+- Support Forums (https://www.supportforums.net)
+-- Forum: Categories (https://www.supportforums.net/forumdisplay.php?fid=87)
+--- Forum: Virus Protection, Removals, and HJT Team (https://www.supportforums.net/forumdisplay.php?fid=56)
+---- Forum: Virus Removal, Hijack This Logs, and Support (https://www.supportforums.net/forumdisplay.php?fid=48)
+---- Thread: Svchost.exe acting weird (/showthread.php?tid=15182)
Svchost.exe acting weird - |Z3R0| - 12-30-2010
I noticed that my malwarebytes program kept blocking an IP to a varying array of addresses, but after tracing all of them with a whois lookup they seem to all be coming from China, which set off the alarm for me. I think one of my svchost.exe files is infected but am not sure if it is or not. They show up as being blocked in the logs but when I try to do a scan, Full, quick and flash scan, all come up empty. That's why I'm posting here but I wouldn't be surprised if another instance of a virus/trojan whatever was found as well. My computer has been acting weird lately...
HijackThis Results
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:31:47 AM, on 12/30/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Mega Manager] C:\Program Files\Megaupload\Mega Manager\MegaManager.exe /Tray
O4 - HKCU\..\Run: [WorkForce 520(Network)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGIA.EXE /FU "C:\Windows\TEMP\E_SEFD6.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Stardock\Fences\FencesMenu.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 5942 bytes
DDS
DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 0:17:24.54 on Thu 12/30/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3070.2182 [GMT -8:00]
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Administrator\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [Mega Manager] c:\program files\megaupload\mega manager\MegaManager.exe /Tray
uRun: [WorkForce 520(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigia.exe /fu "c:\windows\temp\E_SEFD6.tmp" /EF "HKCU"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\stardock\object desktop\iconpackager\iprepair.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\2dgukkm7.default\
FF - component: c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\2dgukkm7.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: KeyScrambler: keyscrambler@qfx.software.corporation - %profile%\extensions\keyscrambler@qfx.software.corporation
============= SERVICES / DRIVERS ===============
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-1 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-1 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-1 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-1 363344]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2010-11-22 114952]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-1 20952]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-21 136176]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2010-12-25 30312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-12-25 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-12-25 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-12-25 121576]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-12 1343400]
=============== Created Last 30 ================
2010-12-30 07:30:24 -------- d-----w- c:\users\admini~1\appdata\roaming\Uniblue
2010-12-30 07:30:12 -------- dc-h--w- c:\progra~2\~0
2010-12-28 21:41:56 -------- d-----w- c:\program files\Defraggler
2010-12-28 17:57:31 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{18ee6264-8b6b-4df2-906f-eebe11ee889b}\mpengine.dll
2010-12-25 08:41:12 -------- d-----w- c:\users\admini~1\appdata\roaming\Samsung
2010-12-25 08:40:38 96488 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2010-12-25 08:40:38 30312 ----a-w- c:\windows\system32\drivers\ssadadb.sys
2010-12-25 08:40:38 1416680 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll
2010-12-25 08:40:38 1416680 ----a-w- c:\windows\system32\drivers\WdfCoInstaller01005.dll
2010-12-25 08:40:38 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2010-12-25 08:40:38 121576 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2010-12-25 08:40:38 10344 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2010-12-25 08:40:38 10344 ----a-w- c:\windows\system32\drivers\ssadcm.sys
2010-12-25 08:40:38 10216 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2010-12-25 08:40:38 10216 ----a-w- c:\windows\system32\drivers\ssadwh.sys
