
malware as Windows Update! and HP website phishing

Discussion in 'Malware and Virus Removal Archive' started by IvanH, 2008/07/23.

  1. 2008/07/23
    IvanH, Well-Known Member, Thread Starter
    Yesterday my computer prompted me with an update available from HP and told me precisely that it was a patch for my HP PhotoSmart C5280 All-In-One printer. It uses the same look as the Windows Vista interface!

    I clicked in, and it directed me to the real HP site. I checked a number of items and it's a live site. It directed me to a ".DLL" file download. I used Windows' and Norton's phishing checks and discovered nothing unusual. (It quickly disappeared after running. I had no time to write down the file name. How can I get the name?)

    So I downloaded and ran the patch. It was a trojan horse!

    The symptoms are:
    - a svchost.exe process pointing to a DComLaunch service and a PlugPlay service used up 60%-100% of my CPU.

    - about every few minutes, I have observed that some data are being uploaded at 300-400 B/s in a regular pattern, even when I am not doing anything. Is there any utility which can trace where the data are going?

    I am using Norton 360 version 2 and thus asked for help from Symantec. Their malware expert cannot fix it yet.

    Norton said they will contact me in the next 2 days if they have any progress.

    Is there any malware expert who can help?
     
    Last edited: 2008/07/23
  2. 2008/07/23
    Admin., Administrator, Staff
    Hi,

    Read this post, then post the requested log(s).
     

  4. 2008/07/23
    IvanH, Well-Known Member, Thread Starter
    Hi Arie,

    Here's the main.txt:

    Deckard's System Scanner v20071014.68
    Run by Ivan on 2008-07-24 09:13:17
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- Last 5 Restore Point(s) --
    8: 2008-07-23 09:35:56 UTC - RP797 - Device Driver Package Install: Symantec Network Service
    7: 2008-07-23 09:28:10 UTC - RP796 - Norton 360 Registry Clean
    6: 2008-07-23 02:45:51 UTC - RP795 - Windows Update
    5: 2008-07-22 22:39:12 UTC - RP793 - Windows Update
    4: 2008-07-22 04:18:02 UTC - RP791 - Installed HP Print Diagnostic Utility


    -- First Restore Point --
    1: 2008-07-14 04:57:05 UTC - RP788 - Windows Update


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Ivan.exe) ------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:59 AM, on 24/07/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\WTablet\Wacom_TabletUser.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe
    C:\Program Files\ASUS\ATK Media\DMedia.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Microsoft Chinese Date & Time\ICalClk.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
    C:\Program Files\Macquarie Library\WGMP\WGMP.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
    C:\Windows\system32\conime.exe
    C:\Users\Ivan\Desktop\dss.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Ivan.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crazydomains.com.au/login/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    O4 - HKLM\..\Run: [CTHotKeys] "C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" -STARTUP
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MSCalsClocks] C:\Program Files\Microsoft Chinese Date & Time\ICalClk.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Startup: CCC.lnk = ?
    O4 - Startup: Macquarie Concise Dictionary WordGenius Activate.LNK = C:\Program Files\Macquarie Library\WGMP\WGMP.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: MultiFrame.lnk = ?
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.hkjc.com
    O15 - Trusted Zone: http://*.hongkongjockeyclub.com
    O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/SKey/en/cab/EWinSKey.CAB
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendo.com/consumer/systems/wii/en_na/usbaptest.cab
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com.tw/common/asusTek_sys_ctrl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
    O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUplden-au.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {89C9DDCA-7559-4E3D-B997-1BF81BAD699F} (IEZone Class) - https://bet.hongkongjockeyclub.com/ib/SKey/en/cab/IEZoneHlp.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
    O16 - DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} (DataStore Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
    O16 - DPF: {A93FB56D-2F76-4DD7-8E38-9B1EB38C88A5} (SecureSession Class) - http://warranty.samsungmcs.com.hk/plugIn/SecuiSECIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F2F441A-76E5-41AC-8060-6A8C00222DA4}: NameServer = 203.12.160.35,203.12.160.36
    O17 - HKLM\System\CCS\Services\Tcpip\..\{69CFA55D-211B-44A3-97D4-E836651FEDB9}: NameServer = 203.12.160.35,203.12.160.36
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\Windows\system32\Wacom_Tablet.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

    --
    End of file - 18856 bytes

    -- File Associations -----------------------------------------------------------

    .js - jsfile - DefaultIcon - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe",7
    .js - jsfile - shell\open\command - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe", "%1"


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R2 ghaio - \??\c:\program files\asus\nb probe\spm\ghaio.sys
    R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>
    R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
    R3 WCPU - \??\c:\program files\p4g\wcpu.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 ASLDRService (ASLDR Service) - c:\program files\atk hotkey\asldrsrv.exe <Not Verified; ; ADSMSrv>
    R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
    R2 mple7docserver (Maya 7 PLE Documentation Server) - "c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe" -s "c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.conf"
    R2 spmgr - c:\program files\asus\nb probe\spm\spmgr.exe <Not Verified; ; spmgr Module>
    R2 TOSHIBA Bluetooth Service - c:\program files\toshiba\bluetooth toshiba stack\tosbtsrv.exe <Not Verified; TOSHIBA CORPORATION; Bluetooth Stack for Windows by TOSHIBA>
    R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4d36e96d-e325-11ce-bfc1-08002be10318}
    Description: Motorola SM56 Data Fax Modem
    Device ID: HDAUDIO\FUNC_02&VEN_1543&DEV_3155&SUBSYS_10431335&REV_1007\4&335B0D82&0&0101
    Manufacturer: Motorola Inc
    Name: Motorola SM56 Data Fax Modem
    PNP Device ID: HDAUDIO\FUNC_02&VEN_1543&DEV_3155&SUBSYS_10431335&REV_1007\4&335B0D82&0&0101
    Service: Modem


    -- Scheduled Tasks -------------------------------------------------------------

    2008-07-24 09:15:46 420 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{B5E29D6D-3A42-42D4-8055-B4F12A00EA70}.job


    -- Files created between 2008-06-24 and 2008-07-24 -----------------------------

    2008-07-24 08:47:23 0 d-------- C:\Program Files\Trend Micro
    2008-07-03 22:58:37 0 d-------- C:\Program Files\VideoLAN


    -- Find3M Report ---------------------------------------------------------------

    2008-07-24 08:13:01 45056 --a------ C:\Windows\system32\acovcnt.exe
    2008-07-23 23:09:26 12 --a------ C:\Windows\bthservsdp.dat
    2008-07-23 19:35:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-07-22 15:14:00 0 d-------- C:\Users\Ivan\AppData\Roaming\Skype
    2008-07-22 14:20:09 0 d-------- C:\Program Files\HP
    2008-07-22 11:35:16 147697 --a------ C:\Windows\hpoins21.dat
    2008-07-09 23:15:58 0 d-------- C:\Program Files\Windows Mail
    2008-07-02 08:26:17 0 d-------- C:\Program Files\Norton 360
    2008-06-18 12:44:53 0 d-------- C:\Users\Ivan\AppData\Roaming\Mozilla
    2008-06-13 22:40:11 0 d-------- C:\Program Files\Certification Preparation
    2008-06-11 19:20:18 0 d-------- C:\Program Files\Symantec
    2008-05-27 17:00:26 0 d-------- C:\Users\Ivan\AppData\Roaming\Adobe
    2008-04-27 13:32:24 107438 --a------ C:\Windows\hpqins13.dat
    2008-04-24 01:41:36 2310 --a------ C:\Windows\system32\MyMaps.reg


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
    02/03/2007 03:52 PM 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
    30/06/2008 01:44 PM 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    12/04/2008 10:54 AM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [30/06/2008 01:44 PM 349552]

    [-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
    [HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NWEReboot"="" []
    "pdfSaver3"="" []
    "@"="" []
    "WPCUMI"="C:\Windows\system32\WpcUmi.exe" [02/11/2006 10:35 PM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 05:38 PM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [25/03/2007 11:55 AM]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [22/11/2006 03:27 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25 AM]
    "SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [12/03/2007 06:54 PM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 10:13 PM]
    "PowerForPhone"="C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe" [08/09/2006 11:58 AM]
    "osCheck"="C:\Program Files\Norton 360\osCheck.exe" [27/02/2008 12:50 AM]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 12:10 PM]
    "InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [12/03/2007 06:53 PM]
    "hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [02/06/2008 05:28 PM]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [11/03/2007 08:34 PM]
    "DiscWizardMonitor.exe"="C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" [08/08/2007 04:47 PM]
    "CTHotKeys"="C:\Program Files\Creative\Prodikeys PC-MIDI\HotKeysManager\HKManager.exe" [06/09/2005 06:56 PM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [19/02/2008 05:37 AM]
    "ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [03/11/2006 02:27 AM]
    "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [20/03/2007 03:40 PM]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 09:16 PM]
    "AcronisTimounterMonitor"="C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe" [08/08/2007 05:00 PM]
    "Acronis Scheduler2 Service"="C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" [08/08/2007 04:51 PM]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 07:54 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [19/01/2008 05:33 PM]
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 11:35 AM]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 05:33 PM]
    "MSCalsClocks"="C:\Program Files\Microsoft Chinese Date & Time\ICalClk.exe" [20/10/2004 11:25 PM]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [19/01/2008 05:33 PM]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    C:\Users\Ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [29/09/2006 8:57:36 AM]
    Macquarie Concise Dictionary WordGenius Activate.LNK - C:\Program Files\Macquarie Library\WGMP\WGMP.exe [2/04/2007 6:47:40 PM]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [18/01/2007 1:48:42 PM]
    MultiFrame.lnk - C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe [20/01/2007 6:41:46 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=2 (0x2)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "LogonHoursAction"=2 (0x2)
    "DontDisplayLogonHoursWarnings"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 relog_ap

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
    @="IEEE 1394 Bus host controllers"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
    @="SBP2 IEEE 1394 Devices"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
    @="SecurityDevices"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
    LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
    bthsvcs BthServ
    bthaudiosvc HFGService
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt hpqcxs08


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{147ce407-4162-11dc-bc46-b730c9f3f61b}]
    AutoRun\command- F:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{147ce411-4162-11dc-bc46-cad6641d5025}]
    AutoRun\command- F:\setupSNK.exe

    *Newly Created Service* - COMHOST
    *Newly Created Service* - DCOMLAUNCH
    *Newly Created Service* - PLUGPLAY

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    C:\Windows\system32\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



    -- End of Deckard's System Scanner: finished at 2008-07-24 09:19:28 ------------
     
    Last edited: 2008/07/23
  5. 2008/07/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi IvanH
    I'm not seeing anything in the logs.

    What told you it was a trojan? dss is not showing any dll files created in the last month.

    HP has a way of making their products "call home" for updates... I know I had it happen. It could be that the data you see going out is that.
    Open your task manager process tab and watch it at the time you think the data is being sent.
    The process should flash on when it is happening.

    Do you know how to get a screen capture or snap shot of your screen?
    If so, make one of the task manager and save it when it is not happening, and then do one at the point that you see it happen. Compare them, see what process starts up and let me know.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/07/23
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,

    Using HijackThis v1.99, I saw a few svchost.exe entries, but they do not appear under v2.0.2.

    When I called Norton, I was only suspicious of a Trojan Horse. They took over my computer and, after inspection, confirmed it without mentioning the evidence.

    I am quite sure everything happened after updating from HP. I am using a Network Meter to monitor upload and download. Since the incident, my computer has been uploading periodically, so I dare not log on to anything with a password from the keyboard.

    I can capture the windows/screens, but I don't know how to put up a screen capture on this blog.

    Number of processes is 112 all the time and the svchost.exe is always there, using 40%-100% of my CPU. I am currently setting the lowest priority of it and keeping it around 40% so I can still work on this blog. This svchost.exe is pointing to two services: DComLaunch and PlugPlay. I don't see them flashing.

    The next thing I'll try will be booting into safe mode, uninstalling the HP software and doing a clean-up (likely this coming Saturday). Any suggestion?

    Yes, my Windows Vista Home Premium is pre-installed so I don't have the installation DVD. Is there a way to prepare one?
     
  7. 2008/07/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi IvanH
    It is normal to have a number of svchost running at one time.

    I'm sure it is. This happened to me back when I bought an HP printer.
    I'm not sure which of these may be doing it, so you need to see if you can spot it in task manager.
    hpdevmgmt, hpqcxs08. I'm guessing maybe this one, hpdevmgmt, but we need to make sure.

    DComLaunch
    DCOMLaunch is an important system service for Microsoft Windows
    http://www.greatis.com/appdata/n/d/dcomlaunch.htm

    PlugPlay
    Is also a fairly common program.

    Yes, you should have been prompted to burn a copy when you first started up your computer. Is this an HP computer?
    Let's get this taken care of and then I'll give you instructions on where to do that. You will need a few blank DVD disks, so if you don't have any you will need to get some. My system took 3; yours may need more or less.

    Geri
     
    Geri,
    #6
  8. 2008/07/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I have a question on a file so please do this.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\Windows\system32\acovcnt.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2008/07/24
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,
    Yes, but only one svchost.exe takes up 40%-100% of CPU. Others are almost idle.

    No. This one points to an idle svchost.exe.


    No. It's an Asus notebook, the first one with Vista Home Premium. It didn't ask me to burn anything. And there was a lot of trouble. Eventually I had to use the recovery disk and fix everything by myself. Asus was not technically competent to help at that time.
     
  10. 2008/07/24
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,
    All scanning results show "Found nothing".

    Ivan
     
  11. 2008/07/24
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    I'm starting to think of an alternative possibility. Could Norton have got it wrong, and in fact there is no Trojan Horse, but just a lousy software problem from HP?

    And if it's not a trojan horse, then my case will be similar to many others who have their CPU used up by svchost.exe. If this is the situation, what can I do to get my computer back to normal?

    (Anyway, I shall uninstall HP printer software on Saturday.)
     
  12. 2008/07/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Where did you get that? That is what would be burned to a disk if Asus has the program to do so.

    Open a command window and type the following command then hit enter.

    tasklist /svc

    You need the PID to show in Task Manager.
    While on the Processes tab, click View>Select Columns
    Select PID (Process Identifier) then OK

    Now open Task Manager and identify the PID of the svchost process consuming the cpu, match it with the output in the command window and let me know which services are associated with that process.

    It is possible to have false positives. My eTrust has flagged a number of HP files because they call home.

    Let's get an on-line scan and see what it says.

    Scanning with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Please post the Kaspersky results.

    Geri
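    The procedure above (tasklist /svc plus the PID column in Task Manager) can be automated. As an added example that is not from this thread, this Python script parses tasklist /svc output (a constructed sample, using the same DcomLaunch/PlugPlay grouping and the HP service names the thread discusses) and maps the PID shown in Task Manager to the services hosted in that svchost.exe.

```python
import re

# Constructed sample of `tasklist /svc` output (not captured from the thread's machine).
# Long service lists wrap onto continuation lines that begin with whitespace.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    856 DcomLaunch, PlugPlay
svchost.exe                    944 RpcSs
svchost.exe                   1040 AudioEndpointBuilder, hidserv, Netman,
                                   sysmain, TabletInputService, UxSms
svchost.exe                   1312 hpqcxs08, hpdevmgmt
explorer.exe                  2260 N/A
"""

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split(svcs):
    """Split a comma-separated service list; 'N/A' means no hosted service."""
    return [s for s in (x.strip() for x in svcs.split(",")) if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; wrapped lines are appended to the previous PID."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue                       # header / separator rows
        if line[0].isspace():              # continuation of the previous row
            if last_pid is not None:
                procs[last_pid][1].extend(_split(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        procs[pid] = (m.group("image"), _split(m.group("svcs")))
        last_pid = pid
    return procs


def services_for_pid(procs, pid):
    """Services hosted by the PID Task Manager shows burning CPU; [] if none/unknown."""
    return procs.get(pid, ("", []))[1]


def hosts_of(procs, service):
    """PIDs of every process hosting the named service (case-insensitive)."""
    return sorted(p for p, (_, s) in procs.items()
                  if service.lower() in (x.lower() for x in s))
```

    Run with the real output saved from `tasklist /svc > tasklist.txt` in place of the sample, then pass the PID taken from Task Manager to services_for_pid.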
     
  13. 2008/07/27
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,

    1. The recovery disk is not an option. It restores, instead of re-install, the hard disk.

    2. I use Process Explorer instead of tasklist. It's equally fine. The svchost.exe that is exhausting my CPU points to two services:

    - DcomLaunch at C:\Windows\system32\rpcss.dll
    - PlugPlay at C:\Windows\system32\umpnpmgr.dll

    The Kaspersky Online Scanner returns "Update Failed". I cannot make it run successfully.
     
  14. 2008/07/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi IvanH

    Both of those are legit.
    Are you up to date on all the critical updates from Windows updates?

    Please try these instructions with Kaspersky (has vista instructions)
    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  15. 2008/07/28
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,

    Thank you for your update. I ran the Kaspersky Online Scan (including Trojan Horse) and it reported nothing found.

    So, I guess a Trojan Horse is less likely the reason. And that also explains why Norton didn't come back to me, though it was Norton who told me my computer was infected with a Trojan Horse.

    I used the HP Level 3 uninstaller to uninstall the HP PhotoSmart All-In-One printer, but the svchost.exe (pointing to the DcomLaunch and PlugPlay services) is still using up to 60% of the CPUs.

    What next shall I do to revert my Vista Home Premium computer to normal?
     
  16. 2008/07/28
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
  17. 2008/07/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi IvanH
    Well, that was interesting. Always something new with Vista.

    Glad to hear you figured it out.

    Sorry, but I am not the person to ask here. I don't like regcleaners or use them; I have had bad experiences with them.

    I would ask over on the "Other software" forum; make sure they know you're using Vista.

    Geri
     
  18. 2008/07/28
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Geri,

    The solution doesn't apply to my case!

    Asus A8Jr is using SoundMAX Integrated HD Audio. From Control Panel > Hardware and Sound > Manage audio devices (in Sound) > Playback tab > Speakers Properties, there is no "Enhancement" tab!

    So my CPUs are still being burnt at 70% or more.

    Any solution?
     
  19. 2008/07/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
  20. 2008/07/29
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Since it turned out to be not malware related, I would use System Restore to go back to a date before installing the HP update.
     
  21. 2008/07/29
    IvanH

    IvanH Well-Known Member Thread Starter

    Joined:
    2006/12/05
    Messages:
    565
    Likes Received:
    19
    Hi Arie and Geri,

    The system restore point did not work because of the HP printer software level 3 uninstallation process.

    Anyway, I have just fixed the problem. The CPU usage has reduced to 4-14% when idle.

    It took me 2 days to reconstruct the Startup programs and services.

    Thank you for your help in the last few days.
     
