I noticed a lot of background downloading going on.. checked processes and noticed many many svchosts running... installed ProcessGuard and caught all this crap... what the heck is creating all these in my temp dir, then executing them..

00:42:45 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe 777 ]
00:42:46 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe http://out.catchonlife.com/nw/r2.txt?jeaa-1_2790_1061 ]
00:42:46 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exssd32e.exe" [4060]
[EXECUTION] Commandline - [ svchost.exe ]
00:42:46 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\33exssd32e.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
00:42:47 [EXECUTION] "c:\documents and settings\my-name-here\local settings\temp\33exmhdd.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\my-name-here_p~1.cor\locals~1\temp\33exmhdd.exe 777 ]
00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\my-name-here_p~1.cor\locals~1\temp\60exmodex2.exe" [2204]
[EXECUTION] Commandline - [ svchost.exe ]
00:42:47 [MODIFY] c:\documents and settings\my-name-here\local settings\temp\60exmodex2.exe [2204] was blocked from modifying c:\windows\system32\svchost.exe [3832]
00:42:47 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "Unknown Process" [1528]
[EXECUTION] Commandline - [ svchost.exe

You have a trojan downloader that's using svchost to download malware from the web. I'm guessing it's using svchost to circumvent any firewall you may have since svchost is usually allowed as it's used for Automatic Updates. The trojan is used to make your machine a spambot. The site it tried to connect to contains a text document with links to the spam message and e-mail addresses to spam. I recommend posting to the part of this forum dealing with malware infections for help solving the problem.
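
Added example, not part of the original posts: a small triage script that reads a log in the ProcessGuard format quoted above and flags the three parent/child patterns visible in it (svchost starting an executable from a temp directory, a temp executable starting svchost, and a temp executable trying to modify svchost). The sample log, the rule names and the function names are constructed for this example.

```python
import re

# Constructed sample in the log format quoted in the post
# (paths, PIDs and URL are made up for this example).
SAMPLE_LOG = r'''
00:10:01 [EXECUTION] "c:\documents and settings\user\local settings\temp\sample1.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [4044]
[EXECUTION] Commandline - [ c:\docume~1\user\locals~1\temp\sample1.exe http://example.invalid/list.txt ]
00:10:02 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\docume~1\user\locals~1\temp\sample1.exe" [4060]
[EXECUTION] Commandline - [ svchost.exe ]
00:10:02 [MODIFY] c:\documents and settings\user\local settings\temp\sample1.exe [4060] was blocked from modifying c:\windows\system32\svchost.exe [2628]
00:10:05 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1200]
[EXECUTION] Commandline - [ notepad.exe ]
'''

RUN = re.compile(r'^(\d\d:\d\d:\d\d) \[EXECUTION\] "(.+?)" was allowed to run$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(.+?)" \[(\d+)\]$')
MODIFY = re.compile(r'^(\d\d:\d\d:\d\d) \[MODIFY\] (.+?) \[(\d+)\] '
                    r'was blocked from modifying (.+?) \[(\d+)\]$')

def in_temp(path):
    # Covers both the long path and the 8.3 short form (locals~1\temp).
    return "\\temp\\" in path.lower()

def is_svchost(path):
    return path.lower().endswith("\\svchost.exe")

def findings(log):
    """Return (time, rule, temp_image) tuples for suspicious events."""
    out, pending = [], None
    for line in (l.strip() for l in log.splitlines()):
        if m := RUN.match(line):
            pending = m.groups()              # (time, child image)
        elif (m := PARENT.match(line)) and pending:
            (when, child), parent = pending, m.group(1)
            if is_svchost(parent) and in_temp(child):
                out.append((when, "svchost-launched-temp-exe", child))
            elif in_temp(parent) and is_svchost(child):
                out.append((when, "temp-exe-launched-svchost", parent))
            pending = None
        elif m := MODIFY.match(line):
            when, src, _, target, _ = m.groups()
            if in_temp(src) and is_svchost(target):
                out.append((when, "temp-exe-modify-svchost", src))
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(*f, sep="  ")
```

An entry whose parent is logged as "Unknown Process" matches none of these rules and has to be reviewed by hand.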