Well, my C:\windows\system32\svchost.exe file has been infected by a trojan that used to start up "Windows Vista Security Update Center", while my computer runs on XP Pro, and (at first) had control of my background with a big radioactive sign that said "Your Privacy is in Danger!" below it, along with some other !!!!. I used SmitFraudFix and SUPERAntiSpyware Free Edition to get rid of that problem. By the way, I've checked at least 5 times, it is svchost.exe, not scvhost.exe, and it is located in C:\windows\system32. Now, on to my point. Every time I use Apple Safari, which I'm surfing with now, it uses some of the same configurations as IE. The only problem is, I keep trying to open links in new windows, and I keep getting redirected to search engines that show the results for various acts of porn. I now use Spyware Process Detector v3.12. It has labelled svchost.exe as altered most of the time, and dangerous sometimes. It also labels C:\windows\explorer.exe as altered. I think the list of 09 is what is wrong with my comp, but anyways, here is my HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 06:30:31, on 8/3/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Copy and Paste that log into your next reply.
NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Here are the results of the scan. I'm still amazed that this program found 50 files that were still infected, after I've used about 5 other scan and delete malware programs:
Malwarebytes' Anti-Malware 1.24
Database version: 1018
Windows 5.1.2600 Service Pack 2

8:17:54 AM 8/3/2008
mbam-log-8-3-2008 (08-17-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 50496
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msliksurcredo.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VAV (Rogue.VistaAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eqvwamkl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\PCHealthCenter\0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\edot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vav.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awhpaq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\btdnahju.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\Windk22.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\Thumbs.db (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sex2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinCtrl32.dl_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msliksurcredo.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Fichtner Family\Application Data\TmpRecentIcons\Vista Antivirus 2008.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
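An added example, not from the thread or from Malwarebytes, that parses this MBAM 1.x log format and pulls out what a responder checks first in a log like the one above: which items are only gone after the reboot (the rootkit drivers and DLLs marked "Delete on reboot") and which DNS server addresses the DNSChanger had written into the Tcpip\Parameters keys. The sample text is a constructed excerpt of the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.x log format from the post above.
# Entries read "<item> (<Threat.Family>) -> [Data: <values> -> ]<action>."
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104 85.255.112.157 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{a0f4e53d-c356-4d33-9649-3990af3bc74c}\\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.104,85.255.112.157 -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\Windk22.sys (Rootkit.Agent) -> Delete on reboot.
C:\\Program Files\\PCHealthCenter\\0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[\w.]+)\) -> (?P<rest>.+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_mbam_log(text):
    """Return one dict per detection: item, threat, action, pending_reboot, data."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and summary lines carry no entry
        rest = m.group("rest").rstrip(".")
        data = None
        if rest.startswith("Data: "):  # registry data items carry the old value
            data, rest = rest[len("Data: "):].split(" -> ", 1)
        entries.append({"item": m.group("item"), "threat": m.group("threat"),
                        "action": rest, "pending_reboot": rest.startswith("Delete on reboot"),
                        "data": data})
    return entries


def triage(entries):
    """Counts per threat family, items still present until reboot, and the DNS
    server addresses the DNSChanger entries had planted in Tcpip\\Parameters."""
    families = Counter(e["threat"] for e in entries)
    pending = [e["item"] for e in entries if e["pending_reboot"]]
    rogue_dns = sorted({ip for e in entries if e["threat"] == "Trojan.DNSChanger" and e["data"]
                        for ip in IP_RE.findall(e["data"])})
    return {"families": families, "pending_reboot": pending, "rogue_dns": rogue_dns}


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(key, value)
```

Any address in `rogue_dns` that is still returned by `ipconfig /all` after the reboot means the resolver settings were not actually cleaned and the redirects will continue.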
If I discover any more problems, I'll try to see how I can resolve them. Thanks for your help, and hopefully I won't have to waste your time. As far as I can tell, my system is back to functioning normally. Just a quick question, is there any way I can continue a download (through IE) that my system shut down when it rebooted? I'm going to try using the link again, and hopefully the temp file is still saved from the previous 20 minutes of downloading.