
Hijack Log - review needed

Discussion in 'Malware and Virus Removal Archive' started by BBPanel, 2005/01/16.

Thread Status:
Not open for further replies.
  1. 2005/01/16 - BBPanel (Thread Starter)
    I'm running XP SP2 and ran hijackthis - any comments would be appreciated.

     
  2. 2005/01/16 - noahdfear
    All of the following look quite suspicious.

    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    O4 - Startup: winupdate03818741[1].exe
    O4 - Startup: winupdate07036323[1].exe
    O4 - Startup: winupdate09630549[1].exe
    O4 - Startup: winupdate43212527[1].exe
    O4 - Startup: winupdate52743216[1].exe
    O4 - Startup: winupdate98909472[1].exe

    I recommend you search out those files and check their properties/validity and delete as necessary, after fixing the entries with HijackThis and rebooting. Then clear all your Temp folders, dump temporary internet files and delete everything in C:\Windows\Prefetch. Turn off system restore. Empty the recycle bin and reboot again. Then run at least one online virus scan (RAV and Housecall are both good). Post the results, as well as a new HJT log.
     

  4. 2005/01/16 - BBPanel (Thread Starter)
    Thanks for taking the time to review that for me. I'm not sure how I should check these files for validity - can you provide some info on making this determination?

    Also, in a previous thread it was noted that svchost.exe should probably only reside in the system32 folder - if that's the case should this one be deleted out of hand for that reason alone? Thanks again. -Bob
     
  5. 2005/01/17 - Newt
    Re: svchost.exe location - I would remove any copy of this file that was directly in \windows or \winnt. It will almost certainly be a virus byproduct. You can probably tell the difference if you check file properties on the \system32 copy and the one you have in \windows. I put in a picture of the properties on my main copy.

    However, there will probably be more than one legit copy on the PC.

    From my XP-pro SP2 PC
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe - 13 KB (compressed)
    C:\WINDOWS\ServicePackFiles\i386\svchost.exe - 14 KB
    C:\WINDOWS\system32\svchost.exe - 14 KB
     
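The checks noahdfear and Newt describe above (svchost.exe belonging only in a few known directories, and Startup entries with names like winupdate…[1].exe being dropped files rather than installed software), written up as a small review script. This is an added example, not code from the thread or from HijackThis itself: it parses O4 lines in HijackThis format, flags any svchost.exe outside the three XP SP2 locations Newt lists, and flags startup entries whose filename ends in `[n].exe` (the naming a browser cache gives duplicate downloads) or carries a long run of digits. The sample log lines are constructed to resemble the ones quoted in the thread; the directory allowlist and the naming heuristics are assumptions for an XP system.

```python
import ntpath
import re

# Constructed sample in HijackThis O4 format, modelled on the entries quoted in the
# thread plus two ordinary-looking lines for contrast. Not a real log from the poster.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Setup experation] C:\\WINDOWS\\svchost.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - Startup: winupdate03818741[1].exe
O4 - Startup: winupdate98909472[1].exe
O4 - Global Startup: Reader.lnk = C:\\Program Files\\Adobe\\Reader\\reader_sl.exe
"""

# Directories where a legitimate svchost.exe is expected on a default XP SP2 install
# (the three locations Newt listed above); compared case-insensitively.
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\$ntservicepackuninstall$",
}

# O4 lines look like:  O4 - <where>: [<value name>] <target>   or   O4 - Startup: <target>
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
# Browser caches (Internet Explorer in particular) save a duplicate download as name[1].exe;
# such a file sitting in a Startup folder was almost certainly dropped, not installed.
CACHE_SUFFIX_RE = re.compile(r"\[\d+\]\.exe$", re.IGNORECASE)
# Long digit runs in an executable name are typical of generated dropper names.
DIGIT_RUN_RE = re.compile(r"\d{6,}")


def executable_path(target):
    """Return the executable referenced by an O4 target ('x.lnk = path' or a bare path)."""
    if " = " in target:
        return target.split(" = ", 1)[1].strip()
    return target.strip()


def review_o4_line(line):
    """Return the reasons an O4 line looks suspicious (empty list if nothing stands out)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    path = executable_path(m.group("target"))
    directory, filename = ntpath.split(path)
    reasons = []
    if filename.lower() == "svchost.exe" and directory.lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside its expected locations: %s"
                       % (directory or "<unqualified name>"))
    if CACHE_SUFFIX_RE.search(filename):
        reasons.append("browser-cache style name (...[n].exe) in a startup location")
    if DIGIT_RUN_RE.search(filename):
        reasons.append("long run of digits in filename, typical of generated dropper names")
    return reasons


def review_log(text):
    """Map each suspicious O4 line to its reasons; lines with no findings are omitted."""
    findings = {}
    for line in text.splitlines():
        reasons = review_o4_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in review_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample it reports exactly the three entries noahdfear singled out (the `C:\WINDOWS\svchost.exe` Run entry and the two winupdate Startup entries) and stays quiet on the ordinary ones; a flag is a prompt to check the file's properties, as Newt suggests, not a verdict on its own.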
  6. 2005/01/17 - BBPanel (Thread Starter)
    File Validation

    Ok, I got you now on the validation, but how difficult/easy is it to hack the properties info and make the file look valid? -Bob
     
  7. 2005/01/17 - BBPanel (Thread Starter)
    Rerun Hijackthis

    Deleted the files specified above and reran hijackthis w/the following results. I forgot how to disable system restore before rebooting - I need to search and find out how to do that - what does that do anyway, reset the restore file w/o the offending files? I assume then that once I reboot the system will turn on system restore or do I need to do it manually? Thanks. -Bob

     
  8. 2005/01/17 - BBPanel (Thread Starter)
    Other potential problems

    I also have several user accounts in my "doc and settings" folder that I can't delete even using the GiPO-MoveonBoot utility. They are titled Default User, Local Service and NetworkService.NT AUTHORITY. I'm pretty sure I don't need these "users" and they may be compounding some of the issues I've been having, but I can't seem to get rid of them. Any suggestions? -Bob
     
  9. 2005/01/17 - noahdfear
    Those user account folders are default operating system folders and not to be deleted. To turn off system restore, right click My Computer and select properties, then system restore tab. Check the box to turn it off and OK out. Reboot and turn it back on. Click start>all programs>accessories>system tools>system restore and create a new SR point. Toggling it off/on deletes all previous restore points, some of which are infected. There is no other way to clean out the stored infected files and not clearing them leaves your system open to re-infection.
     
  10. 2005/01/17 - BBPanel (Thread Starter)
    Why did they just start to appear since I've been having problems with Trojans/Worms, etc? They were never there before. -Thanks. -Bob
     
  11. 2005/01/17 - Newt
    Bob - no quick answer on why the user accounts recently showed up (or came to your attention) although some very normal actions can add an account.

    Bottom line - they don't hurt anything and removal can do some damage so I'd leave them.

    I took a couple of shots on my work PC to show the accounts loaded here. I'm on a domain and lots of the accounts in the first picture are domain accounts so not showing up in the local users picture. Of the local user accounts, I have some disabled but available at need.

    You might do well to just disable any you don't think you need. Then if any strangeness shows up, you can easily re-enable them. When disabled they absolutely do nothing and cannot be accessed.
     
  12. 2005/01/17 - BBPanel (Thread Starter)
    Ok and thanks again - I appreciate the help. -Bob
     
  13. 2005/01/17 - BBPanel (Thread Starter)
    Two more questions - is the Local Users and Groups folder under Computer Management only available in XP Pro? I don't have that folder and I'm running XP Home.

    And how do I keep from getting messages from "Data Execution Prevention" ("to help protect your computer Windows has closed this program") whenever I try to open the Control Panel (and of course it won't let me!). -Bob
     
  14. 2005/01/17 - noahdfear
    Because you were instructed to show hidden files and folders, as well as system files. :)
     
  15. 2005/01/20 - BBPanel (Thread Starter)
    Well, I'm not sure when I was "instructed" to do that - but no I have always had my system set to view all files. -Bob
     