Suspicious Process Activity

Recently while surfing around Youtube, my firewall popped up a security warning for me:

Name: svchost.exe
Publisher: Unknown Publisher
Type: Application
From: C:\WINDOWS\system32\svchost

Screenshot: http://img.photobucket.com/albums/v387/Jomaru/firewalled.png

Now I know svchost is a vital part of my system and should never be deleted; however, when I give it the “okay” to run the program, the process doesn’t run. Instead it starts up iexplorer.exe in the background (there’s no window popping up or anything), which immediately strikes me as suspicious. I terminate the process and the warning pops up again. It’s an eternal loop right now; I’m not sure what to do because no scanner is picking anything up.

Running:
avast! Antivirus (of course)
SuperAntiSpyware
MalwareBytes

Everything is up to date, but I can’t quite shake the feeling that they’re missing something.
Folder Screenshot: http://img.photobucket.com/albums/v387/Jomaru/svchost.png

::Virus Total Log::

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.15 Trojan-Dropper.SuspectCRC!IK
AhnLab-V3 5.0.0.2 2010.04.14 -
AntiVir 7.10.6.77 2010.04.14 -
Antiy-AVL 2.0.3.7 2010.04.14 -
Authentium 5.2.0.5 2010.04.15 -
Avast 4.8.1351.0 2010.04.14 -
Avast5 5.0.332.0 2010.04.14 -
AVG 9.0.0.787 2010.04.14 Dropper.Generic.CKLO
BitDefender 7.2 2010.04.15 -
CAT-QuickHeal 10.00 2010.04.15 -
ClamAV 0.96.0.3-git 2010.04.15 Trojan.Spy-71263
Comodo 4603 2010.04.15 -
DrWeb 5.0.2.03300 2010.04.15 -
eSafe 7.0.17.0 2010.04.14 -
eTrust-Vet None 2010.04.14 -
F-Prot 4.5.1.85 2010.04.15 -
F-Secure 9.0.15370.0 2010.04.15 -
Fortinet 4.0.14.0 2010.04.12 -
GData 19 2010.04.15 -
Ikarus T3.1.1.80.0 2010.04.15 Trojan-Dropper.SuspectCRC
Jiangmin 13.0.900 2010.04.13 -
Kaspersky 7.0.0.125 2010.04.15 -
McAfee 5.400.0.1158 2010.04.15 Generic MSIL.c
McAfee-GW-Edition 6.8.5 2010.04.15 -
Microsoft 1.5605 2010.04.14 -
NOD32 5029 2010.04.14 -
Norman 6.04.11 2010.04.14 -
nProtect 2010-04-14.01 2010.04.15 -
Panda 10.0.2.7 2010.04.14 -
PCTools 7.0.3.5 2010.04.15 -
Prevx 3.0 2010.04.15 -
Rising 22.43.03.01 2010.04.15 -
Sophos 4.52.0 2010.04.15 -
Sunbelt 6178 2010.04.15 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.04.15 -
TheHacker 6.5.2.0.261 2010.04.14 -
TrendMicro 9.120.0.1004 2010.04.15 -
VBA32 3.12.12.4 2010.04.14 -
ViRobot 2010.4.15.2277 2010.04.15 -
VirusBuster 5.0.27.0 2010.04.14 -
Additional information
File size: 934748 bytes
MD5…: 2a9eb9df69037fbcd6fb00e9ef4e2439
SHA1…: 6a8876f14240027289618c1a8aa5cd6a26b92466
SHA256: 23ad5dc89dede02fe73d08f58f08834b9053c63e5feeca436ca08e0cbcbcf755
ssdeep: 24576:C7NFhfSyNbMTai8S1P9IntN+cpXsOQrUKdgzMMtSgMnZYqfxr:CHhfPE8GPutEchPQrL2MxLnZYqfxr
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1752e
timedatestamp…: 0x4bb6ef5d (Sat Apr 03 07:33:49 2010)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2000 0x15534 0x15600 7.52 ab4db8ab950fbe34f1d5bd713b38097e
.reloc 0x18000 0xc 0x200 0.10 b395b055887e35c3c3b5037183392b9e
.rsrc 0x1a000 0x6186 0x6200 4.01 1e6a1ce3c7f78bc6c2f9ce89ecc16d5b

( 1 imports )

mscoree.dll: _CorExeMain

( 0 exports )
RDS…: NSRL Reference Data Set

pdfid.: -
trid…: Generic CIL Executable (.NET, Mono, etc.) (74.0%)
Windows Screen Saver (13.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
sigcheck:
publisher…: n/a
copyright…:
product…: Trend Micro
description…:
original name: C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe
internal name: C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe
file version.: 4.0.0.0
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
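As an added example (my own code, not the OP's or any poster's tooling), the following Python triage helper applies the checks a defender would run against the report above: is the image path the real System32 svchost.exe, is the binary Microsoft-signed, does its version resource name it svchost.exe, is it native code rather than a .NET stub (the mscoree.dll/_CorExeMain import), is any section packed (high entropy), and does it spawn a hidden browser. The class and field names, the 7.0 entropy threshold and the "genuine-like" baseline are my assumptions; the sample values are the ones posted above.

```python
"""Score how far a process claiming to be svchost.exe departs from the genuine
Windows service host.  Added triage example for this thread; field names and
the entropy threshold are assumptions, sample values come from the post above."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Where the genuine service host lives; any other location is suspect.
LEGIT_SVCHOST_PATH = r"C:\WINDOWS\system32\svchost.exe"
# Section entropy at or above this is a common packing/encryption heuristic (assumed).
HIGH_ENTROPY = 7.0


@dataclass
class PeObservation:
    image_path: str
    verified: str                                          # sigcheck "verified" field
    publisher: str
    original_name: str                                     # version resource OriginalFilename
    imports: dict = field(default_factory=dict)            # dll -> [function, ...]
    section_entropy: dict = field(default_factory=dict)    # section -> entropy
    child_processes: list = field(default_factory=list)    # image names spawned by it


def svchost_masquerade_indicators(obs: PeObservation) -> list[str]:
    """Return human-readable indicators; an empty list means nothing looked off."""
    hits: list[str] = []
    # 1. Path: the real svchost.exe has exactly one home.
    if ntpath.normcase(obs.image_path) != ntpath.normcase(LEGIT_SVCHOST_PATH):
        hits.append(f"image path {obs.image_path!r} is not {LEGIT_SVCHOST_PATH}")
    # 2. Signature: Windows binaries are Authenticode/catalog-signed by Microsoft.
    if obs.verified.lower() != "signed" or "microsoft" not in obs.publisher.lower():
        hits.append("binary is not Authenticode-signed by Microsoft")
    # 3. Version resource: the genuine file calls itself svchost.exe.
    if ntpath.basename(obs.original_name).lower() != "svchost.exe":
        hits.append(f"OriginalFilename is {obs.original_name!r}, not svchost.exe")
    # 4. Runtime: svchost.exe is native; a lone mscoree.dll import means a .NET assembly.
    if "mscoree.dll" in {d.lower() for d in obs.imports}:
        hits.append("imports mscoree.dll (.NET CLR entry); genuine svchost.exe is native code")
    # 5. Packing: a near-8.0 .text section usually holds compressed or encrypted payload.
    for name, ent in obs.section_entropy.items():
        if ent >= HIGH_ENTROPY:
            hits.append(f"section {name} entropy {ent:.2f} suggests packed or encrypted content")
    # 6. Behaviour: a service host quietly launching a browser is unusual (weak signal).
    for child in obs.child_processes:
        if child.lower() in {"iexplore.exe", "firefox.exe", "chrome.exe"}:
            hits.append(f"spawns {child} with no window; unusual for a service host")
    return hits


# Values copied from the OP's firewall prompt and the VirusTotal sigcheck/PEInfo output.
posted_sample = PeObservation(
    image_path=r"C:\WINDOWS\system32\svchost",   # as displayed by the firewall prompt
    verified="Unsigned",
    publisher="Unknown Publisher",
    original_name=r"C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe",
    imports={"mscoree.dll": ["_CorExeMain"]},
    section_entropy={".text": 7.52, ".reloc": 0.10, ".rsrc": 4.01},
    child_processes=["iexplore.exe"],
)

# Constructed baseline resembling the genuine binary (Microsoft-signed, native imports,
# moderate entropy); exact values vary by Windows build.
genuine_like = PeObservation(
    image_path=LEGIT_SVCHOST_PATH,
    verified="Signed",
    publisher="Microsoft Windows",
    original_name="svchost.exe",
    imports={"ntdll.dll": ["RtlInitUnicodeString"], "kernel32.dll": ["GetProcAddress"]},
    section_entropy={".text": 6.1},
)

if __name__ == "__main__":
    for label, obs in (("posted sample", posted_sample), ("genuine-like", genuine_like)):
        found = svchost_masquerade_indicators(obs)
        print(f"{label}: {len(found)} indicator(s)")
        for h in found:
            print("  -", h)
```

Run stand-alone, the posted sample trips all six checks while the baseline trips none; the path check is advisory on its own, since a firewall prompt may drop the extension, so confirm the file's real location and signature on disk before acting.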

As a-squared detects it, you could download and run a-squared free.
http://www.emsisoft.com/en/software/free/
asyn

Downloaded, installed, scanned. Hounded the scanned results and got rid of the stuff that was actually bad. Rebooted and everything’s actually worse. This scanner goes bye-bye now. =/

For a more in-depth look at what’s going on now: I’m getting pop-ups from the A-Squared website, along with other “offered scanners”, and while the background process for the program runs, my computer is slowed significantly. Plus, in the instance where I was able to stop the random infinite loop of the “svchost.exe” and “iexplore.exe” executables with SmitFraudFix, they came back after using the aforementioned software.

For free malware removal help with a-squared please go here:
http://support.emsisoft.com/forum/6-malware-removal-help/
asyn

oh god stop recommending a-squared it has lots of false positives.

Dichromaru, maybe you have something like this threat:

http://www.threatexpert.com/report.aspx?md5=58ea7efbe3aad97f0d43a32ef96f2d58

Agreed. Don’t use a-squared… maybe MBAM?

+100 - A-Squared is the False Positive King

He already had Mbam on his system, as well as SAS… :wink: (see first post)

First, go to Control Panel and delete all other anti-virus and waste software that you don’t need. Then go to Run, type msconfig, go to Startup, uncheck all unwanted applications, then restart the PC and install Avast. Always use a single anti-virus; it will never slow down your PC. Never use these false-positive anti-virus programs. Avast is a branded and standard anti-virus program with Boot-Time Scan.

so dude

have you read through this topic yet?

Yes, he faces a slowdown problem after the svchost.exe problem, so that’s just advice from me to speed up his PC. OK dude?

Dude just W…T…F…!? ??? ??? ??? :o You gave advice that anyone totally knows about. Actually, if you’d read the topic, you’d see dude has already done most of what you said. Fail.

oh yes W T F !! ???
Then Re-Install Windows!! Last Solution!! :o ;D

yes u do it

Guys, please calm down and relax… :wink:
As the OP didn’t post back here, the problem should be solved.
Peace and happiness… 8)
asyn