svchost panda dislpayin it as dangerous

To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus RemovalMake sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message.(Do NOT copy/paste the log into your post).

 

You show no real big problems in your log. However you appear to have very little running which is unusual.
Are you still have problems? If so, please explain CLEARLY what the problems are.

Is the below your expected Start Page?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.mytalktalk.net

All P2P file sharing programs can be dangerous! Do you know that Ares contains adware - see this: http://www.slyck.com/prog.php?id=2
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h


These next two lines should be fixed. They are Alexa related.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Do you recognize the below IP addresses to be valid? Are they for your ISP?
O17 - HKLM\System\CCS\Services\Tcpip\..\{048904CC-1E26-4A86-8AED-5D7F8BF97811}: NameServer = 62.24.199.10 62.24.199.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{048904CC-1E26-4A86-8AED-5D7F8BF97811}: NameServer = 62.24.199.10 62.24.199.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{048904CC-1E26-4A86-8AED-5D7F8BF97811}: NameServer = 62.24.199.10 62.24.199.20

 

You need to write complete sentences and use the actual messages you are getting from your AV program and/or firewall.

lsaas - Are you sure this was what it said? Or was it lsass.exe
svchgost - Are you sure this was what it said? Or was it svchost.exe

lsass.exe and svchost.exe are required programs for Windows. They are not a virus unless they are running from a different directory than what they are supposed to be running from. If they are running from c:\windows\system32 , they are more than likely okay.

Is English a second language for you?

 

I still see nothing wrong! When exactly is this popping up? Why does it thing svchost.exe is calling cmd.exe.

Notice how I use capital letters and punctuation. That makes messages easier to read. Please try using it. Your sentences all blur together.

 

You never completed all the steps of the READ ME FIRST. If you feel there is really some kind of infection here, you should run ALL steps EXACTLY as written and in the order written.

Have you run a full scan with Panda from a safe mode boot?

 

Not according to your HijackThis log. At a minimum you did not run either of the two online scans.

 

First, the READ ME tells you if you cannot connect in safe mode to run in normal mode.

Second, the READ ME also requests that you tell us the results of what you ran and any problems you may have encountered.

Run the scans now! Also go to the section title Alternative Scans and try running them.

 

I do not follow the above message.

But do you have all of you Microsoft updates other then Win XP SP2? Are you sure?

 

Yes they do! They patch security wholes and other problems which prevent you from running into other issues. They do not necessarily fix whatever your current problems is but they are necessary.

You should not be surfing if you are running any scans. It is best to run scans with nothing else going on. Close all unnecessary applications. And if running online scanners, only have open one browser window that they are running in.

 

Which scans have you tried?
And what do you mean by crashing? Do you get an error message? If so, exactly what.

 

You just said you had all your updates. Are you talking about some other updates other than Windows?

 

No!!!!! Notice what your log says:

Logfile of HijackThis v1.99.1
Scan saved at 18:26:47, on 06/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

You are running Windows XP SP1

You do not have the updates! And I wonder if you have the other patches.

 

Please run the below (while disconnected - unplug cable)

avast! Virus Cleaner Tool
McAfee AVERT Stinger
Symantec W32.Sasser Removal Tool
Symantec W32.Blaster.Worm Removal Tool
Symantec W32.Mydoom@mm Removal Tool
W32.Gaobot Removal Tool

 

You know that this kind of exchange of messages is a waste of my time.

Are you kidding me? Why the heck would you say you have all the updates? Do you really think we care that you have them but did not install them? That is useless.

That's like saying I read the READ ME and downloaded all the programs and then not running them.

You need to disconnect your cable so nothing can talk out the interface while we trying to fix problems. Many malware programs do that to make it difficult to remove.

Install your updates and run the stuff I gave you. When you complete them come back and give the results.

 

Make sure you "install" the updates. Check your OS and IE versions afterwards and make sure they have updated. If you do not have WinXP SP1a, try downloading and installing it from the SP1A network version
http://www.microsoft.com/windowsxp/...p1/network.mspx

 

If you just formatted your system, why are you getting virus problems so quickly.
Are you running without an updated AV and without a firewall.

I thought we said not to install SP2. Why didn't you use the link I gave you for SP1a?

It means you still need your Windows updates!

http://www.esecurityplanet.com/alerts/article.php/3364941
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.8.html


http://www.webservertalk.com/message932921.html
http://www.securityfocus.com/infocus/1548
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

 

See message #35

 

You shouldn't need anymore. Install your updates and show me a HijackThis log.

 

Did you install the SP1a update? I would expect your HJT log to show

Platform: Windows XP SP1a (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 XP SP1a (6.00.2900.2180)



The only items in your log that can be cleaned are due to MS putting in some Alexa stuff:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

 

Do you mean you turned off the AV part of Panda or the firewall?


Are you able to boot in safe mode with Network support? If so, does this happen in safe mode?

Note: You do not need to run HSRemove or about;buster you do not and have not had one of those hijack problems.