Hello-
I'm a newbie; found you folks via googling when things went south. It's obvious you know your stuff... so:
I followed all of Howard's instructions at https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/. Logs are attached.
Any help would be appreciated- I'm not even sure what went wrong, and am not sure now if I have a keylogger or something, particularly because of the mystery FAD.sys that was found but does not scan as a virus. Other files often associated w/FAD.sys I cannot find on my system... so I don't know what to think.
Thanks for any help!
Neil
Details:
I run symantec firewall & antivirus, always updated, always have windows updates, etc- pretty paranoid. But:
No problems before I tried this update. But I had been surfing/working/email etc for hours before trying to update, so it's possible this is not just a microsoft glitch.
After trying Microsoft update Tue, the update failed- while searching for my updates, the system would freeze. Tried again. Failed again. Each time, due to some svchost.exe process eating up 100% processor time. Deleting that process restored things to working, but it got worse- couldn't do the update, then it started just happening when I rebooted, even if I just used Firefox. Deleting the svchost process that was eating the 100% always solved things.
When svchost was going nuts, it read (using command/tasklist /svc):
svchost.exe process #200 “services” are “Audiosrv, Browser, Cryptsvc, Dhcp, EventSystem, helpsvc, lanmanserver, lanmanworkstation, Netman, NLA, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv”.
After killing that process, it would restart (without using too much bandwidth); then it would read:
svchost.exe proc #2204 “services” are “EventSystem, helpsvc, RasMan, Schedule, SENS, TapiSrv, Themes, winmgmt”.
Did a Windows Defender quick scan. Nothing found.
Ran Microsoft's security analyzer/online thing, which found no bad files but did fix 347 registry entries... of course, I've never looked at my registry, and the computer's 2 years old with many things installed & uninstalled, so I don't know if that's unusual.
After that, I was able to do Office Update (nb: this was hours later; maybe microsoft got things working by then?). Then Microsoft Update for the XP part (I have XP SP2). Then a virus scan, which showed nothing (Symantec or Windows Defender). Svchost would use up 100%, then drop back down (it did not before- once at 100% it stayed there).
Being paranoid, I started searching the web for svchost issues, found a thread here, and it led me to follow all the instructions.
Everything was basically clean, as far as I can tell, except that ComboFix found (& quarantined) FAD.sys in c:/windows/system32/drivers. When I scan the quarantined file w/Symantec, though, it does not read as a virus or anything.
All logs attached (well, the five most interesting; let me know if you need the others & I'll post them. Only allowed 5 at a time). Not sure what to make of this, and I'd appreciate it if someone could take a look and tell me if I'm compromised. The file "whatIdid.txt" lists everything in the order I did it, & distinguishes the HijackThis (before) and (after) files.
Many thanks!
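The post attributes the 100% CPU to "some svchost.exe process" and then kills it, and it finds a driver (FAD.sys) that AV reports as clean. The script below is an added example, not from the original post or its replies: it maps each svchost.exe to the services it hosts (the same information as `tasklist /svc`, with CPU time alongside) so the responsible service can be identified instead of the whole host process being killed, and it checks whether a named driver file in system32\drivers carries a valid Authenticode signature and records its hash for comparison against a trusted source. It assumes an elevated PowerShell 4 or later (Get-FileHash); the driver file name is a parameter and defaults to the name in the post.

```powershell
# Added example (not the original poster's code). Assumes an elevated PowerShell 4+.
param([string]$DriverName = 'FAD.sys')   # file name taken from the post; change as needed

# Running services grouped by the PID that hosts them (Win32_Service exposes ProcessId)
$svcByPid = Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    Group-Object -Property ProcessId

function Get-SvchostReport {
    # One row per svchost.exe: PID, CPU seconds consumed so far, hosted service names
    Get-Process -Name svchost | ForEach-Object {
        $p   = $_
        $grp = $svcByPid | Where-Object { [int]$_.Name -eq $p.Id }
        [pscustomobject]@{
            PID      = $p.Id
            CPUSecs  = [math]::Round($p.CPU, 1)
            Services = if ($grp) { ($grp.Group | ForEach-Object { $_.Name }) -join ', ' } else { '(none)' }
        }
    } | Sort-Object CPUSecs -Descending
}

Get-SvchostReport | Format-Table -AutoSize

# Driver check: an unsigned or untrusted file in system32\drivers deserves attention
# even when the AV scan of the file comes back clean.
$path = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
if (Test-Path $path) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    "{0}: signature={1} signer={2} sha256={3}" -f $path, $sig.Status, $signer, $hash
    # Compare the hash with the vendor's copy or a reputation service before deciding anything.
} else {
    "$path not present (already quarantined or removed?)"
}
```

A svchost that holds the CPU after the report shows wuauserv among its services points at the update client itself; one whose hosted list changes after a restart (as in the post) is worth comparing run to run.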