marenqo

svchost.exe killing me

25 posts in this topic

Happy Easter holidays everybody,

For a few days I have had a serious svchost problem. It's taking most of my 3 GB of RAM and when it does my PC crashes.

I have looked around on the Net for some time for possible solutions, but have not found anything that helped. I installed dozens of programmes (Kaspersky, IObit Security 360, Spyware Blaster, Malwarebytes' Anti-Malware, Combofix etc.), but really nothing seems to help. Kaspersky Web anti-virus tells me every now and then that it has blocked sites such as hxxp://fr0udsafetycheck0n.com and hxxp://jan2.cz.cc. I expect that might have something to do with it. It also could be Windows Update, which behaves strangely, but here I also tried much of the advice given on the Net. When I try to update through IE, IE refuses to work properly and when I do get through I get an update error (0x80072EFE).

This is what HijackThis v2.0.4 gives me:

Scan saved at 15:42:36, on 23/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\IObit Security 360\b_securityholes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-602162358-1960408961-1801674531-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

Is there anybody who can/wants to help me?

Many thanks in advance,

Marenqo

Edited by Tarun
Delinked the malicious sites.
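An added example, not from any poster in this thread: a small Python script that parses HijackThis log lines like the ones above into their sections and flags the entries a responder would check first (services with an unknown publisher or a missing binary, and AppInit_DLLs entries, which load into every process that uses user32.dll). The sample lines are copied from the log above; the triage heuristics are an assumption of mine, not HijackThis's own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Map each section code (O4, O23, ...) to the list of entry bodies found under it."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("body"))
    return sections


def triage(sections):
    """Return (code, reason, entry) triples for entries worth a closer look.

    Heuristics (my assumption, not a HijackThis feature):
    - O23 services with no known publisher or whose binary is missing on disk
    - O20 AppInit_DLLs, a classic persistence point because the DLLs are
      injected into every process that loads user32.dll
    """
    findings = []
    for body in sections.get("O23", []):
        if "Unknown owner" in body or "(file missing)" in body:
            findings.append(("O23", "service with unknown publisher or missing binary", body))
    for body in sections.get("O20", []):
        findings.append(("O20", "AppInit_DLLs entry loads into every GUI process", body))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{code}] {reason}: {entry}")
```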
Run VMMap, select the svchost.exe which causes the high memory usage, save the data and upload the saved data.


I hope this was the correct svchost.exe. The increase in usage fluctuates, but when it has reached 100 per cent the system freezes and I am forced to reboot.

edit: it says: "You aren't permitted to upload this kind of file". Shall I upload it somewhere else?

edit: uploaded it here: http://www.mediafire.com/?4b2k8mneb45iu2n

Edited by marenqo

The exe is fine (working set is 70 MB).


It must have been another one then; my PC is relatively quiet at the moment. Something forces it to over-perform and crash the system.

edit: it says: "You aren't permitted to upload this kind of file". Shall I upload it somewhere else?

FYI, you can ZIP/compress (7-Zip, WinRAR, WinZip, or XP built-in) and upload that (it's the .EXT of .MMP that was rejected). Besides, it's preferable since it reduces the size of the "upload".

...And I see another member is helping (see above post). Odd consumption... A hidden "service"? You could maybe try MalWareBytes and/or SpyBot. Something is running that shouldn't be (malware - has to be). The "blocked sites" is the clue...

Edited by submix8c

Could have zipped it indeed, did not think about it, sorry.

At some point one of my svchost.exe instances simply starts to gradually increase and take over my PC, which starts making a lot of noise, programmes stop working etc. I think there is indeed malware somewhere, but I have already tried so much (incl. MalWareBytes) and nothing seems to find anything. Kaspersky 6.0 warns of blocked sites, which are always the same, but I do not know how to track where these are started from. I googled those sites, but could not find anything. IE has now stopped working, Firefox is sluggish etc. and Windows Update does not work.


configure your system to generate a full crash dump:

zip the dump and upload it to mediafire.com


I've found "redirectors" in the LSP before. You could search for "LSPFix", download it, run it (DON'T let it fix anything yet!), and list what's in the window.

(FWIW) - P.S. Some antivirus programs think it's a virus/trojan because it alters the registry, so temporarily disconnect from the internet (unplug) and temporarily disable the antivirus.


I received the following Generic Host Process for Win32 Services error:

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll

szModVer : 5.1.2600.6055 offset : 00022235

----------------------------

I will now look for LSPFix and create a full crash dump (and zip it here).


The SDK is for app crashes. To get a Windows dump, add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.


The SDK is for app crashes. To get a Windows dump, add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

I downloaded the SDK (changed the registry keys) and pressed the keyboard combination; there was a reboot, but I don't know where I can find the log. Do you have any ideas? I tried C:\WINDOWS\Minidump, but that was empty, and there was no WINDOWS\memory.dmp.

Thanks


I finally managed to create a dmp file and attached it in zip format. It was created after I booted up the PC, and I don't think it suffered from anything (no extreme memory usage).

Mini042311-01.zip


Do you see the large Memory.dmp in C:\Windows? I need this file. Press the keyboard combination at the point where you get the high memory usage issue.


Any news on this? My PC has been infected now for over a week and I have been posting on different forums, unfortunately without success in resolving this....


Of course, you didn't do what MagicAndre1981 asked. If you don't post a full memory dump generated at the time you get the peak of memory usage, then nobody can know what's going wrong on your computer. Don't blame your lack of knowledge and abilities on others.


configure your system to generate a full crash dump:

zip the dump and upload it to mediafire.com

Here are the memory dump instructions again.

Also, I fixed the typo in the topic title, seeing the word "svshot" was killing me.


It would be worthwhile to run sfc /scannow. You could also use Dial-a-fix since you're on XP.


Sorry for the delay, I was on the Kaspersky channel. They don't know what it is there either and I uploaded a million things there. Fortunately I am not the only one and they are working on it.

Please find the zipped file here: http://www.mediafire.com/?bm0ztu36736502r

BTW: I can't do a sfc /scannow, because I don't have the CD here; Windows was preinstalled.


The dump is damaged, I can't read the data:

Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated. Data may be missing.

Unable to read KLDR_DATA_TABLE_ENTRY at 8b3b33a0 - Win32 error 0n38
GetContextState failed, 0x80070026


0: kd> !vm

*** Virtual Memory Usage ***
Physical Memory: 783871 ( 3135484 Kb)
00000000: Unable to get page file
00000000: Unable to get paged pool info
unable to get nt!MmTotalFreeSystemPtes
unable to get nt!MmTotalPagesForPagingFile
unable to get nt!MiSpecialPagesNonPaged
unable to get nt!MiSpecialPagesNonPagedMaximum
Error reading free nonpaged PTEs 00000004
unable to get nt!MmSpecialPagesInUse
Available Pages: 666391 ( 2665564 Kb)
ResAvail Pages: 695793 ( 2783172 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 0 ( 0 Kb)

********** Running out of system PTEs **************

Free NP PTEs: 0 ( 0 Kb)
Free Special NP: 0 ( 0 Kb)
Modified Pages: 4353 ( 17412 Kb)
Modified PF Pages: 0 ( 0 Kb)
80564d20: Unable to get pool descriptor
NonPagedPool Usage: 0 ( 0 Kb)
NonPagedPool Max: 65536 ( 262144 Kb)
PagedPool Usage: 0 ( 0 Kb)
PagedPool Maximum: 92160 ( 368640 Kb)
Unable to get Session WsListEntry
Session Commit: 0 ( 0 Kb)
Shared Commit: 2278 ( 9112 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 2202 ( 8808 Kb)
PagedPool Commit: 10330 ( 41320 Kb)
Driver Commit: 4535 ( 18140 Kb)
Committed pages: 61417 ( 245668 Kb)
Commit limit: 755565 ( 3022260 Kb)


ProcessCommitUsage could not be calculated

so I can't see the process memory usage of the svchost.exe. Do you really only have 768 MB RAM? Try to upgrade the RAM.


so I can't see the process memory usage of the svchost.exe. Do you really only have 768 MB RAM? Try to upgrade the RAM.

Have you tried both dumps? Were both of them damaged? If so, what to do now?

No, I have 3 GB but had to limit the size, otherwise the file would be 2 GB big.


Don't limit the size. Compress it with 7z (LZMA2 - ultra). This reduces the size a lot.
