Q: Removing spyware or virus ( No Answer,   1 Comment )
Question  
Subject: Removing spyware or virus
Category: Computers > Security
Asked by: lubs-ga
List Price: $5.00
Posted: 10 May 2005 08:29 PDT
Expires: 09 Jun 2005 08:29 PDT
Question ID: 519982
Hi,

I think I have some kind of virus on my computer but I'm not sure what it is. I thought it could have been the Welchia Worm because I have several copies of Svchost running in Task Manager and one is a "local service" one. But I ran the Symantec Fix it for that worm and it told me I didn't have it.

When I try to kill the local service svchost the computer counts down to getting shut down and the screen says something about it being terminated by an RPC - remote call procedure...

Also when I try to access websites sometimes a window comes up saying please check the name and try again as the website could not be found, and I have to keep pressing "enter" several times before it will let me get to the site. Also my Norton AntiVirus seems unable to download updates, and my Windows security thing brings up a balloon every time I turn on my computer saying that the computer could be at risk because the antivirus is disabled, but I actually have it turned on and it's listed as turned on in the Security Center.

Every once in a while the computer will come up with a blue screen with white writing and say something about "BIOS" and "physical memory dump" (??) and I then have to turn it off and back on again.

Also when I'm typing in Word or email or on the internet sometimes the letters don't keep up on the screen, there is a lag. This never used to happen.

Finally, for some reason (and I don't know if this is connected) the computer has started emitting a beep every time I click on something (it is an IBM laptop, R40e, so it doesn't have a mouse, just buttons). I have had to leave it on mute because it's so annoying.

This is my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:13:30 AM, on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\system32\tp4ex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4cross.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unimail.unsw.edu.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unimail.unsw.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [aqttcegq] c:\windows\system32\aqttcegq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://D:\AUTORUN\Flash\swflash.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I am on a LAN for my ADSL internet connection with another computer in my house.

I have Norton AntiVirus, Spybot, Ad-Aware, and Microsoft internet security. None of them are finding anything.

Please let me know if any other info is necessary. Please make sure you explain carefully what I should do because I'm not much of a techie.

Thanks

Clarification of Question by lubs-ga on 10 May 2005 23:56 PDT
Thanks lauridsd-ga!

I ran Housecall and it found nothing, and I tried Norton again and was able to download the updates. I guess the lesson is don't read random computer advice on the internet if you don't understand what you are doing, because the reason I thought that I had the Welchia Worm was something I read on the net about how if you have multiples of svchost and your computer shuts itself down when you close them then you have a virus!

I ran the hard drive error check and it did its thing but didn't show me a report of what it found. I also defragged my computer. I only did it 2 months ago but it was really fragmented so that helped a lot. It's a lot faster now but the lagging thing is still happening a bit from time to time (it's not very major) and the beeping when I press mouse keys also hasn't gone away, but I rang IBM and even they don't know how to solve it.

Thanks very much for your help, the stuff you suggested has definitely helped and I'm glad someone isn't monitoring my computer through some virus and stealing all my info!!

Lubs
Answer  
There is no answer at this time.

Comments  
Subject: Re: Removing spyware or virus
From: lauridsd-ga on 10 May 2005 11:50 PDT
 
FYI, Svchost is a legitimate executable that is part of Windows XP and it is normal to have several instances running in Task Manager at any given time. Unless your anti-virus software explicitly informs you that you have the W32.Welchia.Worm virus, do not assume you have it, or that svchost has anything to do with it. See:
http://www.neuber.com/taskmanager/process/svchost.exe.html

Welchia can install itself with the same executable name (svchost.exe), but if your anti-virus software is working and up to date, it should be able to detect the actual virus versus the legitimate Windows executable.

When you kill a legitimate (non-virus) version of svchost.exe your machine will reboot. (You manually killing the task is what Windows is reporting as the Remote Procedure Call.) Don't do that anymore. :-)

Having to refresh several times to get to a web site is not, by itself, indicative of a virus. This is most likely a network problem (specifically, an inability to reach a DNS (Domain Name Service) server for that site, assuming that the actual web site is really up). This can be caused by many things, including heavy network traffic, etc. If you see this a lot, you should probably talk to your ISP's (Internet Service Provider) tech support and see if they can help diagnose and fix it.

This is probably what is also affecting Norton AntiVirus's inability to download updates, which is what the Windows XP security app is complaining about. Until the network issue gets resolved and you can successfully download updates, you will continue to see this.

The BIOS-related blue screens, the lag when typing, and the constant beeping may or may not all be related to each other, but they do point to some potentially serious problems with your computer. This could be anything from simple fragmentation of hard drive data to intermittent hardware failure (hard drive, memory, processor, video card, motherboard, etc.). I normally troubleshoot the hard drive first as it is the most likely, and one of the simplest things to fix / replace. I recommend running the Error-check on your hard drive (from My Computer, right-click the drive, choose Properties, and click the Tools tab), and then afterwards, run the Defragmentation tool as well. If the Error check finds lots of problems, it may indicate that the drive is failing, and that it is time to back up your data and replace the drive. If not, Defragmenting will hopefully improve the performance of the machine, especially if it hasn't been done in months / years. If neither of those things helps, you will have to dig deeper to find the cause of the problem, and you may wish to consult with a local hardware tech support provider if you are not comfortable doing this yourself.

To definitely rule out a virus, you can always use an online virus scanner (assuming you aren't still having network problems). Free online scanners such as Trend Micro's Housecall (http://housecall.trendmicro.com/) are always up-to-date and are not as easily corrupted by viruses themselves. (Some viruses are smart / nasty enough to disable resident virus software.)

Hope all that helps. Good luck.
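
Added example (not part of the question, the comment, or HijackThis itself): a small Python triage script for the kind of log posted in the question, built around the points the comment makes. It counts the svchost.exe instances the comment calls normal and lists any copy running from somewhere other than System32 (the comment notes Welchia reuses that file name); it flags O4 autorun entries whose names look machine-generated so they can be looked up by hand; and it lists O23 services with an unknown owner. The sample log is a constructed excerpt modelled on the posted one, with one constructed line (a svchost.exe under C:\WINDOWS\Temp) added only to exercise the path check. The random-name rule is a heuristic and a hit means "look this up", not "this is malware"; the System32 path assumes a default C:\WINDOWS install.

```python
import re

# Constructed excerpt modelled on the HijackThis v1.99.1 log posted in the
# question.  The line "C:\WINDOWS\Temp\svchost.exe" is NOT from the posted log;
# it is added here only to exercise the path check below.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:13:30 AM, on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Temp\svchost.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [aqttcegq] c:\windows\system32\aqttcegq.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Assumption: a default Windows XP install on C:\WINDOWS.  The legitimate
# svchost.exe lives in System32; a copy anywhere else deserves a close look
# (the comment above notes that Welchia reuses the same file name).
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"

# O4 registry autoruns:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services:  O23 - Service: display name - owner - path
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Pull out the three sections this triage uses: the running-process
    list, O4 registry autoruns and O23 services."""
    processes, autoruns, services = [], [], []
    in_procs = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line.strip():
                processes.append(line.strip())
            else:
                in_procs = False  # a blank line ends the section
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return {"processes": processes, "autoruns": autoruns, "services": services}


def looks_random(name):
    """Heuristic for machine-generated autorun names: all lowercase letters,
    six or more of them, a low vowel ratio AND a run of four consonants.
    A hit means 'look this name up', not 'this is malware'."""
    if not (name.isalpha() and name.islower() and len(name) >= 6):
        return False
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    consonant_run = re.search(r"[^aeiou]{4,}", name) is not None
    return vowel_ratio <= 0.3 and consonant_run


def is_svchost(path):
    return path.lower().endswith("\\svchost.exe")


def triage(text):
    """Return the findings a defender would check first on a log like this."""
    log = parse_log(text)
    return {
        "svchost_count": sum(is_svchost(p) for p in log["processes"]),
        "svchost_off_path": [p for p in log["processes"]
                             if is_svchost(p) and p.lower() != LEGIT_SVCHOST],
        "random_autorun_names": [a["name"] for a in log["autoruns"]
                                 if looks_random(a["name"])],
        "unknown_owner_services": [s["name"] for s in log["services"]
                                   if s["owner"] == "Unknown owner"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt, it reports three svchost.exe instances (two legitimate, one off-path), one autorun name flagged for lookup, and one service with an unknown owner. "Unknown owner" in HijackThis output is common for hardware vendors' helper services, as the Ati, IBM and QCONSVC entries in the posted log show, so that list is a reading aid rather than a verdict; the same goes for the random-name flag, which is why the checks return data for a person to act on instead of deleting anything.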
