Whatever it is doing on either of our machines quietman, it can't be good. Unfortunately, 150 other times it did this I wouldn't get the error message and I often get IE is not responding if I try to close. I have a program that shows all running programs with several svchosts going at the same time and I have no clue what is going on. I would really like to find out what business the website appears to be doing that my best guess tells me is unnecessary. Humm.
Found out I have sodimm ddr2 ram and need 512 more, I'll poke around for some. That might solve some of the problem.
tidserv? cant seem to get this solved
#17
Posted 22 July 2011 - 12:34 PM
Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (.dll's) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from .dll's. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual to find multiple instances of Svchost.exe running at the same time in Windows Task Manager in order to optimize the running of the various services.
- svchost.exe SYSTEM
- svchost.exe LOCAL SERVICE
- svchost.exe NETWORK SERVICE
Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process identifier (PID)'s must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. The PID is not static and can change with each logon but generally they stay nearly the same because they are always running services.
Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. The legitimate Svchost.exe file is located in the C:\WINDOWS\system32\ folder.
Another technique is for the process to alter the registry and add itself as a service or startup program as shown here and here so that it can run automatically each time the computer is booted. If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Always make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.
Tools to investigate running processes, services and gather additional information to identify them or resolve problems:
- Process Explorer
- System Explorer
- ProcessHacker - (requires Microsoft .NET Framework 2.0 or above to use)
- Autoruns
- Process Monitor
- AnVir TaskManager Free
- Windows Service Commander
- svchostViewer
-- These tools will provide information about each process, CPU usage, file description and its path location. Most of them are stand-alone apps in a zip file so no installation is necessary.
-- System Explorer provides a security check of running processes using their online security database when you first launch the program. If you want to process the initial scan, press the "Start Security Check" button. Keep in mind that the check is not a guarantee of what is or is not detected as malware. Further investigation is always recommended. At the Security Check page you can also check the file through the VirusTotal database by pressing the Check MD5 button.
-- Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
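The path and spelling checks described in the post above, as an added PowerShell example that is not part of the original post. It lists every process named svchost.exe or within two character edits of that name (a generalization of the post's scvhost.exe case), the path it runs from, and the services hosted under its PID. The function name and the edit-distance threshold are assumptions made for this example.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing.
function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, computed one row at a time.
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (,0 * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = [int]($a[$i - 1] -cne $b[$j - 1])
            $best = [Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1)
            $cur[$j] = [Math]::Min($best, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    $prev[$b.Length]
}

# Legitimate locations: System32, plus the 32-bit copy in SysWOW64 on 64-bit Windows.
$legit = 'System32', 'SysWOW64' | ForEach-Object {
    (Join-Path $env:SystemRoot "$_\svchost.exe").ToLower()
}

# Running services indexed by the PID of the process that hosts them.
$servicesByPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process | ForEach-Object {
    $dist = Get-EditDistance $_.Name.ToLower() 'svchost.exe'
    if ($dist -gt 2) { return }          # unrelated name, skip to the next process

    $path = $_.ExecutablePath            # empty when the caller lacks rights to read it
    if ($dist -ne 0) {
        $verdict = 'LOOK-ALIKE NAME'     # e.g. scvhost.exe
    } elseif (-not $path) {
        $verdict = 'path unreadable (run elevated)'
    } elseif ($legit -contains $path.ToLower()) {
        $verdict = 'expected path'
    } else {
        $verdict = 'UNEXPECTED PATH'
    }

    [pscustomobject]@{
        PID      = $_.ProcessId
        Name     = $_.Name
        Path     = $path
        Verdict  = $verdict
        Services = ($servicesByPid[[string]$_.ProcessId].Name -join ', ')
    }
} | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap
```

A correctly named svchost.exe in the expected folder with no services listed against its PID still deserves a closer look with one of the tools named in the post.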
#18
Posted 22 July 2011 - 01:44 PM
Great info, thanks.
I did the online scan and some old spy bot stuff came up and I uninstalled then deleted anything to do with spybot. It has not run.
This is what it came up with:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SweetIM33.zip Win32/Bagle.gen.zip worm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SweetIM52.zip Win32/Bagle.gen.zip worm
I was online beforehand searching on Yahoo and doing this and that and all was well for a long time, I would say 3 hours total that I was online.
Now, after the scan which took a good amount of time in itself, if I use the Yahoo search engine it is redirecting to the same places as before. Darn it.
I did a Kaspersky again and that was ok and my cookies are not being reset and am doing another Malwarebytes at the moment.
We took 3 steps fwd and now 1 backward LOL
#19
Posted 22 July 2011 - 01:54 PM
If you are still getting redirects then that indicates we are not finding all the malware. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need to create and post a DDS log for further investigation.
Please read the "Preparation Guide".
- If you cannot complete a step, then skip it and continue with the next.
- In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#20
Posted 23 July 2011 - 08:29 AM
Got it quietman, gathering data and then will go from there.
Thank you.
#21
Posted 23 July 2011 - 10:28 AM
#22
Posted 23 July 2011 - 11:04 AM
Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse which would extend the time it takes to clean your computer.
From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.
To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.
Good luck with your log.
Microsoft MVP - Consumer Security 2007-2012 
Member of UNITE, Unified Network of Instructors and Trusted Eliminators