
I Think Svchost.exe Has Been Hijacked And Is Sending Automated Spam



#1 mikezone13

Posted 18 February 2008 - 05:31 PM

Hi all,

First post here, here goes.

PC/Network Environment
I have a laptop running Windows XP SP2 which connects to my work network (wired) and to a wireless network (now wired as the wireless router has died) at home (1 internet gateway PC, 1 laptop and 1 desktop connected to that network). The laptop is installed with Symantec Antivirus Corporate which is managed by my work domain/server.

While at work we are behind a firewall (server based) but I am not running a firewall on any of the PCs connected to the home network (silly me I know).

The Problems
About a week ago my pc all of a sudden started sending out spam when connected to my wireless home network, I knew this was happening as Symantec was monitoring outgoing email and was reporting send failures due to spam every few seconds. I ran a total antivirus scan through Symantec while disconnected from the network and cleaned out what was found and the problem appeared to be over.

However, a week or so later it started again (again when connected to the home network). This time I performed an Ad-Aware scan, followed by a Panda ActiveScan Pro scan and another Symantec Antivirus scan. Once all issues appeared to be under control I then installed the Sygate Personal Firewall to monitor any future outbound traffic just in case the problem hadn't been eradicated... it hadn't.

Now with the firewall running, all of a sudden I see traffic going to virtuoz.info from svchost.exe and every now and then to other strange addresses/IPs that I wouldn't expect.

To test things even further I unblocked svchost and gave it access to the network and it starts sending again, however once again this only happens when connected to my home network as I can leave svchost.exe unblocked for a full working day with no issues.

The other interesting thing to note is that while connected to the home network svchost.exe can be quiet for a day or two while unblocked but then all of a sudden at a certain time in the evening (Australia time) it kicks into gear.

Solutions Tried
In addition to solutions tried above I have also run a full anti virus scan (Symantec corporate) on my home network internet gateway pc as well as running a Panda ActiveScan pro and cleaning/deleting all infected issues.

Thanks in advance to anyone that can assist with this issue as I'd rather get this sorted out than have to do a full reinstall/repair of the laptop.

Cheers,
Mike

Edited by mikezone13, 18 February 2008 - 05:32 PM.



#2 Orange Blossom (Moderator)

Posted 18 February 2008 - 06:31 PM

Hello mikezone13,

Have you retained the logs from any of those scans? If so, please paste them in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 mikezone13 (Topic Starter)

Posted 18 February 2008 - 06:43 PM

Hello mikezone13,

Have you retained the logs from any of those scans? If so, please paste them in your next reply.

Orange Blossom :thumbsup:


Unfortunately not, but more than happy to rescan and do so if that helps.

#4 Orange Blossom (Moderator)

Posted 18 February 2008 - 10:16 PM

Hello mikezone13,

At this point, I'd like you to scan with SUPERAntiSpyware in Safe Mode. You will install it, of course, in Normal Mode.

Download and install SUPERAntiSpyware free found here: SUPERAntiSpyware

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into Safe Mode
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into Normal Mode
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:

#5 mikezone13 (Topic Starter)

Posted 19 February 2008 - 04:15 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2008 at 00:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:32:05

Memory items scanned : 219
Memory threats detected : 0
Registry items scanned : 7945
Registry threats detected : 0
File items scanned : 48184
File threats detected : 255

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@101-sex-positions[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@122.2o7[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@2o7[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@3.adbrite[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@4.adbrite[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@a.websponsors[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad.e-kolay[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad.uk.tangozebra[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad.yieldmanager[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad.zanox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad1.clickhype[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ad2.fotki[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adbrite[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adecn[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adlegend[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adopt.euroclick[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adopt.specificclick[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adrevolver[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.adbrite[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.associatedcontent[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.bleepingcomputer[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.boozle.com[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.bridgetrack[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.crakmedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.e4network[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.gameforgeads[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.mambocommunities[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.mediamayhemcorp[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.pgatour[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.planetactive[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.pugetsoundsoftware[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.revsci[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.techguy[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ads.telegraph.co[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adserver.toptenreviews[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adtech[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@adult[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@amlocalhost.trymedia[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@anad.tacoda[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@aotgroup.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@apmebf[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@apnonline.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@aru.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@atdmt[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@au.hwstats[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@banner.centrebet[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@bizrate[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@bs.serving-sys[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@buysafe.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@casalemedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@cbs.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@clickaider[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@clickfire[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@clickgolf.co[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@clicksor[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@clicktorrent[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@cnetaustralia.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@counter.hitslink[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@counter2.hitslink[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@crackserialkeygen[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@creview.adbureau[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@customerthink.advertserve[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@dealnews.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@demo70.adbureau[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@dminsite.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@doubleclick[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wbk4ghajihq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wbkoehdzicq.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wblouldjmao.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wbmialczokq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfk4wmczalq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfkoomc5chp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfkyqkcjafp.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfliggczgkp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfloaicpieo.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wfloknd5ihp.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wgk4apd5ccq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wgkyspc5cko.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wglyejazalo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wgmyelajieo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wgmyuhcpmlp.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6whkyghcjgho.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjk4cld5weq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkoknczolq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkowocjwkp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkycgajcfo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkycmdjodq.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkykhdzsep.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjkykiazsdp.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjl4eidjeeo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjliuoazmkp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjlokmd5mgo.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjloulcpsfo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjlyspdjmfp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjlywjdpokq.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjmywkazkbp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjnycpdjmkp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjnygidzggp.stats.esomniture[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjnyoldpmbo.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@e-2dj6wjnyopazwhp.stats.esomniture[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@eas.apm.emediate[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@edge.ru4[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-acreisaustralia.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-alkemi.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-autodesk.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-bskyb.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-coresenseinc.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-deltatre.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-electrum.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-foxmovies.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-futurepub.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-gaddispartners.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-irb.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-magicalia.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-melbourneit.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-oreilly.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-segaofamerica.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-sigames.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-starcomworldwide.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-techtarget.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-tgpublishing.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-theactivenetwork.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-tmgolf.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-twi.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-webex.hitbox[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-winnercomm.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ehg-wsseurope.hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@elitemss[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@equs.liveperson[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@equs.liveperson[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@equs.liveperson[4].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@fastclick[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@fdau.adbureau[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@free.wegcash[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@gcc-03.googleadservices[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@gettyimages.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@globalvaluecommerce.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@gmap.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@hc2.humanclick[3].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@hitbox[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ibangpornstars[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@image.masterstats[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@imagebank.ipcmedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@imrworldwide[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@incisivemedia.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@indexstats[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@indextools[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@inl.adbureau[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@interclick[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@ipoint.targetpoint[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@itxt.vibrantmedia[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@keywordmax[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@linkto.mediafire[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@majestymedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@mathworks.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@media.adrevolver[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@media.adrevolver[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@media.sensis.com[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@media.titleist[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@mediafire[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@mediaonenetwork[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@mediaplex[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@megastats[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@metacafe.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@msnportal.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@netgear.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@nextag[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@pamedia.com[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@partygaming.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@partypoker[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@paypal.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@porn365[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@premiumtv.122.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@pro-market[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@prominentplacement.adtrack.voicestar[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@qksrv[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@realmedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@revsci[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@roiservice[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@rotator.adjuggler[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@russell.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@sales.liveperson[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@sales.liveperson[3].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@sensismediasmart.com[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.cpmstar[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[10].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[11].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[3].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[4].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[5].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[6].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[7].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[8].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@server.iad.liveperson[9].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@serving-sys[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@sexy-photos[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@specificclick[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stat.dealtime[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stats.channel4[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stats.clicktracks[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stats.sitesuite[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stats.thescripts[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@statse.webtrendslive[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@stopzilla[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tacoda[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tdstats[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tourismwesternaustralia.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@track.asus[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@track.webtrekk[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@track.webtrekk[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@track.webtrekk[3].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tracking.newzealand[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tremor.adbureau[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tribalfusion[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@tripod[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@twstats[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@usatoday1.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@valueclick[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@webcam.ibangpornstars[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@webtrack.bestsoftware[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@windowsmedia[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@wotifcom.112.2o7[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.ads-click[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.clicktoconvert[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.clickxchange[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.etracker[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.ezytrack[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[10].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[11].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[3].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[4].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[5].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[6].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[7].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[8].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.googleadservices[9].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.halstats[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.porn365[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.pornpasses4free[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.sexy-photos[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.statssheet[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.stopzilla[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.switch-media-group[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www.yourtracking[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www4.addfreestats[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@www7.addfreestats[1].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@youngentrepreneur.us.intellitxt[2].txt
C:\Documents and Settings\michaelt.TAV\Cookies\michaelt@youngentrepreneur[2].txt

#6 Orange Blossom (Moderator)

Posted 19 February 2008 - 11:20 PM

Hello mikezone13,

That is a huge list of tracking cookies. I hoped the scan would unearth additional items, but there may be enough information from the tracking cookies to get an idea of what's responsible for the problem you're having. At this point, I'm going to turn this thread over to someone more experienced than I.

Orange Blossom :thumbsup:

#7 mikezone13 (Topic Starter)

Posted 19 February 2008 - 11:28 PM

Thanks, I look forward to any follow up advice, currently my firewall is just keeping the issue at bay, but it's definitely only a short term solution.

#8 quietman7 (Global Moderator)

Posted 20 February 2008 - 08:41 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it is scvhost.exe, then you're dealing with a Trojan.

You need to investigate svchost.exe and the related processes. See How to determine what services are running under a Svchost.exe process.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

I'd also like for you to try a couple other scans.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Please download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
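
Added example (not part of quietman7's post, and not code from Process Explorer, System Explorer or any other tool named in this thread): a Python script that applies the checks above to the text output of two stock XP commands, `tasklist /svc` (which services each host process is running) and `wmic process get CommandLine,ExecutablePath,ProcessId` (where each one runs from and how it was started). It flags a misspelt image name (using an edit-distance heuristic so that swapped or substituted letters such as scvhost.exe or svch0st.exe are caught), a copy running outside %SystemRoot%\system32, an instance started without the "-k <group>" argument that services.exe always passes to the genuine svchost.exe, and an instance that hosts no services at all. The SAMPLE_* inputs are constructed to look like those commands' output; they are not captured from the poster's machine, and the script assumes %SystemRoot% is C:\WINDOWS.

```python
"""Cross-check the svchost.exe instances on a Windows XP host.

Added example for this thread (not code from the posts or the tools they mention): the
checks described above, run over the text of `tasklist /svc` and `wmic process get
CommandLine,ExecutablePath,ProcessId`. SAMPLE_* inputs are constructed, not captured.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEGIT_NAME = "svchost.exe"
LEGIT_DIR = r"c:\windows\system32"   # assumes %SystemRoot% is C:\WINDOWS, as on this XP box


@dataclass
class HostProcess:
    pid: int
    image: str
    services: List[str] = field(default_factory=list)
    path: Optional[str] = None
    cmdline: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts a swap of adjacent letters (scv/svc) as one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def parse_tasklist_svc(text: str) -> Dict[int, HostProcess]:
    """One row per process; a long service list wraps onto indented continuation lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last = HostProcess(int(m.group(2)), m.group(1))
            procs[last.pid] = last
            line = "" if m.group(3).strip() == "N/A" else m.group(3)
        elif not (last and line.startswith(" ")):
            continue                                   # header, separator or blank line
        last.services.extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def parse_wmic(text: str) -> Dict[int, Dict[str, str]]:
    """wmic prints left-aligned fixed-width columns; the header words mark the column starts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rows: Dict[int, Dict[str, str]] = {}
    for ln in lines[1:]:
        rec = {name: ln[start:(cols[k + 1][1] if k + 1 < len(cols) else None)].strip()
               for k, (name, start) in enumerate(cols)}
        rows[int(rec["ProcessId"])] = rec
    return rows


def triage(tasklist_text: str, wmic_text: str) -> List[HostProcess]:
    """Every svchost(-lookalike) process, each with the points that merit a closer look."""
    paths, report = parse_wmic(wmic_text), []
    for pid, p in sorted(parse_tasklist_svc(tasklist_text).items()):
        name = p.image.lower()
        if name != LEGIT_NAME and osa_distance(name, LEGIT_NAME) > 2:
            continue                                   # unrelated process, skip it
        if name != LEGIT_NAME:
            p.findings.append(f"image name {p.image!r} is a lookalike of {LEGIT_NAME}")
        if pid in paths:
            p.path, p.cmdline = paths[pid]["ExecutablePath"], paths[pid]["CommandLine"]
            if ntpath.dirname(p.path).lower() != LEGIT_DIR:
                p.findings.append(f"runs from {ntpath.dirname(p.path)!r}, not {LEGIT_DIR}")
            if not re.search(r"\s-k\s+\S+", p.cmdline):
                p.findings.append("started without the -k <group> argument services.exe uses")
        if not p.services:
            p.findings.append("hosts no services (tasklist shows N/A)")
        report.append(p)
    return report


SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    904 DcomLaunch, TermService
svchost.exe                   1084 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   lanmanserver, Schedule, wuauserv, WZCSVC
svchost.exe                   2212 N/A
scvhost.exe                   2400 N/A
"""
_ROWS = [("CommandLine", "ExecutablePath", "ProcessId"),
         (r"C:\WINDOWS\system32\svchost -k DcomLaunch", r"C:\WINDOWS\system32\svchost.exe", "904"),
         (r"C:\WINDOWS\System32\svchost.exe -k netsvcs", r"C:\WINDOWS\System32\svchost.exe", "1084"),
         (r"C:\WINDOWS\svchost.exe", r"C:\WINDOWS\svchost.exe", "2212"),
         (r'"C:\WINDOWS\system32\scvhost.exe"', r"C:\WINDOWS\system32\scvhost.exe", "2400")]
_W = [max(len(r[i]) for r in _ROWS) + 2 for i in range(3)]          # pad columns as wmic does
SAMPLE_WMIC = "\n".join("".join(v.ljust(w) for v, w in zip(r, _W)) for r in _ROWS)

if __name__ == "__main__":
    for p in triage(SAMPLE_TASKLIST, SAMPLE_WMIC):
        print(f"PID {p.pid:>5} {p.image:<12} {p.path or '?'}", *("\n       - " + f for f in p.findings))
```

On the constructed sample the two genuine instances (PIDs 904 and 1084) come back clean, the copy in C:\WINDOWS is reported three times over (wrong folder, no -k group, no services), and scvhost.exe is reported as a lookalike. A finding is a reason to look closer with Process Explorer, not proof of malware: an instance can legitimately show N/A for a moment while its services are still starting.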

#9 mikezone13 (Topic Starter, Members, 10 posts)

Posted 20 February 2008 - 05:09 PM

Thanks, will do the SDFix and AVG Anti-Rootkit shortly and reply.

Interestingly my firewall is set to block svchost.exe, however with it blocked and ccapp.exe allowed my pc still tried to send out spam mail. As soon as I blocked ccapp.exe the problem stopped.

#10 mikezone13 (Topic Starter, Members, 10 posts)

Posted 21 February 2008 - 12:02 AM

SDFix: Version 1.144

Run by Administrator on Thu 21/02/2008 at 02:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-21 15:50:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:ec,13,17,e7,b9,e4,3b,b2,bb,d1,5b,54,27,9b,73,b4,7a,21,70,1c,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,c9,9a,2c,a8,29,85,e2,ff,a9,99,9b,bf,f7,2f,8d,7a,ff,..
"hdf12"=hex:ef,4c,63,14,4b,73,db,da,29,97,95,cb,a5,65,2a,c3,d0,e7,2b,fa,24,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:45,39,d2,26,f2,65,9c,a8,e1,8e,d1,e2,f2,1b,dc,9f,da,19,0b,fe,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:c9,91,55,7d,45,6c,cf,ec,96,40,c2,d5,3d,28,4f,35,41,33,8b,c0,8d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:ec,13,17,e7,b9,e4,3b,b2,bb,d1,5b,54,27,9b,73,b4,7a,21,70,1c,3c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,c9,9a,2c,a8,29,85,e2,ff,a9,99,9b,bf,f7,2f,8d,7a,ff,..
"hdf12"=hex:ef,4c,63,14,4b,73,db,da,29,97,95,cb,a5,65,2a,c3,d0,e7,2b,fa,24,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:45,39,d2,26,f2,65,9c,a8,e1,8e,d1,e2,f2,1b,dc,9f,da,19,0b,fe,fd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:c9,91,55,7d,45,6c,cf,ec,96,40,c2,d5,3d,28,4f,35,41,33,8b,c0,8d,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\WINDOWS\\SMINST\\Scheduler.exe"="C:\\WINDOWS\\SMINST\\Scheduler.exe:*:Enabled:Scheduler "
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\The Eagle\\TheEagle.exe"="C:\\Program Files\\The Eagle\\TheEagle.exe"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\The Eagle\\TheEagle.exe"="C:\\Program Files\\The Eagle\\TheEagle.exe"
"C:\\WINDOWS\\SMINST\\Scheduler.exe"="C:\\WINDOWS\\SMINST\\Scheduler.exe:*:Enabled:Scheduler"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\WINDOWS\\system32\\fxsslm12.exe"="C:\\WINDOWS\\system32\\fxsslm12.exe:*:Enabled:Salutation Daemon"
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe:*:Enabled:Football Manager 2008"
"C:\\Program Files\\Microsoft Office\\Office12\\POWERPNT.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\POWERPNT.EXE:*:Enabled:Microsoft Office PowerPoint"
"C:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"="C:\\Program Files\\ACT\\Act for Windows\\ActSage.exe:*:Enabled:ACT! 10.x/2008"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"="C:\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"

Remaining Files:



Files with Hidden Attributes:

Thu 30 Aug 2007 56 A.SH. --- "C:\WINDOWS\SMINST\hpboot.sys"
Fri 8 Feb 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\73D9783D2E.sys"
Fri 8 Feb 2008 900 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Tue 26 Jun 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp"
Thu 21 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BITE.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT158.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp"
Thu 21 Feb 2008 929,048 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d01ca2518af4a85a2dc5060b161ee5f6\BITD.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp"
Thu 29 Nov 2007 190,976 ...H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\Microsoft\Word\~WRL0459.tmp"
Thu 29 Nov 2007 191,488 ...H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\Microsoft\Word\~WRL1612.tmp"
Thu 29 Nov 2007 191,488 ...H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\Microsoft\Word\~WRL3011.tmp"
Thu 29 Nov 2007 191,488 ...H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\Microsoft\Word\~WRL3027.tmp"
Thu 29 Nov 2007 193,024 ...H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\Microsoft\Word\~WRL3181.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\michaelt.TAV\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

#11 quietman7 (Bleepin' Janitor, Global Moderator, 52,056 posts, Virginia, USA)

Posted 21 February 2008 - 08:10 AM

Open Windows Explorer, navigate to and delete the following file:
C:\Documents and Settings\All Users\Application Data\73D9783D2E.sys <- this file

and then delete all these BIT*.tmp files:
C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT7.tmp
C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT5.tmp
C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp
C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BITE.tmp
C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT158.tmp
C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT8.tmp
C:\WINDOWS\SoftwareDistribution\Download\d01ca2518af4a85a2dc5060b161ee5f6\BITD.tmp
C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp
C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT6.tmp

--If you cannot see these files, then Reconfigure Windows XP to show hidden files, folders. Double-click on My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders, check "Show hidden files and Folders", uncheck "Hide Protected operating system Files (recommended)", uncheck "Hide file extensions for known file types", and hit Apply > OK. (Don't delete anything other than what I ask you to delete. After we are finished, follow the same procedure to hide these files and folders again to protect them from accidental deletion)

How did the scan with AVG ARK go?

#12 mikezone13 (Topic Starter, Members, 10 posts)

Posted 21 February 2008 - 04:32 PM

All files above have been deleted except...

C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BITE.tmp

It tells me this file is in use by another user or program.

I have not done the AVG ARK scan yet and plan to do that very shortly.

#13 quietman7 (Bleepin' Janitor, Global Moderator, 52,056 posts, Virginia, USA)

Posted 21 February 2008 - 06:12 PM

Then try deleting the file in safe mode.

#14 mikezone13 (Topic Starter, Members, 10 posts)

Posted 21 February 2008 - 08:19 PM

First scan for rootkits in AVG turned up the following file... should I delete it?

C:\WINDOWS\System32\Drivers\asnsj62c.SYS,Hidden driver file

#15 quietman7 (Bleepin' Janitor, Global Moderator, 52,056 posts, Virginia, USA)

Posted 21 February 2008 - 09:52 PM

Not all hidden components detected by ARKs are malicious. Are you using Daemon Tools? It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. These are some examples I have seen.

%System%\Drivers\aipoo3sv.sys
%System%\Drivers\a8gmqt1g.sys
%System%\Drivers\a17bv1ll.sys
%System%\Drivers\a6coz31f.sys
%System%\Drivers\a8w1z6pv.sys
%System%\Drivers\ajmgz8bs.sys
%System%\Drivers\avq9mqqi.sys
%System%\Drivers\a5kvtrfn.sys
%System%\Drivers\a5kvtrfn.sys

It uses semi-random names but always with a*******.sys and is 8 characters long (combination of letters/numbers). I have read that the name-changing routine may be due to the fact that Daemon Tools is sometimes used to circumvent anti-piracy measures in games so the player does not have to keep swapping out CDs. Thus, the name change may be an attempt to stop the anti-piracy systems detecting its presence.

If you never used Daemon Tools or did at one time but uninstalled it, then go ahead and remove it.
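
Added example (not part of quietman7's post, and not code from AVG Anti-Rootkit or SDFix): a Python script that turns the naming rule above into a check and ties it to the other clue already in this thread, the sptd\Cfg registry key that the catchme section of the SDFix log shows, whose "p0" value names the DAEMON Tools folder. A hidden driver named a*******.sys in %System%\Drivers while that key is present is consistent with an installed DAEMON Tools; the same name with no sptd key is the "uninstalled it but the driver stayed behind" case; anything else should be identified before it is deleted. SAMPLE_CATCHME is constructed to resemble the log (with a placeholder hex key name) and is not copied from the poster's machine; ARK_RESULT is the line mikezone13 posted.

```python
"""Is a hidden driver flagged by an anti-rootkit scan the SPTD driver that DAEMON Tools installs?

Added example for this thread, not code from the posts or from AVG Anti-Rootkit. It encodes
the naming rule given above (a*******.sys: an 'a' and seven letters or digits, living in the
%System%\\Drivers folder) and cross-checks it against the sptd\\Cfg registry key that the
catchme section of the SDFix log lists, whose "p0" value names the DAEMON Tools folder.
SAMPLE_CATCHME is constructed to resemble that log (placeholder hex key name); it is not
copied from the poster's machine.
"""
import re
from typing import Dict, Tuple

DAEMON_NAME = re.compile(r"^a[a-z0-9]{7}\.sys$", re.I)       # a*******.sys: 8 characters + .sys
SPTD_CFG_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(\w+)\\Services\\sptd\\Cfg\\[0-9A-F]+\]$", re.I)
DRIVER_DIRS = ("\\system32\\drivers", "%system%\\drivers")   # where the examples above live


def sptd_install_dirs(catchme_dump: str) -> Dict[str, str]:
    """control set name -> folder in the sptd\\Cfg\\<hex> key's "p0" value (empty dict if none)."""
    dirs, current = {}, None
    for line in catchme_dump.splitlines():
        km = SPTD_CFG_KEY.match(line.strip())
        if km:
            current = km.group(1)
        elif line.startswith("["):                           # any other key ends the p0 search
            current = None
        elif current and line.startswith('"p0"='):
            dirs[current] = line.split("=", 1)[1].strip('"')
    return dirs


def classify_hidden_driver(report_line: str, sptd_dirs: Dict[str, str]) -> Tuple[str, str]:
    """ARK result line 'path,description' -> (verdict, reason)."""
    path = report_line.split(",", 1)[0].strip()
    folder, _, name = path.rpartition("\\")
    if not (folder.lower().endswith(DRIVER_DIRS) and DAEMON_NAME.match(name)):
        return "unknown", f"{name} does not follow the SPTD naming pattern; identify it before deleting"
    if sptd_dirs:
        where = ", ".join(sorted(set(sptd_dirs.values())))
        return "sptd-installed", f"{name} fits the SPTD pattern and sptd is configured for {where}"
    return "sptd-orphan", f"{name} fits the SPTD pattern but no sptd\\Cfg key was found"


# Constructed excerpt in the style of the catchme section of the SDFix log (placeholder key name).
SAMPLE_CATCHME = r"""
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0123456789ABCDEF0123456789ABCDEF]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"h0"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0123456789ABCDEF0123456789ABCDEF\00000001]
"a0"=hex:20,01,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0123456789ABCDEF0123456789ABCDEF]
"p0"="C:\Program Files\DAEMON Tools Pro\"
"""
# The line AVG Anti-Rootkit reported in this thread.
ARK_RESULT = r"C:\WINDOWS\System32\Drivers\asnsj62c.SYS,Hidden driver file"

if __name__ == "__main__":
    dirs = sptd_install_dirs(SAMPLE_CATCHME)
    for line in (ARK_RESULT, r"C:\WINDOWS\system32\drivers\xyzhook.sys,Hidden driver file"):
        print(*classify_hidden_driver(line, dirs), sep=": ")
```

Run against the constructed log, asnsj62c.SYS comes back as "sptd-installed" because both control sets carry an sptd\Cfg key pointing at the DAEMON Tools folder; the same line with an empty dictionary gives "sptd-orphan", and a hidden driver with any other name stays "unknown". The check is only as good as the naming rule, so treat its verdict as a reason to ask the question quietman7 asks (is Daemon Tools installed?) rather than as a final answer.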



