[Cjreef]

I have uploaded the picture, can't seem to get it in the reply. Okay, I see the link.

[Cookiegal]

Let's check to see if the svchost.exe file may be infected.

Go to the link below and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\Windows\System32\svchost.exe

[Cjreef]

Something really strange happened. I was told that the scan had been run before on 9/13 with 0 out of 21 scanners reporting Malware, same as today's scan. I was never on that site before let alone uploading the file which I had trouble finding today. Noone but me has access to my computer. What's up?





Jotti's malware scan

Filename: svchost.exe Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Fri 18 Sep 2009 03:17:40 (CET) Permalink



Additional info

File size: 14336 bytes Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18 SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667

[Cookiegal]

That's just telling you that someone else did a scan on that date.

Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.

1. Close any open browsers.
2. If your Real protection or Antivirus interferes with OTS, allow it to run.
3. Open the OTS folder and double-click on OTS.exe to start the program.
4. In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
5. Now click the Run Scan button on the toolbar.
6. Let it run unhindered until it finishes.
7. When the scan is complete Notepad will open with the report file loaded in it.
8. Save that notepad file.

Use the Reply button, scroll down to the attachments section and attach the notepad file here.

[Cjreef]

Here is the OTS file:

[Cookiegal]

Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.

Code:

[Kill All Processes]
[Registry - Safe List]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {2E5E800E-6AC0-411E-940A-369530A35E43}:{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} [HKLM] -> Reg Error: Key error. [Button: The Weather Channel]
YN -> {2E5E800E-6AC0-411E-940A-369530A35E43}:Reg Error: Value error. [HKLM] -> Reg Error: Value error. [Menu: The Weather Channel]
[Files/Folders - Modified Within 30 Days]
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 31 C:\Documents and Settings\Claude Poole\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Claude Poole\Local Settings\temp\*.tmp
NY -> rtsr.dat -> C:\WINDOWS\Temp\rtsr.dat
NY -> msoAB.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAB.com
NY -> mso5D.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso5D.com
NY -> msoAC.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAC.com
NY -> mso30D.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30D.com
NY -> mso2EE.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso2EE.com
NY -> mso30E.com -> C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30E.com
[Alternate Data Streams]
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
[Empty Temp Folders]
[Start Explorer]
[Reboot]

[Cjreef]

[IMG]file:///C:/DOCUME%7E1/CLAUDE%7E1/LOCALS%7E1/Temp/moz-screenshot-1.png[/IMG][IMG]file:///C:/DOCUME%7E1/CLAUDE%7E1/LOCALS%7E1/Temp/moz-screenshot-2.png[/IMG][IMG]file:///C:/DOCUME%7E1/CLAUDE%7E1/LOCALS%7E1/Temp/moz-screenshot-3.png[/IMG]All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\Temp\rtsr.dat moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAB.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso5D.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\msoAC.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30D.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso2EE.com moved successfully.
C:\Documents and Settings\Claude Poole\Local Settings\temp\mso30E.com moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Claude Poole
->Temp folder emptied: 95660824 bytes
File delete failed. C:\Documents and Settings\Claude Poole\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 41545176 bytes
->Java cache emptied: 43484675 bytes
->FireFox cache emptied: 76349991 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 43971409 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 82576 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 287.21 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09202009_125804

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:04 PM, on 9/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9186 bytes


Cookiegal, Thanks again for all your help. By the way, I am not ignoring you. I did print all the 04 entries to be checked and (some) deleted from the start up. I just haven't had the time to get to it yet, I will. Computers are great when they work, but sooooo time consuming when there is a problem. I didn't add anything to the start up, it must have come with all these unnecessary start ups from the factory.

[Cookiegal]

Go to Start - Run and type in cmd

At the command prompt copy/paste this into the window and hit "enter":

cd %userprofile%\desktop
tasklist /svc /fi "imagename eq svchost.exe" >> taskservlist.txt

A text file should appear on your desktop called taskservlist.txt. Copy/paste the contents of that here.

[Cjreef]

Image Name PID Services
========================= ====== =============================================
svchost.exe 1704 DcomLaunch, TermService
svchost.exe 1784 RpcSs
svchost.exe 208 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
HidServ, LanmanServer, lanmanworkstation,
Netman, Nla, RasMan, Schedule, seclogon,
SENS, SharedAccess, ShellHWDetection,
srservice, TapiSrv, Themes, TrkWks, w32time,
winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe 620 LmHosts, RemoteRegistry, SSDPSRV
svchost.exe 584 WebClient
svchost.exe 268 stisvc

[Cookiegal]

They are all legitimate process running under svchost.exe.

[Cjreef]

That's good, but I've been blocking every warning window from Bit Defender, so whatever it is Bit Defender is warning about should not be running.

Since we've run so many program and I don't seem to be infected, do you think I can ignore the warning and allow the application to run? Thanks

[Cookiegal]

I don't understand that BitDefender doesn't explain more about the process that's tryng to run under svchost.exe. Can you check the alert logs and see if there's any more detailed explanation please.

[Cjreef]

I'm sorry, I can't find anything.
I've sent a query to Bit Defender. We'll see if I get a reply.

[Cookiegal]

Please let me know what you find out.

In the meantime, are there any other problems remaining?

[Cjreef]

I certainly will, when/if I hear anything.

Yes, I still have problems. My original problem with Microsoft Outlook resurfaced. Out of the blues screens pop up while I'm typing and the margins get messed up. That problem was originally fixed by uninstalling and reinstalling the keypad driver. It hasn't turned into a major problem yet, so I kept it on the back burner.

Recently, another problem developed. The Windows updates appear to be installing but they are not and the yellow shield reappears on the task bar. Every time I turn off the computer it tries to install 1 update but next time it's there again. I did send an email to Microsoft and I'm waiting for an answer. I will let you know about that too.

Thanks