More help, please. Processes???

Discussion in 'Malware Help (A Specialist Will Reply)' started by gthomas, Nov 24, 2006.

  1. gthomas

    gthomas Private E-2

    Hi, I left for two days and came back only to find out the dogsitter used my computer to watch adult material. I arrived last night, and turned on the computer. A few moments later (2 a.m.), the computer started spinning as if running a program.

    This morning, I got on the computer and it wouldn't allow me to get online. A few days ago on another forum, someone had problems and someone recommended Ctrl+Shift+Esc to look at processes running (for someone else).



    So, I decided to hit the keys and lo and behold. If you look at the Hijack this log, it doesn't tell the story.

    Explorer.EXE is not Internet Explorer. That is IExplore.EXE. It ran up to 90,000kb mem usage. For several hours it varied from 8,000kb to the 90,000kb. It was also created 5 months after Internet Explorer was downloaded.

    svchost.exe has 6 processes running.

    And on. I have 33 or so running. I will post a normal scan from HijackThis; it only shows 25.

    I searched the commands on Yahoo, and there are posts regarding duplicate files at other than normal locations. Some of these were created last night at 2 a.m.

    All of a sudden, it went back to about normal 4-5 hours after Explorer.exe peaked.

    And RunKeys found a lingering SpyAxe in the SharedTaskScheduler. What is that? I can't find any shared scheduler.

    I checked on process, and it was in a different location and was all uppercased.

    While in safe mode, CounterSpy had a .dll problem; I ran it afterwards in normal mode after redownloading. It only found WeatherBug.


    EDIT: BitDefender scan found nothing, and it would not allow me to save a log.


    When trying PandaScan, it kept having problems. It would close out the browser and a thing came on saying Flash?? problem.

    I ran the read me first, and then the SpyAxe thread stuff, nothing.
     
    Last edited: Nov 24, 2006
  2. gthomas

    gthomas Private E-2

    ......
     

    Attached Files:

  3. gthomas

    gthomas Private E-2

    ........
     

    Attached Files:

  4. gthomas

    gthomas Private E-2

    Sorry about the delay in posting the PandaScan. It was in normal boot mode. As stated before, it would not work in safe mode. The only one that bothers me is the first, SpyAxe in the Windows registry.

    I will be back tomorrow. Thanks.
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log appears as if it is from safe mode. Post one from Normal Mode along with fresh ShowNew and GetRunKeys logs.
     
  6. gthomas

    gthomas Private E-2

    Thank you. Here you go.....
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot.

    Run Panda ActiveScan and attach the scan log.
     
  8. gthomas

    gthomas Private E-2

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  10. gthomas

    gthomas Private E-2

    .....
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Panda is still finding that registry entry. Follow the instructions for Running AVG Anti-Spyware.

    Post the AVG log when finished.
     
  12. gthomas

    gthomas Private E-2

    ......AVG Scan (took awhile)
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The AVG log is empty.

    Panda is not reporting where in the registry it is finding SpyAxe; that is of little use to me. You can ignore the alert, as it is most likely a false positive, or see what this new tool can do to resolve the issue.

    Simply download RogueRemover from the link below. Unzip to a convenient location such as C:\RogueRemover. Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe. Finally, select Scan and the program will walk you through the remaining steps.

    Compatible with Windows 2000, NT, XP
    Download RogueRemover (349 KB)

    Note: The applications listed in RogueRemover are listed there only by opinion of the authors of RogueRemover. The users of RogueRemover are in no way forced, but suggested, to remove the detected applications.
     
  14. gthomas

    gthomas Private E-2

    Rogue Remover did not detect any items.

    Thank you for your help.

    If you don't mind me asking, what are the processes? explorer.EXE, svchost.exe, etc.
     
  15. gthomas

    gthomas Private E-2

    Here are some questions.

    explorer.exe: I have a file called explorer.exe in C:\WINDOWS, but I have a file called EXPLORER.EXE-02121B1A.pf in C:\WINDOWS\Prefetch that was created on Nov. 26, 2006.

    svchost.exe: I have one in C:\WINDOWS\system32 and one in C:\WINDOWS\system32\dllcache. Both were created the same day/time. But I have an SVCHOST.EXE-2D5FBD18.pf in C:\WINDOWS\Prefetch that was created Nov. 25, 2006.

    What are the processes?
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Process File: explorer or explorer.exe
    Process Name: Microsoft Windows Explorer

    explorer.exe is the Windows Program Manager or Windows Explorer. It manages the Windows graphical shell, including the Start menu, taskbar, desktop, and File Manager. If you remove this process, the graphical interface for Windows will disappear. This program is important for the stable and secure running of your computer and should not be terminated.

    The legitimate EXPLORER.EXE resides in
    C:\WINDOWS.

    The .pf extension stands for Prefetch; these files are contained in C:\WINDOWS\Prefetch. They are records of programs you have used, and at boot Windows loads the files in this directory to speed access to the programs when you open them.

    Process File: svchost or svchost.exe
    Process Name: Microsoft Service Host Process

    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

    The legitimate SVCHOST.EXE resides in C:\WINDOWS\system32 and a copy is kept in C:\WINDOWS\system32\dllcache. SVCHOST is one of those files that is prefetched.

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • If you are running Windows XP or Windows ME, do the below:
      • Go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
    Safe surfing!
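    An added check (my own example, not code from this thread or from any of the tools mentioned in it) that applies the two facts above: it flags explorer.exe or svchost.exe running from somewhere other than the directories stated, and splits a Prefetch file name such as EXPLORER.EXE-02121B1A.pf into the executable name and its path hash. The process list is constructed sample data; on a real machine the name/path pairs would come from Task Manager or a process lister.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Directories where the legitimate binaries live on a Windows XP-era system, as
# stated in the thread. Comparison is case-insensitive because Windows paths are;
# the uppercase "EXPLORER.EXE" the poster noticed is not by itself a sign of anything.
EXPECTED_DIRS: Dict[str, List[str]] = {
    "explorer.exe": [r"c:\windows"],
    "svchost.exe": [r"c:\windows\system32", r"c:\windows\system32\dllcache"],
}

# A Prefetch entry is named <EXE>-<8 hex digits>.pf, e.g. EXPLORER.EXE-02121B1A.pf.
PREFETCH_RE = re.compile(r"^(?P<exe>[^\\/]+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_prefetch_name(filename: str) -> Optional[Tuple[str, str]]:
    """Split a Prefetch file name into (executable name, path hash); None if malformed."""
    m = PREFETCH_RE.match(filename)
    if m is None:
        return None
    return m.group("exe").lower(), m.group("hash").upper()


def audit_processes(processes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag the system process names discussed in the thread when they run from an
    unexpected directory. Several svchost.exe instances are normal; the count alone
    is not a signal, the location is.

    processes: (image name, full path) pairs as a process lister would report them.
    Returns (name, path, reason) for each entry that deserves a closer look.
    """
    findings = []
    for name, path in processes:
        key = name.lower()
        if key not in EXPECTED_DIRS:
            continue  # only explorer.exe and svchost.exe are audited here
        directory = ntpath.dirname(path).lower().rstrip("\\")
        if directory not in EXPECTED_DIRS[key]:
            findings.append((name, path, "unexpected location"))
    return findings


# Constructed sample process list: three legitimate entries and one copy of
# svchost.exe placed in a Temp directory (hypothetical path, for illustration).
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("SVCHOST.EXE", r"C:\WINDOWS\Temp\SVCHOST.EXE"),
]
```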
     
  17. gthomas

    gthomas Private E-2

    Thank you for your help.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
