Author Topic: svchost.exe and windows update (Read 38158 times)

cfnyy51 · « **Reply #15 on:** November 07, 2010, 06:52:22 AM »

I had the OS Disk and ran the scan. It did not ask for the disk.

Antivir is still detecting BOO/Alureon A.

SuperDave · « **Reply #16 on:** November 07, 2010, 10:40:12 AM »

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected

At the bottom of the page

Hidden Objects Only << Selected

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was

extracted to. Open the text file and copy/paste the log here.
[/list]

cfnyy51 · « **Reply #17 on:** November 07, 2010, 06:01:10 PM »

After clicking "Create Log", a few seconds passes as a blue status bar progresses. Then, the attached image appears.

[recovering disk space - old attachment deleted by admin]

SuperDave · « **Reply #18 on:** November 07, 2010, 07:09:36 PM »

Ok. Forget about that one and try this:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click NO
In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
Save it where you can easily find it, such as your desktop.

cfnyy51 · « **Reply #19 on:** November 08, 2010, 03:51:29 AM »

GMER 1.0.15.15507 - http://www.gmer.net
Rootkit scan 2010-11-08 05:47:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A 8.16
Running: gmer.exe; Driver: C:\DOCUME~1\MARIOG~1\LOCALS~1\Temp\pxloapoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwAllocateVirtualMemory [0xEE9EFED0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwAssignProcessToJobObject [0xEE9F0700]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwConnectPort [0xEE9EDDA0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateFile [0xEE9FD9C0]
SSDT F8B6E636 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreatePort [0xEE9ED8E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateProcess [0xEE9EA620]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateProcessEx [0xEE9EAA30]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwCreateSection [0xEE9E9EF0]
SSDT F8B6E62C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwDebugActiveProcess [0xEE9ECB90]
SSDT F8B6E63B ZwDeleteKey
SSDT F8B6E645 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwDuplicateObject [0xEE9ED6F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwLoadDriver [0xEE9EF490]
SSDT F8B6E64A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenFile [0xEE9FE040]
SSDT F8B6E618 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwOpenSection [0xEE9EA310]
SSDT F8B6E61D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwProtectVirtualMemory [0xEE9F0350]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwQueryDirectoryFile [0xEE9EFA70]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwQueueApcThread [0xEE9F08A0]
SSDT F8B6E654 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwRequestPort [0xEE9EE9A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwRequestWaitReplyPort [0xEE9EEF90]
SSDT F8B6E64F ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwResumeThread [0xEE9ED340]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSecureConnectPort [0xEE9EE190]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSetContextThread [0xEE9EC970]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSetSystemInformation [0xEE9ECD30]
SSDT F8B6E640 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwShutdownSystem [0xEE9EF370]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSuspendProcess [0xEE9ED520]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSuspendThread [0xEE9ED130]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwSystemDebugControl [0xEE9ECF40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwTerminateProcess [0xEE9EBC80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwTerminateThread [0xEE9EC760]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwUnloadDriver [0xEE9EF780]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Emsisoft) ZwWriteVirtualMemory [0xEE9F0520]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [E0, D8, 9E, EE, 20, A6, 9E, ...] {LOOPNZ 0xffffffffffffffda; SAHF ; OUT DX, AL ; AND [ESI-0x55cf1162], AH; SAHF ; OUT DX, AL }
.text ntoskrnl.exe!_abnormal_termination + 368 804E29D4 8 Bytes JMP 6FDF1877
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [20, D5, 9E, EE, 30, D1, 9E, ...] {AND CH, DL; SAHF ; OUT DX, AL ; XOR CL, DL; SAHF ; OUT DX, AL ; INC EAX; IRET ; SAHF ; OUT DX, AL }
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF88F3760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7158F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[168] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[212] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Bonjour\mDNSResponder.exe[360] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\csrss.exe[448] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\winlogon.exe[472] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text ...
.text C:\Program Files\Windows Defender\MSASCui.exe[532] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001
.text C:\Program Files\Windows Defender\MSASCui.exe[532] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[532] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[532] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Windows Defender\MSASCui.exe[532] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[532] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[532] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[532] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\lsass.exe[536] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E40001
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[788] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Windows Defender\MsMpEng.exe[888] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text ...
.text C:\WINDOWS\system32\igfxpers.exe[1148] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A00001
.text C:\WINDOWS\system32\igfxpers.exe[1148] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1148] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[1148] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\igfxpers.exe[1148] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1148] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\igfxpers.exe[1148] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\igfxpers.exe[1148] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Emsisoft\Online Armor\OAcat.exe[1200] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71AF003D
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1588] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\System32\svchost.exe[1592] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text ...
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CD0001
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1E0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1756] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[1804] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EA0001
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\DellSupport\DSAgnt.exe[1808] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1848] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1936] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\taskmgr.exe[2388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\WINDOWS\system32\taskmgr.exe[2388] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskmgr.exe[2388] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\taskmgr.exe[2388] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\taskmgr.exe[2388] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\taskmgr.exe[2388] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\taskmgr.exe[2388] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskmgr.exe[2388] iphlpapi.dll!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[2776] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\ctfmon.exe[2780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C20001
.text C:\WINDOWS\system32\ctfmon.exe[2780] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2780] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2780] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\ctfmon.exe[2780] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[2780] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[2780] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2780] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A10001
.text C:\WINDOWS\system32\hkcmd.exe[2848] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\hkcmd.exe[2848] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\hkcmd.exe[2848] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[3008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
.text C:\WINDOWS\Explorer.EXE[3008] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[3008] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[3008] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\WINDOWS\Explorer.EXE[3008] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[3008] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[3008] USER32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[3008] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E80001
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 71B0003D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F130F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3224] USER32.dll!ExitWindowsEx &nb

