January 18th, 2005 12:41 AM
Very good point there TheSpecialist.
Non-Microsoft software in the Windows and system32 folders
The first is supposed to relate to a voice modem and the second to HP writing to disk, but the other entries suggest that the computer is actually a Dell?
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
January 18th, 2005 10:49 AM
What happened after you deleted these? (To my knowledge svchost.exe does not belong in the /WINDOWS directory, err..., sorry, \WINDOWS directory: it is most likely a virus or trojan. And the other one, same-same, does not belong there to my knowledge. Looks awfully suspicious to me.)
O4 - Startup: winupdate23036105.exe
O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
Also, did you delete all your temp folder contents?
Did you restart it in safe mode and run the AV?
So what did the HijackThis log look like afterwards?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
January 18th, 2005 08:54 PM
Exactly, the svchost in the windows folder was part of the trojan. The real svchost is in windows\system32. So when I deleted it, it happily died a painful death.
Also, yes, I removed all temp files (thanks to a batch file I found in this forum, sorry, I forget who wrote it).
The AV scans we did were as follows:
All definition updates were downloaded on all scanners
1. removed physical drive, installed in clean machine, scanned w/norton
found and removed 350+ instances of Bagle and other small viruses
2. returned drive to original machine, booted to winpe, scanned w/mcafee command line
3. booted to xp, scanned w/norton
4. booted to xp safe mode, scanned w/norton
5. booted to xp, scanned w/trendmicro housecall
All scans found the dltime.dll file, but none could remove it completely.
I also scanned the machine with Ad-Aware (reg, safe mode, WinPE), Spybot, and Pest Patrol. Pest Patrol found the false svchost, but failed to remove it.
The|Specialist|: (or whatever your old nick looked like)
I thought those entries were suspicious also. But as Nihil said, the files checked out. The HP one made me wonder, since the machine was indeed a dell, but it was not causing problems.
You are so bored that you are reading my signature?
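A small check for the point made in the post above (the genuine svchost.exe lives in windows\system32, so a copy referenced from \WINDOWS is suspect), written here as an added Python example that is not part of any post in this thread. The O4 lines it parses are constructed from the two quoted in the thread plus one made-up legitimate entry, and the set of system32-only binaries is an assumption.

```python
import re

# Binaries that legitimately live only under %SystemRoot%\system32.
# svchost.exe is the one discussed in this thread; the set is an assumption and extendable.
SYSTEM32_ONLY = {"svchost.exe"}

# HijackThis O4 lines: "O4 - <kind>: [<name>] <target>" (the [name] part is optional).
O4_RE = re.compile(r"^O4 - (?P<kind>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")


def parse_o4(line):
    """Return (kind, name, target) for a HijackThis O4 line, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return m.group("kind"), m.group("name") or "", m.group("target").strip()


def exe_path(target):
    """Strip command-line arguments, honouring a quoted executable path."""
    t = target.strip()
    if t.startswith('"'):
        end = t.find('"', 1)
        return t[1:end] if end > 0 else t[1:]
    return t.split()[0] if t else ""


def flag_path(target):
    """Reason string if the target is a system32-only binary living elsewhere, else None."""
    path = exe_path(target).lower()
    base = re.split(r"[\\/]", path)[-1]
    if base not in SYSTEM32_ONLY or "\\system32\\" in path:
        return None
    return f"{base} outside system32: {exe_path(target)}"


def find_suspicious_o4(log_text):
    """Walk a HijackThis log and return (kind, name, reason) for each suspect O4 entry."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:
            kind, name, target = parsed
            reason = flag_path(target)
            if reason:
                hits.append((kind, name, reason))
    return hits


# Constructed sample: the two entries quoted in the thread plus one legitimate-looking entry.
SAMPLE_LOG = """\
O4 - Startup: winupdate23036105.exe
O4 - HKLM\\..\\Run: [Setup experation] C:\\WINDOWS\\svchost.exe
O4 - HKLM\\..\\Run: [Legit] C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
"""
```

Only the \WINDOWS copy is reported; the system32 entry with its -k arguments passes.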
January 18th, 2005 09:23 PM
In my last post I could not remember where I got PV.exe (process view) from, but here is the download page with some info on usage, etc.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry