-9340-2996038BD143} - [You must be registered and logged in to see this link.]
DPF: {99A7E374-3E8E-4C78-A054-25522DC03DA2} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - [You must be registered and logged in to see this link.]
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taylor\applic~1\mozilla\firefox\profiles\4cvg03nq.ryan\
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-20 24652]
R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-2-6 14848]
R3 vCOM;vCOM;c:\windows\system32\drivers\vCOM.sys [2005-7-9 19456]
S2 MCVSRte;McAfee.com VirusScan Online Realtime Engine; [x]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2008-5-27 14208]
S3 Cviat0;Cviat0; [x]
S3 McShield;McAfee.com McShield; [x]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-10 23296]
S4 Asppho34am1.43;Asppho34am1.43; [x]
S4 Disydismw-da;Disydismw-da; [x]

=============== Created Last 30 ================

2009-03-06 22:27 11,254 a------- c:\windows\system32\locate.com
2009-03-06 22:25 53,471 a------- C:\MGlogs.zip
2009-03-06 22:25 --d----- C:\MGtools
2009-03-06 13:49 --d----- c:\program files\Trend Micro
2009-03-06 13:24 161,792 a------- c:\windows\SWREG.exe
2009-03-06 13:24 98,816 a------- c:\windows\sed.exe
2009-03-06 02:59 16,896 a------- c:\windows\svcho.exe
2009-03-06 02:59 16,896 a------- c:\windows\syssvc.exe
2009-03-06 01:23 94,190 a------- c:\windows\system32\drivers\b4051529.sys
2009-03-06 01:23 82,432 a------- C:\wvqn.exe
2009-03-06 01:23 2 a------- C:\-461130108
2009-03-06 01:23 8,704 a------- C:\jwfoc.exe
2009-03-06 01:23 30,208 a------- C:\evvrbny.exe
2009-03-06 01:23 41,984 a------- C:\pxiikx.exe
2009-03-06 01:23 364,560 a------- C:\PYqU.exe
2009-03-01 13:41 --d----- c:\program files\Topaz Labs

==================== Find3M ====================

2009-01-19 15:16 129,024 a------- c:\windows\system32\yuoqhlxv.dll
2009-01-19 15:16 129,024 a------- c:\windows\system32\enundi.dll
2009-01-19 13:14 129,024 a------- c:\windows\system32\jderhgco.dll
2009-01-19 13:14 129,024 a------- c:\windows\system32\ixqrwg.dll
2009-01-19 06:24 129,024 a------- c:\windows\system32\ltcbuv.dll
2009-01-19 06:24 129,024 a------- c:\windows\system32\djakmksc.dll
2009-01-18 23:23 129,024 a------- c:\windows\system32\ocbqcx.dll
2009-01-18 23:23 129,024 a------- c:\windows\system32\bxmcsscg.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 08:41 6,537,728 a------- c:\windows\system32\tliadjust26.dll
2008-08-28 15:28 3,902,784 a------- c:\documents and settings\taylor\gosetup.exe
2007-07-28 21:57 87,608 a------- c:\docume~1\taylor\applic~1\ezpinst.exe
2007-07-28 21:57 47,360 a------- c:\docume~1\taylor\applic~1\pcouffin.sys
2006-05-31 09:14 108,056 a------- c:\program files\common files\secman.dll
2006-03-11 19:09 626,176 a------- c:\program files\common files\osmax.ocx
2005-12-29 15:36 560 a------- c:\documents and settings\taylor\PCDOC.BAT
2005-01-17 16:07 523 a------- c:\documents and settings\taylor\Q584361.exe
2004-06-02 22:36 0 a------- c:\documents and settings\taylor\ub.dat
2004-01-27 15:23 3,149 a------- c:\program files\common files\remove_tools.html
1998-07-31 16:01 19,904 a------- c:\program files\_ISREG16.DLL
2005-10-06 23:59 61 ---sh--- c:\windows\cnerolf.dat
2003-12-13 15:13 523 a--sh--- c:\windows\it.bat
2003-12-13 15:13 20,480 a--sh--- c:\windows\load.exe
2005-05-27 23:32 120 a--shr-- c:\windows\Regbak.dat

============= FINISH: 15:56:59.14 ===============


Re: svcho.exe

Post by Belahzur on Sat Mar 07, 2009 8:10 pm

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.



Re: svcho.exe

Post by rp4111 on Sun Mar 08, 2009 5:53 pm

Below is the Avira log file. It removed about 10 items but it did not save the log file so I had to run it again.

------------------------------------------------------------

Avira AntiVir Personal
Report file date: Saturday, March 07, 2009 22:52

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Boot mode: Normally booted
Username: Taylor
Computer name: D47VHT21

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 13:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 12:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 17:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 12:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.0.56 411136 Bytes 11/9/2008 21:57:13
ANTIVIR2.VDF : 7.1.0.89 221184 Bytes 11/16/2008 21:16:47
ANTIVIR3.VDF : 7.1.0.97 45056 Bytes 11/17/2008 21:38:59
Engineversion : 8.2.0.31
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 15:05:56
AEscript.DLL : 8.1.1.15 332156 Bytes 11/11/2008 19:00:07
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 20:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 18:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 14:41:39
AEOFFICE.DLL : 8.1.0.30 196986 Bytes 11/7/2008 20:06:41
AEHEUR.DLL : 8.1.0.71 1487222 Bytes 11/7/2008 20:06:41
AEHELP.DLL : 8.1.1.3 119157 Bytes 11/7/2008 20:06:41
AEGEN.DLL : 8.1.1.0 319859 Bytes 11/7/2008 20:06:41
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 15:05:56
AECORE.DLL : 8.1.4.1 172405 Bytes 11/7/2008 20:06:41
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 15:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 13:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 14:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 17:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 16:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 13:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 17:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 22:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 17:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 17:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 18:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 18:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, J:, K:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, March 07, 2009 22:52

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmplayer.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'ViewMgr.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'mim.exe' - '1' Module(s) have been scanned
Scan process 'MMDiag.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'nHancerService.exe' - '1' Module(s) have been scanned
Scan process 'Crypserv.exe' - '1' Module(s) have been scanned
Scan process 'DLLHOST.EXE' - '1' Module(s) have been scanned
Scan process 'acsd.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [23]: Data error (cyclic redundancy check).
Master boot sector HD5
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD6
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'J:\'
[INFO] No virus was found!
Boot sector 'K:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\DRIVERS\b4051529.sys
[WARNING] The file could not be opened!
Begin scan in 'J:\'
Begin scan in 'K:\'


End of the scan: Sunday, March 08, 2009 01:28
Used time: 2:35:27 Hour(s)

The scan has been done completely.

17507 Scanning directories
614920 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
614917 Files not concerned
4419 Archives were scanned
6 Warnings
0 Notes


Re: svcho.exe

Post by Belahzur on Sun Mar 08, 2009 7:16 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: svcho.exe

Post by rp4111 on Mon Mar 09, 2009 2:04 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by Taylor at 22:02:23.46 on Sun 03/08/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.510 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
c:\program files\avira\antivir personaledition classic\avscan.exe
C:\WeatherLink\WeatherLink 5.8.1.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: ebay.com\www
Trusted Zone: frame.crazywinnings.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {98264495-6376-443C-9340-2996038BD143} - [You must be registered and logged in to see this link.]
DPF: {99A7E374-3E8E-4C78-A054-25522DC03DA2} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - [You must be registered and logged in to see this link.]
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taylor\applic~1\mozilla\firefox\profiles\4cvg03nq.ryan\
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-3-7 22336]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-3-7 45376]
R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-2-6 14848]
R3 vCOM;vCOM;c:\windows\system32\drivers\vCOM.sys [2005-7-9 19456]
S2 antivirscheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-7 68865]
S2 antivirservice;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-7 151297]
S2 MCVSRte;McAfee.com VirusScan Online Realtime Engine; [x]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2008-5-27 14208]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-20 24652]
S3 Cviat0;Cviat0; [x]
S3 McShield;McAfee.com McShield; [x]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-10 23296]
S4 Asppho34am1.43;Asppho34am1.43; [x]
S4 Disydismw-da;Disydismw-da; [x]

=============== Created Last 30 ================

2009-03-07 16:27 --d----- c:\docume~1\alluse~1\applic~1\AntiVir PersonalEdition Classic
2009-03-07 16:23 --d----- c:\program files\Avira
2009-03-07 16:23 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-06 22:27 11,254 a------- c:\windows\system32\locate.com
2009-03-06 22:25 53,471 a------- C:\MGlogs.zip
2009-03-06 22:25 --d----- C:\MGtools
2009-03-06 13:49 --d----- c:\program files\Trend Micro
2009-03-06 13:24 161,792 a------- c:\windows\SWREG.exe
2009-03-06 13:24 98,816 a------- c:\windows\sed.exe
2009-03-06 01:23 94,190 a------- c:\windows\system32\drivers\b4051529.sys
2009-03-06 01:23 2 a------- C:\-461130108
2009-03-06 01:23 30,208 a------- C:\evvrbny.exe
2009-03-06 01:23 41,984 a------- C:\pxiikx.exe
2009-03-01 13:41 --d----- c:\program files\Topaz Labs

==================== Find3M ====================

2009-01-19 15:16 129,024 a------- c:\windows\system32\yuoqhlxv.dll
2009-01-19 15:16 129,024 a------- c:\windows\system32\enundi.dll
2009-01-19 13:14 129,024 a------- c:\windows\system32\jderhgco.dll
2009-01-19 13:14 129,024 a------- c:\windows\system32\ixqrwg.dll
2009-01-19 06:24 129,024 a------- c:\windows\system32\ltcbuv.dll
2009-01-19 06:24 129,024 a------- c:\windows\system32\djakmksc.dll
2009-01-18 23:23 129,024 a------- c:\windows\system32\ocbqcx.dll
2009-01-18 23:23 129,024 a------- c:\windows\system32\bxmcsscg.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 08:41 6,537,728 a------- c:\windows\system32\tliadjust26.dll
2008-08-28 15:28 3,902,784 a------- c:\documents and settings\taylor\gosetup.exe
2007-07-28 21:57 87,608 a------- c:\docume~1\taylor\applic~1\ezpinst.exe
2007-07-28 21:57 47,360 a------- c:\docume~1\taylor\applic~1\pcouffin.sys
2006-05-31 09:14 108,056 a------- c:\program files\common files\secman.dll
2006-03-11 19:09 626,176 a------- c:\program files\common files\osmax.ocx
2005-12-29 15:36 560 a------- c:\documents and settings\taylor\PCDOC.BAT
2005-01-17 16:07 523 a------- c:\documents and settings\taylor\Q584361.exe
2004-06-02 22:36 0 a------- c:\documents and settings\taylor\ub.dat
2004-01-27 15:23 3,149 a------- c:\program files\common files\remove_tools.html
1998-07-31 16:01 19,904 a------- c:\program files\_ISREG16.DLL
2005-10-06 23:59 61 ---sh--- c:\windows\cnerolf.dat
2003-12-13 15:13 523 a--sh--- c:\windows\it.bat
2003-12-13 15:13 20,480 a--sh--- c:\windows\load.exe
2005-05-27 23:32 120 a--shr-- c:\windows\Regbak.dat

============= FINISH: 22:03:28.57 ===============


Re: svcho.exe

Post by Belahzur on Mon Mar 09, 2009 2:17 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\system32\locate.com
    C:\MGlogs.zip
    C:\MGtools
    c:\windows\system32\drivers\b4051529.sys
    C:\-461130108
    C:\evvrbny.exe
    C:\pxiikx.exe
    c:\windows\system32\yuoqhlxv.dll
    c:\windows\system32\enundi.dll
    c:\windows\system32\jderhgco.dll
    c:\windows\system32\ixqrwg.dll
    c:\windows\system32\ltcbuv.dll
    c:\windows\system32\djakmksc.dll
    c:\windows\system32\ocbqcx.dll
    c:\windows\system32\bxmcsscg.dll


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: svcho.exe

Post by rp4111 on Mon Mar 09, 2009 3:58 am

========== FILES ==========
c:\windows\system32\locate.com moved successfully.
C:\MGlogs.zip moved successfully.
C:\MGtools\temp moved successfully.
C:\MGtools moved successfully.
File move failed. c:\windows\system32\drivers\b4051529.sys scheduled to be moved on reboot.
C:\-461130108 moved successfully.
C:\evvrbny.exe moved successfully.
C:\pxiikx.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\yuoqhlxv.dll
c:\windows\system32\yuoqhlxv.dll NOT unregistered.
c:\windows\system32\yuoqhlxv.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\enundi.dll
c:\windows\system32\enundi.dll NOT unregistered.
c:\windows\system32\enundi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\jderhgco.dll
c:\windows\system32\jderhgco.dll NOT unregistered.
c:\windows\system32\jderhgco.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ixqrwg.dll
c:\windows\system32\ixqrwg.dll NOT unregistered.
c:\windows\system32\ixqrwg.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ltcbuv.dll
c:\windows\system32\ltcbuv.dll NOT unregistered.
c:\windows\system32\ltcbuv.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\djakmksc.dll
c:\windows\system32\djakmksc.dll NOT unregistered.
c:\windows\system32\djakmksc.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ocbqcx.dll
c:\windows\system32\ocbqcx.dll NOT unregistered.
c:\windows\system32\ocbqcx.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\bxmcsscg.dll
c:\windows\system32\bxmcsscg.dll NOT unregistered.
c:\windows\system32\bxmcsscg.dll moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03082009_235325

Files moved on Reboot...
File move failed. c:\windows\system32\drivers\b4051529.sys scheduled to be moved on reboot.

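Added example (not part of the original posts and not OTMoveIt3's own code): a Python parser for the results log posted above that separates items that moved from items deferred to reboot and items that failed again after the reboot, which is how the one persistent driver stands out. The function names and status labels are assumptions for illustration; the sample is a shortened copy of the log lines above.

```python
import re
from collections import OrderedDict

# Constructed sample: a shortened copy of the OTMoveIt3 results posted above.
SAMPLE_LOG = r"""========== FILES ==========
c:\windows\system32\locate.com moved successfully.
C:\MGtools\temp moved successfully.
C:\MGtools moved successfully.
File move failed. c:\windows\system32\drivers\b4051529.sys scheduled to be moved on reboot.
DllUnregisterServer procedure not found in c:\windows\system32\yuoqhlxv.dll
c:\windows\system32\yuoqhlxv.dll NOT unregistered.
c:\windows\system32\yuoqhlxv.dll moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03082009_235325

Files moved on Reboot...
File move failed. c:\windows\system32\drivers\b4051529.sys scheduled to be moved on reboot.
"""

MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
DEFERRED = re.compile(
    r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
NOT_UNREG = re.compile(r"^(?P<path>.+?) NOT unregistered\.$")
REBOOT_SECTION = "Files moved on Reboot..."


def parse_otmoveit_log(text):
    """Return (status, not_unregistered).

    status maps each lowercased path to one of (labels are this example's own):
      'moved'      - the log reports the item moved successfully
      'deferred'   - the move failed and was scheduled for the next reboot
      'persistent' - the failure is reported again in the reboot section
    not_unregistered lists DLLs the log reports as NOT unregistered.
    """
    status = OrderedDict()
    not_unregistered = []
    after_reboot = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == REBOOT_SECTION:
            after_reboot = True
            continue
        m = DEFERRED.match(line)
        if m:
            key = m.group("path").lower()
            status[key] = "persistent" if after_reboot else "deferred"
            continue
        m = MOVED.match(line)
        if m:
            status[m.group("path").lower()] = "moved"
            continue
        m = NOT_UNREG.match(line)
        if m:
            not_unregistered.append(m.group("path").lower())
    return status, not_unregistered


def needs_follow_up(status):
    """Paths that were not confirmed as moved, in log order."""
    return [path for path, state in status.items() if state != "moved"]


if __name__ == "__main__":
    parsed, dlls = parse_otmoveit_log(SAMPLE_LOG)
    for path in needs_follow_up(parsed):
        print(parsed[path], path)
```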

Re: svcho.exe

Post by Belahzur on Mon Mar 09, 2009 3:00 pm

Hello.
That one file is persistent.
Please run DDS again and post the new log.



Re: svcho.exe

Post by rp4111 on Tue Mar 10, 2009 12:34 am

DDS (Ver_09-02-01.01) - NTFSx86
Run by Taylor at 20:32:35.25 on Mon 03/09/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.482 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AIM95\aim.exe
C:\WeatherLink\WeatherLink 5.8.1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = sas.ne2.attbb.net:8000
uInternet Settings,ProxyOverride = *.ne2.attbb.net
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: ebay.com\www
Trusted Zone: frame.crazywinnings.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {98264495-6376-443C-9340-2996038BD143} - [You must be registered and logged in to see this link.]
DPF: {99A7E374-3E8E-4C78-A054-25522DC03DA2} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - [You must be registered and logged in to see this link.]
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taylor\applic~1\mozilla\firefox\profiles\4cvg03nq.ryan\
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-3-7 22336]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-3-7 45376]
R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-2-6 14848]
R3 vCOM;vCOM;c:\windows\system32\drivers\vCOM.sys [2005-7-9 19456]
S2 antivirscheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-7 68865]
S2 antivirservice;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-7 151297]
S2 MCVSRte;McAfee.com VirusScan Online Realtime Engine; [x]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2008-5-27 14208]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-20 24652]
S3 Cviat0;Cviat0; [x]
S3 McShield;McAfee.com McShield; [x]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-10 23296]
S4 Asppho34am1.43;Asppho34am1.43; [x]
S4 Disydismw-da;Disydismw-da; [x]

=============== Created Last 30 ================

2009-03-08 23:53 --d----- C:\_OTMoveIt
2009-03-07 16:27 --d----- c:\docume~1\alluse~1\applic~1\AntiVir PersonalEdition Classic
2009-03-07 16:23 --d----- c:\program files\Avira
2009-03-07 16:23 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-06 13:49 --d----- c:\program files\Trend Micro
2009-03-06 13:24 161,792 a------- c:\windows\SWREG.exe
2009-03-06 13:24 98,816 a------- c:\windows\sed.exe
2009-03-06 01:23 94,190 a------- c:\windows\system32\drivers\b4051529.sys
2009-03-01 13:41 --d----- c:\program files\Topaz Labs

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 08:41 6,537,728 a------- c:\windows\system32\tliadjust26.dll
2008-08-28 15:28 3,902,784 a------- c:\documents and settings\taylor\gosetup.exe
2007-07-28 21:57 87,608 a------- c:\docume~1\taylor\applic~1\ezpinst.exe
2007-07-28 21:57 47,360 a------- c:\docume~1\taylor\applic~1\pcouffin.sys
2006-05-31 09:14 108,056 a------- c:\program files\common files\secman.dll
2006-03-11 19:09 626,176 a------- c:\program files\common files\osmax.ocx
2005-12-29 15:36 560 a------- c:\documents and settings\taylor\PCDOC.BAT
2005-01-17 16:07 523 a------- c:\documents and settings\taylor\Q584361.exe
2004-06-02 22:36 0 a------- c:\documents and settings\taylor\ub.dat
2004-01-27 15:23 3,149 a------- c:\program files\common files\remove_tools.html
1998-07-31 16:01 19,904 a------- c:\program files\_ISREG16.DLL
2005-10-06 23:59 61 ---sh--- c:\windows\cnerolf.dat
2003-12-13 15:13 523 a--sh--- c:\windows\it.bat
2003-12-13 15:13 20,480 a--sh--- c:\windows\load.exe
2005-05-27 23:32 120 a--shr-- c:\windows\Regbak.dat

============= FINISH: 20:33:35.92 ===============

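Added example (not part of the original posts and not part of DDS): a Python sketch that parses the "Created Last 30" and "Find3M" file listings of a DDS log like the one above and surfaces entries worth a second look. The two triage rules (hidden+system executables, and `.sys` files under a `drivers` folder in the recent-files section) and the reading of the attribute letters as archive/directory/system/hidden/read-only are assumptions for illustration, not rules taken from DDS or from the helper; the sample is a shortened copy of the log lines above.

```python
import re
from ntpath import splitext

# Constructed sample: a shortened copy of the DDS file listings posted above.
SAMPLE_DDS = r"""=============== Created Last 30 ================

2009-03-08 23:53 --d----- C:\_OTMoveIt
2009-03-06 13:24 98,816 a------- c:\windows\sed.exe
2009-03-06 01:23 94,190 a------- c:\windows\system32\drivers\b4051529.sys

==================== Find3M ====================

2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2005-10-06 23:59 61 ---sh--- c:\windows\cnerolf.dat
2003-12-13 15:13 523 a--sh--- c:\windows\it.bat
2003-12-13 15:13 20,480 a--sh--- c:\windows\load.exe
"""

SECTION = re.compile(r"^=+ (.+?) =+$")
# date, time, optional size (directories have none), 8 attribute chars, path
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (?:([\d,]+) )?([a-z-]{8}) (.+)$")
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".scr", ".dll", ".sys"}


def parse_dds_files(text):
    """Return one dict per file-listing line, tagged with its section name."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append({
                "section": section, "date": date, "time": time,
                "size": int(size.replace(",", "")) if size else None,
                "attrs": attrs, "path": path,
            })
    return entries


def triage(entries):
    """Apply the two assumed rules; return [(path, [reasons])] in log order."""
    findings = []
    for e in entries:
        if "d" in e["attrs"]:          # skip directories
            continue
        path = e["path"].lower()
        ext = splitext(path)[1]
        reasons = []
        if "s" in e["attrs"] and "h" in e["attrs"] and ext in EXECUTABLE_EXT:
            reasons.append("hidden+system executable")
        if (e["section"] == "Created Last 30" and ext == ".sys"
                and "\\drivers\\" in path):
            reasons.append("recently created driver")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_files(SAMPLE_DDS)):
        print(path, "->", ", ".join(reasons))
```

A hit is only a candidate for a closer look, such as the multi-engine scan requested for `c:\windows\load.exe` later in this thread.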

Re: svcho.exe

Post by Belahzur on Tue Mar 10, 2009 12:37 am

Hello.
Please go to this site
[You must be registered and logged in to see this link.]
and upload this file in bold for a scan.
c:\windows\load.exe
Copy and paste the results back here.

Next,

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
c:\windows\system32\drivers\b4051529.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



Re: svcho.exe

Post by rp4111 on Tue Mar 10, 2009 12:45 am

Here are the results from virusscan.jotti.org. I will post results from Avenger shortly.

Scan taken on 10 Mar 2009 00:40:02 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


Re: svcho.exe

Post by rp4111 on Tue Mar 10, 2009 12:49 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\drivers\b4051529.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: svcho.exe

Post by Belahzur on Tue Mar 10, 2009 12:53 am

The file is gone now.
How's the machine running now?



Re: svcho.exe

Post by rp4111 on Tue Mar 10, 2009 12:55 am

Much faster. I have been able to connect to the internet without having to go into safe mode and no pop ups from that spyware protect 2009. Seems like the computer is fairly clean now? There is a DLLhost.exe running in task manager. Is that a trojan?


Re: svcho.exe

Post by Belahzur on Tue Mar 10, 2009 1:02 am

No, dllhost is legit, do not stop it from running.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: svcho.exe

Post by rp4111 on Tue Mar 10, 2009 1:10 am

Thank you very much for your time and help! Much appreciated. Computer is running like new and virus free. Your instructions were very easy to follow. I will recommend this site to anyone looking for help with their PC. Thanks again,

Ryan
