Svchost being naughty: What do you think?

Status
Not open for further replies.
Sorry for the late reply.

The two files have been removed. Checking the checksum of the quarantined version of the msxmle file shows a match to the one on the page you mentioned, LookinAround.

@Momok, The reason for that is mostly because I can read them myself, or the logs show nothing out of the ordinary. SuperAntiSpyware and Malwarebytes come up clean, and the one HJT log that is in this thread is more or less current.
 
Then I'd have to request a ComboFix log, as clearly the infections do not show up on the existing logs. ComboFix tends to show more in-depth information through its scanning; oftentimes other programs are not able to detect these.
 
Ooh, ComboFix. I haven't heard that one in a while.

Will do.

Notes about the scan: I ran it from the administrator account, and I forgot to install the recovery console, but that has since been rectified.
 
Hi madboyv1

If you wouldn't mind, I have another request please.
As of now, as I understand it, the 2 malware files have been removed and the correct spoolsv is in place. Yes? Aside from asking you to do a little "housekeeping", I would also like to verify something I believe about spoolsv.exe to determine consistency. So, if OK, could you:
  1. Please start by rebooting
  2. Start->Run, services.msc, scroll to the Print Spooler service. Confirm its Status = Started and Startup Type = Automatic. If not, change Startup Type = Automatic. Close Services.
  3. Open CCleaner.
    • In the left margin it says Registry. Click it. (CCleaner does non-aggressive registry cleanup. I've never had any problem with it.)
    • Click Registry Integrity (and make sure all boxes beneath it are checked)
    • Click Scan For Issues. When it prompts if you want to backup, say yes and give a directory. Let it clean/fix all the registry items.
    • Repeat the steps to clean the registry until CCleaner reports nothing to fix
  4. When all of the above is complete, could you run HJT again and attach the result here
  5. THANKS!
 
I only found this entry (it's a hidden folder) that should be deleted. Otherwise, your log looks clean.

C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
 
@LookinAround: The Spooler service was set as it should be. CCleaner is my friend; I use its registry cleaner all the time. :p See the attached HJT that you requested.

@Momok: I saw that a long time ago too, I was wondering what that was, but never did anything with it. It is deleted now.
 
Are you referring to a new HJT for me? I didn't see it in your post.

(and glad to know of your existing affinity to CCleaner as well as the Explorer settings discussed a few posts ago) :grinthumb
 
!!GOTCHA!!

I overlooked a subtlety when first helping with your problem. But now that we know the answer... wanted to go back and double check.

The tip-off: the Spooler service doesn't go through the typical startup process like your normal startups. Look at the O23 (i.e. startup) entries in your clean HJT log. !!THERE IS NO O23 ENTRY FOR spoolsv.exe!!

BUT not so for the logs from when you had the infection:
you'll find an O23 entry for spoolsv.exe (which is how the clever little devil gets started).
 
Ha ha, you must have had great satisfaction in catching that. :)

Now if I could get an answer about the hard drive issue I posted in storage and networking, I'd be an extra happy fellow.

Thanks a lot guys for the help.
 
Hi,

Please see http://www.castlecops.com/o23list-770.html on the O23.

It is actually a legit entry; not sure why it was fixed or gone now. Previously, the problem you had was a corrupt/infected(?) spoolsv.exe file. But now that you have replaced the file, the service can be reset to start normally.
 

Now that's interesting.....

momok:

I originally started down this path while looking at madboyv1's problem. I noticed I didn't have an O23 Spooler entry on my own HJT log.

After your post, I took another look at my HJT log and see HJT doesn't show any of the many Windows service startups!

So now, I'm guessing, HJT only reports an O23 startup if it does NOT match an MS startup. Which leaves a big question about the Castle Cops entry about spoolsv.exe.

Perhaps spoolsv.exe might sometimes be legitimately replaced by a vendor version? But even if so, the Castle Cops info (as it is currently worded) invites a security leak? I dunno... Thoughts? Will see if I can follow up.
 
Actually that's not true. What HJT lists is the settings for 23 areas (that's why F1 - O23) where programs/services/processes are loaded on Windows boot-up. If it does not show up, it simply means that the service is not set to start automatically. Having many startup services and entries (O4s, O23s etc.) will naturally slow down Windows boot-up time, that's all.

Thus the entry in his HJT log is definitely legit, just that the file itself was either corrupted or infected. Infections that work this way (by copying malicious code onto existing legit files) are very rare though.
 
Every service defined with a Startup Type = Automatic is started on system boot. (You can get a nice report using ServiWin. Make sure its "View" is for services, as you can also have it display your drivers.)

It doesn't appear HJT lists Windows' own services (thankfully). I created a list of services on my system and trimmed it to show all the MS Windows services started on boot-up (i.e. Startup Type = Automatic). (See attached.)

/************ EDIT ****************/
Which is why one should look closely at an HJT entry for spoolsv.exe
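The following PowerShell script is an added example, not code from anyone in this thread. It covers two things discussed above: the Print Spooler check in LookinAround's step 2 (Status = Started, Startup Type = Automatic), and the point that every Automatic service starts at boot whether or not HJT shows an O23 line for it. It assumes the legitimate spooler lives at %SystemRoot%\System32\spoolsv.exe (the default on a stock Windows install); the `Get-ServiceImagePath` helper is mine, not a built-in cmdlet.

```powershell
# Added example, not from the thread. Assumption: on a default install the real
# spooler binary is $env:SystemRoot\System32\spoolsv.exe.
$expectedSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments;
    # keep only the executable so it can be compared and signature-checked.
    if ($PathName -match '^\s*"?([^"]+?\.exe)"?') { return $Matches[1] }
    return $PathName
}

# Step 2 of the checklist: Print Spooler should be Running and set to Auto.
$spooler = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
'Print Spooler: State={0} StartMode={1} Path={2}' -f $spooler.State, $spooler.StartMode, $spooler.PathName
if ($spooler.StartMode -ne 'Auto' -or $spooler.State -ne 'Running') {
    Write-Warning 'Print Spooler is not Running/Automatic; fix it in services.msc before re-checking.'
}

# The thread's lesson: look closely at the spoolsv.exe actually registered for the service.
$spoolerExe = Get-ServiceImagePath $spooler.PathName
if ($spoolerExe -ine $expectedSpooler) {
    Write-Warning "Spooler image path is '$spoolerExe', expected '$expectedSpooler'. Inspect it."
}

# A genuine spoolsv.exe is Microsoft-signed (via the Windows security catalog).
Get-AuthenticodeSignature -FilePath $spoolerExe |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# Every service with StartMode=Auto starts at boot, HJT O23 line or not.
# List them with their image paths so anything outside the Windows directory stands out.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
    Select-Object Name, DisplayName, State,
        @{ n = 'ImagePath';      e = { Get-ServiceImagePath $_.PathName } },
        @{ n = 'OutsideWindows'; e = { (Get-ServiceImagePath $_.PathName) -notlike "$env:SystemRoot\*" } } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. On modern Windows the signature check reports Valid for a catalog-signed spoolsv.exe; on the XP-era systems this thread is about, older PowerShell versions did not consult catalogs and may report NotSigned for a perfectly good file, so treat the path comparison and a file hash checked against a known-good copy (as madboyv1 did with the quarantined file) as the more reliable signals there. A service whose image path is not the expected one, or whose ImagePath sits outside the Windows directory, is what deserves the "look closely" treatment.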
 