
SVCHOST.EXE-2D5FBD18.pf Trojan

  • This topic is locked

#16
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Ken

I see you elected to use the standard database and not the extended one. There is no way of knowing if the extended database would have found more.

Firstly, you need to get rid of all of these:

C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.binaries.erotica.broadband.dbx/[From [email protected]][Date 11 Jun 2006 21:47:53 GMT]/Eliza Infected: Trojan-Downloader.WMA.Wimad.h skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.binaries.erotica.broadband.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.nospam.erotica.dbx/[From [email protected]][Date Mon, 31 Jul 2006 17:29:19 GMT]/Brittany Infected: Trojan-Downloader.WMA.Wimad.h skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.nospam.erotica.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/01 Oct 2005 21:38 from eBay Inc:eBay Inc: Please Validate Your A.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 1 skipped

You'll find them in your Outlook programme.

I don't know what these are:

C:\WINDOWS\CSC\000001 Object is locked skipped
C:\WINDOWS\CSC\000002 Object is locked skipped
C:\WINDOWS\CSC\000003 Object is locked skipped
C:\WINDOWS\CSC\d2\000011 Object is locked skipped
C:\WINDOWS\CSC\d3\000012 Object is locked skipped

They look like folders, but are very suspicious entries. Please report on the content.

#17
Ken of Texas

    Member

  • Topic Starter
  • Member
  • 12 posts
I was able to delete the files you identified. I was unable to locate the C:\WINDOWS\CSC.... files. I'm not sure how to find them other than through the search function. I did select Search System Folders and Search Hidden Folders, but without success. Any suggestions?
Thanks,
Ken

#18
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Try setting your system to show all files; please see here if you're unsure how to do this.

#19
Ken of Texas

    Member

  • Topic Starter
  • Member
  • 12 posts
I went to the CSC folder in the WINDOWS folder and found six folders and four files. The folders are labeled D1, D2, D3.... through D8. Only two of the folders contain any files, 00000011 in D2 folder and 00000012 in D3 folder. The four files in the CSC folder are displayed as System Files and are labeled 0000001, 0000002, and 0000003. One file is labeled csc1.tmp. When I open the files in NotePad there are a dozen or so characters but not meaningful in any way, although in one of the files is the word "kfleming" which is one of my passwords for email. I am unable to open the csc1.tmp file. I deleted the other files as you directed. There is still no change in the spiking when I reboot. I am disabling the svchost.exe file that spikes so I can work on the computer.
Ken

#20
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Ken

The CSC folder is "Client Side Caching", presumably this was created with your work network's recent change.

To disable this feature, you should be able to open My Computer, click on Tools > Folder Options... and then click on the Offline Files tab. You can then delete the files (Delete files...) and / or view the files (View files). To disable online files, deselect the option "Enable offline files" and click OK.

#21
Ken of Texas

    Member

  • Topic Starter
  • Member
  • 12 posts
Well, I think I may have uncovered the source of the problem. I was curious as to what was causing the svchost.exe to spike, so I downloaded Process Explorer and ran it when I re-booted the computer. The two processes under the svchost.exe that spiked had the same name, "wuauclt.exe", which I learned is automatic updates for MS. I went into the control panel and disabled the auto updates and everything is now fine. Does that mean the wuauclt.exe files are probably corrupted and need to be replaced? Is there still the possibility that some virus is the cause and, lacking the desire to spend more time (yours and mine), should I just wipe my C drive and start over?

Ken

#22
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
That makes sense to me; it was something I was planning to use. I wouldn't, for a moment, think that the newly downloaded files are corrupt at all. I turned off auto downloads about two years ago for similar reasons. I just update when the mood takes me and I am not at the keyboard.

As for reformatting, that's like calling for an undertaker when you have a cold.

wuauclt.exe is legitimate in this folder: C:\Windows\System32

There will be copies (backups) in C:\Windows\Prefetch, C:\Windows\System32\dllcache and C:\Windows\ServicePackFiles\i386

If a search of your system shows an occurrence of the file anywhere else, let me know as it may be a CultB Trojan.

Hope that helps.
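A defender's version of the search the reply above asks for, added here as an example and not part of the thread: it lists every wuauclt.exe on the fixed drives, flags any copy outside the four folders the reply names as legitimate, and shows each file's Authenticode status and SHA-256 so a stray copy can be compared against the System32 one. It assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): find every wuauclt.exe and flag copies that
# sit outside the folders the reply lists as legitimate. Assumes Windows PowerShell 5.1+
# run as Administrator so hidden/system folders can be read.

# Folders the thread names as legitimate locations (real file plus backups)
$allowedDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\Prefetch",
    "$env:SystemRoot\System32\dllcache",
    "$env:SystemRoot\ServicePackFiles\i386"
)

# Only local drive letters, so mapped network shares are not crawled
$fixedDrives = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    Select-Object -ExpandProperty Root

# -Force includes hidden and system files; access errors are skipped silently
$hits = foreach ($root in $fixedDrives) {
    Get-ChildItem -Path $root -Filter 'wuauclt.exe' -File -Recurse -Force -ErrorAction SilentlyContinue
}

$report = foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [PSCustomObject]@{
        Path      = $f.FullName
        Expected  = [bool]($allowedDirs -contains $f.DirectoryName)  # string compare is case-insensitive
        Signature = $sig.Status                                       # 'Valid' for an intact Microsoft binary
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        SizeBytes = $f.Length
    }
}

$report | Sort-Object Expected | Format-Table -AutoSize

# Anything outside the allowed folders, or without a valid signature, deserves a closer look
$suspect = $report | Where-Object { -not $_.Expected -or $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning "wuauclt.exe found outside the expected folders or without a valid signature:"
    $suspect | Format-List Path, Signature, Signer, SHA256
} else {
    Write-Host "All wuauclt.exe copies are in expected folders and carry a valid signature."
}
```

Two copies in expected folders that differ in hash or size are also worth noting, since the dllcache and ServicePackFiles backups are normally identical to the System32 file of the same service-pack level.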

#23
Ken of Texas

    Member

  • Topic Starter
  • Member
  • 12 posts
I think we have resolved the problem. As for the date order, I went into Regional Settings and reset the settings to United States and it corrected itself. Not sure what caused that to be corrupted, but it seems fine now. I've decided not to wipe the drive since I've cleaned the system and added some protection. Thanks for all of your help!
Ken

#24
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
That's great to hear. Have you recently had "daylight saving time" adjustments?

I will leave this thread open for a few days in case of misfortune.

#25
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.