2010-12-25 08:39:58 -------- d-----w- c:\progra~2\Samsung
2010-12-25 08:39:38 -------- d-----w- c:\program files\Samsung
2010-12-25 08:37:55 -------- d-----w- c:\users\admini~1\appdata\local\Downloaded Installations
2010-12-20 08:22:00 -------- d-----w- c:\users\admini~1\appdata\local\Bossland GmbH
2010-12-13 06:33:17 -------- d-----w- c:\progra~2\UDL
2010-12-13 06:30:35 77824 ----a-w- c:\windows\system32\EBAPI.dll
2010-12-13 06:30:35 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2010-12-13 06:30:35 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2010-12-13 06:30:35 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2010-12-13 06:30:35 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2010-12-13 06:28:01 457611 ----a-w- c:\windows\system32\ensppui.dll
2010-12-13 06:28:00 474892 ----a-w- c:\windows\system32\ensppmon.dll
2010-12-13 06:28:00 474892 ----a-w- c:\windows\system32\enppmon.dll
2010-12-13 06:28:00 457611 ----a-w- c:\windows\system32\enppui.dll
2010-12-13 06:28:00 249344 ----a-w- c:\windows\system32\enspres.dll
2010-12-13 06:28:00 249344 ----a-w- c:\windows\system32\enpres.dll
2010-12-13 06:28:00 -------- d-----w- c:\program files\EpsonNet
2010-12-13 06:27:36 -------- d-----w- c:\program files\common files\EPSON
2010-12-13 06:27:35 80024 ----a-w- c:\windows\system32\PICSDK.dll
2010-12-13 06:27:35 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2010-12-13 06:27:35 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2010-12-13 06:27:35 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2010-12-13 06:27:35 108704 ----a-w- c:\windows\system32\PICEntry.dll
2010-12-13 06:27:09 93696 ----a-w- c:\windows\system32\E_FLBGIA.DLL
2010-12-13 06:27:07 63488 ----a-w- c:\windows\system32\E_FD4BGIA.DLL
2010-12-13 06:26:55 -------- d-----w- c:\progra~2\EPSON
2010-12-13 06:26:36 -------- d-----w- c:\program files\Epson Software
2010-12-13 06:25:41 341504 ----a-w- c:\windows\system32\esw2ud.dll
2010-12-13 06:25:41 15872 ----a-w- c:\windows\system32\escdev.dll
2010-12-13 06:25:41 128392 ----a-w- c:\windows\system32\esdevapp.exe
2010-12-13 06:25:39 -------- d-----w- c:\program files\epson
2010-12-12 22:20:59 -------- d-----w- c:\users\admini~1\appdata\local\Logitech
2010-12-12 22:18:03 -------- d-----w- c:\program files\Ventrilo
2010-12-11 01:00:09 -------- d-----w- c:\users\admini~1\appdata\roaming\Megaupload
2010-12-11 00:59:43 -------- d-----w- c:\program files\Megaupload
2010-12-08 07:20:07 2661368 ----a-w- c:\windows\system32\drivers\BCMWL6.SYS
2010-12-08 07:19:28 -------- d-----w- c:\progra~2\Broadcom
2010-12-08 01:25:55 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-12-06 00:45:15 -------- d-----w- c:\users\admini~1\appdata\roaming\Datel
2010-12-06 00:29:24 -------- d-----w- c:\users\admini~1\appdata\local\Team_Aversion
2010-12-03 04:06:36 -------- d-----w- c:\users\admini~1\appdata\roaming\Avira
2010-12-02 08:05:32 -------- d-----w- c:\windows\pss
2010-12-02 05:24:54 -------- d-----w- c:\users\admini~1\appdata\roaming\DeviceDoctorSoftware
2010-12-02 05:15:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-02 05:15:36 -------- d-----w- c:\program files\Avira
2010-12-02 05:15:36 -------- d-----w- c:\progra~2\Avira
2010-12-02 05:09:12 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2010-12-02 05:09:12 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-12-02 05:09:12 -------- d-----w- c:\program files\SpywareBlaster
2010-12-02 05:07:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-02 05:07:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-02 05:07:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-02 04:43:40 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
==================== Find3M ====================
2010-11-22 20:49:04 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2010-11-20 06:36:24 1228416 ----a-w- c:\users\administrator\MasterCollection_CS5_LS1.exe
2010-11-13 02:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-27 04:32:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-22 11:43:18 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-22 11:43:18 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 03:00:24 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll
============= FINISH: 0:18:16.38 ===============
Thanks,
|Z3R0|
EDIT:
Here's what the malwarebytes log looks like for today...