SuperDave · « **Reply #20 on:** November 08, 2010, 12:03:05 PM »

Is your computer running any better now?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the

button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check

•Click the

button.
•Accept any security warnings from your browser.
•Check

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push

•Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the

button.
•Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

cfnyy51 · « **Reply #21 on:** November 08, 2010, 09:04:28 PM »

May I run an Anti-Vir scan at this point and see if it still detects BOO/Alureon A?

-------------------------------------------------------------------
ESET scan results"

C:\WINDOWS\Web\ksidgmi.bak1   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\Web\ksidgmi.bak2   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\Web\ksidgmi.ini   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
C:\WINDOWS\Web\ksidgmi.ini2   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined

SuperDave · « **Reply #22 on:** November 09, 2010, 11:35:20 AM »

Quote

May I run an Anti-Vir scan at this point and see if it still detects BOO/Alureon A?

Yes, go ahead but it's probably a false positive. You can also download another AV and run a scan with that but don't enable two AV's on your computer because they will conflict. Just use one for occasional scanning
Microsoft Security Essentials for Windows XP

Let's see if you can run ComboFix again as outlined in Reply #5.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.

cfnyy51 · « **Reply #23 on:** November 09, 2010, 05:34:02 PM »

Few things:

1) I ran MBR Check, and the log is what follows after these few notes.

2) I have attached a photo of a message from combofix. I did not get this far prior to this. However, after seeing the message and what your last post suggested, I removed AntiVir, and Combofix is still seeing it. Also, (this is not my PC) I have no idea where AOL antivirus is or how to close it/disable it.

3) svchost.exe is still taking up a large amount of the cpu. Near 100%. Is this because I uninstalled ANtivir?

