View Full Version : Worm/Virus removal help needed SVCHOST.EXE


PDACPA
03-17-2005, 12:00 PM
I have spent way too much time trying to resolve this one issue on a workstation. It has what I believe to be the Bagle.BB or a variation.

The system basically runs a process called svchost.exe (yes, it is spelt right, as I know there is a worm that reverses the c and v) that consumes 99% of the CPU power. It makes the PC extremely SLOW! It also blocks access to www.trendmicro.com, www.mcafee.com, www.symantec.com etc. You get a "cannot find the page" screen. However, some pages do show up. You also cannot STOP the process; it gives a message that it cannot be stopped.

I believe it is in the registry and loads itself even when going into safe mode. I have run as many virus, trojan, worm removal programs.

I have read a variety of web postings on how to remove the worm/virus and none of the "files" or "dll's" show up in my registry in the place that they say they do.

I also read that reinstalling Windows XP Pro won't fix it as it is in the registry.

I considered trying to find a "Rescue Disk" to boot with, but since I cannot find the malicious files in the registry, not sure what I could run.


Any help, advice would be appreciated.

classicsoftware
03-17-2005, 12:19 PM
For more information, please read This article (http://www.f-secure.com/v-descs/bagle_bb.shtml)

Then go to Here (http://www.subratam.org/?page=removal) and download HijackThis and Killbox.

Install HJT and post a log back here as a response to this thread

PDACPA
03-17-2005, 12:29 PM
Thanks Classic. I had read that website link about the Bagle. But it had no fix.

Here is the Hijack log from that pc.

Thanks for your help

Logfile of HijackThis v1.99.1
Scan saved at 11:20:59 AM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\csifcsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system\rhhfjn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\PDACPA\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PC Doc Pro - 3.1] C:\Program Files\PC Doc Pro\pcdocpro.exe /m
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\calsp.dll' missing
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com/activex/PlaxoInstall.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_785/sdcregie.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://eformrs.com/RSLoginModule.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22e4523a88546257bc00/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.289/qboax7.cab
O16 - DPF: {DE0FA400-8EF7-11D3-8795-00A0C9EF9624} (RSFPageSave Class) - https://eformrs.com/FormOpen/RSFSave.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0022.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tr.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Creative Solutions - C:\WINDOWS\csifcsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

PDACPA
03-17-2005, 12:32 PM
Not sure what I am to do with Killbox.

I have it loaded though.

classicsoftware
03-17-2005, 01:49 PM
We may need to use Killbox to kill the running process.

I will be away until after 10 this evening. Budfred will probably take a look at this as well.

I'll work on a fix when I get back.

PDACPA
03-17-2005, 05:07 PM
Thanks Classic. I looked at Killbox and I am guessing it allows you to kill running processes. As a heads up, when I look at it, I see about 5 svchost.exe running (and I know some of them are supposed to). Is there a way to identify which is the malicious one? I can see which one in Task Manager as it shows 99 on the CPU.

Thanks for taking the time to help.

Budfred
03-17-2005, 09:08 PM
Please open an HJT scan and put checks by these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/22e4523a885462...ip/RdxIE601.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0022.exe

I am not sure what this one is for, do you know what WOW is??

O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tr.dll

If you did not set these with a protection program or if you are not a network with an Admin who might have set them, check these:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then close all open windows except HJT and click Fix Checked...

Keep HJT open and choose Config... Click on Misc Tools and select "Delete on reboot" and enter this in the dialogue window:

C:\WINDOWS\system\rhhfjn.exe

Download LSPfix from the link in my signature for HJT and open it... Click "I know what I am doing" and move all instances of calsp.dll that you see to the Remove window... Do NOT move any others... Click through to fix and then find/delete: calsp.dll....

Reboot and post a fresh log... The svchost.exe is either not the problem or it is from something that is not showing in the log... After you post the new log, try running an online virus scan and see if it works... If not, go to the McAfee site and download Stinger... Install it and try running it... Post back with how things went...

PDACPA
03-17-2005, 11:04 PM
Bud

I am going to do what you recommended. I will let you know that I did run Stinger when the problem first occurred and it did not solve the problem. Whatever is causing the svchost.exe to run at 99% is getting loaded every time Windows starts and then it cannot be stopped in the Task Manager.

Another thing: whatever the problem is, it will not let me access any websites that have anything to do with virus removal. Classic's link to an article describes many of the symptoms that I have, but the article does not have any solution.

I will be back shortly with the results from your instructions. Thank you for taking the time to assist me with this problem.

PDACPA
03-17-2005, 11:44 PM
I followed the directions completely. Attached is the fresh log. The CPU is still at max 100% and it is a svchost.exe that is causing it.

When you run TASK Manager here is what it says (in case this helps):

IMAGE USERNAME CPU MEM USAGE
svchost.exe SYSTEM 99 25,808K


Just so you know, I have to download the programs (HJT, LSPFix), save them to my server and slowly browse there from the infected machine to get them, as Explorer is basically unable to get to any websites.

I did restart in SAFE MODE and that svchost.exe does not seem to be running and I was able to get to www.trendmicro.com (Could not when running normal). I have STINGER running in SAFE MODE now.

Here is the Fresh Log
Logfile of HijackThis v1.99.1
Scan saved at 10:26:29 PM, on 3/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\csifcsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system\rhhfjn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\PDACPA\Desktop\stinger.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\PDACPA\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PC Doc Pro - 3.1] C:\Program Files\PC Doc Pro\pcdocpro.exe /m
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O16 - DPF: {009F119F-8723-11D3-8791-00A0C9EF9624} (RSFTreeView Class) - http://eformrs.com/FormOpen/RSFormsTV.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com/activex/PlaxoInstall.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/3_0_0_785/sdcregie.cab
O16 - DPF: {227F25BE-BCDC-11D0-BA80-0000F6181652} (CLRMachineInfoCtl Class) - http://eformrs.com/RSLoginModule.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {99140A4E-88C5-11D3-8793-00A0C9EF9624} (RSFDisplay Class) - http://eformrs.com/FormOpen/RSFormsDP.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.289/qboax7.cab
O16 - DPF: {DE0FA400-8EF7-11D3-8795-00A0C9EF9624} (RSFPageSave Class) - https://eformrs.com/FormOpen/RSFSave.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C780166-5091-49EA-98BB-2DF15DA68E8D}: NameServer = 198.31.248.3,198.31.248.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: FileCabinet Solution Print Service (FCPrintService) - Creative Solutions - C:\WINDOWS\csifcsvc.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thanks again for the help. I will let you know what Stinger finds when it is done. Not sure why svchost.exe does not show in the log, but it does seem to be the problem. However, what we just did seems to have made some things work in safe mode when they did not prior.

PDACPA
03-17-2005, 11:58 PM
UPDATED INFO

Stinger still running in safe mode.

I can get to www.trendmicro.com but when I try to go to the free online scan (www.housecall.trendmicro.com) I get the white screen saying it cannot find the website and to check my internet settings (this is in safe mode too).

Budfred
03-18-2005, 12:04 AM
I think svchost.exe is just being used by the infection, it is not the actual problem... it is run by different programs which is why several are often running at the same time...

Your log is looking okay, but this is still there in Running Processes... If Stinger doesn't get it, see if you can find it and check Properties... Make sure it is only set to Archive and then see if you can kill it:

C:\WINDOWS\system\rhhfjn.exe

I was going to suggest running Stinger in Safe Mode so I am glad you are doing that... I don't recommend going online in Safe Mode because you likely do not have your firewall or AV running and may get even more infected... I suggest that you get offline, let Stinger run and then reboot to Normal mode and post back after that... I am going to bed soon, so I may not be able to get back to you tonight...

If Stinger doesn't do it we may need to look for a Rootkit...
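
The triage Budfred walks through above (which log entries to check, why several svchost.exe instances are normal, and the oddly named executable left in Running processes) can be scripted over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample log lines and the flagging heuristics are constructed for illustration.

```python
"""Triage a HijackThis v1.99-style log for the items this thread works through.
Added example; not code from the thread or from HijackThis. The sample log
and the flagging heuristics are constructed for illustration."""
import re
from collections import Counter

# Constructed sample in HijackThis log format, modelled on the thread's entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system\rhhfjn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\calsp.dll' missing
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WOW - C:\WINDOWS\system32\3tr.dll
"""

# Locations where an unfamiliar executable deserves a second look: the legacy
# C:\WINDOWS\system folder and C:\WINDOWS itself, rather than system32.
ODD_DIRS = {"c:\\windows\\system", "c:\\windows"}
VOWELS = set("aeiouy")


def split_log(text):
    """Return (running processes, O/R entries) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
        elif re.match(r"^[ORF]\d+ - ", line):
            entries.append(line)
    return procs, entries


def looks_random(stem):
    """Heuristic: 5+ letters with no vowel, or any digit, reads as generated."""
    s = stem.lower()
    return (len(s) >= 5 and not VOWELS & set(s)) or any(c.isdigit() for c in s)


def file_stem(path):
    return path.rpartition("\\")[2].rsplit(".", 1)[0]


def triage(text):
    """Return (severity, message) findings for a practitioner to review."""
    procs, entries = split_log(text)
    findings = []
    for p in procs:
        directory = p.lower().rpartition("\\")[0]
        if directory in ODD_DIRS or looks_random(file_stem(p)):
            findings.append(("review", f"process in an uncommon location or with a generated-looking name: {p}"))
    n = Counter(p.lower().rpartition("\\")[2] for p in procs)["svchost.exe"]
    if n:
        findings.append(("info", f"{n} svchost.exe instances: normal, since each hosts a group of services; "
                                 "map PIDs to services with 'tasklist /svc' instead of judging by name"))
    for e in entries:
        tag, _, body = e.partition(" - ")
        if tag == "O1":
            findings.append(("review", f"hosts override can redirect or black-hole a site: {body}"))
        elif tag == "O10":
            findings.append(("fix", f"broken Winsock LSP chain (repair with LSPfix): {body}"))
        elif tag == "O20":
            m = re.match(r"Winlogon Notify: \S+ - (.+)", body)
            if m and looks_random(file_stem(m.group(1))):
                findings.append(("review", f"Winlogon Notify DLL with a generated-looking name, loaded at every logon: {e}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The name heuristic is deliberately loose (a vendor name such as csifcsvc.exe would also trip it), so every "review" finding is a prompt to check the file's properties and publisher, not a verdict.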

PDACPA
03-18-2005, 12:15 AM
Thanks Bud.

This is a workstation at my office. You might guess by my nickname my profession (Think taxes). :D I just need to get it running by Monday as a new person is starting then and needs that workstation.

I will follow your advice and let you know. Stinger has been running for a while and I usually head home about midnight, so I might not see it complete till the morning.

I understand what you mean now by the svchost.exe. Before I came back and read your message, I had tried to get to McAfee's site and it too came up Cannot Locate Server. Seems in safe mode the svchost.exe does not consume the CPU power, but the web site blocking is still functioning.

Thanks again for all your help.

classicsoftware
03-18-2005, 12:56 AM
If you are comfortable with the registry:

Go to

HKLM\Software\Microsoft\Windows\CurrentVersion\

Tell us what is in all of the
RUN
Run Once
Run Services

Keys.

DO NOT change them just report the info.

PDACPA
03-18-2005, 01:01 AM
Classic I will get it for you in the morning. It is still running the mcafee virus scan (only one I had on that pc since I could not get to an online one).

I have no problems going in the registry and will give you the report.

Thanks

PDACPA
03-18-2005, 08:12 PM
Sorry for the delay, I was not able to get to the PC. Following your instructions, here is a list of what I found in the Registry:

Go to

HKLM\Software\Microsoft\Windows\CurrentVersion\

Tell us what is in all of the

RUN
    Default
    KavPersonal50
    MCAGENTEXE
    MUPDATEEXE
    NVCPDAEMON
    PC DOCS (already removed, was a trial)
    THGUARD (loaded to try and solve this problem)
    ZONE LABS CLIENT
Run Once
    Default REG_SZ (Value not set)
Run Services
    Default REG_SZ (Value not set)

As extra info, there were two Current Version folders. One only had one item, where the other had an extensive list of items.

The one with one item had the following:

Current Version
    Commonfilesdir c:\programfiles\commonfiles

Thanks for the help.