
Generic host process for win32 services error

Discussion in 'Malware and Virus Removal Archive' started by oatmealavenger, 2006/12/22.

  1. 2006/12/22
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Lately I have been getting a message that says that Windows has closed the program Generic Host Process for Win32 Services whenever I start the computer or open a program. The performance of my computer does not seem to be affected in any other way, but it is annoying and I suspect something harmful. I've looked this up all over the place, and I found out that it was often due to an error in a Windows XP update, and I downloaded all the patches that were supposed to fix it with no luck. I found this post, but it seemed that his problem was simply fixed by downloading the latest patches. My problem appears identical, but that solution did not work. I ran SpyBot and AdAware to no effect. I also found that there were duplicate versions of svchost on my computer named SVCHOST, which apparently is a malicious copycat file, so I deleted it. There seem to be traces of something called IUWORK on my computer as well, although I can't seem to find much about it online. Maybe you can help me? Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:29:52 PM, on 12/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\HKeySer.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\IBMAIBM.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AIBMTOOLS] IBMAIBM.exe
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HotKey Service - Unknown owner - C:\WINDOWS\HKeySer.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Remote Procedure (RPC) Service (Rpctors) - Unknown owner - C:\WINDOWS\system32\com\svchost.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SYSTEM - Unknown owner - C:\WINDOWS\SVCHOST.exe (file missing)
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe



    Thanks!
     
  2. 2006/12/22
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Looks to be a HackerDefender infection; got a couple of services that look funky. Let's run the tool and see what it finds.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
     


  4. 2006/12/23
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    SDFix: Version 1.51
    ****************

    Sat 12/23/2006 - 1:01:14.95

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode

    Checking Services...

    Service Name:


    File Path:



    Starting Registry Repairs...


    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------


    Backing Up and Removing any Files Found...

    Alternate Stream Check:

    C:\WINDOWS\system32
    No streams found.
    Final Check:

    Services:
    ---------


    Authorized Applications Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe "= "C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes "
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe "= "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl "
    "C:\\Program Files\\AIM\\aim.exe "= "C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger "
    "C:\\Program Files\\ARTstor\\2.6\\OIV\\OIV.exe "= "C:\\Program Files\\ARTstor\\2.6\\OIV\\OIV.exe:*:Enabled:OIV "
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe "= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe "= "C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe "= "C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader "
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe "= "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe "= "C:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe:*:Enabled:ThinkVantage System Update "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "


    Files:
    ------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\Program Files\1F936BD6\84ECD6E5.DLL
    C:\Program Files\50C48BC8\84ECD6E5.DLL
    C:\Program Files\Common Files\System\MS1F936B.DLL
    C:\Program Files\Common Files\System\MS50C48B.DLL
    C:\WINDOWS\system32\Com\SVCHOSTKEY.DLL
    C:\WINDOWS\system32\cdplayer.exe.manifest
    C:\WINDOWS\system32\logonui.exe.manifest
    C:\WINDOWS\system32\Com\svchost.exe
    C:\hiberfil.sys
    C:\IO.SYS
    C:\MSDOS.SYS
    C:\pagefile.sys
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0001.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0002.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0003.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0004.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0005.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0006.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0007.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0106.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0116.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0173.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0179.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0211.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0283.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0370.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0377.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0378.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0395.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0426.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0432.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0494.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0532.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0575.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0595.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0621.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0690.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0721.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0848.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0851.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0921.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0931.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0938.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0950.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0983.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL0988.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1033.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1050.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1109.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1176.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1197.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1205.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1219.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1241.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1292.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1296.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1310.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1341.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1367.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1444.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1488.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1600.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1654.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1677.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1791.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1807.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1849.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1897.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1898.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1950.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL1974.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2055.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2142.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2151.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2194.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2195.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2196.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2217.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2234.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2262.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2327.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2366.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2374.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2389.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2504.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2519.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2541.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2547.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2561.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2591.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2697.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2699.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2734.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2900.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2947.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL2977.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3008.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3027.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3066.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3080.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3091.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3179.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3206.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3281.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3392.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3412.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3455.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3509.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3522.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3590.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3605.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3633.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3635.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3686.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3687.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3712.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3721.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3744.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3903.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3904.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3956.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3957.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\~WRL3961.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL0067.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL0415.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL0474.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL1948.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL2877.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\5th and 6th grade work\~WRL3390.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\Litteracy Circle\~WRL1713.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\Litteracy Circle\~WRL2119.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\Litteracy Circle\~WRL3340.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\sc project 6th\~WRL1638.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\sc project 6th\~WRL2511.tmp
    C:\Documents and Settings\Administrator\Desktop\Renee's Stuff\sc project 6th\~WRL3162.tmp

    FINISHED!



    Logfile of HijackThis v1.99.1
    Scan saved at 1:06:46 AM, on 12/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\HKeySer.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\IBMAIBM.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AIBMTOOLS] IBMAIBM.exe
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HotKey Service - Unknown owner - C:\WINDOWS\HKeySer.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: Remote Procedure (RPC) Service (Rpctors) - Unknown owner - C:\WINDOWS\system32\com\svchost.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: SYSTEM - Unknown owner - C:\WINDOWS\SVCHOST.exe (file missing)
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe



    As you can probably tell by looking at the HijackThis log, the problem has only gotten worse. Thanks for helping!
     
  5. 2006/12/23
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
YIKES!

    Got some nasties there, and likely new ones too. We'll disable some services and send those files off to the creator of that SDFix tool.

    Lets disable two services:

Click 'Start' button, select 'Run', type the following (or copy and paste), hitting 'Enter' after each:
    sc config rpctors start= disabled
    sc config system start= disabled

    Please send the following files to this site:
    uploadmalware.com

    Enter your user name, add the link to this thread too:
    C:\WINDOWS\system32\com\svchost.exe<<<--this file, in this location
    C:\WINDOWS\SVCHOST.exe<<<--this file, in this location
    C:\WINDOWS\system32\Com\SVCHOSTKEY.DLL<<<---this file, in this location

    In the 'Comments' section, add that the files be submitted to 'AndyManchesta'.

    Ok, now we need to get one of these infections off your machine. We'll be using a few different tools, very specialized and powerful, yet simple to use.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computing

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
    If you get a file output similar to below:
    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run Fixwareout please, thanks.

    When we see what that produces, it will determine what we do next. Each process is not too terribly long, but expect to put in some time for removal.

Should you decide to reformat instead (and it's likely that would take less time than removal, excluding hitting Windows Update), and if you're familiar with reformatting, please send those files off first. Thanks.
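The two svchost.exe copies and the two "Unknown owner" services TeMerc singles out above are exactly the pattern a log-triage script can pick out automatically: a core Windows binary name sitting outside the one directory it legitimately lives in, and a service entry with no vendor string. The following Python is an added example, not part of this thread and not part of HijackThis or any tool named here. It parses the "Running processes" block and the O23 service lines of a HijackThis 1.99-format log, flags system-binary look-alikes, and prints the same `sc config <service> start= disabled` commands given in the post. The sample log is constructed from entries quoted in this thread, and the canonical-directory check assumes a default C:\WINDOWS or C:\WINNT install.

```python
"""Triage a HijackThis 1.99.x log for svchost look-alikes and rogue services."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis 1.99.1 format, modelled on entries quoted
# in the thread. This is not a real captured log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\com\svchost.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Procedure (RPC) Service (Rpctors) - Unknown owner - C:\WINDOWS\system32\com\svchost.exe
O23 - Service: SYSTEM - Unknown owner - C:\WINDOWS\SVCHOST.exe (file missing)
O23 - Service: HotKey Service - Unknown owner - C:\WINDOWS\HKeySer.exe
"""

# Core Windows binaries and the only directory each legitimately runs from.
# Assumption for this example: %SystemRoot% is X:\WINDOWS or X:\WINNT.
_SYSTEM32 = r"^[a-z]:\\(windows|winnt)\\system32$"
CANONICAL_DIR = {
    "svchost.exe": _SYSTEM32,
    "lsass.exe": _SYSTEM32,
    "services.exe": _SYSTEM32,
    "winlogon.exe": _SYSTEM32,
    "csrss.exe": _SYSTEM32,
    "smss.exe": _SYSTEM32,
    "explorer.exe": r"^[a-z]:\\(windows|winnt)$",
}

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    level: str                      # "HIGH" or "REVIEW"
    source: str                     # "process" or "service"
    path: str
    reason: str
    service: Optional[str] = None   # service name when the entry is an O23 line


def split_path(path: str):
    """Return (lowercased directory, lowercased file name) of a Windows path."""
    p = path.strip().strip('"').lower()
    directory, _, filename = p.rpartition("\\")
    return directory, filename


def check_binary(path: str) -> Optional[str]:
    """Reason string if `path` names a core system binary outside its canonical directory."""
    directory, filename = split_path(path)
    pattern = CANONICAL_DIR.get(filename)
    if pattern is None or re.match(pattern, directory):
        return None
    return "%s belongs in its canonical directory, found in %s" % (filename, directory)


def running_processes(lines: List[str]) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    out, in_block = [], False
    for line in lines:
        if line.strip().lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            out.append(line.strip())
    return out


def triage(log_text: str) -> List[Finding]:
    lines = log_text.splitlines()
    findings: List[Finding] = []
    for proc in running_processes(lines):
        reason = check_binary(proc)
        if reason:
            findings.append(Finding("HIGH", "process", proc, reason))
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        # HijackThis shows "(short)" only when it differs from the display name.
        name = m.group("short") or m.group("display")
        path = m.group("path")
        reason = check_binary(path)
        if reason:
            findings.append(Finding("HIGH", "service", path, reason, name))
        elif m.group("owner") == "Unknown owner":
            # No vendor string is not proof of malice (OEM utilities often lack
            # one), but it earns a manual look before the service is trusted.
            findings.append(Finding("REVIEW", "service", path,
                                    "no vendor string on service binary", name))
    return findings


def disable_commands(findings: List[Finding]) -> List[str]:
    """`sc config` lines that keep HIGH-severity services from starting at boot."""
    return ['sc config "%s" start= disabled' % f.service
            for f in findings if f.level == "HIGH" and f.service]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-6s %-7s %s  [%s]" % (f.level, f.source, f.path, f.reason))
    print("\n".join(disable_commands(found)))
```

The canonical-directory test is deliberately strict: `C:\WINDOWS\system32\com\svchost.exe` fails it because the parent directory is `system32\com`, not `system32`, and the case-insensitive comparison means `SVCHOST.exe` in `C:\WINDOWS` is caught too. The emitted commands only stop the rogue services from starting; they do not remove the binaries, which is why the post also asks for the files to be submitted and then cleaned up separately.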
     
  6. 2006/12/25
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Thanks for the help. I am out of town for about a week, so I will not be able to do this right away. I will reply when I have done all of this. It looks worse than I imagined. Who knew I was on the forefront of new viruses?
     
  7. 2006/12/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Very well, we'll await your reply.

    And you'd be surprised at the amount of new variants found every day, pretty amazing.
     
  8. 2006/12/30
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Given the length of the process of cleaning the system I think that I am simply going to do a system restore, although I hate abandoning a challenge. I will upload those files to the website, but then I am going to reformat. Thanks for your help regardless. I am sure we would have solved the problem, but I do not have the time to address it.
     
  9. 2006/12/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, no problem. But I'm somewhat confused, system restore may bring you to a slightly better state, then you say a reformat. Which will you do, or is the sys restore to save data, then you're going to reformat?
     
  10. 2006/12/30
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Hmmm, well those files seem to have disappeared. I also realize that I don't really know about reformatting if I was confusing my terms. I was thinking that I would just restore the computer to its factory settings and then re-install everything, but then I realized that I have a lot to reinstall and might just try to fix the problem instead. I have all my files backed up in case I do have to do that. I'm going to run the fix you suggested and then we'll see. Also, let me know at any point if I should probably just give up.
     
  11. 2006/12/30
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Fixwareout
    Last edited 12/06/2006
    Post this report in the forums please
    ...
    Prerun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "

    ...
    ...
    Reg Entries that were deleted
    ...

    Random Runs removed from HKLM
    ...
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
    ...
    Postrun check
    [HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "system "=" "

    ...


    Logfile of HijackThis v1.99.1
    Scan saved at 3:22:44 AM, on 12/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\HKeySer.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\IBMAIBM.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AIBMTOOLS] IBMAIBM.exe
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HotKey Service - Unknown owner - C:\WINDOWS\HKeySer.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

    Thoughts?
     
  12. 2006/12/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well yes, it does appear that those files and entries are gone. But not all of them.

Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\wdfmgr32.exe

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not reboot yet.


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    <<<<<<USER SET? IF SO, IGNORE FIX

    Reboot post a new HJT log back into this thread please
     
  13. 2006/12/30
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:17 PM, on 12/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\HKeySer.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\IBMAIBM.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AIBMTOOLS] IBMAIBM.exe
    O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HotKey Service - Unknown owner - C:\WINDOWS\HKeySer.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

    Also, when I did the HJT fix, this file (O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u) was not there. Anyway, I'm ready for whatever's next. Thanks!
     
  14. 2006/12/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
Ok, the logs appear to be clear, how is the machine behaving at this point? Let us know.
     
  15. 2006/12/31
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    Still the same problem, although not quite as frequent. I'm still getting the generic host process for win32 services error, usually twice whenever I open a program. Other than that, everything seems to be running smoothly.
     
  16. 2006/12/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
Ok, have you done any system repair\checking? chkdsk or scanreg? If not, let's do those and let's also rummage around the system to see what we can find.

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.

    Download GMER from here
    • Right Click the Zip and Select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
     
  17. 2006/12/31
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    "Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "E6TaskPanel" = " "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart" [ "EarthLink, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [ "Analog Devices, Inc."]
    "SoundMAX" = " "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" [ "Analog Devices, Inc."]
    "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" [ "Sonic Solutions"]
    "UpdateManager" = " "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" [ "Sonic Solutions"]
    "AIBMTOOLS" = "IBMAIBM.exe " [null data]
    "suScheduler" = "C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER" [null data]
    "ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
    "vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" [ "Symantec Corporation"]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb01.exe" [ "HP"]
    "UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u "

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express "
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" [ "Adobe Systems Incorporated"]
    {4B5F2E08-6F39-479a-B547-B2026E4C7EDF}\(Default) = "EarthLink Popup Blocker "
    -> {HKLM...CLSID} = "PnIEBrowserHelperObj Class "
    \InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" [ "EarthLink, Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
    {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*Z" (unwritable string)
    -> {HKLM...CLSID} = "DriveLetterAccess "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [ "Sonic Solutions"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
    -> {HKLM...CLSID} = "Microsoft Office Outlook "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
    -> {HKLM...CLSID} = "Outlook File Icon Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess "
    -> {HKLM...CLSID} = "DriveLetterAccess "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" [ "Sonic Solutions"]
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt "
    -> {HKLM...CLSID} = "RecordNow! SendToExt "
    \InProcServer32\(Default) = "C:\Program Files\IBM RecordNow!\shlext.dll" [null data]
    "{E91B2703-013E-4A99-AD33-2B6FB00AA356}" = "RecordNow! ContextMenuExt "
    -> {HKLM...CLSID} = "RecordNow! ContextMenuExt "
    \InProcServer32\(Default) = "C:\Program Files\IBM RecordNow!\shlext.dll" [null data]
    "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions "
    -> {HKLM...CLSID} = "VpshellEx Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" [ "Symantec Corporation"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{1F936BD6-A6FF-11E0-9A84-00C04FD8DBD8}" = "1F936BD6 "
    -> {HKLM...CLSID} = "*b" (unwritable string)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hF936BD6.log" [null data]
    <<!>> "{50C48BC8-A6FF-11E0-9A84-00C04FD8DBD8}" = "50C48BC8 "
    -> {HKLM...CLSID} = "*b" (unwritable string)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\h0C48BC8.log" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" [ "ATI Technologies Inc."]
    <<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [ "Symantec Corporation"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C} "
    -> {HKLM...CLSID} = "VpshellEx Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" [ "Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C} "
    -> {HKLM...CLSID} = "VpshellEx Class "
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" [ "Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\Program Files\UNC\CCI_BGRD.BMP "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Program Files\UNC\CCI_BGRD.BMP "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{D7F30B62-8269-41AF-9539-B2697FA7D77E}" = "Pop-Up Blocker "
    -> {HKLM...CLSID} = "Pop-Up Blocker "
    \InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" [ "EarthLink, Inc."]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} "
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_05 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" [ "Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM "
    "Exec" = "C:\Program Files\AIM\aim.exe" [ "America Online, Inc."]

    {D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\
    "ButtonText" = "Software Installer "
    "Exec" = "C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe" [ "Lenovo Group Limited"]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001 "
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" [ "ATI Technologies Inc."]
    HotKey Service, HotKey Service, "C:\WINDOWS\HKeySer.exe" [null data]
    IBM Rapid Restore Ultra Service, IBM Rapid Restore Ultra Service, " "C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe" " [empty string]
    Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" " [MS]
    SAVRoam, SavRoam, " "C:\Program Files\Symantec AntiVirus\SavRoam.exe" " [ "symantec"]
    Symantec AntiVirus, Symantec AntiVirus, " "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" " [ "Symantec Corporation"]
    Symantec AntiVirus Definition Watcher, DefWatch, " "C:\Program Files\Symantec AntiVirus\DefWatch.exe" " [ "Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, " "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, " "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]
    ThinkVantage System Update, UCLauncherService, "C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe" [null data]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzlnt01\Driver = "hpzlnt01.dll" [ "HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 46 seconds.
    ---------- (total run time: 93 seconds)


    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2006-12-31 03:30:36
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT 8999C438 ZwConnectPort

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE AE764C8A
    Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE AE7617C8
    Device \FileSystem\Fastfat \Fat IRP_MJ_READ AE75D60A
    Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE AE75DAED
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION AE768958
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION AE76B821
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA AE77438A
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA AE773D49
    Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS AE76DBBE
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION AE76E331
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION AE77C4F4
    Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL AE764B37
    Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL AE760948
    Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL AE76A46B
    Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN AE77B79D
    Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL AE77AC4A
    Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP AE7612FD
    Device \FileSystem\Fastfat \Fat IRP_MJ_PNP AE77B1DB
    Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible AE7761F9
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AFB99912] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AFB99912] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AFB99912] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AFB99912] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [AFB99912] tfsnifs.sys
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [AFB99AAE] tfsnifs.sys

    ---- EOF - GMER 1.0.12 ----

    Looks like that found something, awaiting reply.
     
  18. 2006/12/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, no odd files, but a couple of logs which don't look to be malicious but likely need to be deleted anyway.

    Delete these two logs:
    C:\WINDOWS\system32\h0C48BC8.log
    C:\WINDOWS\system32\hF936BD6.log

    Have you run the system utilities yet, the scanreg and chkdsk?
     
  19. 2006/12/31
    oatmealavenger

    oatmealavenger Inactive Thread Starter

    Joined:
    2006/12/22
    Messages:
    13
    Likes Received:
    0
    I ran chkdsk, but when I tried to run scanreg, the file could not be found. The two logs simply disappeared. The message is still popping up frequently, so the problem does not appear to be solved.
     
  20. 2006/12/31
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    Could you make sure that this file is gone from your system:
    C:\WINDOWS\SVCHOST.exe

    It appeared in your initial logs as this entry:
    O23 - Service: SYSTEM - Unknown owner - C:\WINDOWS\SVCHOST.exe (file missing)
     
  21. 2006/12/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Be sure to look in that specific location; there will be a legit svchost.exe in the system32 folder, where it belongs.
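As an added example (not part of the thread or any tool it mentions), here is a small Python triage of the two kinds of entries the helpers single out above: a HijackThis O23 service line pointing at an svchost.exe outside System32, and a Silent Runners InProcServer32 entry whose target is a .log file rather than a DLL. The function names are my own, and the sample lines are constructed here from the entries quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines, shaped like the entries quoted in this thread.
HIJACKTHIS_LINES = [
    r"O23 - Service: SYSTEM - Unknown owner - C:\WINDOWS\SVCHOST.exe (file missing)",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]
SILENT_RUNNERS_LINES = [
    r'\InProcServer32\(Default) = "C:\WINDOWS\system32\hF936BD6.log" [null data]',
    r'\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]',
]

# The genuine Service Host binary lives only here on a 32-bit XP install.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32"}
# Code modules a COM InProcServer32 value may legitimately point at.
CODE_EXTENSIONS = {".dll", ".ocx", ".ax"}

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?\.exe)(?P<rest>.*)$")
INPROC_RE = re.compile(r'^\\InProcServer32\\\(Default\) = "(?P<path>[^"]+)"')

def check_o23(line):
    """Return the reasons a HijackThis O23 service entry deserves a closer look."""
    m = O23_RE.match(line)
    if not m:
        return []
    p = PureWindowsPath(m["path"])
    reasons = []
    # A file named svchost.exe anywhere but System32 is a copycat, not the real host.
    if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"svchost.exe outside System32: {p}")
    if m["owner"] == "Unknown owner":
        reasons.append("service has no publisher information")
    if "(file missing)" in m["rest"]:
        reasons.append("service still registered but its file is gone")
    return reasons

def check_inproc(line):
    """Flag a COM server whose InProcServer32 target is not a code module."""
    m = INPROC_RE.match(line)
    if not m:
        return []
    p = PureWindowsPath(m["path"])
    if p.suffix.lower() not in CODE_EXTENSIONS:
        return [f"COM server loads a non-DLL file: {p}"]
    return []

def triage(hjt_lines, sr_lines):
    """Run both checks over the supplied log lines and collect every finding."""
    findings = [r for ln in hjt_lines for r in check_o23(ln)]
    findings += [r for ln in sr_lines for r in check_inproc(ln)]
    return findings

if __name__ == "__main__":
    for finding in triage(HIJACKTHIS_LINES, SILENT_RUNNERS_LINES):
        print(finding)
```

The same two checks can be run over a full HijackThis or Silent Runners log by feeding its lines in; legitimate entries such as the Symantec service and the WinRAR shell extension produce no findings.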
     