00:04:11 Administrator MESSAGE Protection started successfully
00:04:16 Administrator MESSAGE IP Protection started successfully
01:04:51 Administrator IP-BLOCK 58.218.199.147 (Type: incoming, Port: 3246, Process: svchost.exe)
01:04:51 Administrator IP-BLOCK 58.218.199.147 (Type: incoming, Port: 3128, Process: svchost.exe)
01:20:06 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
02:15:42 Administrator IP-BLOCK 221.192.199.49 (Type: incoming, Port: 3246, Process: svchost.exe)
02:15:42 Administrator IP-BLOCK 221.192.199.49 (Type: incoming, Port: 3128, Process: svchost.exe)
03:18:37 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
04:20:56 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
07:49:11 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
08:16:04 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
10:34:14 Administrator IP-BLOCK 125.45.109.166 (Type: incoming, Port: 3246, Process: svchost.exe)
10:34:14 Administrator IP-BLOCK 125.45.109.166 (Type: incoming, Port: 3128, Process: svchost.exe)
10:48:57 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)
That's why I'm suspicious.
RE: Svchost.exe acting weird - Quintus - 12-31-2010
Greetings,
Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.
In return for this service, I propose to you two conditions:
- You are not to create any new threads regarding the similar topic as it will waste another helper's time.
- You are not to install any new software in your system, as it may hinder our process thus making this futile.
- You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
- You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
- You are to provide the complete set of requested logs.
- You are to keep all your trusted tools that the scanners may detect in a password protected archive. This is to prevent them from being deleted as we've had complaints or refusal to use the scanner for this reason.
- You are to respond to every step I ask you to do using the format provided at the end of my post.
- You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Thank you.
Genuinely yours,
Quintus
- Optional Pre-Step
With regard to my fourth condition, here are the steps on how to password protect your trusted tools momentarily. Do note that I would advise you to remove all the infections present in your system as I am not certain of the sources of these programs thereby I will not be able to verify whether they are backdoored or not.
You are doing this at your own risk.
- Create a new folder with the name of your choice.
- Gather all of your tools into that folder.
- If you do not have a file compressor, download '7-Zip' and install it.
- After doing so, navigate to the said folder and right-click.
- You are now presented with options.
- Please chose 7-Zip > Add to Archive.
- Under the Archive Name, enter any name you wish.
- Set the Archive Format to 7z.
- Set the Compression Level to Ultra.
- Under Encryption fill in the Password field twice. You can tick Show Password if you desire.
- When everything is done, click OK.
- You are now presented with options.
- Wait for some time. The waiting time is determined by the size of your files.
- 7-Zip will have produced the file for you.
- Now we test the file by Right-click > 7-Zip > Extract Here.
- A prompt asking you for the password should appear.
- Select Cancel as this is for testing purposes only.
- Now delete the other folder, empty your Recycle Bin and proceed with the instructions.
- Create a new folder with the name of your choice.
- Pre-Step
Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
- Close any open windows.
- Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
- Click the Start button to begin the cleaning process.
- Please let the program run uninterruptedly.
- Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
- Close any open windows.
- Prerequisite
If you are having a problem running HijackThis as Administrator, please follow the steps below.
- Go to My Computer and navigate to your default disc drive (C: is the most common).
- Go to Program Files > Trend Micro > HijackThis.
- Right-click HiJackThis.exe and run it as Administrator.
- Go to My Computer and navigate to your default disc drive (C: is the most common).
- Step 1
Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
- Double-click esetsmartinstaller_enu.exe to execute the program.
- Tick 'YES, I accept the Terms of Use'.
- Click 'Start'.
- If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
- Database download may take some time.
