marenqo

svchost.exe killing me

25 posts in this topic

Happy Easter holidays everybody,

For a few days now I have had a serious svchost problem. It's taking most of my 3 GB of RAM, and when it does my PC crashes.

I have looked around on the Net for some time for possible solutions, but have not found anything that helped. I installed dozens of programmes (Kaspersky, IObit Security 360, SpywareBlaster, Malwarebytes' Anti-Malware, ComboFix etc.), but really nothing seems to help. Kaspersky Web Anti-Virus tells me every now and then that it has blocked sites such as hxxp://fr0udsafetycheck0n.com and hxxp://jan2.cz.cc. I expect that might have something to do with it. It could also be Windows Update, which behaves strangely, but here I also tried much of the advice given on the Net. When I try to update through IE, IE refuses to work properly, and when I do get through I get an update error (0x80072EFE).

This is what HijackThis v2.0.4 gives me:

Scan saved at 15:42:36, on 23/04/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\Program Files\Windows Media Player\setup_wm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\IObit\IObit Security 360\b_securityholes.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-602162358-1960408961-1801674531-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe

O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

Is there anybody who can/wants to help me?

Many thanks in advance,

Marenqo

Edited by Tarun
Delinked the malicious sites.

Run VMMap, select the svchost.exe which causes the high memory usage, save the data and upload the saved data.

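Before pointing VMMap at a process, it helps to know which of the several svchost.exe instances is the heavy one and which services it hosts. The script below is an added example, not something posted in the thread; it assumes PowerShell 2.0 (available for XP SP3) and local admin rights.

```powershell
# Added example (not posted in the thread). Lists every svchost.exe instance with
# its working set, its -k service group, the executable path and the services it
# hosts, largest first, so the instance to point VMMap at is obvious.
# Assumes PowerShell 2.0 (available for XP SP3) and local admin rights.
$svchosts = Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-WmiObject -Class Win32_Service

$report = foreach ($p in $svchosts) {
    # A shared service host has no name of its own; map services to it by PID.
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
              ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        PID          = $p.ProcessId
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Group        = ($p.CommandLine -replace '^.*-k\s+', '')   # e.g. netsvcs
        Path         = $p.ExecutablePath  # a genuine one lives in %SystemRoot%\system32
        Services     = ($hosted -join ', ')
    }
}

$report | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, Group, Path, Services -AutoSize -Wrap

# An instance whose Path is outside system32, or that hosts no services at all,
# deserves a closer look before any memory analysis.
```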

I hope this was the correct svchost.exe. The increase in usage fluctuates, but when it has reached 100 per cent the system freezes and I am forced to reboot.

edit: it says: "You aren't permitted to upload this kind of file" Shall I upload it somewhere else?

edit: uploaded it here: http://www.mediafire.com/?4b2k8mneb45iu2n

Edited by marenqo

The exe is fine (working set is 70 MB).


It must have been another one then; my PC is relatively quiet at the moment. Something forces it to over-perform and crashes the system.

edit: its says: "You aren't permitted to upload this kind of file" Shall I upload it somewhere else?
FYI, you can ZIP/Compress (7-Zip, WinRAR, WinZip, or XP built-in) and upload that (it's the .EXT of .MMP that was rejected). Besides, it's preferable since it reduces the size of the "upload".

...And I see another member is helping (see above post). Odd consumption... A hidden "service"? You could maybe try Malwarebytes and/or Spybot. Something is running that shouldn't be (malware - has to be). The "blocked sites" are the clue...

Edited by submix8c

Could have zipped it indeed, did not think about it, sorry.

At some point one of my svchost.exe processes simply starts to gradually increase and take over my PC, which starts making a lot of noise, programmes stop working etc. I think there is indeed malware somewhere, but I have already tried so much (inc. Malwarebytes) and nothing seems to find anything. Kaspersky 6.0 warns of blocked sites, which are always the same, but I do not know how to track where these are started from. I googled those sites, but could not find anything. IE has now stopped working, Firefox is sluggish etc. and Windows Update does not work.


Configure your system to generate a full crash dump:

Zip the dump and upload it to mediafire.com.

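The two settings behind "add the registry key and press the keyboard combination" are the crash dump type (which decides whether you get a small Minidump or a full MEMORY.DMP) and the keyboard-initiated crash. The script below is an added example, not part of the thread; it assumes an elevated PowerShell 2.0 session on XP SP3 and a PS/2 keyboard, and the machine must be rebooted before either setting takes effect.

```powershell
# Added example (not posted in the thread). Configures Windows to write a complete
# memory dump to %SystemRoot%\MEMORY.DMP and enables the keyboard crash
# (hold right Ctrl, press Scroll Lock twice). Assumes an elevated PowerShell 2.0
# session on XP SP3; a reboot is required afterwards.
$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$i8042        = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'

# CrashDumpEnabled: 1 = complete memory dump, 2 = kernel dump, 3 = small dump
# (the Minidump that ends up in C:\WINDOWS\Minidump). A complete dump needs a
# page file on the system drive of at least RAM + 1 MB, or nothing is written.
Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $crashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
Set-ItemProperty -Path $crashControl -Name Overwrite -Value 1 -Type DWord

# CrashOnCtrlScroll is honoured by the PS/2 keyboard driver (i8042prt); on XP it
# does not apply to USB keyboards, which is a common reason the combination does nothing.
if (-not (Test-Path $i8042)) { New-Item -Path $i8042 -Force | Out-Null }
Set-ItemProperty -Path $i8042 -Name CrashOnCtrlScroll -Value 1 -Type DWord

# Read the values back so a leftover 3 (= Minidump only) is caught before rebooting.
Get-ItemProperty -Path $crashControl | Select-Object CrashDumpEnabled, DumpFile, Overwrite
Get-ItemProperty -Path $i8042 | Select-Object CrashOnCtrlScroll
```

Trigger the crash only while the svchost.exe memory usage is actually high; a dump taken on a freshly booted, healthy system (as happened later in this thread) shows nothing useful.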

I've found "redirectors" in the LSP before. You could search for "LSPFix", download it, run it (DON'T let it fix anything yet!), and list what's in the windows.

(FWIW) - P.S. Some antivirii think it's a virus/trojan because it alters the registry, so temporarily disconnect from the internet (unplug) and temporarily disable the antivirus.


I received the following Generic Host Process for Win32 Services error:

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll

szModVer : 5.1.2600.6055 offset : 00022235

----------------------------

I will now look for LSPFix and create a full crash dump (and zip it to here).


The SDK is for app crashes. To get a Windows dump, add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.


The SDK is for app crashes. To get a Windows dump, add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

I downloaded the SDK (changed the registry keys) and pressed the keyboard combination; there was a reboot, but I don't know where I can find the log. Do you have any ideas? I tried C:\WINDOWS\Minidump, but that was empty, and there was no WINDOWS\memory.dmp.

Thanks


I finally managed to create a dmp file and attached it in zip format. It was created after I booted up the PC, and I don't think it suffered from anything (no extreme memory usage).

Mini042311-01.zip


Do you see the large Memory.dmp in C:\Windows? I need this file. Press the keyboard combination at the point where you get the high memory usage issue.

