Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Svchost.exe - Application Error pop ups [Solved]


  • This topic is locked This topic is locked

#1
irishunter

irishunter

    New Member

  • Member
  • Pip
  • 4 posts
Hello.

I was browsing spankwire and running a Microsoft Security Essentials quickscan after downloading a video (from a different website), which I also scanned using MSE. The video was a screensaver file. I right clicked it and clicked "test". At that point, the video opened up in vlc.

After the MSE scan, I kept getting a pop up message:

Svchost.exe - Application Error
"The application was unable to start correctly (0xc0000018). Click OK to close the application."

I am not sure if this is the result of being infected, but after some googling, I thought it might be possible.

I'm looking at C:\Users\DT\AppData\Roaming, and there seem to be some suspicious files that appeared around the time I got the first pop-up. These are: DTlog.dat; DT-wchelper.dll; the folder vlc was modified; new folders: install, 701D5E50, WinDir.

EDIT: I ran a Malwarebytes scan and it came up with two infections by backdoor.spynet.m.

Below is the OTL log:
Spoiler

Thanks for the help!

Edited by irishunter, 07 July 2013 - 11:45 PM.

  • 0

Advertisements


#2
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Hello, irishunter and welcome to GeeksToGo!

You can call me Phel and today I will try to help you with your trouble.

Please, read these instructions carefully, because they contain some very useful information.

Please, let me know, if you don't understand something. It is really important to understand any instruction. Also, please read all instructions carefully before performing them. Feel free to ask questions, if you aren't sure.

Please, be patient. You should stay here until your computer will become really clean. Malware Removal isn't very fast procedure, it usually has multiple steps, but result should be glad.;)

Please, wait for a while now, currently I'm analyzing your logs. Please note, that my answers could come with a slight delay, because they are checked by my teacher.
  • 0

#3
irishunter

irishunter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi! Thanks for your help.

This is the Malwarebytes scan log:
Spoiler

  • 0

#4
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Please, follow these steps:

Step 1. AdwCleaner scan.

  • Please, download AdwCleaner from here to your Desktop.
  • Right click on adwcleaner.exe file on your Desktop->Run as Administrator.
  • Adwcleaner window should appear.
  • Click on the Delete button.
  • Click on OK.
  • Computer will be rebooted automatically, when program will finish it's job.
  • After fix Notepad window with report should appear. Post the contents of the report in your next message.

Step 2. OTL fix.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://search.babylon.com/home
    IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylo...c=browsersearch
    IE - HKCU\..\SearchScopes\{1748628F-AACD-44C1-8C25-3277D58FEE61}: "URL" = http://websearch.ask...D6-8F66DA296BE4
    FF - prefs.js..extensions.enabledAddons: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0
    FF - prefs.js..extensions.enabledItems: vshareus@toolbar:1.0.0
    FF - prefs.js..extensions.enabledItems: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.5.0
    FF - prefs.js..extensions.enabledItems: {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}:2.0
    [2011/10/01 17:44:05 | 000,000,000 | ---D | M] (DealPly) -- C:\Users\DT\AppData\Roaming\Mozilla\Firefox\Profiles\6zcaeo2z.default\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
    [2010/11/02 12:18:20 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Users\DT\AppData\Roaming\Mozilla\Firefox\Profiles\6zcaeo2z.default\extensions\vshareus@toolbar
    [2010/07/29 17:24:38 | 000,002,191 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    O4 - HKCU..\Run: [HKCU] C:\Users\DT\AppData\Roaming\install\Svchost.exe ()
    F3:64bit: - HKCU WinNT: Load - (C:\Users\DT\AppData\Roaming\Microsoft\Windows\Templates\VaultCmd.exe) - C:\Users\DT\AppData\Roaming\Microsoft\Windows\Templates\VaultCmd.exe (Microsoft Corporation)
    F3 - HKCU WinNT: Load - (C:\Users\DT\AppData\Roaming\Microsoft\Windows\Templates\VaultCmd.exe) - C:\Users\DT\AppData\Roaming\Microsoft\Windows\Templates\VaultCmd.exe (Microsoft Corporation)
    [2013/07/07 20:10:27 | 000,000,000 | ---D | C] -- C:\Users\DT\AppData\Roaming\install
    [2013/07/07 20:09:08 | 000,000,000 | ---D | C] -- C:\Users\DT\AppData\Roaming\WinDir
    [2013/07/07 20:09:08 | 000,154,283 | -H-- | M] () -- C:\Users\DT\AppData\Roaming\DT-wchelper.dll
    [2013/07/07 20:34:43 | 000,002,206 | -H-- | M] () -- C:\Users\DT\AppData\Roaming\DTlog.dat
    [2013/07/07 20:10:25 | 000,000,000 | -H-D | M] -- C:\Users\DT\AppData\Roaming\701D5E50
    
    :Commands 
    [EMPTYTEMP]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Step 3. Change of the passwords.

Your computer was infected with PSW trojan - malware, which steals your personal and confidential data, such as passwords. So, please, change all your passwords from:

  • Internet Banks
  • FTP-servers
  • Web-hosting
  • Social networks
  • Forums
  • E-mails
  • Other websites
  • IM-Messengers (Skype/ICQ/AOL/etc.)
  • and etc.

So, please, don't forget to post in your next message:

  • AdwCleaner log
  • OTL log

  • 0

#5
irishunter

irishunter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the help! The logs are below.

I was able to boot into safe mode yesterday, but today, the 'Advanced Boot Options' page that appears after I hold F8 is completely bypassed. Instead, a menu for selecting which drive to boot shows up.
I have also tried tapping F8 once per second after POST, and that does not change anything.

Also, should I be wary about having information from word documents on my HDD stolen?

AdwCleaner log:
Spoiler



OTL log:
Spoiler


EDIT:

I just ran another MAM scan and found there is a new infection (the previous two did not show up this time):
Spoiler

Edited by irishunter, 09 July 2013 - 01:40 PM.

  • 0

#6
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Hey,

What about this?

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


  • 0

#7
irishunter

irishunter

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
OTL log:
Spoiler


MAM log from today:
Spoiler



EDIT: I decided to wipe the drive and do a fresh install. Thank you for all your help over the past few days.

Edited by irishunter, 11 July 2013 - 09:02 AM.

  • 0

#8
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP