When I clicked on a Google search results link, the script blocking add-on I have installed in Firefox v.3.6.12 would stop the script and a white screen would appear with a url that started with:
hxxp://plxlestatservlce.com/
and has a long alpha-numeric string after it.
I could get past the problem most of the time if I right-clicked on the link and saved the link URL to the clipboard. I'd right-click again and choose 'Open in New Tab'. Some of the time it would work. If not, I would use another Firefox add-on to open the URL saved on the clipboard in the tab with the 'plxlestatservlce' URL string. This would always work.
I found one post about the 'http://plxlestatservlce.com/' problem when it first began. The post suggested using MalwareBytes Anti-Malware, then ComboFix to resolve the problem. I ran MalwareBytes, and it found bugs that I had it fix. I couldn't get ComboFix to run. ComboFix kept giving an error message that it couldn't find a file. I was in the process of sorting the problem out when my mom became sick and I had to put the problem on a back burner.
It was about 3 weeks later before I could get back to the problem. Before I could look for any new info on the Google hijacking problem, a new problem surfaced in the OS, particularly Explorer. I had been wanting to dump Norton AV, and had let the definitions expire a while back. I downloaded and installed aVast and it found problems with the following XP system files:
c:\windows\explorer.exe
c:\windows\system32\
lsass.exe
msvcrt.dll
services.exe
spoolsv.exe
svchost.exe
user32.dll
winlogon.exe
c:\windows\system32\dllcache\msvcrt.dll
c:\windows\system32\dllcache\user32.dll
The only file aVast could fix was the user32.dll in 'dllcache'. I figured the only way to fix the problem would be to find good copies of the files and replace the files using the 'Console' accessible via the XP setup process. I got good copies, and replaced them.
I re-ran aVast and got a clean bill of health.
A new Google search turned up a new post about 'http://plxlestatservlce.com/' hijacking Google. This one recommended using StopZilla to fix the problem. StopZilla found malware, trojans, etc., and repaired/deleted/quarantined them. The 'http://plxlestatservlce.com/' problem went out with the trash.
I was about to celebrate when I realized the system was sluggish and not up to par. I ran Task Manager and noticed that one of the 'svchost.exe' processes seemed to be chewing up resources as fast as Task Manager could refresh (set to High).
The good XP system files I used to fix my system came from my wife's machine. I built both computers at the same time, and except for HD size and the fact that I have a DVD burner while she has a player, they are identical inside the box: MB, CPU, memory, video card, etc. They are twins.
When I first realized something was wrong with the svchost.exe process, I checked Task Manager on her system, and she had no svchost process eating up resources. None of the svchost.exe processes were even close to the resource usage I'm showing and her system hadn't been re-booted for several weeks. That's what leads me to think there's a problem.
Before I started this post, I re-booted the system and did a screen cap of Task Mgr shortly after the re-boot, at 0:16:05, (System Idle Process CPU Time). I just did another, at 3:35:34, (System Idle Process CPU Time). The results are below:
System Idle CPU Time | CPU Time | Mem Usage | VM Size | Handles | USER Obj | GDI Objects
0:16:05 | 0:00:01 | 21,936k | 15,452k | 978 | 2 | 4
3:35:34 | 0:00:18 | 52,860k | 38,776k | 1,134 | 30 | 128
I have a utility called Process Explorer that reports what is running via any particular process. For this resource gulping svchost.exe, Process Explorer lists the following:
AudioSrv Windows Audio
CryptSvc CryptSvc
Dhcp DHCP Client
dmserver Logical Disk Manager
ERSvc Error Reporting Service
Event System COM+ Event System
helpsvc Help & Support
lanmanserver Server
lanmanworkstation Workstation
Netman Network Connections
Nla Network Location Awareness (NLA)
Schedule Task Scheduler
seclogon Secondary Logon
SENS System Event Notification
ShellHWDetection Shell Hardware Detection
srservice System Restore Service
W32Time Windows Time
winmgmt Windows Management Instrumentation
wscsvc Security Center
wuauserv Automatic Updates
I've only posted a Hijack This log, but I have logs or screen caps from the utilities I've used and mentioned above. If these or any others would be helpful, let me know.
AVast, Anti-Malware and StopZilla give the system a clean bill of health, but something is not right. I'm hoping someone may have experienced what I'm going through. I have never had to 'splice' OS files back into XP before, so I'm not sure if the problem is related to that, or not.
Thanks, in advance, for any help or ideas.
Sincerely,
GeoD
~~~~~~~~~~~
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:26:26 PM, on 11/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
U:\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
E:\Office\Atomic Clock\AtomicAlarmClock.exe
C:\Program Files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe
C:\WINDOWS\RTHDCPL.EXE
U:\Avast\avastUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
U:\Folder Size\FolderSizeSvc.exe
c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\disk.creating\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
E:\Office\EditPad.Pro\EditPadPro.exe
U:\HiJack This\hijack.this..v.2.0.4.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=45724
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2D0733B6-0BAC-47C1-909A-D9DB0533FFAF} - (no file)
O2 - BHO: DepositFiles.com BHO - {9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Deposit IE Toolbar - {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SkinClock] E:\Office\Atomic Clock\AtomicAlarmClock.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDetector] c:\Program Files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast5] "U:\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SkinClock] E:\Office\Atomic Clock\AtomicAlarmClock.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Download all with DF Manager - {D5AD327A-A089-4F04-89FD-4EA9812B3913} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - https://mercury.gale.com:1505/Per_Periodical/tools/wspell.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - U:\Super AntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - U:\Folder Size\FolderSizeSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Unknown owner - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (file missing)
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\disk.creating\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 6857 bytes
This post has been edited by Orange Blossom: 20 November 2010 - 07:23 PM
Reason for edit: Deactivate link. ~ OB