- When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
- Scan for potentially unwanted applications
- Enable Anti-Stealth Technology
- Scan for potentially unwanted applications
- Click 'Start'.
- Wait for the scan to finish.
- Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
- Copy and paste that log as a reply to this topic.
- Double-click esetsmartinstaller_enu.exe to execute the program.
- In your next post, please provide the following:
- A Fresh HijackThis (HJT) Log
- Deckard's System Scanner (DDS) Logs
- DDS.txt
- Attach.txt
- DDS.txt
- A Fresh HijackThis (HJT) Log
- ESET Scan Log
- Format of Response
As part of my service terms, you are to fill this up every time you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.
Step #1: Change the number accordingly.
Problems Encountered: Put N/A if the operation went smoothly.
Link To Requested Logs: Post the links to the logs I have asked you to produce.
Example: (Click to View)
- Code:
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Link To Requested Logs:[/b][/color]
RE: Svchost.exe acting weird - |Z3R0| - 12-31-2010
Step #1
Problems Encountered: Unexpected Error 2002
It still made a log.txt but all it had in there was this...
Code:
ESETSmartInstaller@High as downloader log:
all okLink To Requested Logs:
HijackThis Log
DDS.txt Log
Attach.txt
Thanks,
|Z3R0|
---
EDIT: I reran the ESET program and it seems to be working now. I'll update my post again soon with the log it gives.
---
EDIT2: Here's the updated log from ESET...
ESETLog.txt
RE: Svchost.exe acting weird - Quintus - 01-01-2011
- Step 2
System Restore maintains a backup of your programs however it may also backup infections therefore constant flushing is required to create a clean Restore Point.
- On the Start Menu, right-click Computer > Properties > System Protection.
- Click Configure.
- Click Delete > Continue > OK.
- You are now back at the System Protection Tab.
- Click Create > <Any Title Here> > Create.
- A prompt should tell you that it was successful. Click Close.
- Click OK.
- System Restore will be working again and will have a new Restore Point.
- On the Start Menu, right-click Computer > Properties > System Protection.
- Step 3
Besides compromising network security, their association with illegal file-sharing creates legal liabilities for their employers. More often than not, companies aren't aware of software license violations and other infractions their workers commit through file-sharing.
More from 'this' article.
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer. Your system is at risk. Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
I strongly recommend that you uninstall the following program(s) present in your system through Add or Remove Programs for Windows XP and Programs and Features for Vista and Windows 7:
- Vuze
Note: If you choose not to remove the program(s), please do not use them until this computer is clean.
Here is the list of Safe and Unsafe P2P Programs.
Clean
- Ares
- Azureus 2.5.0.0
- BitComet
- Bittorrent
- E-Mule
- Frostwire
- Limewire
- µTorrent
Unsafe- Ares
- Azureus Vuze
- BearShare
- Bitlord
- BittorrentUltra
- iMesh
You can see more of that 'here'.- Azureus Vuze
- Step 4
Looking at your log, I have seen that you have the program(s) below installed. I highly suggest a removal through Add or Remove Programs or Programs and Features. I am asking you this for I have seen negative feedback from users. Should the program(s) in question be utterly clean, no such comment should be seen. Take this as a pre-cautionary measure. Better safe than sorry.
The list below shows the program(s) with poor or flawed reputation that you currently have installed in your system:
- Akamai NetSession Interface
Please respond back if you encounter difficulties uninstalling the program(s).
- Comments:
- Is it still logging those connections? Also, would you consider yourself to be a typical Internet user or advanced?
RE: Svchost.exe acting weird - |Z3R0| - 01-01-2011
Step 2
Problems Encountered:N/A
Step 3
Problems Encountered:N/A
Step 4
Problems Encountered:N/A
I have removed all of the programs you had asked of. I wasn't using them anyways, I used them once then forgot to uninstall them I believe. To answer your question, yes, malwarebytes is still logging it almost everyday. It seems to be at very random times that I get the block notifications and some days I wont get one while other days I'll get a dozen. Also, yes I would consider myself an advanced internet user.
