Malicious script running via svchost.exe: What's the cause?

Post by kuna86 » April 21st, 2011, 9:56 pm

I have a malicious script running on my computer.
The symptoms:
1. The dialog "Just-In-Time debugging" keeps popping up every couple of seconds with the message "An unhandled exception ('Script Breakpoint') occurred in svchost.exe". When I open the debugger it shows a break in the middle of ordinary web-page JavaScript code, each time a different page with a different URL. Of course, none of my browsers is open at the moment.
2. Process Explorer shows that one of the svchost.exe instances running under the System account is constantly busy, taking 3% to 20% of processor time.
It also shows that it has established connections with up to 8 Internet hosts.
3. One of the recent events shows "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."
4. I ran HiJackThis, fsbl.exe, and even ComboFix, which used to help me resolve issues before, but none of them shows any problem.

I hope someone could help me investigate the problem or at least point me to the right direction. Thanks!
Here is the DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by alex at 15:00:21.89 on Thu 04/21/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2310 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\MI4F93~1\webtool.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
E:\WinTips\HiJackThis\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = hxxp://www1.ca.dell.com/content/default ... l=en&s=gen
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = localhost:8000
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
IE: Download ALL with IDA
IE: Download with IDA
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
TCP: {3B5206D3-8BF8-450E-A0FE-C345B6060B5E} = 64.201.167.193,207.54.98.226
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\4hwu8obz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\alex\application data\mozilla\firefox\profiles\4hwu8obz.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\alex\application data\mozilla\firefox\profiles\4hwu8obz.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Live HTTP Headers: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} - %profile%\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: JavaScript Debugger: {f13b157f-b174-47e7-a34d-4815ddfdfeb8} - %profile%\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
FF - Ext: Freecorder Community Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - %profile%\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2007-11-6 5248]
R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2007-1-29 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2007-1-29 5248]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-23 20328]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe [2002-7-30 573440]
R2 WebTool;WebTool;c:\progra~1\mi4f93~1\webtool.exe [2010-10-14 705024]
R3 NAVAP;NAVAP;c:\program files\symantec_client_security\symantec antivirus\Navap.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110419.003\NAVENG.sys [2011-4-19 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110419.003\NAVEX15.sys [2011-4-19 1393144]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2008-11-4 120472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2007-11-6 160640]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
.
=============== Created Last 30 ================
.
2011-04-20 22:33:45 -------- d-----w- C:\Case
2011-04-20 14:51:07 -------- d-sha-r- C:\cmdcons
2011-04-20 04:06:11 98816 ----a-w- c:\windows\sed.exe
2011-04-20 04:06:11 89088 ----a-w- c:\windows\MBR.exe
2011-04-20 04:06:11 256512 ----a-w- c:\windows\PEV.exe
2011-04-20 04:06:11 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 04:06:06 -------- d-----w- C:\ComboFix
2011-04-20 00:13:37 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-20 00:13:37 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-04 22:44:43 -------- d-----w- c:\docume~1\alex\applic~1\Microsoft FxCop
2011-04-04 22:22:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Microsoft Visual Studio
2011-04-04 17:05:36 -------- d-----w- c:\docume~1\alex\applic~1\Microsoft Corporation
2011-04-04 16:59:38 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-04-04 16:59:36 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-04 16:58:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2011-04-04 16:55:39 -------- d-----w- c:\program files\Microsoft ASP.NET
2011-04-04 16:55:31 -------- d-----w- c:\program files\IIS
2011-04-04 16:50:41 18368 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vsa\9.0\1033\ResourceCache.dll
2011-04-04 16:50:39 2313152 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\visualstudio\10.0\1033\ResourceCache.dll
2011-04-04 16:47:25 -------- d-----w- c:\program files\Microsoft F#
2011-04-04 16:47:24 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-04-04 16:47:24 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-03-24 15:50:11 -------- d-----w- c:\program files\Sun
2011-03-24 15:50:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-24 15:50:07 411368 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-24 15:50:07 411368 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
==================== Find3M ====================
.
2011-04-18 17:17:59 70656 ----a-w- c:\windows\system32\SSTree.oca
2011-04-18 17:17:59 52224 ----a-w- c:\windows\system32\comct232.oca
2011-03-12 02:56:09 256 ----a-w- c:\windows\system32\pool.bin
2007-09-12 00:32:38 520192 ----a-w- c:\program files\WinDjView-0.5.exe
2007-03-13 16:29:07 454656 ----a-w- c:\program files\putty.exe
2000-12-09 02:35:10 154115 ----a-w- c:\program files\ATOMTIME.EXE
.
============= FINISH: 15:01:08.62 ===============

///////////////////////
Attach.txt
///////////////////////

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/21/2006 6:59:02 PM
System Uptime: 4/21/2011 2:53:56 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0DT031
Processor: Intel(R) Xeon(R) CPU 5150 @ 2.66GHz | Microprocessor | 2660/1333mhz
Processor: Intel(R) Xeon(R) CPU 5150 @ 2.66GHz | Microprocessor | 2660/1333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 8.187 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 77 GiB total, 15.086 GiB free.
F: is FIXED (NTFS) - 117 GiB total, 34.636 GiB free.
I: is CDROM ()
K: is FIXED (NTFS) - 699 GiB total, 326.431 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\81C38089D100
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\81C38089D100
Service: NIC1394
.
Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Plug and Play BIOS Extension
Device ID: ROOT\SYSTEM\0004
Manufacturer: (Standard system devices)
Name: Plug and Play BIOS Extension
PNP Device ID: ROOT\SYSTEM\0004
Service: a347bus
.
==== System Restore Points ===================
.
RP1283: 3/24/2011 10:01:04 AM - System Checkpoint
RP1284: 3/24/2011 10:49:28 AM - Installed Java(TM) SE Development Kit 6 Update 20
RP1285: 3/24/2011 10:49:59 AM - Installed Java(TM) 6 Update 20
RP1286: 3/25/2011 3:12:00 PM - System Checkpoint
RP1287: 3/26/2011 3:52:55 PM - System Checkpoint
RP1288: 3/27/2011 3:54:00 PM - System Checkpoint
RP1289: 3/28/2011 4:17:02 PM - System Checkpoint
RP1290: 3/29/2011 8:15:53 PM - System Checkpoint
RP1291: 3/30/2011 9:57:38 PM - System Checkpoint
RP1292: 3/31/2011 10:52:55 PM - System Checkpoint
RP1293: 4/1/2011 11:56:54 PM - System Checkpoint
RP1294: 4/3/2011 1:51:50 AM - System Checkpoint
RP1295: 4/4/2011 10:48:35 AM - System Checkpoint
RP1296: 4/4/2011 10:19:37 AM - System Checkpoint
RP1297: 4/4/2011 12:40:29 PM - Installed Windows XP KB942288-v3.
RP1298: 4/4/2011 12:40:52 PM - Installed Windows XP KB958655-v2.
RP1299: 4/5/2011 10:37:50 AM - Installed Windows Media Player 11
RP1300: 4/6/2011 3:23:22 PM - System Checkpoint
RP1301: 4/7/2011 8:17:01 PM - System Checkpoint
RP1302: 4/8/2011 8:47:01 PM - System Checkpoint
RP1303: 4/10/2011 6:47:46 AM - System Checkpoint
RP1304: 4/11/2011 7:47:20 AM - System Checkpoint
RP1305: 4/12/2011 9:39:43 AM - System Checkpoint
RP1306: 4/13/2011 9:48:26 AM - System Checkpoint
RP1307: 4/14/2011 9:55:45 AM - System Checkpoint
RP1308: 4/15/2011 1:53:24 PM - System Checkpoint
RP1309: 4/16/2011 2:47:20 PM - System Checkpoint
RP1310: 4/17/2011 2:48:25 PM - System Checkpoint
RP1311: 4/18/2011 9:36:22 PM - System Checkpoint
RP1312: 4/19/2011 8:11:58 PM - Restore Operation
RP1313: 4/19/2011 9:18:02 PM - Restore Operation
RP1314: 4/19/2011 9:31:35 PM - Restore Operation
RP1315: 4/19/2011 9:37:13 PM - Restore Operation
RP1316: 4/19/2011 9:47:28 PM - After_FFoxCrashAndRestore_ToApr18
.
==== Installed Programs ======================
.

7-Zip 4.65
ABC Amber LIT Converter
Ac3Tool (remove only)
ACDSee 32
ACDSee Pro
Adobe Acrobat 4.0
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Creative Suite 4 Master Collection
Adobe CSI CS4
Adobe Default Language CS4
Adobe Dreamweaver CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS
Adobe Photoshop Lightroom 2.4
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 9.4.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced Email Verifier
Advanced Port Scanner v1.3
Agent Ransack Version 1.7.3
Applian FLV Player
AudioConverter
Auto Gordian Knot 2.55
AviSynth 2.5
AVS DVD Player version 2.4
BlackBerry Desktop Software 4.7
BlackBerry Device Software Updater
BlazeDVD 4.0 Professional
Compatibility Pack for the 2007 Office system
Connect
CPUID CPU-Z 1.55
Crystal Reports for Visual Studio
Cucusoft DVD to iPod + iPod Video Converter Suite 3.9.3.17
DAP Premium
Data Access Objects (DAO) 3.5
Data Access Objects (DAO) SDK
DivX Content Uploader
DivX Player
DivX Web Player
DNS Thing 1.1
Dotfuscator Software Services - Community Edition
Download Master version 5.3.4.1093
DVD Shrink 3.1.7
Easy CD-DA Extractor 10
eMule
ESCV2
ffdshow [rev 3026] [2009-07-05]
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 4.3.0119
foobar2000 v0.9.4.5
Free Mp3 Wma Converter V 1.5.1
GNU Backgammon (MAIN branch, 20101215 code)
Google Earth
Google Update Helper
HexEdit
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB958655-v2)
Indeo® Software
Intel(R) Matrix Storage Manager
InterVideo AVControlSDK
InterVideo DVDCopy 4
iriver Music Manager
iWisoft Flash SWF to Video Converter 3.4
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java DB 10.5.3.0
Java(TM) 6 Update 20
Java(TM) SE Development Kit 6 Update 20
K-Lite Codec Pack 2.85 Full
kuler
LAN Speed Test
LimeWire 4.12.6
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
MediaInfo 0.7.4.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Help Viewer 1.0
Microsoft Office 2000 SR-1 Professional
Microsoft Office 2003 Web Components
Microsoft Office Project Professional 2003
Microsoft Reader
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Notification Services
Microsoft SQL Server 2005 Tools
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime v1.0 SP1 (x86)
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Sync Framework Services v1.0 SP1 (x86)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x86)
Microsoft Team Foundation Server 2010 Object Model - ENU
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Office Developer Tools (x86)
Microsoft Visual Studio 2010 Performance Collection Tools - ENU
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Microsoft Visual Studio 2010 Ultimate - ENU
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Visual Studio Macro Tools
Microsoft Web Application Stress Tool
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser
Monkey's Audio
Mozilla Firefox (3.6.8)
MPEG Video Wizard
MSXML 6.0 Parser (KB933579)
Nero Suite
Nmap 4.68
NVIDIA Drivers
PartitionMagic
PDF Settings CS4
PerformanceTest v7.0
Photoshop Camera Raw
Pixel Bender Toolkit
PowerQuest PartitionMagic 8.0
ProCoder 3
Profile Canada 2008
Profile Canada 2009
Pure Motion EditStudio 5
QuickTime
Quintessential Player
RealPlayer
Remove DivX Pro Codec
Roxio Media Manager
SDP Downloader
Seagate Crystal Reports 6.0
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB913433)
Setup
SigmaTel Audio
Solunet: Info-Mex 2010 Volume 4
SpeedFan (remove only)
SQLXML4
Suite Shared Configuration CS4
Symantec AntiVirus Client
TopStyle Lite (Version 1.5)
Total Recorder 7.0
VeryPDF PDF2Word v2.0
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VLC media player 1.0.2
VNC Enterprise Edition E4.2.5
VobSub v2.23 (Remove Only)
Web Deployment Tool
WebEx
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Resource Kit Tools
Windows XP Service Pack 3
WinPlex version 0.918 Beta
WinRAR archiver
WinZip
WM Recorder 11.3
xplorerІ lite 32 bit
XviD MPEG4 Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
4/20/2011 6:34:52 PM, error: Service Control Manager [7034] - The SQL Server Integration Services service terminated unexpectedly. It has done this 1 time(s).
4/20/2011 6:34:34 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
4/20/2011 10:55:34 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WPFFontCache_v0400 service.
4/19/2011 9:16:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
4/19/2011 9:12:27 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/19/2011 9:11:46 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126ADB-2166-11D1-B1D0-00805FC1270E}
4/19/2011 9:09:19 AM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
4/19/2011 9:08:50 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
4/19/2011 9:07:20 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ntmssvc with arguments "-Service" in order to run the server: {D61A27C6-8F53-11D0-BFA0-00A024151983}
4/19/2011 8:54:09 PM, error: Service Control Manager [7034] - The WebTool service terminated unexpectedly. It has done this 1 time(s).
4/19/2011 8:54:06 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
4/19/2011 8:54:03 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
4/19/2011 8:51:12 PM, error: NETLOGON [5719] - No Domain Controller is available for domain NEXPORT due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
4/19/2011 8:13:00 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\uxtheme.dll could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
4/19/2011 7:06:20 PM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/19/2011 7:06:02 PM, error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
4/19/2011 7:05:38 PM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/19/2011 11:17:50 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
4/17/2011 5:00:12 AM, error: TermService [1006] - The terminal server received large number of incomplete connections. The system may be under attack.
4/14/2011 11:10:04 AM, error: Schannel [36882] - The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
.
==== End Of File ===========================
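An added triage script, not part of the original thread and not one of the tools the helper recommends, that does in text form what the poster did in Process Explorer: it maps each svchost.exe PID to the services it hosts (from `tasklist /svc`) and to its TCP peers (from `netstat -ano`), then flags any instance that talks to many distinct remote hosts or has a backlog of half-open SYN_SENT sockets, the pattern behind the "security limit on concurrent TCP connect attempts" event. The sample outputs, PIDs, service lists, IP addresses and thresholds below are constructed for the example, not captured from the poster's machine.

```python
"""Correlate svchost.exe instances with hosted services and TCP peers.

Parses the text output of `tasklist /svc` and `netstat -ano` (both present
on Windows XP SP3 and later). Sample output below is CONSTRUCTED for the
example; PIDs, service names and addresses are not from the thread.
"""
import re
from collections import defaultdict

# Constructed `tasklist /svc` output. Long service lists wrap onto
# indented continuation lines, exactly as the real tool prints them.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    848 DcomLaunch, TermService
svchost.exe                    936 RpcSs
svchost.exe                   1028 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,
                                   EventSystem, helpsvc, lanmanserver,
                                   Schedule, winmgmt, wuauserv
svchost.exe                   1104 Dnscache
svchost.exe                   1144 LmHosts, SSDPSRV
"""

# Constructed `netstat -ano` output using documentation address ranges.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       848
  TCP    192.0.2.10:1053        198.51.100.7:80        ESTABLISHED     1028
  TCP    192.0.2.10:1054        198.51.100.8:80        ESTABLISHED     1028
  TCP    192.0.2.10:1055        203.0.113.21:80        ESTABLISHED     1028
  TCP    192.0.2.10:1056        203.0.113.22:80        SYN_SENT        1028
  TCP    192.0.2.10:1057        203.0.113.23:80        SYN_SENT        1028
  TCP    192.0.2.10:1058        203.0.113.24:80        SYN_SENT        1028
  TCP    192.0.2.10:1059        203.0.113.25:80        SYN_SENT        1028
  TCP    192.0.2.10:1060        203.0.113.26:80        SYN_SENT        1028
  TCP    192.0.2.10:1061        203.0.113.27:80        SYN_SENT        1028
  TCP    192.0.2.10:1062        203.0.113.28:80        SYN_SENT        1028
  TCP    192.0.2.10:1070        198.51.100.50:443      ESTABLISHED     1104
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])} from `tasklist /svc` output."""
    records, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last_pid is not None:
            # Indented line: continuation of the previous row's services.
            records[last_pid][1].extend(
                s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [
            s.strip() for s in svcs.split(",") if s.strip()]
        records[pid] = (image, services)
        last_pid = pid
    return records


def parse_netstat_ano(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` output.
    UDP rows carry no State column, so the PID is always the last field."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" and len(parts) == 5 else ""
        yield parts[0], parts[1], parts[2], state, int(parts[-1])


def triage_svchost(tasklist_text, netstat_text, max_peers=5, max_half_open=3):
    """Per svchost.exe PID: hosted services, distinct remote hosts, count of
    half-open sockets, and a 'suspicious' flag when either count exceeds the
    (assumed, tunable) thresholds. Listening sockets are ignored."""
    procs = parse_tasklist_svc(tasklist_text)
    peers, half_open = defaultdict(set), defaultdict(int)
    for proto, _local, remote, state, pid in parse_netstat_ano(netstat_text):
        if proto != "TCP" or state == "LISTENING":
            continue
        peers[pid].add(remote.rsplit(":", 1)[0])   # strip the port
        if state == "SYN_SENT":
            half_open[pid] += 1
    report = {}
    for pid, (image, services) in procs.items():
        if image.lower() != "svchost.exe":
            continue
        report[pid] = {
            "services": services,
            "remote_hosts": sorted(peers[pid]),
            "half_open": half_open[pid],
            "suspicious": len(peers[pid]) > max_peers
                          or half_open[pid] > max_half_open,
        }
    return report


if __name__ == "__main__":
    for pid, r in sorted(triage_svchost(TASKLIST_SAMPLE, NETSTAT_SAMPLE).items()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"PID {pid:>5} [{flag}] services={','.join(r['services'])}")
        print(f"           peers={r['remote_hosts']} half_open={r['half_open']}")
```

On the real machine, capture `tasklist /svc > t.txt` and `netstat -ano > n.txt` while the symptom is active and feed those files in. For a flagged PID, `tasklist /m /fi "PID eq <pid>"` lists the DLLs loaded into that instance, and `reg query HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters /v ServiceDll` shows which DLL each hosted service actually points at; an unsigned or oddly located ServiceDll in a system service group is the thing to look at next.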

Re: Malicious script running via svchost.exe: What's the cause?

Post by deltalima » April 22nd, 2011, 2:50 pm

Checking your log - back soon.

Re: Malicious script running via svchost.exe: What's the cause?

Post by deltalima » April 22nd, 2011, 2:57 pm

Hi kuna86,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Please let me know if the computer is used for home or for business use.

Re: Malicious script running via svchost.exe: What's the cause?

Post by kuna86 » April 23rd, 2011, 1:57 am

Hello deltalima,
As you have such strict rules about not helping all users in need (I didn't get it at first), I'm closing the case.

Sorry for taking your time and thanks anyway!

Re: Malicious script running via svchost.exe: What's the cause?

Post by Gary R » April 23rd, 2011, 4:37 am

This topic is now closed.