Chemist,
Yes, I successfully submitted the zip file. It's now deleted from my desktop.
Here is the Combofix2.txt file.
Thanks,
Raynman
ComboFix 08-08-15.04 - Carli 2008-08-16 18:53:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1566 [GMT -4:00]
Running from: C:\Documents and Settings\Carli\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Carli\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\HP_Owner\Desktop\l2mfix.exe
C:\Documents and Settings\HP_Owner\drsmartload348a.exe
D:\R2NL.COM
G:\r2nl.com
H:\R2NL.COM
.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.
2008-08-10 20:31 . 2008-08-10 20:31 <DIR> d-------- C:\Deckard
2008-08-10 17:37 . 2008-08-10 17:37 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-10 17:37 . 2008-08-10 17:37 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-10 17:37 . 2008-08-10 17:37 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-10 17:37 . 2008-08-10 17:37 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-10 17:36 . 2008-08-10 17:36 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-10 17:30 . 2008-08-10 17:30 <DIR> d-------- C:\WINDOWS\EHome
2008-08-10 17:24 . 2008-04-13 20:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-10 16:40 . 2008-08-10 16:40 <DIR> d-------- C:\ie-spyad_zo
2008-08-10 16:10 . 2008-08-10 16:12 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-10 16:10 . 2008-08-14 21:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-10 13:01 . 2008-08-10 13:01 <DIR> d-------- C:\Program Files\Panda Security
2008-08-10 13:01 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-10 12:09 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-10 12:09 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-10 12:09 . 2008-04-13 14:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-09 22:42 . 2008-04-23 00:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-09 22:42 . 2007-04-17 05:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-09 22:42 . 2007-03-08 01:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-09 22:42 . 2008-04-23 00:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-09 22:42 . 2008-04-23 00:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-09 22:42 . 2008-04-23 00:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-09 22:42 . 2008-04-23 00:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-09 22:42 . 2008-04-23 00:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-09 22:42 . 2008-04-22 03:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-29 08:34 . 2008-07-29 08:34 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Corel
2008-07-26 14:41 . 2008-07-26 14:41 <DIR> d-------- C:\Program Files\Gamevance
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 19:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-08-05 15:46 2,276 -c--a-w C:\Documents and Settings\Chris\Application Data\wklnhst.dat
2008-08-03 18:07 --------- d-----w C:\Program Files\Apple Software Update
2008-08-03 18:04 --------- d-----w C:\Program Files\Safari
2008-07-19 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-17 14:59 --------- d-----w C:\Program Files\Yahoo!
2008-07-03 22:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-30 13:38 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-30 13:21 --------- d-----w C:\Documents and Settings\Administrator.YOUR-27E1513D96\Application Data\You've Got Pictures Screensaver
2008-06-30 10:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 10:18 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-06-30 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-30 01:55 --------- d-----w C:\Program Files\Lavasoft
2008-06-30 01:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 01:03 90,112 ----a-w C:\WINDOWS\DUMP54e6.tmp
2008-06-06 00:40 4,382 ----a-w C:\Documents and Settings\Carli\Application Data\wklnhst.dat
2006-03-11 13:45 7,634,340 ----a-w C:\Documents and Settings\HP_Owner\Install_AIM.exe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 20:12 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 13:59 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 14:03 114688]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 02:34 245760]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-05 01:46 172032]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-08-28 14:12 77824]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 18:04 497376]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-07-24 19:08 26112]
"DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 22:24 1169744]
"AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 22:38 1945688]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 22:29 149024]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 03:20 372736]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 14:45 67488]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 13:00 531272]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 04:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-06-01 13:40:44 225280]
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 20:31:20 4742184]
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 20:31:20 4742184]
C:\Documents and Settings\Carli\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-05-27 20:04:55 947544]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus USB.lnk - C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE [2007-08-26 07:30:30 258048]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 10:23:26 282624]
Updates from HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-29 03:40:52 36903]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 07:12]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
S3 TIAcxubt;D-Link WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\tiacxubt.sys [2003-04-24 17:59]
S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;C:\WINDOWS\system32\Drivers\tiacxusb.sys [2003-04-29 10:49]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder
2008-08-08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-08-08 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-01-18 18:24]
2005-11-29 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 23:24]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-08-16 18:57:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-08-16 19:03:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-16 23:03:10
ComboFix2.txt 2008-08-16 22:20:14
ComboFix3.txt 2008-08-16 20:46:21
Pre-Run: 181,070,864,384 bytes free
Post-Run: 181,055,041,536 bytes free
261 --- E O F --- 2008-08-10 02:43:27