Svchost.exe Issues

Hi


Bitdefender reports these problems.


Remaining issues (Object Name / Threat Name / Final Status):

<system>=>C:\WINDOWS\system32\svchost.exe (memory dump) | BehavesLike:Win32.IRC-Backdoor | Disinfect Failed

<system>=>C:\WINDOWS\system32\svchost.exe (full dump) | BehavesLike:Win32.IRC-Backdoor | Disinfect Failed

<system>=>C:\WINDOWS\system32\svchost.exe (memory dump) | Generic.Malware.G!WX!!g.69467997 | Disinfect Failed


Any idea what I should do?


NB: svchost.exe appears to be changing the registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Value name: RestrictAnonymous

I set it to 0 and within 2 or 3 minutes it's back to 1.


(I'm changing this setting because this PC is restricting access to its network shares and I can't seem to stop it doing this. They can be accessed as a mapped network drive though!)


Yours hopefully

Comments

  • Hello strangebluehuman


    Perform another BitDefender update and see if it's still being detected. That is the legit Windows process. It could be that this false positive is already fixed.


    Best regards


    Niels

  • svchost.exe is a legitimate process, but it's sort of a "loader" rather than a stand-alone application: it is actually running code from other modules.


    Please post a HijackThis log and we'll see what files we need to study.

  • svchost.exe is a legitimate process, but it's sort of a "loader" rather than a stand-alone application: it is actually running code from other modules.


    Please post a HijackThis log and we'll see what files we need to study.


    I have 3 problems, 2 the same as his; maybe they are all connected, who knows. Any help and/or ideas would be most appreciated. TIA


    Remaining issues (Object Name / Threat Name / Final Status):

    D:\System Volume Information\_restore{1E8B7D7D-85CD-4BBE-8FB4-CEED3F2D355E}\RP3\A0016649.exe=>(NSIS o)=>lzma_nsis0019 | Backdoor.Pcclient.GV | Delete Failed (file was in an archive)

    <system>=>C:\WINDOWS\system32\svchost.exe (memory dump) | BehavesLike:Win32.IRC-Backdoor | Disinfect Failed

    <system>=>C:\WINDOWS\system32\svchost.exe (full dump) | BehavesLike:Win32.IRC-Backdoor | Disinfect Failed


    Logfile of HijackThis v1.99.1


    Scan saved at 12:12:13 AM, on 11/23/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16544)


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe


    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\Program Files\Prevx2\PXConsole.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\Program Files\Picasa2\PicasaMediaDetector.exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Prevx2\PXAgent.exe


    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Secure Tunnel\stunnel.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?wa=wsignin...px&id=64855


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080


    O1 - Hosts: 127.0.0.60 st-Colossus-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.61 st-Adt-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.62 st-text-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.63 st-Exe-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.64 st-Mp3-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.65 st-Multimedia-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.66 st-Images-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.67 st-news-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.68 st-Unlimited.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.69 st-a.dult-east.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.70 st-terrific.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.30 st-Goliath-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.31 st-a.dult-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.32 st-Text-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.33 st-Exe-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.34 st-Mp3-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.35 st-Multimedia-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.36 st-Images-west.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.37 st-Family.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.42 st-news.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.43 st-nolimit.newsfeeds.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.89 st-nolimit.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.80 st-Colossus-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.81 st-Adt-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.82 st-Text-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.83 st-Exe-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.84 st-Mp3-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.85 st-Multimedia-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.86 st-Images-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.87 st-Family.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.88 st-news-west.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.89 st-nolimit.usenet.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.2 smtp.secure-tunnel.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.0.2 pop3.secure-tunnel.com #rs4u_uninstall_mark


    O1 - Hosts: 127.0.1.254 nfupdate.secure-tunnel.com #rs4u_uninstall_mark


    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless


    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


    O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Ringz Studio\Storm Codec\QTTask.exe" -atboottime


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"


    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: BlueSoleil.lnk = ?


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O11 - Options group: [iNTERNATIONAL] International*


    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase4009.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194311434360


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194579844843


    O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AXSafeControls.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab


    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = China.nypro.com


    O17 - HKLM\Software\..\Telephony: DomainName = China.nypro.com


    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = China.nypro.com


    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = China.nypro.com


    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)


    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL (file missing)


    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL


    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)


    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe


    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)


    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)


    O23 - Service: PREVXAgent - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)


    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe


    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe


    O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)


    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service (file missing)


    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    Attachment: hijackthis.txt

  • Dear kilroy238


    Fix these entries in hijackthis:


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O4 - HKLM\..\Run: [stormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti


    Press on fix checked and confirm the message.


    To see what modules are currently loaded in svchost, please do this: go to Start, Run, type cmd, press Enter, and now type:

    tasklist /svc /fi "IMAGENAME eq svchost.exe"

    Press Enter. That works only on Windows XP Professional.

    Otherwise download Process Explorer.

    Unzip it. Double-click on procexp and agree to the disclaimer.

    Now double-click on a svchost.exe entry and click on Services. Now you will see the services that are currently loaded.

    Now do this: go to Start, Run, type regedit, expand HKEY_LOCAL_MACHINE and the following folders and subfolders: SYSTEM, CurrentControlSet, Services. You have to expand the folders on the left by clicking on the + icon; you will see a folder called Parameters. You will now see which file is being loaded; that information is written after ServiceDll.


    Best regards


    Niels
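One way to do what Niels describes above in a single pass, as an added example that is not from the forum thread, from BitDefender or from Microsoft: the script below lists every running service hosted inside svchost.exe, reads the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters for each one, and flags anything whose DLL is missing, sits outside %SystemRoot%, or does not carry a valid Authenticode signature. It assumes a current Windows release with PowerShell 3 or later, run from an elevated prompt (the Windows XP machines in these logs would need the manual tasklist /svc and regedit steps instead); the report column names are my own.

```powershell
# Added example (not from the forum post): enumerate services hosted by svchost.exe,
# resolve the DLL each one loads, and flag the ones worth a closer look.
# Assumes PowerShell 3+ on a current Windows release, run from an elevated prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

# Running services whose image is svchost.exe (ProcessId 0 means the service is stopped).
# This is the same PID-to-service pairing that tasklist /svc prints.
$hosted = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*svchost.exe*' -and $_.ProcessId -ne 0 }

$report = foreach ($svc in $hosted) {
    # A svchost-hosted service names its code in <service>\Parameters, value ServiceDll.
    $paramsKey = "$servicesKey\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    $flags = @()
    if (-not $dll) {
        $flags += 'no ServiceDll value'
    }
    elseif (-not (Test-Path -LiteralPath $dll)) {
        $flags += 'ServiceDll file missing'
    }
    else {
        if ($dll -notlike "$systemRoot\*") { $flags += 'ServiceDll outside %SystemRoot%' }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    }
    # The genuine host process is always %SystemRoot%\System32\svchost.exe; any other
    # location means the process itself, not just a DLL, is the thing to examine.
    if ($svc.PathName.TrimStart('"') -notlike "$systemRoot\System32\svchost.exe*") {
        $flags += 'svchost image outside System32'
    }

    [pscustomobject]@{
        PID        = $svc.ProcessId
        Service    = $svc.Name
        Group      = if ($svc.PathName -match '-k\s+(\S+)') { $Matches[1] } else { '' }
        ServiceDll = $dll
        Flags      = ($flags -join '; ')
    }
}

# Full picture first, then only the rows that need attention.
$report | Sort-Object PID, Service | Format-Table -AutoSize
$report | Where-Object { $_.Flags } | Format-List
```

A flag is a triage pointer, not a verdict: on PowerShell versions before 4.0, Get-AuthenticodeSignature reports NotSigned for catalog-signed system DLLs, so a signature flag on a file under System32 means "verify against the catalog or a known-good copy", while a ServiceDll that points outside %SystemRoot% or to a file that no longer exists is the kind of entry Niels's manual regedit check is meant to surface.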

  • I am also having a similar problem wherein svchost seems to be changing my reg key for RestrictAnonymous every time I try to set it to 0. I ran a BD scan as well as a HijackThis scan, then finished off with a jpg of the svchost runs. BD does see svchost as malware, even after updating BD. Here are my findings:


    BD10 Log


    -----------


    //-----------------------------------------------------------------
    //
    //    Product BitDefender Antivirus v10
    //    Product 10.2
    //
    //    Created on:    27/11/2007    16:25:45
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path    : C:\
    Folders    : 2853
    Files    :  17592
    Memory processes scanned    : 31
    Archives    : 51
    Runtime packers    : 1943
    Identified viruses    : 3
    Infected files    : 2
    Memory processes infected    : 2
    Suspect files    : 0
    Warnings    : 0
    Disinfected files    : 0
    Deleted files    : 1
    Moved files    : 0
    I/O errors    : 7
    Scan time    : 00:09:56
    Scan speed (files/sec)    : 29

    Spyware Statistics

    Registry keys scanned        : 1818
    Registry keys infected        : 0
    Cookies scanned            : 0
    Cookies infected        : 0
    Spyware files infected            : 0
    Spyware threats detected    : 0


    Virus definitions    : 956855
    Scan plugins    : 16
    Archive plugins    : 41
    Unpack plugins    : 7
    Mail plugins    : 6
    System plugins    : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [ ] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [X] Programs
    [ ] All files
    [ ] User defined extensions:
    [ ] Exclude extensions:;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [ ] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1196209545.log

    Spyware scan options

    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    Summary:

    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Infected: Generic.Malware.G!WX!!g.69467997
    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Disinfection failed
    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Move failed
    <System>=>C:\WINDOWS\system32\svchost.exe (full dump)    Infected: Generic.Sdbot.D645F474
    <System>=>C:\WINDOWS\system32\svchost.exe (full dump)    Deleted
    <System>    Archive repacking successfully completed (actions successfully applied)
    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Infected: BehavesLike:Win32.IRC-Backdoor
    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Disinfection failed
    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump)    Move failed
    <System>=>C:\WINDOWS\system32\svchost.exe (full dump)    Infected: BehavesLike:Win32.IRC-Backdoor
    <System>=>C:\WINDOWS\system32\svchost.exe (full dump)    Disinfection failed
    <System>=>C:\WINDOWS\system32\svchost.exe (full dump)    Move failed


    HiJack This Log


    -----------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:40:34 PM, on 11/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Synergy\synergyc.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Softwin\BitDefender10\bdlite.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
    O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Synergy Client - Unknown owner - C:\Program Files\Synergy\synergyc.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 3514 bytes


    and finally SVCHOST Services:


    svcrun.jpg

  • onlywiseman
    edited November 2007

    Me again


    I got infected with another malware/virus/etc. on another computer.


    First I thought it was the "MSN virus".


    However, I think I am getting this infection message every time I scan the computer manually after I have updated the OS, which is WinXP Pro. Unfortunately, I am not sure what file or program was updated before everything was "non-infectious".


    Any solutions? Or is it a false alarm?


    The following are the Bitdefender 10 log and the HijackThis log.


    Thanks


    //-----------------------------------------------------------------


    //


    // Product BitDefender Antivirus Plus v10


    // Product 10.2


    //


    // Created on: 28/11/2007 20:00:18


    //


    //-----------------------------------------------------------------


    Virus Statistics


    Scan path : C:\


    D:\


    E:\


    Folders : 12533


    Files : 63554


    Memory processes scanned : 42


    Archives : 8


    Runtime packers : 6328


    Identified viruses : 1


    Infected files : 1


    Memory processes infected : 1


    Suspect files : 0


    Warnings : 0


    Disinfected files : 0


    Deleted files : 0


    Moved files : 0


    I/O errors : 9


    Scan time : 00:18:29


    Scan speed (files/sec) : 57


    Spyware Statistics


    Registry keys scanned : 2091


    Registry keys infected : 0


    Cookies scanned : 529


    Cookies infected : 0


    Spyware files infected : 0


    Spyware threats detected : 0


    Virus definitions : 814470


    Scan plugins : 16


    Archive plugins : 40


    Unpack plugins : 6


    Mail plugins : 6


    System plugins : 5


    Virus scan options


    Detection


    [X] Scan boot sectors


    [X] Memory Processes


    [ ] Scan archives


    [X] Scan runtime packers


    [X] Scan email


    File mask


    [X] Programs


    [ ] All files


    [ ] User defined extensions:


    [ ] Exclude extensions: ;


    Action


    Infected objects


    [ ] Ignore


    [X] Disinfect


    [ ] Delete


    [ ] Move to quarantine


    [ ] Prompt user


    Second action


    [ ] Ignore


    [ ] Delete


    [X] Move to quarantine


    [ ] Prompt user


    Virus scan options


    [X] Enable warnings


    [ ] Enable heuristics


    [ ] Show all files in log


    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1196298018.log


    Spyware scan options


    [X] Scan for riskware


    [ ] Skip dial and applications from scan


    [X] Registry keys


    [X] Cookies


    Summary:


    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump) Infected: BehavesLike:Win32.IRC-Backdoor


    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump) Disinfection failed


    <System>=>C:\WINDOWS\system32\svchost.exe (memory dump) Move failed


    <System>=>C:\WINDOWS\system32\svchost.exe (full dump) Infected: BehavesLike:Win32.IRC-Backdoor


    <System>=>C:\WINDOWS\system32\svchost.exe (full dump) Disinfection failed


    <System>=>C:\WINDOWS\system32\svchost.exe (full dump) Move failed


    Logfile of HijackThis v1.99.1


    Scan saved at 5:24:55 PM, on 11/28/2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16544)


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe


    C:\WINDOWS\system32\CTHELPER.EXE


    C:\Program Files\Microsoft IntelliType Pro\itype.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe


    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe


    C:\Program Files\Logitech\SetPoint\SetPoint.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE


    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE


    C:\WINDOWS\system32\PnkBstrA.exe


    C:\WINDOWS\system32\PnkBstrB.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    C:\WINDOWS\system32\conime.exe


    D:\Storage\HijackThis.exe


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32


    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC


    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName


    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe


    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r


    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE


    O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r


    O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE


    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"


    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE


    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"


    O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background


    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"


    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe


    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe


    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe


    O4 - Global Startup: Logitech SetPoint.lnk = %ProgramFiles%\Logitech\SetPoint\SetPoint.exe


    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html


    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html


    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL


    O11 - Options group: [iNTERNATIONAL] International*


    O15 - Trusted Zone: http://free.aol.com


    O15 - Trusted Zone: http://www.msi.com.tw


    O15 - Trusted Zone: http://*.wedisk.co.kr


    O15 - Trusted Zone: http://*.wedisk.net


    O16 - DPF: {00001025-B831-448B-9ABD-3D3DF187F359} (DaumGameStarter25 Class) - http://download.netmarble.com/web/nmstarte...meStarter25.cab


    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab


    O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworld.com/ImageUpload/CyIm...pload_10217.cab


    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab


    O16 - DPF: {118FAE88-BC23-4A74-B17A-64184362BCC7} (plueclear Control) - http://update.plusclear.com/activex/plueclearP.cab


    O16 - DPF: {1DE9BB01-B121-401D-8877-BCD5ED5B7EE5} (Tpwin Control) - http://www.crezio.com/test/leeyunho/AlwaysOn/AlwaysOn.CAB


    O16 - DPF: {32D94A9F-9A18-4E12-863D-8AABA8CBDA78} (NateOnMMSAtx3 Class) - http://sms.nate.com/NateOnMMS_AX3.cab


    O16 - DPF: {3EFC2239-B769-469F-A5E6-38693AE0B9DE} (Sysinfo2 Control) - http://speed.nia.or.kr/login/sysinfo2.cab


    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189657262109


    O16 - DPF: {66BA777F-C4FE-4EB1-959C-3BFBFD3FEFB2} (AxHttpTest Control) - http://speed.nia.or.kr/cptest/AxHttpTest.cab


    O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189657252390


    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab


    O16 - DPF: {8FA141C5-29D7-4408-A57B-619C463ED7BB} (Cychannel_Club1_10.UserControl1) - http://club.cyworld.com/cychannel_club/Cyc...lubmain1_11.CAB


    O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10


    O16 - DPF: {A1832535-5218-42F9-8959-19E2BCABFABF} (INIwallet50 Control) - http://plugin.inicis.com/wallet50/INIwallet50.cab


    O16 - DPF: {B8C4B31D-6DCE-4DF0-BF73-44686849F67D} (PDRInst1 Class) - http://imgcdn.pandora.tv/pan_img/p3player/...age/pdrinst.cab


    O16 - DPF: {C193DE20-29F4-4B4F-963B-EB20CB3186C0} (SpeedTest Control) - http://speed.nia.or.kr/speedtest/SpeedTest.cab


    O16 - DPF: {DA54C9C1-8109-43C9-9C80-E4210CEDF147} (EzwonSession Control) - http://www.wedisk.co.kr/app/EzwonSessionCtl.cab


    O16 - DPF: {E75386B4-C629-11DB-8338-444553544200} (PcubeSet Class) - http://cyimg7.cyworld.nate.com/cymusic/package/cyinstal.cab


    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL


    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL


    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)


    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)


    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

  • I have the exact same problem with the same types of infections!!! But in two different computers (posted in the forum already).


    I hope this is a false alarm... I don't wanna wipe the hard disk... *sigh*

  • Hi


    Bitdefender reports these problems.


    Remaining issues:Object Name Threat Name Final Status


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) BehavesLike:Win32.IRC-Backdoor Disinfect Failed


    [system]=]C:\WINDOWS\system32\svchost.exe (full dump) BehavesLike:Win32.IRC-Backdoor Disinfect Failed


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) Generic.Malware.G!WX!!g.69467997 Disinfect Failed


    Any idea what I should do?


    NB: svchost.exe appears to be changing the registry entry


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa


    Value name: RestrictAnonymous


    I set it to 0 & within 2 or 3 minutes it's back to 1.


    (I'm changing this setting because this PC is restricting access to its network shares & I can't seem to stop it doing this.) (They can be accessed as a mapped network drive though!)


    Yours hopefully


    I am having a similar problem. :unsure:


    My Report is just limited to the "C:\WINDOWS\system32\svchost.exe (memory dump) Generic.Malware.G!WX!!g.69467997 Disinfect Failed" Message, though.


    I've read through the whole post and would like some further clarification if at all possible. I always thought svchost.exe was a general Windows process and not Malware. If anybody has any further information, please take the time to post suggestions here.


    Unlike the quoted member, I am not certain if svchost.exe is somehow changing any of my registry entries.


    I'd like to thank any of you that post in advance.

  • Deirdre
    edited November 2007

    *bump*

  • Hey hey folks ...


    I'm back to post yet again. Bitdefender seems to be growing on me and Windows is showing a little more love as it seems ... you'll be able to tell by the following. My "problems" have expanded and now match those of the original poster.


    Remaining issues:


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) BehavesLike:Win32.IRC-Backdoor Disinfect Failed


    [system]=]C:\WINDOWS\system32\svchost.exe (full dump) BehavesLike:Win32.IRC-Backdoor Disinfect Failed


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) Generic.Malware.G!WX!!g.69467997 Disinfect Failed


    As stated before, prior to this little sweep, merely the 3rd message was appearing on the report.


    I'm wondering if anyone has been able to resolve the issue? -_-


    Peace

  • same for me:


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) Generic.Malware.G!WX!!g.69467997 Disinfect Failed


    but I also get ntsecurity.exe getting blocked by Scotty as a new startup program... is ntsecurity.exe safe or not?


    Thanks


    L.

  • I am having the same problem with this Generic.Malware.G!WX!!g.69467997 - no action possible. What can be done about it? Anything?

  • In reference to the G!WX!!g.69467997 post from earlier, I did a HijackThis scan and here is the log:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 11:31:31 AM, on 1/2/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16574)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe


    C:\Program Files\Spyware Doctor\svcntaux.exe


    C:\Program Files\Spyware Doctor\swdsvc.exe


    C:\Program Files\Seagate\Sync\SeaSyncServices.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    C:\WINDOWS\system32\wdfmgr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe


    C:\WINDOWS\System32\alg.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Spyware Doctor\SDTrayApp.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\WINDOWS\system32\taskswitch.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\System32\svchost.exe


    C:\PROGRA~1\Mozilla Firefox\firefox.exe


    C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE


    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL


    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL


    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe


    O4 - HKLM\..\Run: [sDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe


    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html


    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html


    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O15 - Trusted Zone: http://sef.mlxchange.com


    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188661730156


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe


    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe


    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe


    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe


    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe


    O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe


    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 8595 bytes
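One way to triage a HijackThis log like the one above, as an added example that is neither from the thread nor from HijackThis itself: a small Python parser that reads lines in the same log format and flags the entries a responder would check first (an svchost.exe running from anywhere other than System32, an O4 startup entry that names only a bare file, and entries marked "(file missing)"). The sample log below is constructed to mirror the entry kinds in the thread; the non-System32 svchost.exe path in it is made up.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 log format, mirroring the entry kinds in
# the thread's logs; the non-System32 svchost.exe path is made up.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\Local Settings\svchost.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SECTION_RE = re.compile(r"^[RO]\d+ - ")   # first R/O entry ends the process list
SYSTEM32 = r"c:\windows\system32"

def first_token(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each log line worth a closer look to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_RE.match(line):
            in_processes = False
        reasons: List[str] = []
        # The genuine svchost.exe lives in System32; the same name elsewhere is not it.
        if in_processes and line.lower().endswith(r"\svchost.exe"):
            if line.rsplit("\\", 1)[0].lower() != SYSTEM32:
                reasons.append("svchost.exe running from outside System32")
        m = O4_RE.match(line)
        if m:
            if "\\" not in first_token(m.group("cmd")):
                reasons.append("startup entry names a bare file, so what actually runs cannot be verified")
            if r"policies\explorer\run" in m.group("key").lower():
                reasons.append("uses the Policies\\Explorer\\Run key, rarely used by ordinary installers")
        if line.endswith("(file missing)"):
            reasons.append("points at a file that no longer exists; stale entry worth confirming")
        if reasons:
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n   -> " + "\n   -> ".join(why))
```

The flagged lines are a starting point for checking file origin and signatures, not a verdict; a bare-name O4 entry in particular only tells you which file name is run, not which file.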

  • I also had, and probably still have, problems with svchost.exe.


    I installed Avira and it detected some dropper (probably a false positive) in svchost.


    In the past I also had problems with it.