MSFN Forum: svchost.exe killing me - MSFN Forum

svchost.exe killing me

#1 marenqo

Posted 23 April 2011 - 10:10 AM

Happy Easter holidays everybody,

For a few days now I have had a serious svchost problem. It's taking most of my 3 GB of RAM and when it does my PC crashes.

I have looked around on the Net for some time for possible solutions, but have not found anything that helped. Installed dozens of programmes (Kaspersky, IObit Security 360, Spyware Blaster, Malwarebytes' Anti-Malware, Combofix etc), but really nothing seems to help. Kaspersky Web Anti-Virus tells me every now and then that it has blocked sites such as hxxp://fr0udsafetycheck0n.com and hxxp://jan2.cz.cc. I expect that might have something to do with it. It could also be Windows Update, which behaves strangely, but here too I tried much of the advice given on the Net. When I try to update through IE, IE refuses to work properly and when I do get through I get an update error (0x80072EFE).

This is what HijackThis v2.0.4 gives me:

Scan saved at 15:42:36, on 23/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\IObit Security 360\b_securityholes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-602162358-1960408961-1801674531-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

Is there anybody that can/wants to help me?

Many thanks in advance,


Marenqo

This post has been edited by Tarun: 28 April 2011 - 03:03 PM
Reason for edit: Delinked the malicious sites.
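
Added example (not part of the original post and not HijackThis's own code): a small triage pass over a HijackThis log like the one above. It flags core Windows process names running outside system32, services whose file is missing or whose owner is unknown, and lists AppInit_DLLs entries for review. The sample log is constructed from lines in the post plus one invented svchost.exe path; the SYSTEM32_ONLY list and the C:\WINDOWS SystemRoot are assumptions of the example.

```python
import re

# Constructed sample in the HijackThis 2.0.4 layout of the log above. The
# C:\WINDOWS\Temp\svchost.exe line is invented to exercise the path check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\system32\spoolsv.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
"""

SYSTEM32 = r"c:\windows\system32"   # assumption: SystemRoot as in the log
# Assumption: core process names that should only ever run from system32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                 r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$")

def triage(log_text):
    """Return (kind, item) pairs an analyst should review first."""
    findings, in_processes = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif in_processes:
            if not line:                      # blank line ends the process list
                in_processes = False
                continue
            folder, _, exe = line.lower().rpartition("\\")
            if exe in SYSTEM32_ONLY and folder != SYSTEM32:
                findings.append(("process-path", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Loaded into every process that loads user32.dll: list for review.
            for dll in line.split(":", 1)[1].split(","):
                findings.append(("appinit-dll", dll.strip()))
        else:
            m = O23.match(line)
            if m and (m["missing"] or m["owner"] == "Unknown owner"):
                findings.append(("service", m["name"]))
    return findings

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_LOG):
        print(f"{kind:13} {item}")
```

An "appinit-dll" finding is a prompt to verify the file's vendor and signature, not a verdict; in the log above both entries point into the Kaspersky install directory.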



#2 MagicAndre1981

Posted 23 April 2011 - 11:31 AM

Run VMMap. Select the svchost.exe which causes the high memory usage, save the data and upload the saved data.

#3 marenqo

Posted 23 April 2011 - 12:02 PM

I hope this was the correct svchost.exe. The increase in usage fluctuates, but when it has reached 100 per cent the system freezes and I am forced to reboot.

edit: it says: "You aren't permitted to upload this kind of file" Shall I upload it somewhere else?

edit: uploaded it here: http://www.mediafire...4b2k8mneb45iu2n

This post has been edited by marenqo: 23 April 2011 - 12:05 PM


#4 MagicAndre1981

Posted 23 April 2011 - 12:32 PM

The exe is fine (working set is 70 MB).

#5 marenqo

Posted 23 April 2011 - 12:35 PM

It must have been another one then, my PC is relatively quiet at the moment. Something forces it to over-perform and crash the system.

#6 submix8c

Posted 23 April 2011 - 12:37 PM

marenqo, on 23 April 2011 - 12:02 PM, said:

edit: it says: "You aren't permitted to upload this kind of file" Shall I upload it somewhere else?

FYI, you can ZIP/Compress (7-Zip, WinRAR, WinZip, or XP built-in) and upload that (it's the .EXT of .MMP that was rejected). Besides, it's preferable since it reduces the size of the "upload".

...And I see another member is helping (see above post). Odd consumption... A hidden "service"? You could maybe try MalWareBytes and/or SpyBot. Something is running that shouldn't be (malware - has to be). The "blocked sites" is the clue...

This post has been edited by submix8c: 23 April 2011 - 12:38 PM


#7 marenqo

Posted 23 April 2011 - 12:47 PM

Could have zipped it indeed, did not think about it, sorry.

At some point one of my svchost.exe simply starts to increase and gradually take over my PC, which starts making a lot of noise, programmes stop working etc. I think there is indeed malware somewhere, but I tried already so much (inc. MalWareBytes) and nothing seems to find anything. Kaspersky 6.0 warns of blocked sites, which are always the same, but I do not know how to track from where these are started. I googled those sites, but could not find anything. IE now has stopped working, Firefox is sluggish etc and Windows Update does not work.

#8 MagicAndre1981

Posted 23 April 2011 - 12:56 PM

Configure your system to generate a full crash dump:

http://www.msfn.org/...g-memory-dumps/

Zip the dump and upload it to mediafire.com.

#9 submix8c

Posted 23 April 2011 - 01:48 PM

I've found "redirectors" in the LSP before. You could search for "LSPFix", download it, run it (DON'T let it fix anything yet!), and list what's in the windows.

(FWIW) - P.S. Some antivirii think it's a virus/trojan because it alters the registry, so temporarily disconnect from the internet (unplug) and temporarily disable AntiVirus.

#10 marenqo

Posted 23 April 2011 - 02:09 PM

I received the following Generic Host Process for Win32 Services error:

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll
szModVer : 5.1.2600.6055 offset : 00022235

----------------------------

I will now look for LSPFix and create a full crash dump (and zip it to here).

#11 marenqo

Posted 23 April 2011 - 02:56 PM

I downloaded LSPFix from here http://www.cexx.org/lspfix.htm, but it said that it could not find any problems.

Now downloading the SDK for Windows for the crash, it will still take a while.

#12 MagicAndre1981

Posted 23 April 2011 - 03:01 PM

The SDK is for app crashes. To get a Windows dump add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

#13 marenqo

Posted 23 April 2011 - 03:42 PM

MagicAndre1981, on 23 April 2011 - 03:01 PM, said:

The SDK is for app crashes. To get a Windows dump add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

I downloaded the SDK (changed the registry keys) and pressed the keyboard combi, there was a reboot, but I don't know where I can find the log. Do you have any ideas? I tried: C:\WINDOWS\Minidump and , but that was empty and there was no WINDOWS\memory.dmp.

Thanks

#14 marenqo

Posted 23 April 2011 - 03:57 PM

I finally managed to create a dmp file and attached it in zip format. It was created after I booted up the PC, and I don't think it suffered from anything (no extreme memory usage).



#15 MagicAndre1981

Posted 24 April 2011 - 05:41 AM

Do you see the large Memory.dmp in C:\Windows? I need this file. Press the keyboard combination at the point where you get the high memory usage issue.

#16 marenqo

Posted 25 April 2011 - 07:08 PM

Please find attached, the first time the attaching did not work



#17 marenqo

Posted 27 April 2011 - 07:10 PM

Any news on this? My pc has been infected now for over a week and I have been posting on my different forums, unfortunately without success of resolving this....

#18 allen2

Posted 27 April 2011 - 11:53 PM

Of course, you didn't do what MagicAndre1981 asked. If you don't post a full memory dump generated at the time you get the peak of memory usage, then nobody can know what is going wrong on your computer. Don't blame others for your lack of knowledge and abilities.

#19 Tripredacus

Posted 28 April 2011 - 08:25 AM

MagicAndre1981, on 23 April 2011 - 12:56 PM, said:

Configure your system to generate a full crash dump:

http://www.msfn.org/...g-memory-dumps/

Zip the dump and upload it to mediafire.com.

Here are the memory dump instructions again.

Also, I fixed the typo in the topic title, seeing the word "svshot" was killing me.

#20 Tarun

Posted 28 April 2011 - 03:06 PM

It would be worthwhile to run sfc /scannow. You could also use Dial-a-fix since you're on XP.




All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2013 msfn.org