-
January 18th, 2005, 01:41 AM
#11
Very good point there TheSpecialist.
Non-Microsoft software in the Windows and system32 folders
The first is supposed to relate to a voice modem and the second to HP writing to disk, but the other entries suggest that the computer is actually a Dell?
-
January 18th, 2005, 11:49 AM
#12
anywho...
O4 - Startup: winupdate23036105[1].exe
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
What happened after you deleted these ?? ( to my knowledge svchost.exe does not belong in the /WINDOWS directory, err ... , sorry, \WINDOWS directory: it is most likely a virus or trojan. And the other one, same-same, does not belong there to my knowledge. ( looks awfully suspicious to me )
Also, did you delete all your temp folder contents?
Did you restart it in safe mode and run the AV ?
So what did the HjackThis log look like afterwards?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
January 18th, 2005, 09:54 PM
#13
Member
Iknownot:
Exactly, the svchost in the windows folder was part of the trojan. The real svchost is in windows\system32. So when I deleted it, it happily died a painful death.
Also, yes i removed all temp files (thanks to a batch file I found in this forum, sorry, i forget who wrote it).
The AV scans we did were as follows:
All definition updates were downloaded on all scanners
1. removed physical drive, installed in clean machine, scanned w/norton
found and removed 350+ instances of bagel and other small viruses
2. returned drive to original machine, booted to winpe, scanned w/mcafee command line
3. booted to xp, scanned w/norton
4. booted to xp safe mode, scanned w/norton
5. booted to xp, scanned w/trendmicro housecall
All scans found the dltime.dll file, but none could remove it completely.
I also scaned the machine with adaware (reg, safemode, winpe), spybot, and pest patrol. pest patrol found the false svchost, but failed to remove it.
The|Specialist|: (or whatever your old nick looked like)
I thought those entries were suspicious also. But as Nihil said, the files checked out. The HP one made me wonder, since the machine was indeed a dell, but it was not causing problems.
You are so bored that you are reading my signature?
-
January 18th, 2005, 10:23 PM
#14
In my last post I could not remember where I got PV.exe (prossess view) from but here is the download page with some info on usage, etc.
http://www.teamcti.com/pview/
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|