marenqo Posted April 23, 2011 (edited)

Happy Easter holidays everybody,

For a few days now I have had a serious svchost problem. It's taking most of my 3gb of ram and when it does my pc crashes.

I have looked around on the Net for some time for possible solutions, but have not found anything that helped. Installed dozens of programmes (Kaspersky, IObit Security 360, Spyware Blaster, Malwarebytes' Anti-Malware, Combofix etc), but really nothing seems to help. Kaspersky Web anti virus tells me every now and then that it has blocked sites such as hxxp://fr0udsafetycheck0n.com and hxxp://jan2.cz.cc. I expect that might have something to do with it. It also could be windows update which behaves strangely, but here I also tried much of the advice given on the Net. When I try to update through IE, IE refuses to work properly and when I do get through I get an update error (0x80072EFE).

This is what HijackThis v2.0.4 gives me:

Scan saved at 15:42:36, on 23/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\IObit Security 360\b_securityholes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-602162358-1960408961-1801674531-501\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0FO\kloehk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

Is there anybody that can/wants to help me?

Many thanks in advance,
Marenqo

Edited April 28, 2011 by Tarun: Delinked the malicious sites.

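A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the thread. It is Python written for this page: the sample log is constructed (the Temp path is invented), and the three checks are assumptions about what a helper would review first, not HijackThis features.

```python
import re

# Constructed sample in the layout of the log above; the Temp path is invented.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: IS360service - Unknown owner - C:\Program Files\IObit\IObit Security 360\IS360srv.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
SYSTEM32 = "c:\\windows\\system32\\"

def parse(log):
    """Split a log into running-process paths and entries grouped by section code."""
    processes, entries, in_procs = [], {}, False
    for line in (raw.strip() for raw in log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(log):
    """Return (reason, text) pairs a reviewer should look at first."""
    processes, entries = parse(log)
    findings = []
    for path in processes:
        low = path.lower()   # Windows paths are case-insensitive
        if low.endswith("\\svchost.exe") and not low.startswith(SYSTEM32):
            findings.append(("svchost.exe outside system32", path))
    for code, items in entries.items():
        for text in items:
            if "(file missing)" in text.lower():
                findings.append(("target file missing", text))
            if code == "O20":  # these DLLs load into every process that loads user32.dll
                findings.append(("AppInit_DLLs entry, verify the vendor", text))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A finding is a prompt for manual review, not a verdict: in the posted log the AppInit_DLLs entries point at the Kaspersky install directory and the missing file is a leftover IObit service.
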
MagicAndre1981 Posted April 23, 2011

Run VMMap. Select the svchost.exe which causes the high memory usage, save the data and upload the saved data.

marenqo Posted April 23, 2011 (edited)

I hope this was the correct svchost.exe. The increase in usage fluctuates, but when it has reached 100 per cent the system freezes and I am forced to reboot.

edit: it says: "You aren't permitted to upload this kind of file". Shall I upload it somewhere else?

edit: uploaded it here: http://www.mediafire.com/?4b2k8mneb45iu2n

Edited April 23, 2011 by marenqo

MagicAndre1981 Posted April 23, 2011

The exe is fine (Workingset is 70MB).

marenqo Posted April 23, 2011

It must have been another one then, my pc is relatively quiet at the moment. Something forces it to over-perform and crash the system.

submix8c Posted April 23, 2011 (edited)

> edit: it says: "You aren't permitted to upload this kind of file". Shall I upload it somewhere else?

FYI, you can ZIP/Compress (7-Zip, WinRAR, WinZip, or XP built-in) and upload that (it's the .EXT of .MMP that was rejected). Besides, it's preferable since it reduces the size of the "upload"...

And I see another member is helping (see above post). Odd consumption... A hidden "service"? You could maybe try MalWareBytes and/or SpyBot. Something is running that shouldn't be (malware - has to be). The "blocked sites" is the clue...

Edited April 23, 2011 by submix8c

marenqo Posted April 23, 2011

Could have zipped it indeed, did not think about it, sorry.

At some point one of my svchost.exe simply starts to increase and gradually take over my pc, which starts making a lot of noise, programmes stop working etc. I think there is indeed malware somewhere, but I tried already so much (inc. MalWareBytes) and nothing seems to find anything. Kaspersky 6.0 warns of blocked sites, which are always the same, but I do not know how to track from where these are started. I googled those sites, but could not find anything. IE now has stopped working, Firefox is sluggish etc and windows update does not work.

MagicAndre1981 Posted April 23, 2011

Configure your system to generate a full crash dump:

Zip the dump and upload it to mediafire.com

submix8c Posted April 23, 2011

I've found "redirectors" in the LSP before. You could search for "LSPFix", download it, run it (DON'T let it fix anything yet!), and list what's in the windows.

(FWIW) - P.S. Some antivirii think it's a virus/trojan because it alters the registry, so temporarily disconnect from the internet (unplug) and temporarily disable AntiVirus.

marenqo Posted April 23, 2011

I received the following Generic Host Process Win32 services errors:

szAppName : svchost.exe
szAppVer : 5.1.2600.5512
szModName : ntdll.dll
szModVer : 5.1.2600.6055
offset : 00022235

----------------------------

I will now look for LSPFix and create a full crash dump (and zip it to here).

marenqo Posted April 23, 2011

I downloaded lspfix from here http://www.cexx.org/lspfix.htm, but it said that it could not find any problems.

Now downloading SDK for windows for the crash, still will take a while.

MagicAndre1981 Posted April 23, 2011

The SDK is for app crashes. To get a Windows dump add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

marenqo Posted April 23, 2011

> The SDK is for app crashes. To get a Windows dump add the registry key and press the keyboard combination to get the crash dump at the time you get the issue again.

I downloaded the SDK (changed the registry keys) and pressed the keyboard combi, there was a reboot, but I don't know where I can find the log. Do you have any ideas? I tried: C:\WINDOWS\Minidump and , but that was empty and there was no WINDOWS\memory.dmp.

thanks

marenqo Posted April 23, 2011

I finally managed to create a dmp file and attached it in zip format. It was created after I booted up the PC, and I don't think it suffered from anything (no extreme memory usage).

Mini042311-01.zip

MagicAndre1981 Posted April 24, 2011

Do you see the large Memory.dmp in C:\Windows? I need this file. Press the keyboard combination at the point where you get the high memory usage issue.