Topic: Need help...


Probzzie

  • Guest
Need help...
« on: November 01, 2010, 03:11:53 AM »
Hey all, my first post here (hurray).
OK. I have a Toshiba 300 Netbook, and this problem occurred when Avast! was unregistered on the system, so let me explain the problem.

First of all, I was directed to this site by a topic that was similar to the problem I am currently having: Avast! 5 (recently activated) detects and blocks a malicious URL. This happens 3-6 times every reboot and then spontaneously while browsing. The URL is blocked and the process is C:\Windows\System32\Svchost.exe.
In the other fix it had mentioned User.ini as the culprit. Before I read that I ran ComboFix, and it said it was deleted. However, that wasn't true, as I got the same URL blockage.
It seems to be getting worse now.
Windows Update will not automatically update.
When I try to run HiJackThis I get an error: The dependency service or group failed to start.
Avast! Full Scan and Boot-Time Scan run clean, as does Malwarebytes.
I manually installed the Malicious Removal Tool (KB890830). Everything runs clean as a whistle, and I'm certain that it isn't.


A few svchost.exe.mui files were discovered recently, if that helps. Since I cannot open HJT, I'm unable to provide logs. Please just respond with any additional information needed.


« Last Edit: November 01, 2010, 03:45:12 AM by Probzzie »

Probzzie

  • Guest
Re: Need help...
« Reply #1 on: November 01, 2010, 03:46:25 AM »
I got it to run. Here's an HJT log:

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\windows\system32\igfxext.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=16796S&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.toshiba.ca/welcome
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll (file missing)
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [HWSetup] "C:\Program Files\TOSHIBA\Utilities\HWSetup.exe" hwSetUP
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [TWebCamera] "C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
O4 - HKLM\..\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\windows\system32\ThpSrv.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 7448 bytes




Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Need help...
« Reply #2 on: November 01, 2010, 10:40:37 AM »
Hi, Probzzie, welcome to the forum.

I'm going to guess you are using Vista, based on the reported "dependency or group failed to start". This is a known problem with HjT and Vista.

Unfortunately HjT has not been maintained by TM; no real development has taken place for probably about a year, so it's not really up to the job any more.

It can point to common problems (and does here, see below) but you need to post the full log, which includes the OS info etc at the beginning of the log.

The problem could well be the presence of Norton Internet Security installed on the computer. You need to uninstall this - whether it is active or not - and run the removal tool available here or here. (It's the same tool; different download sites.)

Leftovers of a previous AV can and do cause problems; this might explain yours. Let us know how you get on.
Windows 10,Windows Firewall,Firefox w/Adblock.

Probzzie

  • Guest
Re: Need help...
« Reply #3 on: November 01, 2010, 02:29:12 PM »
Hey, thanks for the welcome and hasty reply. (Once again avast shows another great quality.)
OK, so it's Windows 7 actually, and I have been trying to remove Norton with no luck; it freezes when in Add/Remove Programs and there is no uninstall file.
Can this be the issue that is making svchost.exe attempt to connect to malicious URLs?
Also, Windows has never been updated... not once (not mine).
« Last Edit: November 01, 2010, 02:52:10 PM by Probzzie »

CharleyO

  • Guest
Re: Need help...
« Reply #4 on: November 01, 2010, 07:14:23 PM »
***

Welcome to the forums, Probzzie   :)

The reason Tarq57 had to guess at your OS is that you did not include the top part of the HJT log that gives important information. That top part is also needed to correctly analyze your HJT log.


***

Probzzie

  • Guest
Re: Need help...
« Reply #5 on: November 02, 2010, 07:26:21 AM »
I'm so sorry, the owner of the laptop did not let me finish the work on the laptop... Angers me.... However, you can tell me if what I did may have fixed the problem or just minimized it till a later date.
Okay, so from the top. The first and most obvious problem that was on the Windows 7 machine was that svchost.exe continuously tried to connect to malicious sites when connected to the internet. Windows had never received an update. Every scan I ran came up clean.
When I was reading forum topics online I read that malicious files sometimes hide in the system folders: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\IE.5\Temporary Internet Files
I started in safe mode. ComboFix found (twice) Userinit.exe. After it deleted it and restarted, the messages still came up.

I deleted all the files and folders at this address: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\IE.5\Temporary Internet Files
and at that moment avast found and chested a virus.
Restarted; it ran for a while with no warnings.

That left me with Windows Update, which was not fixed after the svchost.exe problem was solved...... Typing the error I was receiving into the Google search bar brought me to a site that advised me of Norton Internet Security interrupting Windows Update (especially if not uninstalled completely), and also of TDSSKiller.exe offered by Kaspersky. I installed TDSSKiller and it found and got rid of one rootkit. I then downloaded and ran the Norton Removal Tool. I then followed a cmd process that fixed the 800e030efe error and advised me to delete all updates and reinstall them (bonus, considering it never was updated). It then restarted the computer, connected to Windows Update and downloaded the updates.

Now, does it seem like I have cured my own problem? Like I said, I never got the chance to run a full scan or an HJT log before he retrieved it....... He doesn't seem to think it's all that big of a deal. Do you think he's safe surfing? Did I get rid of the problem?

Offline Tarq57

Re: Need help...
« Reply #6 on: November 02, 2010, 07:35:14 AM »
Probably. Who can say?
None of the detection results (except possibly the TDSSKiller one) mean anything conclusive when there are two AVs installed.
Removing Norton and running the tool I linked you to should have been the first thing to do, then post a full HjT (or similar) log. Deleting the temp files would have been good.

No use crying over any milk that's spilled now, though. As I said, he is probably ok, but if that rootkit was for real, I would have wanted to do more tests and have someone seriously knowledgeable look over the logs.

I wouldn't be emailing that friend any information that you wanted kept private, either, but I'm a bit fussy like that. In short, I would not trust that computer.
Windows 10,Windows Firewall,Firefox w/Adblock.

Probzzie

  • Guest
Re: Need help...
« Reply #7 on: November 02, 2010, 07:43:31 AM »
Tomorrow I can retrieve the logs, as I saved them all.
I'm not 100% on the name of the rootkit it identified, but it was infecting a .sys file.

Offline Tarq57

Re: Need help...
« Reply #8 on: November 02, 2010, 08:21:41 AM »
Probzzie,

If there is any doubt in your mind, or your friend's mind, as to the integrity of the machine, it might pay you to look at this post (and the associated thread) started by Essexboy. He's one of the experts here - possibly the expert here - regarding this sort of thing. Follow the recommended steps, and post the results (MBAM and OTL logs) if you want this progressed.
Windows 10,Windows Firewall,Firefox w/Adblock.

CharleyO

  • Guest
Re: Need help...
« Reply #9 on: November 02, 2010, 08:44:10 AM »
***

Just from looking over the HJT log without a real analytical test, the below items should be fixed using HJT.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll (file missing)

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

None of the registry entries above have anything to do with the problem. They are just junk entries since the files are missing.


***
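As an added example (not code from this thread or from HijackThis itself), here is a small Python parser that picks out the kind of "junk" entries CharleyO describes: HJT lines whose registry key still exists but whose target file is gone, which HijackThis marks as `(no file)` or `(file missing)`. The sample log is constructed from a few lines copied from the log posted above plus one healthy O4 entry for contrast, so it runs offline.

```python
import re

# Constructed sample: four entries copied from the HijackThis log posted in
# this thread plus one healthy O4 entry, so the filter has something to keep.
SAMPLE_HJT_LOG = """\
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\\Program Files\\Norton Internet Security\\Engine\\17.0.0.136\\coIEPlg.dll (file missing)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O4 - HKLM\\..\\Run: [Teco] "%ProgramFiles%\\TOSHIBA\\TECO\\Teco.exe" /r
"""

# Markers HijackThis prints when the referenced DLL/EXE is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Every HJT result line starts with a section code such as R0, O2 or O23.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt_lines(log_text):
    """Yield (section, body) for every HijackThis result line in the log."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def find_orphaned_entries(log_text):
    """Return (section, body) pairs whose target file HijackThis could not find.

    These are leftover registry entries: safe to fix in HJT, but they say
    nothing about an active infection, which is CharleyO's point above.
    """
    return [
        (section, body)
        for section, body in parse_hjt_lines(log_text)
        if any(marker in body for marker in MISSING_MARKERS)
    ]


def summarize(log_text):
    """Count orphaned entries per section, e.g. {'O2': 1, 'O3': 1, 'O9': 1}."""
    counts = {}
    for section, _ in find_orphaned_entries(log_text):
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, body in find_orphaned_entries(SAMPLE_HJT_LOG):
        print(f"{section}: {body}")
```

Running it against a full HJT log lists only the orphaned entries; anything that still points at an existing file (like the Adobe BHO or the Toshiba O4 entry) is left for manual review.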