Win32:Patched-CK [trj] HELP HELP PLEASE

It’s affecting c:\windows\system32\svchost.exe, and I’ve done everything in my power to remove it. Avast CANNOT remove/delete/or anything. Scanned in safe mode and everything. I read the other posts but they didn’t help. I have Windows XP. Also did system cleanup with CCleaner. PLEASE HELP. I’m on my hands and knees here. Here’s a HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Samsung\Samsung Update Plus\SLUTrayNotifier.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [kvz2b13di4s8zox7tc25yawdbsz6sf6xlidyg2jmb8xx] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\s5zq9foxvf0.exe
O4 - HKCU..\Run: [fp1q4sfugjsn7ggeon6vkv3v7ovravceufaljz15] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\irtg4dg3.exe
O4 - HKCU..\Run: [mtfogihriine7karwa5nkjzxpvb819h7cbor655my] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\nzx90smxo5m.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [j93dpmjmog64iwq9fpta4n0pemtnm3k06o6xvf1hbdtr] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\niv7qxcg.exe
O4 - HKCU..\Run: [xxdwzbx7p4e8zjshwfh27kevafa9o2k1gmd7agkq3q8wz8s] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qlruca.exe
O4 - HKCU..\Run: [labfgx7fr89tzjbvea9idwun4fac06wmtrg] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\vgjxzy82b4e.exe
O4 - HKCU..\Run: [mowyjgygae8hygxm8aozismc0jxbfc] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\uxm3hw.exe
O4 - HKCU..\Run: [k6ktt0bad3vfeqiey0947v0fsmdy5gpcm9je73m9oz8b] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\i2vrm1fa9w79s.exe
O4 - HKCU..\Run: [zqbz9vh2pdfpgvg3punkl6dmcc7bwxt7n2pw0jpbf] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\jh16khd4y.exe
O4 - HKCU..\Run: [iirwfa2j1lc2zwl7n6jfxlwqgh0zdfj8l9z3ncpf7tbph6j278] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\yg3aktho.exe
O4 - HKCU..\Run: [b5imjnq3r7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fi3ydh.exe
O4 - HKCU..\Run: [bmatkdjzhbybj6q3judc3me1dghd4im1op] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\l1h2n3f.exe
O4 - HKCU..\Run: [ta443esc3njp92hfzjp26en34x4j8fg2z3diga5gmcjgivzl5i] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\etclkpv.exe
O4 - HKCU..\Run: [jfrzxzqt1713j58] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\qpaor9h8h.exe
O4 - HKCU..\Run: [g0uhbng3jk] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bdtrn0of3.exe
O4 - HKCU..\Run: [px3rig7ip76k44] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\j3ma4e.exe
O4 - HKCU..\Run: [r967vc3v17x3mfcrf0] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\fgw4p3k0l2g.exe
O4 - HKCU..\Run: [gp778add2c3r] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mvmjo4l.exe
O4 - HKCU..\Run: [qvfauwzzrz0rr73nbitxvrk6j] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\z3oz7odm0og7.exe
O4 - HKCU..\Run: [mdyn6mwtnawhk7not2vw7gbk06366b3wdbydwu1zq88h4wlbj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xmhpszf068.exe
O4 - HKCU..\Run: [s2cqbro1e8qyeni2p885i8coe23kxzj3ejki1xc29rsar] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oe6mohdxqrju.exe
O4 - HKCU..\Run: [mllowwboxmand] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\xn3wour8w0.exe
O4 - HKCU..\Run: [ydsook0xqgpd3ze40fcsewj] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\pfv4ceg.exe
O4 - HKCU..\Run: [f69ygohaijn5h8s4rirpfsd3g2] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\ud7yp1n3b9.exe
O4 - HKCU..\Run: [fll0z7mjr8q14q06ofakka8wu9whntbds8ty] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\frehft.exe
O4 - HKCU..\Run: [w1kbj78wevdxgitj6sh52ungeo] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\mr7qd0jwr84r.exe
O4 - HKCU..\Run: [hkiazb7oanic93a51hne0q6e7] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\oaxvbzz.exe
O4 - HKCU..\Run: [ifuiemoeq4jfi3] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\g1yei7otqj.exe
O4 - HKCU..\Run: [ql9inexcggywny873ogevkg4xyst4vxohn0zanje] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\bilqn1d4rlx.exe
O4 - HKCU..\Run: [ki15r62nyzay6uv8n5q8adx1q] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\shoyle3fpia.exe
O4 - HKUS\S-1-5-18..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘Default user’)
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O20 - AppInit_DLLs: fjnxhy.dll ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O20 - Winlogon Notify: hgGaaXPf - hgGaaXPf.dll (file missing)
O20 - Winlogon Notify: khfEVOfD - khfEVOfD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe


Welcome to the forums, camembert2000. :)

Please post the complete HJT log including the headers and end.

Also, I hope you are using HJT version 2.0.2

http://www.filehippo.com/download_hijackthis/


avast can’t move it to the chest or delete it as it is an important system file.

So a repair of the infected file is really the only option; try this tool.
DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, more so when used in safe mode.

Is it okay to download DrWeb CureIt since I already have Avast, and it’s not recommended to have two antiviruses on the same computer?

I wouldn’t have suggested it if it was.

It isn’t a resident tool; when talking of two AVs we are talking about resident scanners.

SUCCESS!! I moved it to the chest. Should I delete it? Thank you for all your help.

I have to say I’m confused as the idea of using DrWeb CureIt was to repair the file and leave it in place.

WHY did you move it to the chest (surely avast didn’t detect it again)?
How did you move it to the chest?

Being an important system file I would have thought as per your first post “Avast CANNOT remove/delete/or anything” the same would be the case now.

Rush to delete and repent at leisure.
Deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest and investigate (so why delete from the chest?).

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

I had been hoping that you would also have done as CharleyO asked and posted a new HJT log, as there are some obvious issues that need to be resolved.

There is a ton of stuff being run from the temp folder, so if you ran CCleaner you did it after the HJT log, which makes it worthless.

Since you have both SAS and MBAM installed I’m very surprised to see any of this c**p in the HJT log. So you should run both SAS and MBAM from safe mode where they are more effective.

DavidR, a lot of people delete after it is in the chest, or simply delete because they panic that the virus will harm their PC or something, lol. I know it’s hard to leave a virus in the chest, lol.

There is zero point of deleting after sending to the chest, you might as well cut out the middle man (the chest) and delete it straight away, which is IMHO crazy for the reasons already mentioned.

My problem being this is an important system file which in the first place avast wouldn’t send to the chest, yet here camembert2000 is now saying success it has gone to the chest ???

Eh, people, svchost.exe is a generic host process name for services that run from dynamic-link libraries.
On Xp systems there will be copies of it in
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache\

It is NOT malware, although malware can of course have any file name. To check if svchost.exe is malware or not, compare it with the original version on the Windows CD/DVD.

If malware detecting/removal software like e.g. avast, AVG, Ad-Aware, Spybot (and many others) is detecting svchost as malware, the first thing to do is to check the location. If it is not in one of the default locations, it is very likely malware. If it is in a default location, compare it with an original version of the file.

If the file seems to be a legitimate copy and malware detecting/removal software flags it as malware, there are basically two options.

  1. It is a false positive
  2. Something using the svchost is malware

If 1 is the case, report it to the vendor of the software that is detecting it as false positive.
If it is option 2, find out what is using svchost and delete the culprit.
Sysinternals (now MS) has some very nice tools for this.

Eddy, this win32:patched malware targets the system files (including this one), and when infected avast won’t move it to the chest or delete it because it is still required. The problem is replacing infected system files whilst in use.

There are many topics on this malware and a lot of people have tried renaming it and hoping windows replaces it on reboot with a copy in the dllcache you mention. Using Live CDs and trying to replace it with a clean copy, or replacing from a command prompt on boot into command window.

However, DrWeb CureIt has in the past had a good deal of success in repairing the infected file, making replacement unnecessary.

O4 - HKUS\S-1-5-18..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User ‘SYSTEM’)

Sorry, couldn’t help myself from posting, but I don’t think that belongs there.

It isn’t the only thing by a long way.

The whole HJT log is full of issues, one of the worst I’ve seen for a while, but we really need a fresh one after running SAS and MBAM from safe mode as previously mentioned.


Yes, there are too many bad entries in the above HJT log which is why I asked for the complete log and to make sure it is the newest version of HJT.


Hi DavidR and CharleyO,

We have discussed this issue many times before, and essexboy and oldman always taught us here to first do a scan when all the infection is still there on the victim’s machine, and only after the HJT log has been analyzed to start the cleansing with scanners, tools and fixes. Otherwise we cannot get a good analysis of the infections.
First diagnosis, then operation or cure, period.

polonus

We have a start point, the first HJT log as it appears raw, i.e. no scans of anything, as it is a train wreck.

Okay, here’s an updated hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:42 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘Default user’)
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O20 - AppInit_DLLs: fjnxhy.dll ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O20 - Winlogon Notify: hgGaaXPf - hgGaaXPf.dll (file missing)
O20 - Winlogon Notify: khfEVOfD - khfEVOfD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: SNM WLAN Service - Unknown owner - C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe


End of file - 3956 bytes

Running it from safe mode doesn’t show processes that would be running in normal mode so is less useful for analysis.

Even in safe mode these are still running and should be fixed in HJT, the files found (search using Windows Explorer) and a) uploaded to VirusTotal and b) sent to avast for analysis (see below).

O4 - HKUS\S-1-5-18..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User ‘Default user’)

O20 - AppInit_DLLs: fjnxhy.dll ,

These are still listed but the files are gone and should also be fixed in HJT.
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O20 - Winlogon Notify: hgGaaXPf - hgGaaXPf.dll (file missing)
O20 - Winlogon Notify: khfEVOfD - khfEVOfD.dll (file missing)

Suspect files: Upload the file/s to VirusTotal (VT) mentioned above, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

Once you have done that reboot and run HJT in safe mode and post the contents of the log.

What is your firewall?
You don’t appear to have an active one; it should be capable of blocking unauthorised outbound Internet connections.
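The checks the posters above apply by hand (Eddy's "check the location of svchost.exe first", DavidR's "anything run from the temp folder", non-empty AppInit_DLLs, and Winlogon Notify or service entries marked "(file missing)") can be scripted so a reader gets a first-pass list of suspect lines before touching anything. The following Python script is an added example for this thread, not code from HijackThis, avast or any poster. The sample lines are constructed from entries posted above; the expected system32 locations come from Eddy's post, while the set of core binary names is my own assumption, and the path check only narrows the list, it does not replace comparing the file against the original on the Windows CD as Eddy suggests.

```python
"""First-pass triage of HijackThis (HJT) log lines, mirroring the manual checks in the thread."""
import re
from typing import List, Tuple

# Default locations of core Windows XP binaries (from Eddy's post).
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}
# Assumption: core NT binaries that should never be started from anywhere else.
SYSTEM_FILE_NAMES = {"svchost.exe", "services.exe", "winlogon.exe", "lsass.exe", "smss.exe", "csrss.exe"}

Finding = Tuple[int, str, str]  # (1-based line number, rule id, offending value)

_O4 = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<val>.*)$")
_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
# HJT appends "(User 'SYSTEM')" to HKUS entries; forum pastes may turn the quotes into curly ones.
_USER_SUFFIX = re.compile(r"\s*\(User [‘'][^’']*[’']\)\s*$")

# Constructed sample modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU..\Run: [kvz2b13di4s8zox7tc25yawdbsz6sf6xlidyg2jmb8xx] C:\DOCUME~1\Yinghz\LOCALS~1\Temp\s5zq9foxvf0.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18..\Run: [o91kxpa9i] C:\WINDOWS\TEMP\t3dmkoz9itqpm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O20 - AppInit_DLLs: fjnxhy.dll ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cbXPgfec - cbXPgfec.dll (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip()


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command (quoted or bare, with optional switches)."""
    cmd = _USER_SUFFIX.sub("", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare paths may contain spaces ("Documents and Settings"), so only split at a " /" switch.
    return cmd.split(" /", 1)[0].strip()


def _dirname_lower(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _basename_lower(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def system_name_outside_default_dir(path: str) -> bool:
    """True when a core system binary name is used from a directory other than the defaults."""
    return _basename_lower(path) in SYSTEM_FILE_NAMES and _dirname_lower(path) not in EXPECTED_SYSTEM_DIRS


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the suspect entries in an HJT log, one finding per rule that fires."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if (m := _O4.match(line)):
            path = command_path(m["cmd"])
            if "\\temp\\" in path.lower():  # autoruns living in a Temp folder
                findings.append((lineno, "autorun-from-temp", path))
            if system_name_outside_default_dir(path):
                findings.append((lineno, "system-name-wrong-dir", path))
        elif (m := _O20_APPINIT.match(line)):
            dlls = m["val"].replace(",", " ").strip()
            if dlls:  # AppInit_DLLs is empty on a clean box; any DLL here is loaded into every GUI process
                findings.append((lineno, "appinit-dll", dlls))
        elif (m := _O20_NOTIFY.match(line)):
            if "(file missing)" in m["path"]:  # orphaned Winlogon Notify entry
                findings.append((lineno, "orphan-winlogon-notify", m["name"]))
        elif (m := _O23.match(line)):
            path = m["path"].replace("(file missing)", "").strip()
            if "(file missing)" in m["path"]:
                findings.append((lineno, "orphan-service", m["svc"]))
            if system_name_outside_default_dir(path):
                findings.append((lineno, "system-name-wrong-dir", path))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in triage_hjt(SAMPLE_LOG):
        print(f"line {lineno:2d}  {rule:24s} {detail}")
```

Run it against a saved HJT log by replacing `SAMPLE_LOG` with the file contents; every line it reports is a candidate for the VirusTotal upload and HJT fix described above, and anything it does not report still needs the ordinary review.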


camembert2000,

Please run HJT from a normal startup. Too many things are not running in safe mode.

When you posted the first (but incomplete) HJT log, it was from normal mode. Why safe mode this time?


David,

With respect to you, the first HJT log was incomplete and from an old version of HJT. So, imho, it was not a good start point. We need a good start point with the most up to date version of HJT run from normal start up.
We have neither yet.


We don’t know if it was an old version or not as there were no headers to confirm that.

I mentioned we need to see a log from normal mode, but it seemed pointless to wait until camembert2000 did that to deal with some serious issues. Over 24 hours later and still no response, so I don’t feel waiting that long is helping. If my system were in that state (it wouldn’t be though), I wouldn’t sleep until I had it resolved. I know people have different priorities, work/school, etc., but with a seriously compromised system that has to be a high priority (it seems those trying to help have a higher priority than camembert2000).