Clean scans after Antivirus Pro 2009, now what?

Status
Not open for further replies.

Husky44

Posts: 28   +0
Follow on from Sunday's posts below: I performed the 8 steps successfully. I just ran MBAM and SAS again. Scans came up clean (See attached). Now to my 2 remaining questions:

1) I still have a svchost.exe file running that's consuming all available CPU capacity (99% in task manager). How do I stop this?

2) When I go to shut down using the "Turn Off" button (Windows XP Home Edition), I have a small shield like the Windows Security Manager logo on the upper right corner of the button along with a statement that says "Click Turn Off to install important updates and turn off your computer". Is this legit? Antivirus Pro 2009 counterfeited the Security Manager logo, so I'm a little leery of using this.

Is there anything I need to do to correct these two (possibly related, since they occurred after my infestation) problems? Is there anything else I should run?

Thanks for all the help! This has been a great site to find!

Greg
 

Attachments

  • mbam-log-2008-11-18 (20-09-53).txt
    835 bytes · Views: 6
  • SUPERAntiSpyware Scan Log - 11-18-2008 - 21-25-07.log
    465 bytes · Views: 6
Good job!

Yes that is a legit process for windows to ask for a Shutdown to install some updates. And will not install them if you reboot. So do it!

Now for the Svchost the following will show what each svchost is running and from where (perhaps a rogue running from wrong location)

Drag the mouse and copy all inside the box below (notice the slider)
Code:
@echo off
cd\
attrib svchost.exe /s >"%USERPROFILE%"\Desktop\Tasklist.txt
%SystemRoot%\system32\cmd.exe /c %windir%\system32\tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
exit
exit
Then open a CMD prompt and paste directly to the black screen; it should close the CMD prompt.

Now there is a new icon on the desktop Tasklist.txt. Post back contents of both!

Mike
 
Mike: Thanks for the response. Ran the Windows updates. Also ran the command prompt script you provided above. You said "Post back contents of both". I've attached the text file produced, but not sure what else you were expecting?

Thanks,
Greg
 

Attachments

  • Tasklist.txt
    161 bytes · Views: 7
Is the high CPU hog still present??

Do the copy paste again as it did not run correctly, my mistake!

Code:
@echo off
cd\
attrib svchost.exe /s >"%USERPROFILE%"\Desktop\Tasklist.txt
tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
exit
exit

Then resend!

Mike
 
Not sure when you said "my mistake", if you wanted me to run the new script or the old one.

I couldn't attach the 2 task lists. It kept saying I'd already attached them, no matter what I named them. Here are the contents, pasted in:

First one was with the original script:
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe
A C:\WINDOWS\system32\svchost.exe


Second one is with the new script:

C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
C:\WINDOWS\ServicePackFiles\i386\svchost.exe
A C:\WINDOWS\system32\svchost.exe


Hog is present; when I ran the script prior to the first reply, I forgot to restart my machine first, so I'd already killed it in task manager before I ran the script.

Thanks again.
 
For some reason it is having a problem running the below line. Paste it to the cmd prompt and let me know the results.

Code:
tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
exit

Mike

Edit: You have XP Home and Tasklist comes only with XP Pro. But works just fine in Home.

Go here and download it: http://www.computerhope.com/download/winxp/tasklist.exe

Once downloaded move it to the Windows folder.
Then run the paste operation again.

svchost can run multiple processes under cover. This will show us what.

Actually, run it with the hog running. Kill the hog and run it again and we can see the before and after.

Mike
 
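A way to check the Tasklist.txt that the batch snippet above writes, as an added example that is not from the thread: it reads the attrib /s lines and the tasklist /svc table, flags svchost.exe copies outside the three directories Greg's output shows, and flags running svchost instances that host no service. The sample file content is constructed.

```python
"""Added example: parse the Tasklist.txt that the thread's batch snippet writes
(attrib /s lines, then tasklist /svc output) and flag svchost.exe copies outside
the directories Windows keeps them in, plus svchost instances hosting no service."""
import re

# Directories where XP legitimately keeps svchost.exe (the three in Greg's output).
KNOWN_DIRS = {r"c:\windows\system32", r"c:\windows\servicepackfiles\i386",
              r"c:\windows\$ntservicepackuninstall$"}

# Constructed sample of the file; the Temp copy and the PID 2716 row are made up.
SAMPLE = """\
C:\\WINDOWS\\$NtServicePackUninstall$\\svchost.exe
C:\\WINDOWS\\ServicePackFiles\\i386\\svchost.exe
A          C:\\WINDOWS\\system32\\svchost.exe
A          C:\\WINDOWS\\Temp\\svchost.exe

Image Name                    PID Services
========================= ======== ==============================
System Idle Process              0 N/A
svchost.exe                    944 RpcSs
svchost.exe                   1032 AudioSrv, Browser, CryptSvc, Dhcp
svchost.exe                   2716 N/A
"""

def svchost_copies(text):
    """Return [(path, is_unexpected)] for every svchost.exe the attrib lines list."""
    found = []
    for line in text.splitlines():
        m = re.search(r"([A-Za-z]:\\.*\\svchost\.exe)\s*$", line, re.IGNORECASE)
        if m:
            directory = m.group(1).rsplit("\\", 1)[0].lower()
            found.append((m.group(1), directory not in KNOWN_DIRS))
    return found

def parse_tasklist(text):
    """Return {pid: (image, services)}, using the ===== line to fix column widths."""
    lines = text.splitlines()
    sep = next((i for i, l in enumerate(lines) if l.startswith("=")), len(lines))
    rows = {}
    for line in lines[sep + 1:]:
        w_img, w_pid = (len(c) for c in lines[sep].split()[:2])
        pid = line[w_img + 1:w_img + 1 + w_pid].strip()
        if pid.isdigit():
            rows[int(pid)] = (line[:w_img].strip(), line[w_img + w_pid + 2:].strip())
    return rows

def empty_svchosts(rows):
    """PIDs of svchost.exe hosting no service; a real one normally loads service DLLs."""
    return sorted(pid for pid, (img, svcs) in rows.items()
                  if img.lower() == "svchost.exe" and svcs == "N/A")
```

Run it against the real Tasklist.txt by reading the file into `text` and calling the three functions; anything flagged is what to look at in Task Manager with the PID column turned on.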
That made a difference!

Files attached. The one I thought would be the hog wasn't. Thanks for all your help!
 
OK the process you killed PID (Process ID) #2716 was a cmd prompt.

Likely running in the background. Did you kill a svchost or a cmd?

Go back into taskmgr, click View, then Select Columns. Then make sure the boxes beginning at PID and the next 5 are checked. This will allow you to see the PID and more info. Note: PIDs can change after a reboot, but will stay the same unless stopped and restarted.

OK I need to take a deep look at your startups.

So do the below:

http://www.tombraiderhub.com/download/ardiag.exe
When run, give it a couple of minutes; it will produce a text file. Post the contents back here.

Mike
 
This may assist in dealing with what you are seeing: Looking over your Tasklist: Identifying the processes:
And a note on using the msconfig utility:
After Start> Run> msconfig> Selective Startup> Startup tab> UNCHECK the processes you don't want to start on boot> Apply> OK> Reboot> you will get a nag message that can be ignored and closed after checking 'don't show this message again'. You must remain in Selective Startup to retain the changes. Anytime you make a change this way, the nag message presents on the reboot and can be handled the same.
A note on changing the Startup Type for a Service:
Start> Run> services.msc> right click on the Service> Properties> make the change on the Startup Type> ALWAYS check the 'Dependency tab'
Norton processes: There are processes running from three different versions of Norton:
1. DefWatch.exe: another, but different version of Norton> Norton Anti-Virus Corporate Edition> Detects out-of-date virus definitions for and runs the Defwatch Wizard. Only required if you don't update the virus definitions manually on a regular basis
2. ccEvtMgr.exe : Part of Norton AntiVirus 2003.
CTSVCCDA.EXE 1060 Creative Service for CDROM Access
3. ccSetMgr.exe : Part of Norton AntiVirus 2004 Known to be high resource user.
4. ccApp.exe - OK. For the AV
All related to HP Digital Imaging. None need to be on Startup:
Most if not all the HP "helper" programs are not necessary - some make it a bit easier to access HP provided features by placing an icon to access them in the taskbar.
Start - Run - type: msconfig (press Enter)> Selective Startup> Startup tab - you can disable all of the HP processes listed there. You can always use msconfig to enable them again if you find something you need isn't working.
5. svchost.exe : hpqcxs08> this is for HP Solutions. Resetting the Service (hpqddsvc) to Manual instead of Automatic will stop the process from running at startup but allow it to launch manually when needed.
6. hpqtra08.exe: HP Digital Imaging Monitor > does not need to run unless you are using it.
7. hpqste08.exe : HP Imagine> does not need to startup
Relating to Java:
8. jqs.exe: JavaQuickStarterService> can be Disabled.
Start> Run> services.msc> right click on the Service> Properties> set Startup type to Disabled
9. jusched.exe: Java updater. Disable as follows:
Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> answer Yes when asked if you're sure> Apply> OK
How to turn off Machine Debug Manager in Office XP
10. mdm.exe : machine debug manager>
# Open Internet Explorer.
# On the Tools menu, click Internet Options.
# Click the Advanced tab.
# Click to select the Disable script debugging check box, and then click OK.
# Close Internet Explorer.
11. ZuneBusEnum:Zune Bus Enumerator aids in wireless sync> Service can be set to Manual Startup
12. BCMSMMSG.exe : BCM voicemodem driver. Required for dial-up if you have one of these modems
The following are all related to CyberPatrol Internet Security Software.
Known to be high resource users:
13. cpserver.exe
14. cpACtrl.exe
15. cpCCtrl.exe
16. CPHQ.exe
17. cpkbinst.exe : Comodo Firewall
18. CTSysVol.exe : Creative Volume Manager.> only needed when using Creative.
19. ctfmon.exe> Office
20. GoogleToolbarNotifier.exe> updates. Should be disabled and removed from Registry.
21. msmsgs.exe: Messenger
22. wcescomm.exe: Active sync for use with Windows CE based palm PC
23. rapimgr.exe : Microsoft ActiveSync Module> noted for excessive use of resources.
24. iPodService.exe: This service is used by iTunes for using your iPod. If you do not use iTunes you can disable this service. It does not need to start on boot.
25. iexplore.exe: Internet Explorer
26. wmiprvse.exe: Windows Management Instrumentation Provider Service.
Please see the information on the site below about this process. It is not usually seen in the Task Manager: http://searchtasks.answersthatwork.com/tasklist.php?File=WMIPrvSe
27. taskmgr.exe: running now
28. cmd.exe: Command Prompt. Has its uses but should only be listed when being used.
29. tasklist.exe : the extra program you're running to learn what these processes are.

This is only meant to be a guide for you. All of the processes ARE legitimate but many of the processes listed here do NOT need to start on boot. They can be UNCHECKED on Startup and/or their Service can be reset to Manual.

NOTE: As noticed, I have not dealt with those processes showing as svchost.exe.
 