SVChost.exe trojan, memory process help!

Discussion in 'Virus and Malware Removal' started by BWashburn, Aug 3, 2012.

  1. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Java Update!

    Please download the newest version of Java from Java.com.

    Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Read more about Java exploit problems

    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previously installed versions of Adobe Flash Player. Uninstall/remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.


    Topic solved and closed. :) Thanks!
  2. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Tell me the errors reported...
  3. BWashburn TechSpot Member Posts: 58

    Firewall error code 0x80070424

    I have realised I cannot turn on my firewall and I get this error code. I have so far uninstalled AVG and installed Microsoft Security Essentials and MBAM (free version). I have run scans on both and found no sort of malware, yet I still cannot turn on my firewall.
  4. Jay Pfoutz Malware Helper Posts: 4,286   +49

    I doubt it has anything to do with malware.

    Download and save the zip file attached...extract its contents to reveal the REG file enclosed.

    Once extracted, double-click on the file and merge it in to the Registry.

    Reboot your computer. Let me know if the Firewall is working fine.

  5. BWashburn TechSpot Member Posts: 58

    I tried merging that registry file and it said error accessing the registry.
  6. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Try again in Safe Mode, and let me know if it works.
     
  7. BWashburn TechSpot Member Posts: 58

    Cannot import C:\Users\Uer\Downloads\Fixseccenter.reg: Error accessing the registry.
    Also, I noticed something in MSE that I didn't notice before, under my history tab for my daily scans:
    Trojan:DOS/Alureon.j Action Taken: Removed
    Rogue:JS/FakePAV Action Taken: Quarantined (there were two of those)
    Trojan:Win32/Sirefef!cfg Action Taken: Quarantined
  8. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Back to this tool. Topic marked Active again. :)

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  9. BWashburn TechSpot Member Posts: 58

    Here is what I got when I ran it and when it installed the recovery console:
    The contents of folder C:\Windows\Erdnt\Hiv-backup could not be completely deleted.
    I let it run for about an hour and a half and it was still the same, getting stuck on stage 4. I closed it and rebooted.
  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go to Start and type in ComboFix /uninstall and hit Enter.

    Then, try to download and run ComboFix again.
  11. BWashburn TechSpot Member Posts: 58

    Finally got it past stage 4!!! It's at stage 27 right now; I have been running it for 3 hours now. I will continue to let it run overnight (going to bed, work in the a.m.) and will post as soon as it finishes.
  12. BWashburn TechSpot Member Posts: 58

    Here is the long awaited log from ComboFix!!!!
    ComboFix 12-09-27.03 - Uer 09/27/2012 15:48:18.5.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7935.6302 [GMT -5:00]
    Running from: c:\users\Uer\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Uer\Documents\~WRL0930.tmp
    c:\windows\svchost.exe
    c:\windows\SysWow64\Packet.dll
    c:\windows\SysWow64\pthreadVC.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-28 03:21 . 2012-09-28 03:21 -------- d-----w- c:\users\Mcx1-UER-HP\AppData\Local\temp
    2012-09-28 03:21 . 2012-09-28 03:21 -------- d-----w- c:\users\Mcx1-UER-HP.Uer-HP\AppData\Local\temp
    2012-09-28 03:21 . 2012-09-28 03:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-09-27 08:31 . 2012-09-19 05:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D60B47B9-D3E2-4547-8642-63F082023459}\mpengine.dll
    2012-09-26 22:45 . 2012-09-19 05:58 9308616 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-09-25 21:19 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
    2012-09-25 21:16 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
    2012-09-25 21:16 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
    2012-09-25 21:15 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
    2012-09-25 21:15 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
    2012-09-25 21:15 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
    2012-09-25 21:15 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
    2012-09-25 21:15 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
    2012-09-25 21:15 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
    2012-09-25 21:15 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
    2012-09-25 21:15 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
    2012-09-25 21:15 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-09-25 21:15 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-09-25 21:15 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2012-09-25 21:12 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
    2012-09-25 21:12 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
    2012-09-25 21:12 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
    2012-09-25 21:12 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
    2012-09-25 21:12 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-09-25 21:12 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
    2012-09-19 22:54 . 2012-09-19 22:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-09-19 22:54 . 2012-09-07 22:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-09-19 22:37 . 2012-02-09 19:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FD0399C-E913-4F6A-B145-D8AAD6BB2C25}\gapaengine.dll
    2012-09-19 22:25 . 2012-09-19 22:25 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-09-19 22:25 . 2012-09-19 22:25 -------- d-----w- c:\program files\Microsoft Security Client
    2012-09-19 22:15 . 2012-09-19 22:15 -------- d-----w- c:\windows\SysWow64\drivers\AVG
    2012-09-19 00:24 . 2012-09-19 00:24 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-09-19 00:24 . 2012-09-19 00:24 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-09-19 00:14 . 2012-09-19 00:13 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-09-19 00:14 . 2012-09-19 00:13 289768 ----a-w- c:\windows\system32\javaws.exe
    2012-09-19 00:14 . 2012-09-19 00:13 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-09-19 00:14 . 2012-09-19 00:13 189416 ----a-w- c:\windows\system32\javaw.exe
    2012-09-19 00:14 . 2012-09-19 00:13 188904 ----a-w- c:\windows\system32\java.exe
    2012-09-19 00:14 . 2012-09-19 00:13 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2012-09-19 00:13 . 2012-09-19 00:13 -------- d-----w- c:\program files\Java
    2012-09-07 19:43 . 2012-09-07 19:43 -------- d-----w- c:\users\Uer\AppData\Local\Ilivid Player
    2012-09-07 19:41 . 2012-09-07 19:41 -------- d-----w- c:\programdata\boost_interprocess
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-25 22:23 . 2011-02-19 21:13 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2012-09-25 22:03 . 2011-02-19 21:12 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-09-25 08:24 . 2011-04-10 22:05 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2012-09-25 08:24 . 2011-04-10 23:17 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-09-25 08:23 . 2011-04-10 23:06 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2012-09-25 08:23 . 2011-02-19 21:12 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2012-08-31 05:43 . 2010-11-20 10:50 64462936 ----a-w- c:\windows\system32\MRT.exe
    2012-08-30 20:48 . 2012-07-20 23:33 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
    2012-08-08 21:39 . 2011-02-19 21:13 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2012-08-08 21:33 . 2011-04-10 22:04 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2012-08-08 16:11 . 2012-08-13 23:25 460888 ----a-w- c:\windows\system32\drivers\72847843.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-09-28 1715768]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
    "Weather"="c:\program files (x86)\AWS\WeatherBug\Weather.exe" [2010-10-29 1652736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2009-10-14 563736]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-12 102400]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2011-11-2 4577760]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Online Backup]
    2010-06-01 22:33 1155928 ----a-w- c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-18 136176]
    R2 WSWNDA3100;WSWNDA3100;c:\program files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [2010-08-19 272864]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-19 250288]
    R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [2010-06-30 35840]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-18 136176]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-20 1255736]
    R4 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
    R4 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
    S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 25312]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-08-30 31080]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-01-23 254528]
    S1 nnfwdk;Nielsen WFP Driver;c:\program files (x86)\NetRatingsNetSight\NetSight\meter1\nnfwdk64.sys [2009-12-29 23120]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-06-30 204288]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2010-11-09 21992]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-05-04 81408]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe [2009-10-14 635416]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
    S2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-08-30 722528]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-06-30 9371136]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-06-30 309760]
    S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh664.sys [2011-04-19 1254464]
    S3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys [2010-01-18 4608]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-04 346144]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2009-12-22 38456]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-19 00:24]
    .
    2012-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-18 16:09]
    .
    2012-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-18 16:09]
    .
    2012-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000Core.job
    - c:\users\Uer\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-19 21:07]
    .
    2012-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2308464352-3331396735-3360041561-1000UA.job
    - c:\users\Uer\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-19 21:07]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-18 568888]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uLocal Page = c:\windows\system32\blank.htm
    mDefault_Page_URL = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    TCP: DhcpNameServer = 10.0.0.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files (x86)\somototoolbar\vmntemplateX.dll
    Toolbar-{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files (x86)\somototoolbar\vmntemplateX.dll
    Toolbar-10 - (no file)
    Wow6432Node-HKLM-Run-<NO NAME> - (no file)
    Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe
    Wow6432Node-HKLM-Run-ROC_roc_dec12 - c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe
    Wow6432Node-HKLM-Run-ROC_ROC_JULY_P1 - c:\program files (x86)\AVG Secure Search\ROC_ROC_JULY_P1.exe
    Toolbar-10 - (no file)
    AddRemove-1ClickDownload - c:\program files (x86)\1ClickDownload\uninst.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-THUG1 Fix - c:\program files (x86)\Activision\Tony Hawk's Underground\Uninstall THUG1 Fix.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
    "ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (LocalSystem)
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (LocalSystem)
    "Timestamp"=hex:3e,46,9f,13,57,26,cd,01
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\NetRatingsNetSight]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-27 22:26:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-28 03:26
    .
    Pre-Run: 830,936,748,032 bytes free
    Post-Run: 830,410,166,272 bytes free
    .
    - - End Of File - - D3200A5B09B538A8BEBB680C52C81527
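A small triage parser for the ComboFix log format posted above, added here as an example; it is not ComboFix's code or anything from this thread. It reads the Other Deletions, Reg Loading Points (Run values and the R/S service lines) and ORPHANS REMOVED sections into records and flags what a helper checks first: a file carrying a system-process name outside System32/SysWOW64, a service whose binary ComboFix could not find ([x]), an autostart outside Windows/Program Files, and an orphan pointing at "(no file)". The sample log is a constructed subset of the posted one plus one made-up "Updater" Run value.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the ComboFix log posted above. The "Updater" Run
# value is made up (it is not in the posted log) so the path check has something to flag.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\windows\svchost.exe
.
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Updater"="c:\users\Uer\AppData\Roaming\updater.exe" [2012-09-07 40960]
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-18 136176]
R4 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-08-30 31080]
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files (x86)\somototoolbar\vmntemplateX.dll
Toolbar-10 - (no file)
"""

# Section banners come in three shapes; Run values, R/S service lines and orphans have fixed layouts.
SECTION_PATTERNS = [
    re.compile(r"^\(+\s*(.+?)\s*\)+$"),    # (((( Name ))))
    re.compile(r"^(?:- )+(.+?)(?: -)+$"),  # - - - - Name - - - -
    re.compile(r"^-+\s+(.+?)\s+-+$"),      # ------- Name -------
]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')   # "name"="path" [date size]
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+) \[(.*)\]$")         # R2 name;display;path [date size]
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")
FILE_RE = re.compile(r"^[a-z]:\\", re.I)

# The real svchost.exe (and the other names here) lives in System32, with 32-bit copies in
# SysWOW64; the same name anywhere else is the impostor this thread is about.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class Service:
    running: bool     # R = running, S = stopped
    start_type: int   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display: str
    path: str
    present: bool     # False when ComboFix printed [x] instead of a date and size

def section_name(line: str) -> Optional[str]:
    for pat in SECTION_PATTERNS:
        if m := pat.match(line):
            return m.group(1).lower()
    return None

def parse_combofix(text: str) -> Dict[str, list]:
    # Walk the log once, tracking the current section, and collect typed records.
    records: Dict[str, list] = {"deletions": [], "run": [], "services": [], "orphans": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if name := section_name(line):
            section = name
            continue
        if section == "other deletions" and FILE_RE.match(line):
            records["deletions"].append(line)
        elif section in ("reg loading points", "x64 entries"):
            if m := RUN_RE.match(line):
                records["run"].append((m.group(1), m.group(2), int(m.group(4))))   # (name, path, size)
            elif m := SERVICE_RE.match(line):
                records["services"].append(Service(m.group(1) == "R", int(m.group(2)), m.group(3),
                                                   m.group(4), m.group(5), m.group(6) != "x"))
        elif section == "orphans removed" and (m := ORPHAN_RE.match(line)):
            records["orphans"].append((m.group(1), m.group(2)))   # (registry entry, target)
    return records

def flag(records: Dict[str, list]) -> List[str]:
    # Entries worth a second look, in log order: deletions, services, Run values, orphans.
    findings: List[str] = []
    for path in records["deletions"]:
        low = path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            findings.append(f"deleted {path}: system binary name outside System32/SysWOW64")
    for svc in records["services"]:
        if not svc.present:
            findings.append(f"service {svc.name}: ComboFix found no file at {svc.path}")
        elif not svc.path.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"service {svc.name}: binary outside Windows/Program Files ({svc.path})")
    for name, path, _size in records["run"]:
        if not path.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"Run value {name}: binary outside Windows/Program Files ({path})")
    for entry, target in records["orphans"]:
        if target == "(no file)":
            findings.append(f"orphan {entry}: registry still pointed at a file that no longer exists")
    return findings
```

Feeding the full posted log to `parse_combofix` also picks up the X64 Entries Run values; the flags are a starting point for reading, not a verdict.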
  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Still same issue? I need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  14. BWashburn TechSpot Member Posts: 58

    I still was not able to turn on my firewall. I don't get the error message anymore but when I click turn on firewall nothing happens.
  15. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Method 1: Diagnose and fix Windows Firewall service problems automatically

    Method 2: How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7
    Note: It may ask for the Windows DVD to fix and to enable SFC to make more than minor repairs. Some files saved on your computer might get deleted when fixing corrupted files.

    You can use the Windows Repair Tool to automate it.

    Method 3: Fix: Windows 7 or Vista Firewall Fails To Start At Startup

    Method 4: Please run "services.msc", stop "Windows Event Controller" service first, then make sure "Base Filtering Engine" service is started.
    In the Start Menu type devmgmt.msc, and open Device Manager. On the View tab, choose "Devices by connection" and put a check next to "Show hidden devices". Look for Windows Firewall Authorization Driver (it will have a gold gear icon). Double-click that, and on the Driver tab, make sure the Startup type is set to "Demand".
    Then start "Windows Firewall" service, and check if the issue gets resolved.

    Let me know if any of the above methods worked, and if you can start Windows Firewall.
  16. BWashburn TechSpot Member Posts: 58

Method 1 did not work. Method 2 did not work, it said: Cannot repair member file [l:24{12}]"services.exe" of Microsoft-Windows-Services-ServiceController, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
    2012-09-30 15:17:57, Info CSI 000002ea [SR] Repaired file \SystemRoot\WinSxS\Manifests\\[ml:28{14},l:24{12}]"services.exe" by copying from backup
Method 3 was of no help because I cannot stop the service Windows Event Log... it said access is denied, Error 5. I tried starting Windows Firewall again and the same thing happens... which is nothing. No errors, just a loading symbol on my cursor, then nothing.
  17. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Copy the following code and under the Custom Scans/Fixes box paste this in:

• Click the None button and then the Run Scan button. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.
    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
  18. BWashburn TechSpot Member Posts: 58

OTL log... there was no log for Extras.
    OTL logfile created on: 10/2/2012 3:21:26 PM - Run 1
    OTL by OldTimer - Version 3.2.70.1 Folder = C:\Users\Uer\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    7.75 Gb Total Physical Memory | 5.94 Gb Available Physical Memory | 76.66% Memory free
    15.50 Gb Paging File | 13.51 Gb Available in Paging File | 87.17% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 919.35 Gb Total Space | 774.11 Gb Free Space | 84.20% Space Free | Partition Type: NTFS
    Drive D: | 12.07 Gb Total Space | 1.47 Gb Free Space | 12.21% Space Free | Partition Type: NTFS
    Drive E: | 2.50 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: UER-HP | User Name: Uer | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

    ========== Custom Scans ==========

    < MD5 for: SERVICES.EXE >
    [2009/07/13 20:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\erdnt\cache64\services.exe
    [2009/07/13 20:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
    [2012/09/30 15:17:57 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

    < MD5 for: VOLSNAP.SYS >
    [2010/11/20 08:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\drivers\volsnap.sys
    [2010/11/20 08:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys
    [2010/11/20 08:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\volsnap.sys
    [2009/07/13 20:45:55 | 000,294,992 | ---- | M] (Microsoft Corporation) MD5=58F82EED8CA24B461441F9C3E4F0BF5C -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_71aba92815c60174\volsnap.sys

    < End of report >
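A defender-side reading of this custom scan, as an added example that is not part of the thread or of OTL: parse the "< MD5 for: ... >" sections and flag any live copy whose hash matches no copy in WinSxS, the component store SFC restores from, since a patched services.exe or volsnap.sys shows up there as exactly that kind of mismatch. The sample report is constructed; its WinSxS and volsnap.sys lines are taken from the log above, while the SysNative services.exe entry with the all-zero hash is made up to exercise the mismatch path.

```python
import re
from collections import defaultdict

# One OTL entry: [date time | size | attrs | M] (Company) MD5=HEX -- path
ENTRY_RE = re.compile(r"^\[([^|]+)\|\s*([\d,]+)\s*\|[^\]]*\]\s*\(([^)]*)\)\s*"
                      r"MD5=([0-9A-Fa-f]{32})\s*--\s*(.+)$")
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(.+?)\s*>$")

def parse_otl_md5_report(text):
    """Return {FILENAME: [(path, md5, size), ...]} per '< MD5 for: ... >' section."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if (h := HEADER_RE.match(line)):
            current = h.group(1).upper()
        elif current and (m := ENTRY_RE.match(line)):
            _stamp, size, _company, md5, path = m.groups()
            sections[current].append((path, md5.upper(), int(size.replace(",", ""))))
    return dict(sections)

def find_hash_outliers(sections, trusted_marker="\\winsxs\\"):
    """Compare every live copy against the copies in the component store (WinSxS,
    the backup SFC restores from). Returns {FILENAME: [live paths whose MD5 matches
    no WinSxS copy]}: a System32/SysNative binary that differs from every WinSxS
    version is what a patched services.exe or volsnap.sys looks like in this scan."""
    outliers = {}
    for name, entries in sections.items():
        trusted = {md5 for path, md5, _ in entries if trusted_marker in path.lower()}
        if not trusted:
            continue  # no reference copy: report nothing rather than guess
        bad = [path for path, md5, _ in entries
               if trusted_marker not in path.lower() and md5 not in trusted]
        if bad:
            outliers[name] = bad
    return outliers

# Constructed sample: the WinSxS and volsnap lines are copied from the thread's log;
# the SysNative services.exe line is made up, with a placeholder hash, to show a hit.
SAMPLE_REPORT = """\
< MD5 for: SERVICES.EXE >
[2012/09/30 15:17:57 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2012/09/30 15:17:57 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\\Windows\\SysNative\\services.exe
< MD5 for: VOLSNAP.SYS >
[2010/11/20 08:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\\Windows\\SysNative\\drivers\\volsnap.sys
[2010/11/20 08:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\\Windows\\winsxs\\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\\volsnap.sys
"""
if __name__ == "__main__":
    for name, paths in find_hash_outliers(parse_otl_md5_report(SAMPLE_REPORT)).items():
        print(f"{name}: copies not matching any WinSxS version -> {paths}")
```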
  19. Jay Pfoutz Malware Helper Posts: 4,286   +49

  20. BWashburn TechSpot Member Posts: 58

    Pleased to say my firewall is working now all thanks to you DragonMaster. Ran a scan with MSE and MBAM and so far so good! I really appreciate everything you have helped me with sir. May you have a blessed day.