Solved: AVG rootkit scan found these
Veryfrustratedus
Member with 700 posts.
THREAD STARTER
Join Date: Dec 2009
Experience: Intermediate
14-Jul-2011, 12:27 PM #16
THX now the buttons are working?! ???????????

:-]
Veryfrustratedus
15-Jul-2011, 10:30 PM #17
Avast Threat Detected just reinstalled yesterday
My machine is a Toshiba Satellite L301-S5945, 64-bit Vista Home Premium.

The threat: Win32:SuspBehav-d [Heur]
Action taken: I moved it to the chest. Should I remove it?

I just reinstalled the OS per dvk01. Then I got an email which was a phishing attempt from someone in Nigeria, using a person from my contacts and showing their email address as the source. I found the original source, Nigeria, in the properties of the message. EDIT: I am wondering, since it is possible to send me an email that looks to be from somewhere it isn't, can the same hackers have routed my email client so that it will go through their machine or website on its way to mine when I start up my email client? It would explain to me how I got reinfected so quickly.
Today I have used several newspapers, Hulu, PBS and did a search or two. I have not gone anywhere I would think was a dangerous place.
I changed my ISP email passwords and the passwords for the sites I recall going to over the last few weeks.
Is there a list of things I should change or do?
Thx

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:24:44 PM, on 7/15/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Toshiba Registration\Registration.exe
C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\User1\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TSS.exe" /hide
O4 - HKLM\..\Run: [jswtrayutil] "C:\Program Files (x86)\Jumpstart\jswtrayutil.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [951738463] C:\Program Files (x86)\Toshiba Registration\Registration.exe /r "C:\Program Files (x86)\Toshiba Registration\Registration.rpd"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: ConfigFree Gadget Service - TOSHIBA Corporation. - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files (x86)\Jumpstart\jswpsapi.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
--
End of file - 8284 bytes

Last edited by Veryfrustratedus; 16-Jul-2011 at 09:47 AM..
Veryfrustratedus
16-Jul-2011, 10:40 AM #18
I'm adding in the log file of the latest Avast scan. I had not set the settings to save a log for the scan that found the threat. I am doing this because I see a lot of "The process cannot access.." in it and that seems wrong. I am using IE to read papers and listen to the radio; I don't think that should be causing so many system32 files to be blocked.

Avast Scan 7-16-11
C:\System Volume Information\{6e436283-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{6e436289-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{6e43628f-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{6e436295-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{6e43629b-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{7f04955d-ad8c-11e0-849c-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{93abdc81-ada7-11e0-8531-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{9a8495d5-adb6-11e0-a070-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\System Volume Information\{a6f7cfb2-ada2-11e0-af64-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\Users\User1\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EA5B9B42-AFAF-11E0-9561-001E33B79998}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{2C3DCEEF-AFB2-11E0-9561-001E33B79998}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{EA5B9B43-AFAF-11E0-9561-001E33B79998}.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows\UsrClass.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows Defender\FileTracker\{5624235F-2511-45B4-8610-ED9AC18D21D7} [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows Mail\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows Mail\tmp.edb [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Temp\~DF106C.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Temp\~DFDD7E.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\AppData\Local\Temp\~DFFD6E.tmp [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\SoftwareDistribution\Download\1f57887152913a39f9d4e570614e61bc\Windows6.0-KB944036-x64.cab|>241|>{gzip} [E] GZIP archive is corrupted. (42129)
C:\Windows\SoftwareDistribution\Download\e8d36bbfe3ef21c587e85bdc7b755aaa\windows6.0-kb973917-v2-x64.cab|>292|> [E] ARJ archive is corrupted. (42120)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\edb.log [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\COMPONENTS.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\DEFAULT.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\COMPONENTS [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\DEFAULT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SAM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SECURITY [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SOFTWARE [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\RegBack\SYSTEM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SAM.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SECURITY.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SOFTWARE.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM.LOG1 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\config\SYSTEM.LOG2 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Temp\TMP0000005CBEFDA01E44E79025 [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\Temp\_avast_\Webshlock.txt [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
Total files: 641837
Total folders: 31958
Total size: 66.4 GB
*
* Scan stopped: Saturday, July 16, 2011 7:30:59 AM
* Run-time was 58 minute(s), 31 second(s)
*
dvk01 (Derek), Moderator & Malware Removal Specialist with 45,738 posts. dvk01 is authorized to help remove malware.
Join Date: Dec 2002
Location: Loughton, Essex, UK
16-Jul-2011, 12:53 PM #19
That is all perfectly normal.
Locked files or access denied are normal & most antiviruses don't bother to report them.

Why do you think that you have been reinfected, because you have received a phishing email?

Last edited by dvk01; 16-Jul-2011 at 12:58 PM..
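A small triage script for the kind of Avast log posted above, added here as an example and not code from the thread or from Avast. It separates the scanner's own error lines (codes 5 and 32 are the Win32 access-denied and sharing-violation errors that dvk01 calls normal; the 4212x archive codes are as labelled in the log) from anything that still deserves a look. The sample log is constructed from lines in the thread plus one made-up line with an unknown code.

```python
import re
from collections import Counter

# Error-line format used by the Avast log in the thread:
#   <path> [E] <message> (<numeric code>)
ERROR_LINE = re.compile(r"^(?P<path>.+?) \[E\] (?P<msg>.+?) \((?P<code>\d+)\)$")
SUMMARY_LINE = re.compile(r"^(Infected files|Total files|Total folders|Total size): (.+)$")

# Win32 error 5 is ERROR_ACCESS_DENIED and 32 is ERROR_SHARING_VIOLATION; both mean
# the scanner could not open the file, not that it found anything. The 4212x codes
# are the archive-unpacking errors labelled as such in the log itself.
BENIGN_CODES = {
    "5": "access denied (protected area such as System Volume Information)",
    "32": "file in use by another process (live registry hives, logs, mail stores)",
    "42120": "corrupted ARJ archive (could not be unpacked; not a detection)",
    "42129": "corrupted GZIP archive (could not be unpacked; not a detection)",
}

# Constructed sample: the first four lines are copied from the log posted above,
# the fifth is made up to show how an unrecognised error code is surfaced.
SAMPLE_LOG = r"""
C:\System Volume Information\{6e436283-ad74-11e0-9bb7-001e33b79998}{3808876b-c176-4e48-b7ae-04046e6cc752} [E] Access is denied (5)
C:\Windows\System32\config\SAM [E] The process cannot access the file because it is being used by another process (32)
C:\Users\User1\NTUSER.DAT [E] The process cannot access the file because it is being used by another process (32)
C:\Windows\SoftwareDistribution\Download\1f57887152913a39f9d4e570614e61bc\Windows6.0-KB944036-x64.cab|>241|>{gzip} [E] GZIP archive is corrupted. (42129)
C:\Users\User1\Downloads\example.tmp [E] Some other scanner error (9999)
Infected files: 0
Total files: 641837
Total folders: 31958
Total size: 66.4 GB
*
* Scan stopped: Saturday, July 16, 2011 7:30:59 AM
* Run-time was 58 minute(s), 31 second(s)
*
"""


def triage_avast_log(text):
    """Split a scan log into benign scanner errors (counted by code), the summary
    counters, and every other non-empty line, which is left for a human to read."""
    benign = Counter()
    summary = {}
    review = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # blank lines and the '* Scan stopped' trailer
        m = SUMMARY_LINE.match(line)
        if m:
            summary[m.group(1)] = m.group(2)
            continue
        m = ERROR_LINE.match(line)
        if m and m.group("code") in BENIGN_CODES:
            benign[m.group("code")] += 1
            continue
        review.append(line)  # unknown error codes and anything else unusual
    return {"benign": dict(benign), "summary": summary, "review": review}


def infected_count(result):
    """The scanner's own 'Infected files' counter as an int (0 when absent)."""
    return int(result["summary"].get("Infected files", "0"))


def describe(result):
    """Human-readable summary of a triage result."""
    lines = [f"infected files reported by scanner: {infected_count(result)}"]
    for code, n in sorted(result["benign"].items()):
        lines.append(f"  {n:>4} x code {code}: {BENIGN_CODES[code]}")
    lines.append(f"lines needing manual review: {len(result['review'])}")
    lines.extend("  " + l for l in result["review"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(triage_avast_log(SAMPLE_LOG)))
```

Run against the full log from the thread, every [E] line lands in the benign buckets and the review list stays empty, which is the point dvk01 makes in reply.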
Veryfrustratedus
16-Jul-2011, 01:13 PM #20
No.
I did an Avast scan and it showed me the threat. I listed it at the beginning of this thread. I put it in the chest and asked if I should delete it. I am also having problems with my CPU running at high levels above 80% and there are 12 svchosts running in Task Manager. They are running now as: system, network, system, system, local, system, network, local, network, local, system, system, local. This is after I shut down the two I mention below.
I shut one down that was using 157,000K and another using 69,000K. I'm playing FreeCell and have a webpage and my email client open. It had no effect on what I'm doing.
I have come to find over the last few weeks that FreeCell slows down when something wrong is going on with the machine, and Avast always finds a threat when it does. FreeCell is slowing down.

There is also an issue with updates. I have had the icon for an available update in the tray for days now. I have repeatedly clicked on it then deselected the item (IE9) and the icon stays in the tray. Today I went in and chose "check for updates but let me choose". I just noticed now that there are two available-updates icons in the tray, and my screen has flashed and gone blank twice as I type this.
I am going to restart as soon as I post this.

Last edited by Veryfrustratedus; 16-Jul-2011 at 01:18 PM..
dvk01 (Derek)
16-Jul-2011, 01:55 PM #21
I don't think that there is anything more we can do for you.
Either you have malware that withstood a format & reinstall, or something else you have on the computer keeps reinfecting you.

Or there is a different problem somewhere that isn't malware related at all.

It is normally extremely difficult to infect a 64-bit computer, so I think that you need to take the computer to a local repair shop where they can run other tests that can't be done from a forum.
Veryfrustratedus
16-Jul-2011, 02:10 PM #22
Could you please answer these questions directly?


What is this? Win32:SuspBehav-d [Heur] Should I delete it from the Avast chest?

Why am I having so many large svchosts?

Since it is possible to make an email to me look like it came from someone I know, is it possible to reroute my email so that it goes through another machine first?
dvk01 (Derek)
16-Jul-2011, 02:42 PM #23
Win32:SuspBehav-d [Heur] is a heuristic detection that might or might not be anything; leave it in the chest.

I have no idea why you have so many large svchosts, but the last logs you posted showed everything as legitimate & ok.
The attached is my svchost processes on W7 64-bit & is perfectly normal.
I think it is because of the pending updates in your case.
I know you don't want IE9, so do this:
http://technet.microsoft.com/en-us/ie/gg615599#options
Quote:
The automatic delivery process will notify users that an update is available and allow users to choose whether to install Internet Explorer 9.

Automatic Updates will only offer Internet Explorer 9 to users with local administrator accounts. Automatic Updates will notify all such users (including those with Automatic Updates configured to automatically download and install updates) when Internet Explorer 9 has been downloaded and is ready to install. The notification and installation process will not start unless and until a user who is a local administrator logs on to the machine. Users who are not local administrators will not be prompted to install the update and will thus continue their currently installed version of Internet Explorer.

After clicking on the Automatic Updates notification balloon, users will see a welcome screen summarizing key features of Internet Explorer 9 and presenting three options: Install, Don't Install, and Ask Me Later.

If a user selects Install, installation of Internet Explorer 9 will not override a user's default browser choice and will transfer the user's previous homepage, favorites, search settings and compatible toolbars. When the user launches Internet Explorer 9, a first-run experience will be offered highlighting new features and changes.

If a user selects Don't Install, the notification process will not re-prompt the user to install at a later time; however, any user who is a local administrator will be able to install Internet Explorer 9 at any time as an optional update from the Windows Update and Microsoft Update sites or from the Microsoft Download Center.

If a user selects Ask Me Later, the install process will not proceed and Automatic Updates will start notifying the user that an update is available using the same process (notification balloon and welcome screen) according to the local Automatic Updates settings
Just unchecking the update in WU means that you will continually be offered it.

No, it is impossible to route your email through another machine first, UNLESS the email server is compromised or your ISP name server is compromised or something like that.
What is possible is for someone to hack your router & intercept anything coming in or out of your connection (if you have weak or non-existent encryption).
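An added illustration of the point dvk01 makes about the spoofed email (example code, not from the thread or any product): the From: address is filled in by whoever sends the message, while the Received: headers, which each relay prepends as the mail passes through it, are what the "properties of the message" show about where it actually entered the mail system. The message below is constructed; all hostnames and addresses are made up, and only the hop added by your own provider can be trusted, since earlier ones can be forged too.

```python
import re
import email
from email import policy

# Constructed message mirroring the case in the thread: From: names a known
# contact, but the Received: chain records the real path. Hosts and addresses
# are invented (documentation ranges).
SAMPLE_MESSAGE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.isp.example with ESMTP id abc123; Fri, 15 Jul 2011 14:02:11 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.isp.example with ESMTP; Fri, 15 Jul 2011 14:02:09 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Fri, 15 Jul 2011 14:01:58 -0400
From: "A Friend" <friend@contacts.example>
To: user1@isp.example
Subject: urgent
Message-ID: <x@contacts.example>

please reply
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_received(raw_message):
    """Return the delivery hops oldest-first, each as {'host': ..., 'ip': ...}.
    Received: headers are stored newest-first, so the header list is reversed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_ip = IPV4.search(text)
        hops.append({"host": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None})
    return hops


def origin_ip(raw_message):
    """IP of the first hop, i.e. the machine that handed the mail to the first relay."""
    for hop in trace_received(raw_message):
        if hop["ip"]:
            return hop["ip"]
    return None


def claimed_sender(raw_message):
    """The address in From:, which the sender chooses freely and which proves nothing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return msg["From"].addresses[0].addr_spec


if __name__ == "__main__":
    print("claimed sender:", claimed_sender(SAMPLE_MESSAGE))
    print("origin IP:     ", origin_ip(SAMPLE_MESSAGE))
    for hop in trace_received(SAMPLE_MESSAGE):
        print("  hop:", hop)
```

Nothing in this chain touches the recipient's own machine or mail client, which is why a forged From: on its own says nothing about a reinfection.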
Veryfrustratedus
16-Jul-2011, 02:57 PM #24
Thx
I have a cable and cable modem.

I guess the email was a last gasp to try to get me to respond. I am worried about what they might have seen of my personal stuff, but I haven't purchased anything online in a long time, so there was likely no credit card info.