Thanks,
|Z3R0|
RE: Svchost.exe acting weird - Quintus - 01-01-2011
- Comments:
- It appears as if you have a Chinese malware in your system, which I was unable to find. However, that should be logged as outgoing if so. It is safest to assume that you are under attack. That IP Address is known to have done so.
- Step 5
Please download Combofix from one of the following locations:
'Link 1'
'Link 2'
**IMPORTANT!**
Let me give you a warning beforehand. I am instructing you to use one of the most powerful removal tool created. A simple mistake of running ComboFix without a helper's advice might render your machine unbootable. Do note that the steps below are crucial for the success of the clean-up you are currently undergoing. If by any chance you failed to meet any of them, I can almost guarantee a dreadful occurrence happening. See to it that you read the instructions first up to the very end and follow them accordingly after to ensure the best possible performance.
- Save ComboFix to your Desktop.
- Disable your anti-virus and anti-spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix. If you have difficulty properly disabling your protective programs, refer to 'this' link.
- Double-click ComboFix.exe and follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery or repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
- If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
![[Image: RcAuto1.gif]](http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
- Save ComboFix to your Desktop.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
![[Image: whatnext.png]](http://img.photobucket.com/albums/v706/ried7/whatnext.png)
- Click on Yes, to continue scanning for malware.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Reminders:
- Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
- Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
- ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
- ComboFix prevents autorun of all CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you - please tell me.
- ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
- In your next post, please provide the following:
- ComboFix Log
- Format of Response
Code:[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Step #[/b][/color]
[color=#FFD700][b]Problems Encountered:[/b][/color]
[color=#00BFFF][b]Link To Requested Logs:[/b][/color]
RE: Svchost.exe acting weird - |Z3R0| - 01-02-2011
Step #
Problems Encountered: Came up with two errors, the first didn't surprise me. Told me I needed to "uninstall" AVG, it was the next one I wasn't expecting. It popped up right after the first error...
Code:
ASSERT:Pointer is NULL...
(webget.c/2726)I wasn't sure if that was related to the AVG running or not but I would rather wait and get your say in this rather than just uninstalling AVG and rerunning the program.
Thanks,
|Z3R0|
RE: Svchost.exe acting weird - Quintus - 01-02-2011
It is a C++ error. It's either your copy of AVG is corrupt, or you had it running when ComboFix was supposed to run. As stated, you must disable it. If disabling it still does not make ComboFix work (please try this only once), I would advise removing it for the moment. If you have difficulties uninstalling it through the default uninstaller, please download this tool. Run ComboFix only once. If errors still arise, download a fresh copy of AVG here and install it. Note that this is an online installer. Get back to me after.
RE: Svchost.exe acting weird - |Z3R0| - 01-02-2011
Step
Problems Encountered: N/A
Link To Requested Logs: ComboFix.txt
My computer seems to be running much more smoothly, so I think that fixed it. I'll post back if I get another IP block from Malwarebytes but I got a feeling that tool got rid of the problem.
Thanks,
|Z3R0|
---
EDIT: Well a good two hours after my first post, I got a...
Code:
14:04:02 Administrator IP-BLOCK 222.186.13.212 (Type: incoming, Port: 3246, Process: svchost.exe)RE: Svchost.exe acting weird - Quintus - 01-03-2011
- Step 6
Now we will uninstall ComboFix and remove its files. They may prove harmful to your system if unused without supervision therefore I will instruct you to remove it.
Windows Vista and Windows 7:- Click the Windows Orb (Start).
- In the search box type Run and click the program that comes up.
- Type ComboFix /Uninstall > OK. Or simply copy the emphasized text.
- Click the Windows Orb (Start).
- Comments:
- We will deal with the rouge IP Address in a bit.
Did you install AVG again?
- We will deal with the rouge IP Address in a bit.