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x0000001d

Kernel Drivers (total 149):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF8A38000 \WINDOWS\system32\KDCOM.DLL
0xF8948000 \WINDOWS\system32\BOOTVID.dll
0xF84E9000 ACPI.sys
0xF8A3A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84D8000 pci.sys
0xF8538000 isapnp.sys
0xF8B00000 pciide.sys
0xF87B8000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8A3C000 intelide.sys
0xF8548000 MountMgr.sys
0xF84B9000 ftdisk.sys
0xF8A3E000 dmload.sys
0xF8493000 dmio.sys
0xF87C0000 PartMgr.sys
0xF8558000 VolSnap.sys
0xF847B000 atapi.sys
0xF8568000 disk.sys
0xF8578000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF845B000 fltmgr.sys
0xF8449000 sr.sys
0xF8434000 drvmcdb.sys
0xF87C8000 PxHelp20.sys
0xF841D000 KSecDD.sys
0xF8390000 Ntfs.sys
0xF8363000 NDIS.sys
0xF8349000 Mup.sys
0xF85E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF743C000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7428000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF88E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7404000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF88E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF85F8000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF73E1000 \SystemRoot\system32\DRIVERS\ks.sys
0xF72BA000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF7225000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF88F0000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF88F8000 \SystemRoot\System32\Drivers\Modem.SYS
0xF71FF000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF8900000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF8608000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8908000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8618000 \SystemRoot\system32\DRIVERS\serial.sys
0xF830C000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF71EB000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8A56000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF8628000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8638000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF8308000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF8648000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF71AB000 \SystemRoot\system32\drivers\smwdm.sys
0xF7187000 \SystemRoot\system32\drivers\portcls.sys
0xF8658000 \SystemRoot\system32\drivers\drmk.sys
0xF70D4000 \SystemRoot\system32\drivers\senfilt.sys
0xF8C0B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8668000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF82FC000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF70BD000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8678000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8688000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8910000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF8918000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8920000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF8928000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF708D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF8698000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8930000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A58000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF702F000 \SystemRoot\system32\DRIVERS\update.sys
0xF78F2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF86A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8758000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A66000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8A08000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF8808000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A20000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8A72000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B58000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A74000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8818000 \SystemRoot\system32\drivers\ssrtln.sys
0xF8820000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8828000 \SystemRoot\System32\drivers\vga.sys
0xF8A76000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A78000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8830000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8838000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A2C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF75CA000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
0xEEC41000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF75BA000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xEEB48000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF8840000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
0xEEB20000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF8A34000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEEAFE000 \SystemRoot\System32\drivers\afd.sys
0xF75AA000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF8848000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xEEA72000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF759A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF8850000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEEA47000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEE9D1000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
0xEE961000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF758A000 \SystemRoot\System32\Drivers\Fips.SYS
0xF8B67000 \SystemRoot\System32\Drivers\BANTExt.sys
0xEE93E000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF8A7C000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xEEF30000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF85A8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xEEF2C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEEE3F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE729000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AA2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEECAB000 \SystemRoot\System32\drivers\Dxapi.sys
0xEE88E000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8BA4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEE6C4000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xEE839000 \SystemRoot\system32\drivers\drvnddm.sys
0xF8BBC000 \SystemRoot\system32\dla\tfsndres.sys
0xEE6AE000 \SystemRoot\system32\dla\tfsnifs.sys
0xEEEE5000 \SystemRoot\system32\dla\tfsnopio.sys
0xF8AC4000 \SystemRoot\system32\dla\tfsnpool.sys
0xEE886000 \SystemRoot\system32\dla\tfsnboio.sys
0xEE829000 \SystemRoot\system32\dla\tfsncofs.sys
0xF8BBD000 \SystemRoot\system32\dla\tfsndrct.sys
0xEE695000 \SystemRoot\system32\dla\tfsnudf.sys
0xEE67C000 \SystemRoot\system32\dla\tfsnudfa.sys
0xEE654000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE41F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEE3D3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF8AA4000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF8AAA000 \SystemRoot\system32\DRIVERS\dsunidrv.sys
0xEE1DA000 \SystemRoot\System32\Drivers\HTTP.sys
0xEE10A000 \SystemRoot\system32\DRIVERS\srv.sys
0xEDB7F000 \SystemRoot\system32\drivers\wdmaud.sys
0xEDD1A000 \SystemRoot\system32\drivers\sysaudio.sys
0xF8A4E000 \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
0xED594000 \??\C:\DOCUME~1\MARIOG~1\LOCALS~1\Temp\pxloapoc.sys
0xED429000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
408 C:\WINDOWS\system32\smss.exe
448 csrss.exe
472 C:\WINDOWS\system32\winlogon.exe
516 C:\WINDOWS\system32\services.exe
536 C:\WINDOWS\system32\lsass.exe
724 C:\WINDOWS\system32\svchost.exe
820 svchost.exe
888 C:\Program Files\Windows Defender\MsMpEng.exe
928 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1136 svchost.exe
1200 C:\Program Files\Emsisoft\Online Armor\oacat.exe
1396 C:\WINDOWS\system32\spoolsv.exe
1444 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1508 svchost.exe
1588 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
1692 C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
1804 C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
1936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
168 aoltpspd.exe
360 C:\Program Files\Bonjour\mDNSResponder.exe
572 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
1592 C:\WINDOWS\system32\svchost.exe
1848 C:\Program Files\Java\jre6\bin\jqs.exe
212 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
880 C:\WINDOWS\system32\svchost.exe
1720 C:\WINDOWS\wanmpsvc.exe
2776 alg.exe
3008 C:\WINDOWS\explorer.exe
3404 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
4028 C:\WINDOWS\system32\dla\tfswctrl.exe
4068 C:\Program Files\Common Files\AOL\1125946752\ee\aolsoftware.exe
532 C:\Program Files\Windows Defender\MSASCui.exe
3476 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
1756 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
2848 C:\WINDOWS\system32\hkcmd.exe
1148 C:\WINDOWS\system32\igfxpers.exe
788 C:\Program Files\Analog Devices\Core\smax4pnp.exe
3224 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1808 C:\Program Files\DellSupport\DSAgnt.exe
2780 C:\WINDOWS\system32\ctfmon.exe
2388 C:\WINDOWS\system32\taskmgr.exe
1912 C:\Program Files\Internet Explorer\iexplore.exe
3060 C:\Program Files\Internet Explorer\iexplore.exe
1960 C:\WINDOWS\system32\notepad.exe
960 C:\Documents and Settings\Mario Graziano\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: ST380011A, Rev: 8.16

