
Multiple problems on old Acer; need Malware Check



#16
23red

23red

    Trusted Helper

  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

Rebooting is much quicker now that AVG isn't checking every step.


Excellent :thumbsup:

Microsoft S.E. was successfully installed but the updating afterwards was interrupted once when the "connection failed", supposedly. The second time, the updating succeeded but required half an hour! Its Home Page indicates the Real Time Protection is on, but upon rebooting, Windows Security Center tells me my system "might be at risk" since there's no firewall...don't they know each other and Bill Gates?


Please turn on the Windows Firewall, to do this:

1. Click Start ~> Control Panel

2. Under Control Panel in the left side panel, click on Switch to Classic View

3. While in Classic View, double-click on Windows Firewall. The Windows Firewall window will open.

4. Check the box next to On [recommended]

5. Click OK

6. Close Control Panel

7. Please advise if you have any problems enabling the Firewall.


I ran the MSE quick scan and it found nothing. I assume that, because we ran the OTL full scan just before this MSE installation, it isn't needed/wanted again; correct me if I'm wrong.


OTL is not an antivirus. It's a scanner that looks in places where malware is known to hide. It's good that MSE found nothing :thumbsup: Thank you for the information. :)


The system is still trying to run Disc Check on startup, and one system SVCHOST.exe still causes 100% CPU usage a few minutes later, requiring that process to be ended. I assume the IP connection loss problem still exists but haven't checked today.


Ahh, which brings me to the next tool. Let's see what's going on with your services.

Farbar Service Scanner:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

When you return, please:

1. Advise how the Firewall enabling went.
2. Farbar Service Scanner Log
3. A question if I may, do you use/need/want AOL on the computer? I'm seeing disabled parts which is why I ask.
  • 0



#17
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts
Hello, 23red;


For the firewall enabling, I first get a message that the service can't be displayed because the service isn't running,... and when I click Yes, I get a final message that Windows can't start the (ICS) service.
Before downloading and running the scan, I looked at msconfig and under Services, everything was checked except the Wireless Zero config. and Yahoo Updater; I think I've turned Google Updater off some while ago too, but believe Google tries (successfully) to override my wishes.


Here is the Services scan log:

Farbar Service Scanner Version: 24-10-2013
Ran by Tom (administrator) on 25-10-2013 at 09:13:05
Running from "C:\Documents and Settings\Tom\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is set to Demand. The default start type is Auto.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc: "%SystemRoot%\System32\cryptsvc.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****



Long ago, when a niece was living here and had the first computer in the house, the connection was by underground standard phone lines using AOL. Off and on, a sister was here too and eventually she had AT&T provide DSL. Later, the AOL service was discontinued. This computer was hers; I started using it about ten years ago and it was given to me when she left the area about 5 years ago. It's hardwired and so far, hasn't needed to go anywhere or use another connection elsewhere. The wireless is also purposely turned off.

If AOL isn't needed for anything besides a standard wired connection, being disabled is fine. Just in case of possible future need, I wouldn't remove it unless there was some good reason to.


BTW, does the "red" in your handle refer to a suntan? :P
  • 0
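The Farbar Service Scanner log above is plain text, so the triage 23red does by eye (which services are stopped, which have had their start type changed away from the default, whether the File Check found anything not legit) can be automated. This is an added example, not part of the thread and not code from the FSS tool; it parses a constructed excerpt laid out exactly like the posted log.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example: parses the text format shown in the thread and reports,
per section, which services are not running and which of those also have
a start type that FSS says differs from the default.  SAMPLE_LOG is a
constructed excerpt modelled on the posted log, not a real capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Farbar Service Scanner Version: 24-10-2013
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.

Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is set to Demand. The default start type is Auto.
The ServiceDll of cryptsvc: "%SystemRoot%\\System32\\cryptsvc.dll".

File Check:
========
C:\\WINDOWS\\system32\\dhcpcsvc.dll => MD5 is legit
C:\\WINDOWS\\system32\\svchost.exe => MD5 is legit

**** End of log ****
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):$")               # e.g. "Windows Firewall:"
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
DLL_RE = re.compile(r'^The ServiceDll of (\S+): "(.+)"\.$')  # FSS prints the path when not OK
FILECHECK_RE = re.compile(r"^(\S.*?) => MD5 is (.+)$")


@dataclass
class ServiceFinding:
    section: str
    name: str
    start_type: Optional[str] = None         # only set when FSS reports a mismatch
    default_start_type: Optional[str] = None
    service_dll: Optional[str] = None        # only set when FSS prints the path


def parse_fss_log(text: str) -> Tuple[List[ServiceFinding], List[Tuple[str, str]]]:
    """Return (stopped-service findings, File Check (path, verdict) pairs)."""
    findings: List[ServiceFinding] = []
    files: List[Tuple[str, str]] = []
    section = ""
    current: Optional[ServiceFinding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("=*"):   # skip blanks and ==== / **** rulers
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            current = ServiceFinding(section=section, name=m.group(1))
            findings.append(current)
            continue
        m = START_TYPE_RE.match(line)
        if m and current and current.name.lower() == m.group(1).lower():
            current.start_type, current.default_start_type = m.group(2), m.group(3)
            continue
        m = DLL_RE.match(line)
        if m and current and current.name.lower() == m.group(1).lower():
            current.service_dll = m.group(2)
            continue
        m = FILECHECK_RE.match(line)
        if section == "File Check" and m:
            files.append((m.group(1), m.group(2)))
    return findings, files


def triage(text: str) -> Dict[str, List[str]]:
    """Split stopped services into 'start type changed' vs 'merely stopped'."""
    findings, files = parse_fss_log(text)
    report: Dict[str, List[str]] = {"start_type_changed": [], "stopped_only": []}
    for f in findings:
        if f.start_type:
            report["start_type_changed"].append(
                f"{f.name} ({f.section}): {f.start_type}, default {f.default_start_type}")
        else:
            report["stopped_only"].append(f"{f.name} ({f.section})")
    report["files_not_legit"] = [path for path, verdict in files if verdict != "legit"]
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

A service whose start type was changed to Disabled is a stronger signal than one that is merely stopped, since a stopped service with a correct start type can simply fail to start on a sick machine, whereas the start type has to be set by someone.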

#18
23red

23red

    Trusted Helper

  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

From the errors you spoke of in the first post, it looks as though your hard drive may be failing. We'll try and correct what we can here. If the errors can be corrected, and the firewall, safe mode, system restore, etc. can be enabled, that should buy you as much time as possible. Knowing that, please back up your important files (pictures, documents, etc.) in case the drive does fail. If you would like help with that, please ask.

Windows All-In-One:

Work your way through these steps, one at a time. If Step 2 or Step 3 won't run correctly, go ahead and skip to the next step. Let me know if you have problems in any of these areas, please. :)

• Please download Windows Repair (all in one) from this link. Click the Direct Download link below Mirror 4 and save it to your Desktop.

• Double click the downloader to Install the program. You may delete this icon after you're done installing if you wish.

• Double click the Tweaking Icon to open the Program. You will be presented with this screen:

Posted Image

• Click on the Step 1 tab

Posted Image

• Click the Download and Scan System button to allow Malwarebytes to scan your system. Remove all it finds.
• Once complete, then:

• Click on the Step 2 tab.

Posted Image

• Click on the Check button. Let it check the drive's file system for errors. If No Errors Found on the Drive, proceed to Step 3.

• If Errors are found, please click the Do It button to restart the computer and repair file system errors.

• Once complete, then:

• Click on the Step 3 tab.

Posted Image

• Click on the Do It button and let it check System Files for errors.

• Once complete, then:

• Click on the Step 4 tab.

Posted Image

• Click the Backup button to back up the Registry.

• Once complete, then:

• Click on the Step 5 tab.

Posted Image

• Click the Start button. A new window will open.

• Click Unselect All then check the boxes checked from the following image.

Posted Image

• On the lower right of the window put a Check in the Restart/Shutdown System When Finished box.

• Click also the Restart System radio dial.

• Now click Start

• Upon completion, Windows will restart.

Once it does, please run Farbar Service Scanner again as in Post 16 and post the results. We'll see how it did.

Please let me know how it goes :)
  • 0

#19
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts

Hi TooNew2

From the errors you spoke of in the first post, it looks as though your hard drive may be failing. We'll try and correct what we can here. If the errors can be corrected, and the firewall, safe mode, system restore, etc. can be enabled, that should buy you as much time as possible. Knowing that, please back up your important files (pictures, documents, etc.) in case the drive does fail. If you would like help with that, please ask.


Greetings, 23red;

This is just a quick note to let you know I haven't just drifted away. The SVCHOST has been fullscaling more than once during the two times on Saturday and again twice today that I have started the computer, so I've mostly stayed off while I got ready for more backing up (and took care of other chores). I already had much of my data backed up but am trying to be sure everything I want is. Some months ago, I picked up a discarded hard drive and had a friend check it yesterday; he didn't run a malware scan, which I will, but he did find it has mostly some music from a few characters named Bach, Beethoven and Mussorgsky :thumbsup: , using maybe 10% of the 300 gigs it can hold, so I want to try backing my operating system and perhaps much more onto it. How do I make sure I copy the license in case I ever needed to replace the hard drive?
I do have the Microsoft Backup utility already installed, although I didn't (knowingly) use it in the past to put data on discs or stick drives.

I will be following the directives in your last post once I succeed in this current task which I hopefully won't need any help doing. :unsure:

Does this mean you get a few days of vacation from your training, or are just less overloaded with cases? :P
  • 0

#20
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts
Hello again, 23red;


I scanned the external hard drive with both SAS and MSE and found no problems; next I deleted some garbage, only then realizing the drive uses NTFS whereas I have FAT32 on my system. Can I reformat it to FAT32? Does it need to be wiped clean beforehand? If so, how is it best done? It does have Night On Bald Mountain, which I wouldn't mind keeping...

Meanwhile, I backed up my System State on a memory stick, together with an extra copy of the main activation file (Wpa.dba). I find the backup file (Wpa.bak) is missing; I understand it is supposed to be a copy of the original unaltered activation file and that its being missing isn't uncommon.
I also remembered my Documents on D got deleted somehow a few years ago; does it normally serve as backup for My documents, or is it supposed to be a second different file?

Anyway, I'd still like to back up more files which are larger than the remaining space on the stick drive, so will wait to hear about the hard drive.

BTW, the system has mostly been behaving again, once the first SVCHOST closing is over... :whistling:
  • 0

#21
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts
Hello, 23red;

In Step 1, two Trojans were found in the Registry.

In Step 2, a new dark Command window was superimposed over the Tweaking window and finally had a last entry of “** is complete. Convert lost chains to files (Y/N)? “ Errors had been noted earlier in that file so I clicked the “Do It” button on the Tweaking window, the system restarted, disc checking began and I eventually got the terminal message that Windows had been closed, and nothing worked. Four of the five codes listed were the same as before. Had to finally shut down with the On button.

On rebooting, I didn't allow Disc Checking the second time. This time I found all the Desktop icons were completely reshuffled and to the left side; all folders in a column. The SVCHOST offscaling happened sooner and a single click of the On button didn't close the system down; a long hold-down was required.

I would like to backup the Icon arrangement and use it to restore my order, rather than having to do it manually. How do I find the correct file?

Step 3 seemed to work correctly. When the Checking Progress window disappeared and my system showed no sign of activity, I went to the next step.

During Step 4, I noticed a quick message saying it was using a fall-back method rather than the Shadow Copy Service.

In Step 5 under 2, I noticed it had Reset Permissions listed for C, D and F but not E, the onboard disc drive. F is the new external hard drive and it wasn't connected at the time. This step was much slower than the others; I started at 10:18, watched it for half an hour, then checked it periodically. When I looked at 11:21, the screen was dark, the system activity light remained 'permanently' off, and the system didn't respond to keystrokes. The unit was warm and the fan went on and off over the next six or seven minutes, when I finally shut it down with a long hold of the ON button.

I restarted a while later at 11:43 and it tried to run the Disc Check but I stopped it. The icons were where they’d been recently reset, the Tweaking program was still open and it seemed to be working on: Computer\C\Windows\sys32\config\default. The Tweaking Uninstall window was still onscreen. There were now 7 SVCHOST.exe processes listed in the Task Master and IIRC, one was very active for quite a while. It finally went offscale again at 12:01 and stayed there a few minutes whereupon I shut the system down with the On button.

When I restarted again at 5:08, the Tweaking window was still open but not the Tw.Uninstaller nor the Backup window. Once again, one SVCHOST went offscale at about 5:13 and I quickly ended just that process.

During this long series of processes, particularly with Step 5, I wasn't positive I hadn't manually ended something that was actually still running, although it didn't seem so.



Here is the result of the Farbar Scan with the same settings as last time:


Farbar Service Scanner Version: 24-10-2013
Ran by Tom (administrator) on 03-11-2013 at 17:58:04
Running from "C:\Documents and Settings\Tom\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


Is there a log which would identify the "Trojans" of step 1? AVG used to misidentify some of my SolidWorks program as 'trouble' and I'm always curious anyway.

Not much, if anything, seems to have changed.
Is there any chance some of these last operations didn’t run correctly and that a second try might work better? Now I’d know what to expect and to watch for better.

I do have some very old restore discs which came with the system. Would it make sense to backup all the Windows Updates and anything else new since then, then try running those discs to reinstall the main program?

FWIW, yesterday I was able to upload some data and pictures to the external hard drive with its still-original NTFileSystem, and then seemingly be able to read them back. The disc drive still didn’t recognize a disc for the purpose of writing, but reading seems fine.

Awaiting further instructions. Any detailed explanations of what has or should have occurred are welcome.

Thanks again,

TooNew2



Edited by TooNew2, 03 November 2013 - 08:46 PM.

  • 0

#22
23red

23red

    Trusted Helper

  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

Checking on a few of your queries; in the meantime:

Please copy the Malwarebytes Log here so we may take a gander at it.
Open Malwarebytes, click on the logs tab:

Posted Image


Double click on the line of the log with the date the tool was run to open it.
Click Edit ~> Select All; all will be highlighted. Paste it here, please :)
  • 0

#23
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts
Hello, 23red;

Last night I took a look at some of the logs in the Tweaking Window! They'd probably be interesting to me if I had any idea what they meant.... :lol:

I have two copies (two different lines) in the Malwarebytes log which have a different number after the date in line 8 and only one having MBAM in capital letters. The times run are exactly the same ( 11/3/2013 12:27:09 AM). The first log shows no action taken about the Trojans, the second log shows action.

Here's the first one:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.03.01

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
Tom :: ACER-2E68C49B20 [administrator]

11/3/2013 12:27:09 AM
MBAM-log-2013-11-03 (00-50-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 286470
Time elapsed: 22 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



And the second log:


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.03.01

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
Tom :: ACER-2E68C49B20 [administrator]

11/3/2013 12:27:09 AM
mbam-log-2013-11-03 (00-27-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 286470
Time elapsed: 22 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

#24
23red

23red

    Trusted Helper

  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

Let's see if we can get those services running:

OTL Fix

Please double click on Posted Image on your desktop to open OTL.

Under Posted Image
in the textbox at the bottom, please paste in the following text:

:Commands
[CreateRestorePoint]
:OTL
[2007/03/21 08:20:24 | 000,300,680 | ---- | C] (CA, Inc.) -- C:\Documents and Settings\All Users\Application Data\arclib.dll
[2013/03/03 20:14:39 | 000,000,036 | ---- | C] () -- C:\WINDOWS\avgui.INI
:Files
net start sharedaccess /c
net start Dhcp Service /c
net start sharedaccess Service /c
net start Srservice Service /c
net start wscsvc Service /c
net start wuauserv Service /c
ipconfig /flushdns /c
:Commands
[Reboot]

• Push the Posted Image button.
• OTL may ask to reboot the machine. Please do so if asked.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
• A message box Posted Image will pop-up.

• Click the OK button and a report will open.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
• Copy and Paste that report in your next reply, please


Please run Farbar Service Scanner as before after OTL and post those results also please :)

When you return, please
OTL fix log
FSS log
  • 0

#25
TooNew2

TooNew2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 177 posts
Hello, 23red;

I followed the instructions running the OTL fix and got a message asking to reboot, which I allowed. On rebooting, as usual, it tried to run a Disc Check which I cancelled. Also, as usual lately, Tweak.com, its Uninstall and its Registry Backup windows all opened and were closed by me. Then the SVCHOST went off-scale, earlier than recently, and I didn't catch it as soon as normal (in order to 'end [the] process') so left it running a minute or so to see if it would end on its own, before shutting down the whole system and rebooting again. I didn't get the message telling me the fix was complete and asking about opening the log; I copied it from the location in your post.

When I ran the FARBAR scan, I had the same boxes checked as before.

Below are the two logs you requested.




========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
C:\Documents and Settings\All Users\Application Data\arclib.dll moved successfully.
C:\WINDOWS\avgui.INI moved successfully.
========== FILES ==========
< net start sharedaccess /c >
The Windows Firewall/Internet Connection Sharing (ICS) service is starting.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start Dhcp Service /c >
The DHCP Client service is starting.
The DHCP Client service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start sharedaccess Service /c >
The Windows Firewall/Internet Connection Sharing (ICS) service is starting.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start Srservice Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start wscsvc Service /c >
The Security Center service is starting.
The Security Center service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start wuauserv Service /c >
The Automatic Updates service is starting.
The Automatic Updates service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 11082013_170520



Farbar Service Scanner Version: 24-10-2013
Ran by Tom (administrator) on 08-11-2013 at 17:21:47
Running from "C:\Documents and Settings\Tom\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Edited by TooNew2, 08 November 2013 - 07:53 PM.

  • 0



#26
23red

23red

    Trusted Helper

  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

Alrighty... Let's try this again:


OTL Fix

Please double click on Posted Image on your desktop to open OTL.

Under Posted Image
in the textbox at the bottom, please paste in the following text:

:Commands
[CreateRestorePoint]
:OTL
[2007/03/21 08:20:24 | 000,300,680 | ---- | C] (CA, Inc.) -- C:\Documents and Settings\All Users\Application Data\arclib.dll
[2013/03/03 20:14:39 | 000,000,036 | ---- | C] () -- C:\WINDOWS\avgui.INI
:Files
net stop Dhcp Service /c
net start Dhcp Service /c
net stop sharedaccess Service /c
net start sharedaccess Service /c
net stop Srservice Service /c
net start Srservice Service /c
net stop wscsvc Service /c
net start wscsvc Service /c
net stop wuauserv Service /c
net start wuauserv Service /c
ipconfig /flushdns /c
:Commands
[Reboot]

• Push the Run Fix button.
• OTL may ask to reboot the machine. Please do so if asked.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log (where mmddyyyy_hhmmss is the date of the tool run).
• A message box will pop up.
• Click the OK button and a report will open.
• Copy and paste that report in your next reply, please.


Please run Farbar Service Scanner as before, after OTL, and post those results also, please.

#27
TooNew2
    Member
  • Topic Starter
  • Member
  • 177 posts
Hello, 23red;

I did as instructed and again got the series of quickly appearing and disappearing Command windows followed by the request to Reboot.
The results were much the same as before except for not getting the three tweaking-related windows when reopening; this time I tried to catch the SVCHOST and close it at about the 3-minute mark, but it opened slightly faster and the closing again resulted in the left desktop icons being rearranged. The previous two reboots, the SVCHOST has reappeared a second time later on. The first time, I closed the whole system after the typing response got slow, but the last time I tried continuing to write this response in the site window and finally had to stop and reboot again. This time I’m drafting the response in MS Word to be copied onsite later.

Also, I again did not get the second message about the OTL Fix being complete. Any chance that window only normally appears if the system does not reboot?

BTW, I think sometimes the SVCHOST offscalling is related to the automatic updating of the Microsoft Security Essentials, which seems to not be possible to change or set to do manually. It seems not tied to the Windows Update or Microsoft Update control windows either.

Are you still researching my questions about using the original or some very early install/backup discs, or where the desktop icon arrangement files are?


Below are the requested files for OTL and FARBAR.



========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
File C:\Documents and Settings\All Users\Application Data\arclib.dll not found.
File C:\WINDOWS\avgui.INI not found.
========== FILES ==========
< net stop Dhcp Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start Dhcp Service /c >
The DHCP Client service is starting.
The DHCP Client service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net stop sharedaccess Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start sharedaccess Service /c >
The Windows Firewall/Internet Connection Sharing (ICS) service is starting.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net stop Srservice Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start Srservice Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net stop wscsvc Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start wscsvc Service /c >
The Security Center service is starting.
The Security Center service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net stop wuauserv Service /c >
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< net start wuauserv Service /c >
The Automatic Updates service is starting.
The Automatic Updates service was started successfully.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Tom\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Tom\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 11092013_180728



Farbar Service Scanner Version: 24-10-2013
Ran by Tom (administrator) on 09-11-2013 at 18:16:14
Running from "C:\Documents and setting\Tom\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".


System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
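As an added example (this is editor-supplied code, not part of the thread and not Farbar's or the forum's own tooling): a small Python parser for the Farbar Service Scanner log posted above and at the end of post #25. It pulls out the services FSS reports as not running, any configuration check that did not come back "OK" (the Srservice ServiceDll line, which FSS prints as a path rather than a verdict), any File Check entry whose MD5 is not reported legit, and it decodes the hex value under "Extra List" as a little-endian DWORD count followed by DWORD tags, then checks that every tag in the Gpc/IPSec/NetBT/PSched/Tcpip line appears in it. The sample log is constructed from the posted lines plus one made-up failed-hash entry; the exact wording FSS prints for a bad hash, and the reading of the hex value as the PNP_TDI GroupOrderList, are assumptions.

```python
import re
import struct

# Constructed sample: the lines below reproduce the shape of the Farbar Service
# Scanner (FSS) log posted in this thread, trimmed. The last File Check line is
# made up to show a failed hash check; the exact wording FSS prints for a bad
# hash is an assumption, so anything other than "MD5 is legit" is flagged.
FSS_SAMPLE = r"""
Farbar Service Scanner Version: 24-10-2013
Ran by Tom (administrator) on 09-11-2013 at 18:16:14
Microsoft Windows XP Home Edition Service Pack 3 (X86)

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\tampered_example.dll => MD5 is not legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
"""

# A healthy FSS log prints nothing under the service headings, so an empty
# "not_running" list is the good case.
SERVICE_RE = re.compile(r"^(\w+) Service is (not running|running)\.", re.M)
CONFIG_RE = re.compile(
    r'^The (start type|ImagePath|ServiceDll) of (\w+)'
    r'(?: service is (OK)|: "([^"]*)")\.$', re.M)
FILE_RE = re.compile(r"^([A-Za-z]:\\.+?) => (.+)$", re.M)
TAG_RE = re.compile(r"\b(\w+)\((\d+)\)")
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]+$", re.M)


def parse_services(log):
    """Map service name -> running flag plus the config checks FSS printed."""
    services = {}
    for name, status in SERVICE_RE.findall(log):
        services[name] = {"running": status == "running"}
    for kind, name, ok, path in CONFIG_RE.findall(log):
        # "OK" when FSS agreed with its reference, otherwise the path it saw
        services.setdefault(name, {"running": None})[kind] = ok or path
    return services


def parse_file_check(log):
    """Map file path -> verdict string from the File Check section."""
    return dict(FILE_RE.findall(log))


def decode_group_order(hex_value):
    """Decode the REG_BINARY tag list FSS dumps under 'Extra List'.

    Assumption: this is the GroupOrderList value for the PNP_TDI load-order
    group, a little-endian DWORD count followed by that many DWORD tags.
    """
    raw = bytes.fromhex(hex_value[2:] if hex_value[:2].lower() == "0x" else hex_value)
    if len(raw) % 4:
        raise ValueError("tag list is not a whole number of DWORDs")
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    count, tags = words[0], list(words[1:])
    if count != len(tags):
        raise ValueError("count %d does not match %d tags" % (count, len(tags)))
    return tags


def parse_tags(log):
    """Service -> tag map from the 'Extra List' line, e.g. IPSec(4) -> 4."""
    extra = log.partition("Extra List:")[2]
    return {name: int(tag) for name, tag in TAG_RE.findall(extra)}


def parse_group_order(log):
    m = HEX_RE.search(log)
    return decode_group_order(m.group(0)) if m else []


def summarize(log):
    """Everything in the log a responder should look at, in one dict."""
    services = parse_services(log)
    attention = {}
    for name, checks in services.items():
        odd = {k: v for k, v in checks.items() if k != "running" and v != "OK"}
        if odd:
            attention[name] = odd
    order = parse_group_order(log)
    return {
        "not_running": [n for n, s in services.items() if s["running"] is False],
        "config_attention": attention,
        "bad_hashes": [p for p, v in parse_file_check(log).items() if v != "MD5 is legit"],
        "tags_missing": [n for n, t in parse_tags(log).items() if t not in order],
    }


if __name__ == "__main__":
    for key, value in summarize(FSS_SAMPLE).items():
        print(key, "->", value)
```

On the posted log this reports Dhcp, sharedaccess, Srservice, wscsvc and wuauserv as not running with otherwise clean configuration, no bad hashes, and no missing tags, which matches the "IpSec Tag value is correct" line FSS itself prints. A "not running" service whose start type, ImagePath and ServiceDll all check out points at something stopping the service after boot rather than at a tampered binary, which is the distinction the helper's net stop/net start fix is probing.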

#28
23red
    Trusted Helper
  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

Desktop Icons:

When you right click on a blank section of your Desktop,

a small window pops up....

The top line in the window says Arrange Icons By.

Click on Arrange Icons By. It will aid in keeping the window open.....

Are there any items with a check mark by them?

If Auto Arrange is checked, Windows will put them in its order and make them stay there.

If not checked, you may put them anywhere you wish by dragging them.

If Align to grid is checked, they will only be allowed to be put in grid formation. Straight lines up and down.

If not checked, you may put them anywhere you wish by dragging them.

If no items are checked in this area, you should be able to put your icons where you wish and reboot and they should still all be where you left them.

There are settings also for Name, Size, Type and Modified.

If any are checked, they'll lock that way: by Name, Size, Type and Modified. If none are checked you may move them around. They will not arrange by Name, Size, Type and Modified.

Based on your query, if you want them to stay where you put them, make sure all items are unchecked.

Reboot for changes to take effect.

Move them where you want, Reboot again to check if they stay.

When you do that, right click on the Desktop again and make sure all items are unchecked.

Play with it :) Let me know how it goes.


I'd like you to please run a rootkit scan:



ASWMBR

• Download aswMBR.exe to your desktop.

• Double click the aswMBR icon on your Desktop.

• It may ask if you want it to Download latest virus definitions at startup. Click Yes.

• Click the Scan button to start the scan.

• On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


When you return, please let me know how your icons are doing and post the aswMBR scan log.

Thank you :)

#29
23red
    Trusted Helper
  • Malware Removal
  • 1,797 posts
Hi TooNew2 :)

In addition I'd like to check something:

Create another user and see if it runs more efficiently:

Create New User

1. Log in to Windows with your regular account.

2. Click Start ~> Control Panel ~> Double click User Accounts

3. Click Create new account

4. Type a name for the account, then click Next

5. Pick an account type: Computer Administrator

6. Click Create Account

7. Reboot into that account, browse around, and let me know how it runs compared to your normal account at this time.

Thank you :)

#30
TooNew2
    Member
  • Topic Starter
  • Member
  • 177 posts
Hello and thanks again, 23red;


Yes, I am familiar with the Desktop Menu and do use the “Align to Grid” and “Show Desktop Icons” options, but no others. My normal icon arrangement includes the leftmost four columns being filled except for one empty space in the sixth row of the third column, and some icons on the top of the fifth column. When I need to “End Process” for that one largest SVCHOST.EXE and do it quickly, about one minute later the screen ‘blinks’ twice and the items in the Taskbar, which are normally white letters on a blue background, momentarily change to black on white and then go back to normal.
If I am not quick enough, both of these happen but also the icons on the lower part of those first four columns drop down one or more spaces or move to the top of the next-to-the-right column, resulting in the sixth row from the top being empty in those first five columns. Almost as if the system didn’t “see” that row … but it doesn’t happen to icons on the right or middle of the screen.
On the few occasions when all the icons have been rearranged, I assumed the desktop arrangement file had been lost or disabled so the system reverted to some default arrangement. This only happened if I ended the SVCHOST well into its ‘offscaling’ but not if I close the whole system instead.
In either case, once the icon arrangement has been changed, it will remain in that changed arrangement when I reboot, showing the file has been permanently modified by my ending the runaway SVCHOST process. I have been manually dragging the icons back to the wanted position each time this unwanted rearrangement has occurred.

I set up a new user account and then shut the whole system down and restarted. I still first get the usual attempt at disc checking, and after selecting the new account but before doing anything else besides opening Task Manager, get the SVCHOST.EXE offscaling again. When I quickly “End Process” for it there, log off and “Switch Users” to my old account without restarting, the SVCHOST problem is not reoccurring (so far), indicating it’s a system problem rather than being tied to the user account.
So far, I haven’t done any browsing on the new account. Will try to get to that later today, if it's still wanted.

I noticed the new scan indicates it found some Malware, an “infected” “agrsmdel.exe” file.
Here is the log of that scan.


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-11-11 15:23:21
-----------------------------
15:23:21.453 OS Version: Windows 5.1.2600 Service Pack 3
15:23:21.453 Number of processors: 1 586 0x2402
15:23:21.453 ComputerName: ACER-2E68C49B20 UserName: Tom
15:23:22.015 Initialize success
16:08:45.734 AVAST engine defs: 13110901
19:09:29.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:09:29.843 Disk 0 Vendor: TOSHIBA_MK1031GAS AA204A Size: 95396MB BusType: 3
19:09:30.015 Disk 0 MBR read successfully
19:09:30.015 Disk 0 MBR scan
19:09:30.125 Disk 0 unknown MBR code
19:09:30.156 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 3004 MB offset 63
19:09:30.171 Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 46084 MB offset 6152895
19:09:30.593 Disk 0 Partition - 00 0F Extended LBA 46304 MB offset 100534770
19:09:30.640 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 46304 MB offset 100534833
19:09:30.656 Disk 0 scanning sectors +195366465
19:09:30.812 Disk 0 scanning C:\WINDOWS\system32\drivers
19:10:04.578 Service scanning
19:10:20.781 Service MpKsl77a6eaae C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17319910-F8FC-4ABA-9FAC-D9AF13131373}\MpKsl77a6eaae.sys **LOCKED** 32
19:10:40.515 Modules scanning
19:10:48.609 Disk 0 trace - called modules:
19:10:48.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:10:48.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865cfab8]
19:10:48.656 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006c[0x865d6210]
19:10:48.671 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8655d940]
19:10:49.187 AVAST engine scan C:\WINDOWS
19:10:52.875 File: C:\WINDOWS\agrsmdel.exe **INFECTED** Win32:Malware-gen
19:11:37.703 AVAST engine scan C:\WINDOWS\system32
19:14:11.265 File: C:\WINDOWS\system32\agrsmdel.exe **INFECTED** Win32:Malware-gen
19:15:22.328 AVAST engine scan C:\WINDOWS\system32\drivers
19:15:47.046 AVAST engine scan C:\Documents and Settings\Tom
19:30:55.671 AVAST engine scan C:\Documents and Settings\All Users
19:45:59.890 Scan finished successfully
19:52:04.281 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Tom\Desktop\MBR.dat"
19:52:04.296 The log file has been saved successfully to "C:\Documents and Settings\Tom\Desktop\aswMBR.txt"



I’ve been ‘carving’ a large Redwood trunk into huge planks and hauling them home, so have sore wrists. Would have been easier :lol: to have carved the standing trunk into a large GEEK totem pole in honor of the volunteers here! :cheers:

Thanks again!

--------------------------

5:10 PM

[I decided to add to this last post rather than start a new one since the second one would end up on a new "page" and the first might be overlooked; in any case, this puts them both together.]

------------------


Hello again, 23red;

Well, I tried using the new user account some more and aside from needing to set various user preferences, etc. I see no great difference between it and my normal account.

On both accounts, I am getting lots of activity from MSMPENG.EXE even though I currently have Windows Defender disabled. Is this process also part of the Microsoft Security Essentials? On two or three occasions today when I checked the Task Manager, I saw high activity there shortly before the largest System SVCHOST went permanently off scale and I needed to shut the system down. In fact, it just did it again as I typed this but this time I watched the TM while it happened and tried to end the SVCHOST process quickly...and was too late. My Icons are again reorganized (i.e. with an open 5th row on the left).
I am again wondering if this occurred while MSE was (at least in this case) updating.

Can't think of anything else of significance to report.

Edited by TooNew2, 13 November 2013 - 07:53 PM.

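As an added example (editor-supplied, not part of the thread and not AVAST's or the forum's own code): a Python parser for the aswMBR log posted above that extracts the findings a responder actually acts on. It records the MBR code verdict per disk, rebuilds the partition table from the "Partition" lines, lists every **INFECTED** file and every **LOCKED** driver, and then produces a short triage list: an "unknown MBR code" verdict (OEM recovery MBRs, like the one that goes with this disk's type 12 vendor-diagnostic partition, are a common benign cause, and the MBR.dat the tool saved is what to compare against a known-good image), more or fewer than one active partition, partitions whose sector ranges overlap (sizes in the log are rounded to whole MB, so this is approximate), and generic heuristic detections such as Win32:Malware-gen, which warrant a hash and signature check before anything is deleted. The sample log is constructed from the posted lines, trimmed.

```python
import re

# Constructed sample: copied from the aswMBR log posted above, trimmed to the
# entries the parser cares about.
ASWMBR_SAMPLE = r"""
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-11-11 15:23:21
-----------------------------
15:23:21.453 OS Version: Windows 5.1.2600 Service Pack 3
19:09:29.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:09:29.843 Disk 0 Vendor: TOSHIBA_MK1031GAS AA204A Size: 95396MB BusType: 3
19:09:30.015 Disk 0 MBR read successfully
19:09:30.015 Disk 0 MBR scan
19:09:30.125 Disk 0 unknown MBR code
19:09:30.156 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 3004 MB offset 63
19:09:30.171 Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 46084 MB offset 6152895
19:09:30.593 Disk 0 Partition - 00 0F Extended LBA 46304 MB offset 100534770
19:09:30.640 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 46304 MB offset 100534833
19:09:30.656 Disk 0 scanning sectors +195366465
19:10:20.781 Service MpKsl77a6eaae C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{17319910-F8FC-4ABA-9FAC-D9AF13131373}\MpKsl77a6eaae.sys **LOCKED** 32
19:10:52.875 File: C:\WINDOWS\agrsmdel.exe **INFECTED** Win32:Malware-gen
19:14:11.265 File: C:\WINDOWS\system32\agrsmdel.exe **INFECTED** Win32:Malware-gen
19:45:59.890 Scan finished successfully
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (.*)$", re.M)
INFECTED_RE = re.compile(r"^File: (.+?) \*\*INFECTED\*\* (\S+)$")
LOCKED_RE = re.compile(r"^Service (\S+) (.+?) \*\*LOCKED\*\* (\d+)$")
# "Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 46084 MB offset 6152895"
PART_RE = re.compile(
    r"^Disk (\d+) Partition (\S+) ([0-9A-F]{2}) (\(A\) )?([0-9A-F]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$")
MBR_RE = re.compile(r"^Disk (\d+) (.*MBR code.*)$")
SECTORS_PER_MB = 2048  # 512-byte sectors


def parse_aswmbr(log):
    """Pull MBR verdicts, partitions, detections and locked drivers from a log."""
    out = {"mbr_code": {}, "partitions": [], "infected": [], "locked": [], "finished": False}
    for _ts, msg in LINE_RE.findall(log):
        m = INFECTED_RE.match(msg)
        if m:
            out["infected"].append((m.group(1), m.group(2)))
            continue
        m = LOCKED_RE.match(msg)
        if m:
            out["locked"].append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = PART_RE.match(msg)
        if m:
            out["partitions"].append({
                "disk": int(m.group(1)), "index": m.group(2),
                "active": bool(m.group(4)), "type": m.group(5), "desc": m.group(6),
                "size_mb": int(m.group(7)), "offset": int(m.group(8)),
            })
            continue
        m = MBR_RE.match(msg)
        if m:
            out["mbr_code"][int(m.group(1))] = m.group(2)
        elif msg == "Scan finished successfully":
            out["finished"] = True
    return out


def overlapping_partitions(partitions):
    """Pairs of partition indexes whose sector ranges overlap.

    Extended containers (05/0F) are skipped because their logical partitions
    live inside them by design. Sizes are rounded to whole MB in the log, so
    the check is approximate.
    """
    real = sorted((p for p in partitions if p["type"] not in ("05", "0F")),
                  key=lambda p: (p["disk"], p["offset"]))
    hits = []
    for a, b in zip(real, real[1:]):
        if a["disk"] == b["disk"] and a["offset"] + a["size_mb"] * SECTORS_PER_MB > b["offset"]:
            hits.append((a["index"], b["index"]))
    return hits


def triage(parsed):
    """Human-readable follow-up items, one per finding."""
    notes = []
    for disk, text in parsed["mbr_code"].items():
        if text.startswith("unknown"):
            notes.append("disk %d: %s; compare the saved MBR.dat with a known-good "
                         "or vendor recovery MBR before treating it as a bootkit" % (disk, text))
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        notes.append("%d active partitions found, expected 1" % len(active))
    for a, b in overlapping_partitions(parsed["partitions"]):
        notes.append("partitions %s and %s overlap" % (a, b))
    for path, verdict in parsed["infected"]:
        notes.append("%s: %s; generic heuristic verdict, verify hash and signature "
                     "before deleting" % (path, verdict))
    for name, path, _ in parsed["locked"]:
        notes.append("locked driver %s (%s): confirm it belongs to an installed "
                     "security product" % (name, path))
    if not parsed["finished"]:
        notes.append("scan did not finish; results are partial")
    return notes


if __name__ == "__main__":
    for note in triage(parse_aswmbr(ASWMBR_SAMPLE)):
        print("-", note)
```

Run against the posted log this yields four items: the unknown MBR code, the two agrsmdel.exe detections, and the locked MpKsl driver (whose path under Microsoft Antimalware\Definition Updates is consistent with the Microsoft Security Essentials install from earlier in the thread). The partition table itself is consistent: one active partition, and no overlap between the diagnostic partition, the boot partition and the logical partition.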