Potentially malicious or infected application says Bit Defender (In Progress)

Cjreef
Member with 45 posts.
Join Date: Aug 2009
22-Aug-2009, 06:10 PM #1
Potentially malicious or infected application says Bit Defender
I get the message:
"Bit Defender has blocked a potentially malicious or infected application"

The application apparently is part of the Microsoft Windows Operating System:
C:\Windows\System 32\svchost.exe

Bit Defender blocks it and I'm not sure I can allow it because of previous problems involving blue screens and stop errors. Dell support was unable to help me; as a matter of fact, they made things worse by uninstalling a video adapter and then installing one meant for Vista on my XP laptop. So, I restored to a previous point and haven't seen a blue screen since, but it's only been a week or so. I also uninstalled McAfee, which came with the computer, and installed Bit Defender, which still has some life from the previous computer. That's when I started getting the above message. Neither McAfee nor Bit Defender found anything wrong with malware or spyware.
Normally, I would allow the program to run, since you would think a new computer would not have a corrupted operating system, but one of the techs at Dell suggested that that was the problem with my blue screens and with the fact that I haven't been able to use the delete key since day one (the delete key works in safe mode). According to him, 2/3 of the time it's due to spyware. They want me to restore the computer to its original day-one status. It took me two days to get all my programs and stuff moved from the old computer, so I'm not really too anxious to start all over again unless I'm really sure that's what needs to be done. Can you tell I don't trust the Dell techs at this point?
I was told the same thing when I had problems getting all kinds of screens when typing certain keys, but I went on a chat with another tech who uninstalled and reinstalled the touchpad driver and everything was fine after that. I had been also told by another tech that it was a software problem and I had to call the fee based number. What a mess. I've had nothing but problems since day one.

If it helps any, the last time I got a blue screen here is what it said:

Check that there is adequate disk space
If driver is identified in the stop message disable driver
Try changing video adapters
Do a BIOS update
Disable BIOS memory options such as caching or shadowing
Technical info: xxxSTOP P:0X0000008E (0XE0000001, 0X99D72925, 0X9804944C, 0X00000000)
xxxWatchdog.sys - address 99D72925 base 99D72000 Date stamp 480254ab

This last error occurred after I tried to play a video demo on Samsung's website.

Hope you can help, thank you in advance.
perfume
Senior Member with 1,588 posts.
Join Date: Sep 2008
Location: An Alien, a misfit on Earth
Experience: Intermediate++
22-Aug-2009, 09:47 PM #2
Dear Cjreef,
Welcome aboard! From your post it is apparent that you have two anti-virus programs running side by side! That's a Real Big No! If the BitDefender you have is the 2009 version, then keep it and delete McAfee! If the BitDefender is the 2010 version, please remove it as it has an inbuilt "registry DESTROYER" and keep McAfee! The minimum disk space required for (us) XP users is 200 MB!

I am posting below the message of another person who had a similar problem: My computer, a Dell Dimension WinXP home edition, was working and suddenly a blue screen appeared with the following message:
A PROBLEM HAS BEEN DETECTED AND WINDOWS HAS BEEN SHUT DOWN TO PREVENT DAMAGE TO YOUR COMPUTER.

IF THIS IS THE FIRST TIME YOU'VE SEEN THIS "STOP ERROR" SCREEN, RESTART YOUR COMPUTER. IF THIS SCREEN APPEARS AGAIN, FOLLOW THESE STEPS:

CHECK TO BE SURE YOU HAVE ADEQUATE DISK SPACE. IF A DRIVER IS IDENTIFIED IN THE "STOP MESSAGE", DISABLE THE DRIVER OR CHECK WITH THE MANUFACTURER FOR DRIVER UPDATES. TRY CHANGING VIDEO ADAPTERS.

CHECK WITH YOUR HARDWARE VENDOR FOR ANY BIOS UPDATES. DISABLE BIOS MEMORY OPTIONS SUCH AS CACHING OR SHADOWING. IF YOU NEED TO USE SAFE MODE TO REMOVE OR DISABLE COMPONENTS, RESTART YOUR COMPUTER, PRESS F8 TO SELECT ADVANCED STARTUP OPTIONS, AND THEN SELECT SAFE MODE.

TECHNICAL INFORMATION:

*** STOP: 0X0000008E (0xC0000005,0x8053CF57,0xB158199C,0x00000000)

BEGINNING DUMP OF PHYSICAL MEMORY
PHYSICAL MEMORY DUMP COMPLETE.
CONTACT YOUR SYSTEM ADMINISTRATOR OR TECHNICAL SUPPORT GROUP FOR FURTHER ASSISTANCE.

I had no choice but to turn off the computer.

After I restart got "windows experienced a serious error", etc, and the following error message in one of those "send error reporting to Microsoft" options. I copied what was in the message and it is as follows:

Error signature:
BCCode: 10000008e BCP1: C0000005 BCP2: 8053cF57 BCP3:B158199C
BCP4:00000000 OSVer: 5_1_2600 SP: 1_0 Product: 768_1

REPORTING DETAILS: This error report includes: information regarding the condition of Microsoft Windows when the problem occurred, the operating system version and computer hardware in use, and the Internet Protocol (IP) address of your computer.
__________________
TAKE A BACK UP AND RESTORE, BEFORE IT IS TOO LATE! (MACRIUM REFLECT-FREE) WEBSITE: http://www.macrium.com/reflectfree.asp
Cjreef
Member with 45 posts.
Join Date: Aug 2009
22-Aug-2009, 10:58 PM #3
Thanks for the reply. I did uninstall McAfee before installing Bit Defender, so there is no problem there.

Does anyone know what this svchost application is? I get the screen from Bit Defender every few minutes about it being potentially malicious or infected.
perfume
Senior Member with 1,588 posts.
Join Date: Sep 2008
Location: An Alien, a misfit on Earth
Experience: Intermediate++
22-Aug-2009, 11:56 PM #4
Dear Cjreef,
The points below are taken from an article, the link to which I will provide at the end! 1) The easiest I can come up with for what svchost.exe is: "it is an underlying Windows component responsible for Windows services" (this is my copyright).

"The Svchost Viewer is a small application that lists all of the current svchost.exe instances, shows how much memory each one is using and what services are running beneath it" (this is not my copyright). I am providing below an excellent, must-read article from howtogeek.com about svchost. I urge you to read it! http://www.howtogeek.com/howto/windo...is-it-running/

Once you get the hang of it, you will be advising folks about svchost!

If you want to use the "command line", here it goes. To view the list of services that are running in Svchost:
  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER: Tasklist /FI "PID eq processID" (with the quotation marks). Source: http://support.microsoft.com/kb/314056

Please get back and tell us all whether you could access the svchost via "command line". Do you know one thing? When I am helping you I am enriching myself, and that's the kick I get out of it!
Cjreef
Member with 45 posts.
Join Date: Aug 2009
23-Aug-2009, 12:54 PM #5
I was able to access the list of services via the command list but when I tried to get more information I was told that "the search filter cannot be recognized".

There were two active processes one for stisvc and the other WebClient.

I also checked under Windows Task Manager, six processes were running all of them with user names of "system", "local service" or "Network Service". Based on what I read in the thread you provided, it seems that I do not have an infection. I will have to read more as it is a lot to assimilate. I'm not completely computer illiterate but I'm no expert either. It will take me a while to digest it all.

Thank you so very much, you have helped a lot.

I think what I will do is back up all my data, just in case, and allow Bit Defender to unblock svchost and see what happens. Will let you know.

I'm a bit confused that this application is running when Bit Defender says it blocked it?

Thanks again.
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
23-Aug-2009, 01:32 PM #6
There will always be several instances of svchost.exe running and applications run under svchost.exe so it's possible one of those applications is malicious. It's also possible the actual svchost.exe is patched, meaning altered by malware so therefore infected. Before doing anything else, please do the following:

Click here to download HJTsetup.exe.
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
__________________
Microsoft MVP - Consumer Security
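An added example for posts #4 and #6, not from the thread and not a Microsoft or BitDefender tool: it reads the text that Tasklist /SVC prints, lists the services hosted by each svchost.exe instance, flags an instance that hosts no services or whose name only imitates svchost.exe, and builds the Tasklist /FI "PID eq N" command with a numeric PID, which is the form tasklist accepts (typing the placeholder processID literally is what produces the "search filter cannot be recognized" error seen in post #5). The tasklist output embedded below is constructed to resemble an XP system; it is not the poster's machine.

```python
"""Triage the svchost.exe instances shown by `tasklist /SVC` (Windows XP layout).

Added example for this thread; the sample output is constructed, not real data.
"""
import re
from collections import OrderedDict

# Constructed sample of `tasklist /SVC` output. The services of one process
# wrap onto continuation lines that begin with whitespace, as tasklist prints them.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       560 N/A
services.exe                   708 Eventlog, PlugPlay
lsass.exe                      720 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    892 DcomLaunch, TermService
svchost.exe                    972 RpcSs
svchost.exe                   1064 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   EventSystem, lanmanserver, lanmanworkstation,
                                   Schedule, Themes, winmgmt, wuauserv
svchost.exe                   1120 Dnscache
svchost.exe                   1188 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                   1484 Spooler
svchost.exe                   1900 stisvc
svchost.exe                   2044 N/A
svch0st.exe                   2140 N/A
explorer.exe                  1640 N/A
"""

# Image name (may contain spaces), right-aligned PID, then the service field.
_PROC_LINE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field):
    """Turn 'A, B,' or 'N/A' into a clean list of service names."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return [(image, pid, [service, ...]), ...] in tasklist order."""
    procs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # blank line or the two header lines
        if line[0].isspace() and procs:
            # Continuation of the previous process's service list.
            procs[-1][2].extend(_split_services(line))
            continue
        m = _PROC_LINE.match(line)
        if m:
            procs.append((m.group("image"), int(m.group("pid")),
                          _split_services(m.group("svcs"))))
    return procs


def svchost_instances(procs):
    """Map each svchost.exe PID to the services it hosts, in tasklist order."""
    return OrderedDict((pid, svcs) for image, pid, svcs in procs
                       if image.lower() == "svchost.exe")


def _canonical(image):
    """Lower-case, drop .exe and undo the usual digit-for-letter substitutions."""
    name = image.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name.translate(str.maketrans("015", "ols"))


def triage(procs):
    """Findings worth a closer look, as (pid, image, reason) tuples."""
    findings = []
    for image, pid, svcs in procs:
        if image.lower() == "svchost.exe":
            # services.exe starts svchost.exe to host a service group; an
            # instance that hosts nothing was started some other way.
            if not svcs:
                findings.append((pid, image, "svchost.exe hosting no services"))
        elif (_canonical(image) == "svchost"
              or sorted(_canonical(image)) == sorted("svchost")):
            findings.append((pid, image, "name imitates svchost.exe"))
    return findings


def pid_filter(pid):
    """The exact follow-up command for one process; the PID must be a number."""
    return 'tasklist /FI "PID eq %d"' % int(pid)


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    for pid, svcs in svchost_instances(procs).items():
        print("svchost.exe PID %-5d hosts: %s" % (pid, ", ".join(svcs) or "(none)"))
    for pid, image, reason in triage(procs):
        print("CHECK PID %-5d %-12s %s  ->  %s" % (pid, image, reason, pid_filter(pid)))
```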
Cjreef
Member with 45 posts.
Join Date: Aug 2009
23-Aug-2009, 02:29 PM #7
Thank you, here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:32 PM, on 8/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r214424\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [LoJackForLaptops] C:\Program Files\LFLInstall\InstallManager.exe /d60 /dd1 /bd0
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: wkcalrem.LNK = C:\Program Files\Microsoft Works\WkCalRem.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C653377A-D8AC-4C64-9C39-69762EED141A}: NameServer = 216.144.187.199,204.186.0.201
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\drivers\audio\r214424\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9749 bytes
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
23-Aug-2009, 02:47 PM #8
Doesn't BitDefender tell you more about the detection than that?

Nothing there other than some minor iffy stuff like Ask Toolbar. But since not everything shows in a HijackThis log, let's run this scan:

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Cjreef
Member with 45 posts.
Join Date: Aug 2009
23-Aug-2009, 05:03 PM #9
The only other thing Bit Defender said was to allow it if the application was trusted. I'm paraphrasing; I didn't write that down. I didn't trust it since Dell seemed to think my computer was infected and wanted me to reinstall Windows, ugh...

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/23/2009 4:36:36 PM
mbam-log-2009-08-23 (16-36-36).txt

Scan type: Quick Scan
Objects scanned: 100488
Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Wow, and I trusted Bit Defender so much.

Also, when I installed the program, I got an error message. "An error occurred. Please report the following error to the Malwarebytes Anti-Malware support team. Error code: 732 (0,0)"

I was hoping fixing the infections would fix my "delete" key problem, but it didn't.

Could you please let me know, if you have an idea, what those two infections are all about? Thank you so very much for your help.
Cjreef
Member with 45 posts.
Join Date: Aug 2009
23-Aug-2009, 06:49 PM #10
Follow up:
I found in the FAQ the problem with error code 732 (0,0). I had to close all the programs in order to install, and so the database could not be updated. I have updated it now and reran the scan. No further problems were found.

I have a USB smart drive onto which I had copied my Program Files and Documents folders. I stuck it into the computer for the second scan but it didn't look like it was scanned, only the C drive was. I wonder if I should erase the smart drive and start over?

Thanks again
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
24-Aug-2009, 02:51 PM #11
I believe the two items found by MalwareBytes are false positives because the setup.exe file is in the wrong location. You must have downloaded something and saved the setup.exe file in there. The registry entry is because it's linked to that file.

I doubt there's any need to reformat the flash drive but we'll check it. Please insert the Smart USB drive into the slot and then do the following.

I'm attaching a MountPoints Diagnostic.zip file to this post. Save it to your desktop. Unzip it and double click the MountPoints Diagnostic.bat file and let it run. It will create a report in Notepad named Diagnostic.txt. Please upload the Diagnostic.txt file as an attachment.
Cjreef
Member with 45 posts.
Join Date: Aug 2009
24-Aug-2009, 03:36 PM #12
Here you are:
Diagnostic Report
Mon 08/24/2009 15:28:03.93

Mountpoints > Drives subkeys:
------------------------------------

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a42-409c-11de-acf9-806d6172696f}]
"BaseClass"="Drive"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,e0,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a43-409c-11de-acf9-806d6172696f}\_Autorun\DefaultIcon]
@="D:\\cdrom.ico"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun\Action]
@="Run U3 Launchpad"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a48-409c-11de-acf9-0022fb18a8b6}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,09,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\Shell\AutoRun\command]
@="F:\\LinksysConnectPC.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun\Action]
@="Wireless Network Setup Wizard"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4b574a49-409c-11de-acf9-0022fb18a8b6}\_Autorun\DefaultIcon]
@="F:\\LinksysConnectPC.ICO"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell\AutoRun]
@="Auto&Play"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe -a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun\Action]
@="Run U3 Launchpad"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\_Autorun\DefaultIcon]
@="E:\\LaunchU3.exe,0"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9557e4b-59f6-11de-ad26-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,cf,cf,cf,\
5f,cf,cf,cf,5f,5f,5f,5f,5f,5f,5f,5f,5f,5f,00,00,10,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{da0c2a69-5a8d-11de-ad28-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

~~~~~~~~~~~~~~~~~~~~~~~~~
No Autorun files found in C:\WINDOWS

No Autorun files found in C:\WINDOWS\system32

No Autorun files found in root of C:


Files found on E:
autorun.inf


Contents of autorun.inf on E:
[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad

[Definitions]
Launchpad=LaunchPad.exe
Vtype=2

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.4&brand=PelicanBFG


[Comment]
brand=PelicanBFG

No Autorun files found in root of F:


Wow, I'm glad this means something to you; it's Greek to me.
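The MountPoints2 keys and the autorun.inf above are what the helper reads by eye before judging the flash drive: each volume GUID Explorer has seen keeps an AutoRun verb, and the command under it should be accounted for by the autorun.inf of the device that created it. As an added worked example, not from this thread, from the scanning tool or from SanDisk, here is a small Python triage script that performs that cross-check mechanically: it parses a .reg-style MountPoints2 export, extracts the command each volume's AutoRun verb would run, parses the drive's autorun.inf, and reports whether the file explains that command. The two sample strings are constructed from the excerpts posted above (the _AutorunStatus blob is shortened); the GUIDs and value names are the ones in the log, and the function names are my own.

```python
"""Added example: correlate Explorer MountPoints2 AutoRun handlers with a
drive's autorun.inf.  Sample data is constructed from the thread's log
excerpts (hex blob shortened); it is not output of any tool used there."""
import re

# Constructed .reg-style excerpt: one volume with a U3 AutoRun handler and
# one with only the standard Windows Autoplay verb (no command).
REG_SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,\
  df,5f,01,00,01,01,ee,ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252af-8e85-11de-ad93-002219eedf2b}\Shell\AutoRun\command]
@="E:\\LaunchU3.exe -a"
~~~~~~~~~~~~~~~~~~~~~~~~~
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afb252b0-8e85-11de-ad93-002219eedf2b}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"
'''

# Constructed copy of the autorun.inf shown in the thread.
AUTORUN_INF_SAMPLE = '''
[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
action=Run U3 Launchpad

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.6.1.4&brand=PelicanBFG

[Comment]
brand=PelicanBFG
'''


def parse_reg_export(text):
    """Parse .reg-style text into {key_path: {value_name: value}}.  String
    values are unquoted and unescaped; hex blobs are kept verbatim and their
    continuation lines (which carry no '=') are ignored.  '~' separator lines,
    as printed by the log above, are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('~'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, value = line.partition('=')
        name = '(Default)' if name == '@' else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\')  # .reg doubles backslashes
        entries[current][name] = value
    return entries


VOLUME_KEY = re.compile(r'MountPoints2\\(\{[0-9a-f-]+\})(?:\\(.*))?$', re.IGNORECASE)


def mountpoints_volumes(entries):
    """Map each MountPoints2 volume GUID to the command its AutoRun verb would
    run, or None when the volume has no AutoRun handler at all."""
    volumes = {}
    for key, values in entries.items():
        m = VOLUME_KEY.search(key)
        if not m:
            continue
        vol = volumes.setdefault(m.group(1).lower(), {'autorun_command': None})
        if (m.group(2) or '').lower() == r'shell\autorun\command':
            vol['autorun_command'] = values.get('(Default)')
    return volumes


def parse_autorun_inf(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(inf, drive):
    """What autorun.inf asks Explorer to do for `drive` (e.g. 'E:'): the
    program it would launch, its menu label, and any update URL it names."""
    autorun = inf.get('autorun', {})
    findings = {}
    launch = autorun.get('open') or autorun.get('shellexecute')
    if launch:
        findings['launch'] = f"{drive}\\{launch}"
    if 'action' in autorun:
        findings['label'] = autorun['action']
    url = inf.get('update', {}).get('url')
    if url:
        findings['update_url'] = url
    return findings


def correlate(reg_text, inf_text, drive):
    """Per volume GUID: the registered AutoRun command and whether the
    autorun.inf currently on `drive` explains it."""
    volumes = mountpoints_volumes(parse_reg_export(reg_text))
    expected = autorun_findings(parse_autorun_inf(inf_text), drive).get('launch')
    report = {}
    for guid, vol in volumes.items():
        cmd = vol['autorun_command']
        if cmd is None:
            status = 'no_autorun_handler'
        elif expected and cmd.lower() == expected.lower():
            status = 'matches_autorun_inf'
        else:
            status = 'review'  # handler not explained by this drive's autorun.inf
        report[guid] = {'registry_command': cmd, 'status': status}
    return report


if __name__ == '__main__':
    for guid, row in correlate(REG_SAMPLE, AUTORUN_INF_SAMPLE, 'E:').items():
        print(guid, row)
```

Run on the sample, the U3 volume reports matches_autorun_inf (its command E:\LaunchU3.exe -a is exactly the open= line of the file on E:) and the second volume, which only carries the standard Autoplay verb, reports no_autorun_handler. A volume that comes back as review has an AutoRun command the currently inserted drive's autorun.inf does not account for, and that is the entry to look at first; the update URL is surfaced separately so it can be checked against the vendor domain the device claims.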
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
24-Aug-2009, 05:29 PM #13
By the way, I haven't heard from Bit Defender about svchost all day.
Cookiegal's Avatar
Administrator with 63,642 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
26-Aug-2009, 06:18 PM #14
I'm sorry it took me so long to respond. It's been pretty hectic.

The flash drive looks fine.

Let's just do an on-line scan for good measure.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

JRE 6 Update 15

Instructions for Kaspersky scan:
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
__________________
Microsoft MVP - Consumer Security
Cjreef's Avatar
Member with 45 posts.
 
Join Date: Aug 2009
27-Aug-2009, 01:47 PM #15
Please, don't apologize. I am so grateful for all the time you have given me.
I'm getting the warnings again, on and off, mostly when I'm using Microsoft Outlook, if that means anything.
Since we've checked for infections with so many programs and came up with nothing, do you think it is safe for me to "allow" Bit Defender to let the application run?
Here is the log you requested and thanks again:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 26, 2009 23:44:34
Records in database: 2690294
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 99426
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:52:11

No threats found. Scanned area is clean.

Selected area has been scanned.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.