Solve : Nasty Infection, Please look over my Logs.?

Hello all,

I'm having trouble with a computer that is running Windows XP and having a svchost.exe error.

Instruction at "0x7564d27e" referenced memory at "0x00000060". the memory could not be "read". Press on OK to terminate the program.

Now this error never goes away, I've tried investigating it and can't seem to find a solution, I'm hoping someone here can help me.

I've gone through the steps for Malware Removal and I'm attaching my logs here, please let me know if you need additional information as well!

Thanks in advance for all your help!

[attachment deleted by admin]

Before you begin the SDFix instructions you should copy these instructions into a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

Download SDFix by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights.


* Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
* A window will now open showing SDFix being extracted into the C:\SDFix folder.
* Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
* DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

When your computer has started in safe mode, and you see the desktop, close all open Windows.

* Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK button.

Code:
C:\SDFix\RunThis.bat
* SDFix window will open containing some brief info and a disclaimer on the use of the tool.
* Type Y on your keyboard and then press Enter to begin the cleanup process.
* It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
* Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

Thanks evilfantasy for taking the time to look at these. I've attached the new log files.

[attachment deleted by admin]

Go to Add/Remove Programs and uninstall:

  • My Web Search Bar Search Scope Monitor
----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

  • F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Hi,

I'm not finding
* My Web Search Bar Search Scope Monitor

under add/remove programs. Is there another way to find it?

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

  • O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

Now continue on with ComboFix.

Quote from: evilfantasy on March 09, 2009, 06:19:42 PM


Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

Now continue on with ComboFix.

Hi again,
I did receive a success message with the registry edit. Here is the combofix log attached.

Cheers

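The fixme.reg above relies on the REGEDIT4 syntax where a value line ending in `=-` deletes that value from the key (and a key name prefixed with `-` inside the brackets deletes the whole key). Before merging a fix file like this it helps to see exactly what it will touch. The following is an added example, not code from the thread or from any tool it mentions: a small Python parser that lists every key and value a .reg file would add, set or delete. The sample .reg text is constructed; apart from the Run value the thread removes, its extra value and key are hypothetical. Multi-line hex(...) continuation values are not handled.

```python
"""List the changes a REGEDIT4 / "Windows Registry Editor" .reg file would make.

Added example for reviewing a registry fix file before merging it; it only
reads text and never touches the registry.
"""
import re

# Constructed sample. The Run value is the one removed in the thread; the
# "Example" value and the ExampleVendor key are hypothetical, to show the
# set-value and delete-key forms.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-
"Example"="C:\\Program Files\\Example\\example.exe"

[-HKEY_CURRENT_USER\Software\ExampleVendor]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# A value line is either @ (the default value) or a quoted name, then '=',
# then the data; data of exactly '-' means "delete this value".
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples.

    action is one of: add_key, delete_key, set_value, delete_value.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header")
    actions = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                actions.append(("delete_key", key[1:], None, None))
                current_key = None  # values may not follow a deleted key
            else:
                actions.append(("add_key", key, None, None))
                current_key = key
            continue
        if current_key is None:
            raise ValueError(f"value outside a key section: {line}")
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable value line: {line}")
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":
            actions.append(("delete_value", current_key, name, None))
        else:
            actions.append(("set_value", current_key, name, data))
    return actions


def describe(actions):
    """One human-readable line per action, deletions shouted for review."""
    out = []
    for action, key, name, data in actions:
        if action == "add_key":
            out.append(f"ensure key exists: {key}")
        elif action == "delete_key":
            out.append(f"DELETE KEY: {key}")
        elif action == "delete_value":
            out.append(f"DELETE VALUE: {key} -> {name!r}")
        else:
            out.append(f"set value: {key} -> {name!r} = {data}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(SAMPLE_REG)):
        print(line)
```

Running the block prints the four actions; for the thread's own fixme.reg the output is one "ensure key exists" line for the Run key and one "DELETE VALUE" line, which is exactly what the success message from regedit confirms.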
[attachment deleted by admin]

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:services
gaopdxserv
gaopdxl

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Also let me know how the computer is running now.

Hi,

Thanks again for all your help! Computer is definitely working better. No more svchost errors or anything. Here is the OTMoveit information:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service gaopdxserv .
Unable to stop service gaopdxl .
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\NATALI~1\LOCALS~1\Temp\etilqs_Z7jKkLQEJX9mSUKEX5Yo scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03092009_181439

Files moved on Reboot...
File C:\DOCUME~1\NATALI~1\LOCALS~1\Temp\etilqs_Z7jKkLQEJX9mSUKEX5Yo not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Natalie Garfield\Local Settings\Application Data\Mozilla\Firefox\Profiles\vvxv5i3j.default\XUL.mfl moved successfully.
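When reading an OTMoveIt3 result like the one above, the lines worth attention are the failures rather than the successes: the two services the tool could not stop, and the deletions that were deferred to reboot and then need to show up as "moved successfully" or "not found" in the reboot pass. The following is an added example, not part of the thread and not code from OTMoveIt3: a Python parser that buckets such a log and reports which deferred deletions are still outstanding after the reboot pass. The sample log is constructed in the same format as the posted one, with shortened paths and placeholder user names.

```python
"""Summarise an OTMoveIt3 results log: processes killed, services that could
not be stopped, folders emptied, and reboot-deferred deletions reconciled
against the "Files moved on Reboot" pass.

Added example; the log text is constructed to match the format of the
output posted in the thread, not copied from it.
"""
import re

SAMPLE_LOG = """\
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service gaopdxserv .
Unable to stop service gaopdxl .
========== COMMANDS ==========
File delete failed. C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\etilqs_abc scheduled to be deleted on reboot.
User's Temp folder emptied.
File delete failed. C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat scheduled to be deleted on reboot.
File delete failed. C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\x.default\\Cache\\_CACHE_001_ scheduled to be deleted on reboot.
Temp folders emptied.
Explorer started successfully

Files moved on Reboot...
File C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\etilqs_abc not found!
File move failed. C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat scheduled to be moved on reboot.
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\x.default\\Cache\\_CACHE_001_ moved successfully.
"""

SECTION = re.compile(r"^=+ (.+?) =+$")

# Each pattern captures the one item (process, service, path, folder) the line is about.
PATTERNS = {
    "killed":          re.compile(r"^Process (\S+) killed successfully\.$"),
    "svc_unstopped":   re.compile(r"^Unable to stop service (\S+) \.$"),
    "deferred_delete": re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$"),
    "deferred_move":   re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$"),
    "moved":           re.compile(r"^(.+) moved successfully\.$"),
    "not_found":       re.compile(r"^File (.+) not found!$"),
    "emptied":         re.compile(r"^(.+) emptied\.$"),
}


def parse_otmoveit_log(text):
    """Bucket each log line by what it reports; unknown lines are kept for review."""
    result = {kind: [] for kind in PATTERNS}
    result["unrecognised"] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines and banners ("===== X =====", "Files moved on Reboot...") carry no result.
        if not line or SECTION.match(line) or line.endswith("..."):
            continue
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                result[kind].append(m.group(1))
                break
        else:
            result["unrecognised"].append(line)
    return result


def still_pending(result):
    """Reboot-deferred deletions the reboot pass neither moved nor reported missing.

    These, together with any service in svc_unstopped, are the follow-up items.
    """
    settled = set(result["moved"]) | set(result["not_found"])
    return [p for p in result["deferred_delete"] if p not in settled]


if __name__ == "__main__":
    summary = parse_otmoveit_log(SAMPLE_LOG)
    print("services not stopped:", summary["svc_unstopped"])
    print("still pending after reboot:", still_pending(summary))
    print("unrecognised lines:", summary["unrecognised"])
```

On the constructed log this reports the two services as not stopped and the LocalService index.dat as still pending, which mirrors the posted log: the Firefox cache files and the temp file were settled by the reboot pass, while index.dat was deferred a second time.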

OK looks good.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

----------

1. Double click OTMoveIt3.exe to launch it.
   Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

Hi and thanks again evilfantasy!! Computer is working brilliantly again, really appreciate all your help!

You're welcome.

Safe surfing...