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: D13DDF8A51F8C99D562C7C0018E2F8FDA7D48E0 7

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

[recovering disk space - old attachment deleted by admin]

SuperDave · « **Reply #24 on:** November 10, 2010, 12:37:13 PM »

•Start HijackThis
•Click on the Misc Tools button
•Click on the Open Uninstall Manager button.
•Click on the Save list... button and specify where you would like to save this file. When you press Save button a Notepad will open with the contents of that file. Save the file to your desktop.
Copy and paste this file in your next reply.

cfnyy51 · « **Reply #25 on:** November 10, 2010, 01:39:59 PM »

Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Belarc Advisor 6.1
Bonjour
BUM
CCleaner
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 942
Dell Picture Studio v3.0
Dell Support Center (Support Software)
DellSupport
EarthLink setup files
ESET Online Scanner
ESET Online Scanner v3
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
InterActual Player
Internet Explorer Default Page
iPod for Windows 2005-02-07
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 22
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.6.12)
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Musicmatch® Jukebox
Netflix Movie Viewer
Online Armor 4.0
OpenOffice.org Installer 1.0
Optimum Online net guide
PowerDVD 5.3
Pure Networks Port Magic
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spybot - Search & Destroy
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WinASO Registry Optimizer 4.5.5
Windows Defender
Windows Defender Signatures
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Media Player 11
WordPerfect Office 12

SuperDave · « **Reply #26 on:** November 10, 2010, 05:25:31 PM »

Quote

I have no idea where AOL antivirus is or how to close it/disable it.

This was probably installed with AOL Uninstaller (Choose which Products to Remove)
. You can have a look in there to see if it is actually there and remove it.

Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
WinASO Registry Optimizer 4.5.5

There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Further reading: XP Fixes Myth #1: Registry Cleaners
********************************************
Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
Go to Start > Run and type: cmd.exe
press Ok.
At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
press Enter.
The process is automatic...a black DOS window will open and quickly disappear. This is normal.
A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

cfnyy51 · « **Reply #27 on:** November 10, 2010, 05:53:24 PM »

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________8.16____#
4a354b563639454520202020202020202020202 0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82324398
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

SuperDave · « **Reply #28 on:** November 11, 2010, 07:02:07 AM »

Please open Command Prompt (Start > Run and type CMD and press OK [Vista/7: Start search: CMD and press enter])
Enter the following in to the black box, pressing enter after each line:

Code: [Select]

cd desktop

mbr.exe -f

exit

Post a log (MBR.log).

cfnyy51 · « **Reply #29 on:** November 11, 2010, 07:43:20 AM »

When I type in the second command, mbr.exe -f, it says it is not recognized as an internal or external command, operal program or batch file.

I could be absolutely wrong in assuming what the first command (cd desktop) means, but since mbr.exe was saved in the root directory, wouldnt it not be in the desktop?

Again, I could absolutely be wrong.

Computer Hope Forum

News:

Author Topic: svchost.exe and windows update (Read 38158 times)

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update

SuperDave

Re: svchost.exe and windows update

cfnyy51

Re: svchost.exe and windows update