Author Topic: svchost.exe application error  (Read 8506 times)


joto

  • Guest
svchost.exe application error
« on: April 07, 2009, 07:03:52 PM »
I posted on here a week or so ago about the above problem, Scythe944 was helping me sort it. You asked me to post my HijackThis log on. I did this but have had no replies. I'll post it again now; if anyone can help me sort the problem I'd be really grateful.

Thanks

Log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:07, on 26/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
C:\Program Files\Home Cinema\PowerCinema\PCMService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [InstantOn] "C:\Program Files\CyberLink\PowerCinema Linux\ion_install.exe /c "
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {5C12033D-1BFB-426C-8D7F-B556686BA607} - http://www.medion.co.uk (file missing) (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 8970 bytes

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: svchost.exe application error
« Reply #1 on: April 07, 2009, 07:22:55 PM »
Sorry joto, I guess I was busy...
Here you go...

We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one.


O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
Unnecessary (deactivated) entry that can be fixed. toolbar.dll - AOL toolbar

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Not dangerous, but unnecessary. QuickTime

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed. This entry was classified from our visitors as good.

O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'? If not, fix this entry.
 
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'? If not, fix this entry.
 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'? If not, fix this entry.
 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'? If not, fix this entry.
 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'? If not, fix this entry.

O9 - Extra button: Medion-UK - {5C12033D-1BFB-426C-8D7F-B556686BA607} - http://www.medion.co.uk (file missing) (HKCU)
To be fixed if the entry 'Medion' is unknown.
Unnecessary (deactivated) entry that can be fixed. Unknown buttons or entries in the 'Extras'-menu should be fixed.

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Safe, but possibly nasty! According to our database this process runs normally in c:\programme\common~1\x10\common\! Check if you know this process and arrange a viruscheck where required.

C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
Safe, but possibly nasty! According to our database this process runs normally in c:\programme\cyberlink\shared files\clml_ntservice\! Check if you know this process and arrange a viruscheck where required. CyberLink Media Library Service


I'd check into those entries and remove them with HJT.

Other than that, you look pretty good.  Nothing serious...
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

micky77

  • Guest
Re: svchost.exe application error
« Reply #2 on: April 07, 2009, 08:19:11 PM »
Those O17 IP addresses belong to Ukr telegroup (based in Ukraine), which appears to be malicious

http://ddanchev.blogspot.com/2008/07/lazy-summer-days-at-ukrtelegroup-ltds.html

Are your internet searches being redirected?

Also, what security programs have you scanned with?

Also you are running HJT from G drive; you MUST install properly in program files C drive. If you fix any entries, and need to restore them, it must be installed properly

Only then should you start fixing entries

I haven't looked closely at your log yet, do you use a plug for Japanese/Chinese translation?

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

DO NOT FIX

Those entries contain IMJPMIG.EXE, ImScInst.exe, TINTSETP.EXE

They need to be sent to virustotal for inspection as they may be malicious

http://www.prevx.com/filenames/1250578899387157976-X1/IMSCINST.EXE.html

http://www.prevx.com/filenames/898787142291842480-X1/TINTSETP.EXE.html

http://spywarefiles.prevx.com/RRDHEA8978/IMJPMIG.EXE.html


Please upload those files and copy/paste the results

http://www.virustotal.com/

Will continue looking at your log







« Last Edit: April 07, 2009, 08:37:22 PM by micky77 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: svchost.exe application error
« Reply #3 on: April 07, 2009, 08:31:33 PM »
HJT just has to be in a folder of its own, it doesn't have to be in c:\program files\hijackthis, etc. Provided the G:\ drive/partition is a fixed hard disk or partition then it would need to be in its own folder, e.g. g:\HJT\hijackthis.exe, etc.

If G:\ is a usb device then HJT needs to be on a fixed drive in a folder of its own.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

micky77

  • Guest
Re: svchost.exe application error
« Reply #4 on: April 07, 2009, 09:13:54 PM »
Yes thanks David, I had a quick peek at the OP original post, and assumed it was being run from a flash drive http://forum.avast.com/index.php?topic=43702.msg365523#msg365523

Joto, I have examined the log. The O17 entries with the IP addresses are certainly bad. The O4 entries could be legit files used in a plug-in for Internet Explorer for translating Asian language. However, I strongly believe they are very bad files. I see from your original post that this PC has no longer got internet connectivity. So sending those files for analysis will be difficult. ;D
So first fix the entries

O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134

O17 - HKLM\System\CCS\Services\Tcpip\..\{9D1571F7-5B1C-474A-A285-C167D0FF5821}: NameServer = 85.255.112.90,85.255.112.134

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134'

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.90,85.255.112.134
Do you know the IP or Domain '85.255.112.90,85.255.112.134

You do this by opening HJT (that has been installed in its own folder).
Choose 'do a scan only', then place ticks in the boxes next to the entries above, then choose fix selected. Close HJT.

Next, from your other PC download 2 programs and their updates.

Transfer programs and update files to infected PC via CD (I do not like using flash drives, as this may also become infected).
Try to install both programs; you may encounter problems if malware prevents this (we can get round that).
If you successfully install, exit programs, double click on the update files you also downloaded to install updates. Then run consecutive scans with both programs. I am sure (hopefully) we may see something found related to the O4 entries.
Copy/paste the results of the scans

Malwarebytes antimalware  http://filehippo.com/download_malwarebytes_anti_malware/

Malwarebytes antimalware updates http://www.gt500.org/malwarebytes/database.jsp

SuperAntiSpyware  http://www.superantispyware.com/

SuperAntiSpyware updates  http://www.superantispyware.com/definitions.html



« Last Edit: April 07, 2009, 10:00:16 PM by micky77 »

joto

  • Guest
Re: svchost.exe application error
« Reply #5 on: April 10, 2009, 06:30:58 PM »
Hi Guys. Thanks for help so far. I've fixed the O17 files using HJT as instructed. I've then downloaded malwarebytes and Superantispyware on other computer and transferred as instructed. Malwarebytes says it's installed but it won't launch and the other won't install at all. Any advice re next steps eagerly awaited!!

Thanks x   

micky77

  • Guest
Re: svchost.exe application error
« Reply #6 on: April 10, 2009, 06:58:18 PM »
Hello again, try this first. Navigate to C/program files/malwarebytes antimalware, open that folder, you will see mbam.exe, right click on that file and choose rename, then rename to joto.exe, then double click on the renamed file to launch

Did you manually update MBAM?

Also about those other entries IMJPMIG.EXE, ImScInst.exe, and TINTSETP.EXE, do you use any translation plug-in for Chinese/Asian languages?

Regarding SAS, rename the setup file for example to slayer.exe, then double click to install.
Did you download the manual updates for SAS?
« Last Edit: April 10, 2009, 07:06:37 PM by micky77 »

joto

  • Guest
Re: svchost.exe application error
« Reply #7 on: April 11, 2009, 07:37:16 PM »
Hi Micky77. I have renamed .exe files and think I can now do the scans. Should I select quick scan or do I need to do full scan?

Regarding the plug-in you asked about, I don't know what that would be so am not aware that I have one. Forgive me if I sound a bit stupid!!

Thanks x

micky77

  • Guest
Re: svchost.exe application error
« Reply #8 on: April 11, 2009, 07:45:06 PM »
Do quick scans first. As for those entries, when googled, they appear in many HJT logs; however, I have yet to find anyone who actually fixed them, so they may be benign.
If I remember, Avast found a Fasec trojan in your initial post. Can you tell me the name and location of the file it quarantined?
http://forum.avast.com/index.php?topic=43702.msg365486#msg365486
« Last Edit: April 11, 2009, 07:48:08 PM by micky77 »

joto

  • Guest
Re: svchost.exe application error
« Reply #9 on: April 11, 2009, 08:04:57 PM »
Am running the quick scan on malwarebytes now but still can't get the superantispyware one to launch. Wasn't sure which exe file to rename. Can you clarify for me? Will let you know what comes up on scan I'm doing at mo.

Thanks again for help x

joto

  • Guest
Re: svchost.exe application error
« Reply #10 on: April 11, 2009, 08:09:25 PM »
Malwarebytes scan has found 5 infected files. Two say Trojan.Agent and three say Trojan.DNSChanger. Shall I click remove these files?

micky77

  • Guest
Re: svchost.exe application error
« Reply #11 on: April 11, 2009, 08:14:07 PM »
Can you copy/paste the log first, please?

On the SAS installation/setup file (you downloaded), rename, then double click to install. If installation is successful, exit program. Then double click on the update/definition file I told you to download. Then go to C/program files/superantispyware/, open that folder, locate superantispyware.exe and rename (keep the extension, exe), double click on renamed file to launch
« Last Edit: April 11, 2009, 08:20:41 PM by micky77 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: svchost.exe application error
« Reply #12 on: April 11, 2009, 08:20:01 PM »
Hi Yoto,

You also could try this:

# For Windows XP:

1. Press Ctrl+Alt+Delete. The Windows Task Manager appears.
2. Click the Application tab.
3. Look for an entry related to a program installation. This might include words, such as "install," "installer," or "MSI."
4. If found, highlight the entry, and then click End Task. If a second dialog box appears, then click End Task in the second box. Close the dialog box.
5. You could try the install again if it was a legit one,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

joto

  • Guest
Re: svchost.exe application error
« Reply #13 on: April 11, 2009, 08:24:20 PM »
Am posting the malwarebytes log below. My husband has already clicked to remove the files so hope that is the right thing to do! Log as follows:

Malwarebytes' Anti-Malware 1.34
Database version: 1954
Windows 5.1.2600 Service Pack 3

11/04/2009 19:24:09
mbam-log-2009-04-11 (19-24-09).txt

Scan type: Quick Scan
Objects scanned: 76823
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-8-2-24-100001961-100017518-100013051-7988.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
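
Added example (not part of any post in this thread, and not HijackThis or Malwarebytes code): a Python parser for the two log formats pasted above that pulls out every DNS resolver setting together with the registry value holding it, and marks the two addresses the thread discusses. The `expected` allowlist, the private-address rule and the verdict labels are assumptions of the example.

```python
import ipaddress
import re

# The two resolver addresses discussed in this thread.
THREAD_RESOLVERS = {"85.255.112.90", "85.255.112.134"}

# HijackThis: "O17 - <key>: <value name> = ip[,ip...]"
HJT_O17 = re.compile(r"^O17 - (?P<key>.+?): (?P<value>\w+) = (?P<ips>[\d.,\s]+)$")
# Malwarebytes: "<key>\<value name> (<detection>) -> Data: ip[,ip...] -> <action>"
MBAM_DATA = re.compile(
    r"^(?P<key>HKEY_[^()]+)\\(?P<value>\w+) \((?P<det>[^)]+)\)"
    r" -> Data: (?P<ips>[\d.,\s]+?) ->"
)

# Lines 1 and 3 are taken from the logs in this thread; line 2 (a router
# address) is constructed for the example, as is mixing both logs in one text.
SAMPLE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CDB6404-E171-4CC5-91A8-E0858D7CF603}: NameServer = 85.255.112.90,85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2cdb6404-e171-4cc5-91a8-e0858d7cf603}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.90,85.255.112.134 -> Quarantined and deleted successfully.
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def resolver_findings(log_text, expected=()):
    """Return (source, registry key, value name, address, verdict) tuples."""
    expected = set(expected)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        source, m = "HijackThis", HJT_O17.match(line)
        if not m:
            source, m = "Malwarebytes", MBAM_DATA.match(line)
        if not m:
            continue  # not a resolver line (e.g. an O4 autorun entry)
        for raw in re.split(r"[,\s]+", m["ips"]):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # empty or malformed token
            if raw in THREAD_RESOLVERS:
                verdict = "named-in-thread"
            elif raw in expected or addr.is_private:
                verdict = "expected"   # assumption: LAN routers and allowlisted DNS
            else:
                verdict = "review"     # public resolver nobody vouched for
            findings.append((source, m["key"], m["value"], raw, verdict))
    return findings


def values_carrying(findings, verdict="named-in-thread"):
    """Registry value names under which addresses with this verdict were seen."""
    return sorted({value for _, _, value, _, v in findings if v == verdict})


if __name__ == "__main__":
    for row in resolver_findings(SAMPLE):
        print(row)
    print(values_carrying(resolver_findings(SAMPLE)))
```

On the sample it reports the thread's addresses under both `NameServer` and `DhcpNameServer`, the value names that appear in the HijackThis and Malwarebytes logs respectively.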

micky77

  • Guest
Re: svchost.exe application error
« Reply #14 on: April 11, 2009, 08:36:10 PM »
Can you run another quick scan (I have a feeling gaopdxcounter may return)