svchost and starbar trouble

Welcome to Major Geeks!

While you have a few things to fix, you major problems may not be due to malware. They may be due to the choice of installing Norton. You should consider uninstalling all of the Norton/Symantec software which is most likely the reason your PC is getting bogged down. You can replace it with free tools given here:
How to Protect yourself from malware!

First a couple question from what I saw in your logs. These are not malware issues so if you cannot answer questions, you may need to research answers in the Software Forum. Why were the below proceses running?

Why does Encarta require all of the below and why does it need to load at all when your PC starts up?

Now let's fix a few problems.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Viewpoint Media Player
<-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log ( c:\combofix.txt ) for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!

 

But before Norton, you had McAfee which can also slow your PC down a ton. Not as bad as Norton but it is still a resource hog. Thus installing Norton, may have taken you from bad to worse.

Does the software you installed from Norton/Symantec include a firewall? If so, you will need to uninstall Port Monster.

Looks that way.

Not according to your logs. Did you uninstall it before or after getting the logs? The below are in your HJT log:

Be careful with svchost.exe. There will always be several (even more sometimes) running and most of the time they are valid and required. Don't use Task Manager to look at them. Use HijackThis's process manager because it will show where they are running from. C:windows\system32\svchost.exe is valid. Anywhere else is bad. Task Manger will not tell you the path to the file and as such is not very useful.

It still could be Norton. Try uninstalling but double check your logs to make sure it all gets uninstalled. Norton can be as troublesome as malware to get uninstalled. After uninstalling Norton. Tell me how things are running.

Sounds like Norton may have been causing some problems for ComboFix but it appears to have run reasonably well in spite of this. Sometimes it is necessary to shutdown and even uninstall protection software (like Norton) inorder to remove malware issues. This happens becaue the protection software can view what we are trying to do as malware actions.

I will look thru your new logs and see whatelse there is to do but I still think that you should just first try what I suggested and that is Uninstall all of the Norton software and then tell me how things are running.

Also tell me how fast is your processor and what type? Also how much RAM do you have?

 

Okay I do see signs of a possible WareOut infection that needs to be removed. Please run the below procedure.

WareOut Removal

Attach the requested log from FixWareOut.


Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

And if you are sure that Encarta is not needed anymore, also fix the below lines.
O4 - HKCU\..\Run: [E07ZXLRD_926343] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [E07ZXLRD_9172718] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [E07ZXLRD_2323562] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [E07ZXLRD_11490828] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m
O4 - HKUS\S-1-5-21-1060284298-1708537768-682003330-1004\..\Run: [E07ZXLRD_2323562] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m (User '?')
O4 - HKUS\S-1-5-21-1060284298-1708537768-682003330-1004\..\Run: [E07ZXLRD_11490828] "C:\Program Files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" -m (User '?')

After clicking Fix, exit HJT.

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT
4. don't forget the log from FixWareOut

Make sure you tell me how things are working now!

 

Okay make sure you complete what I requested in message # 8 and then attach the requested logs.

 

You should seriously consider upgrading to 1 GB of RAM. 384 MB is way to low for Windows XP to run properly.

Not needed. The running process list is already in your HJT log and in fact your HJT log shows the below running.

C:\DOCUME~1\Simon\LOCALS~1\Temp\Div52.tmp\DivXInstaller.exe

Why is this running?

FixWareOut removed a few problems.

Now uninstall Windows Defender and then reboot. Is your PC running any better now?

 

That's 512K.

Indeed!!!!!


Did uninstall Windows Defender help at all?

 

Please describe exactly what your problems are but first do the below and then see if there are still problems.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Fixing Locked Desktop
Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.


Now also attach new logs from GetRunKey, ShowNew, and HJT if still having problems.

 

Much of what you are describing could still be related to inadequate RAM and also there is potential that the RAM that was used to replace yours does not have the required specs to properly operate in your PC. And in addition, the RAM could even be defective.

This is normal and what you want. System Idle Process is not a real process. It is a measure of the time your processor is not doing any other tasks. Thus your processor was 99% free.

Killing a required svchost process will always cause this to happen.

 

Well that is a good sign anyway.

It's possible that something has corrupted your OS since we have not found any major malware issues other than WareOut but it has not been know to cause the kind of problems you are seeing.

I'm looking at your logs now. I'll let you know if I find anything.

 

I still do not see any reasons for you problems but I do have some steps for you to take.

First I suggest that you avoid saving so much stuff on your Desktop like you currently have. I suggest you move everything but .lnk files someplace else if you really need them. Even the GetRunKey and ShowNew folder should not be here as requested in the READ ME. The more you put on your Desktop the more you can impact your PC's performance. You Desktop has to get refreshed all the time, and the act of doing this can cause an antivirus prorgam (which you don't have right now since we uninstalled it) to scan each of these Desktop files everytime the Desktop refreshes. In addition, the Desktop is not really a safe place to save things you may need long term because malware likes to play around with your Desktop.

Now let's cleanup after Norton/Symantec a little.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

After clicking Fix, exit HJT.

Something else of possible concern is that you svchost.exe files appears to have been recently updated/changed. I see this

Code:

 
"C:\WINDOWS\system32\"
svchost.exe   22 Oct 2007       14336  "svchost.exe"

Do you have your Windows XP SP2 boot CD?

 

Also just to be on the safe side, let's check for rootkits. Run the below and attach the requested log.

Running GMER to detect rootkits


Do all of your symptoms/problems also occur if you boot in safe mode?

 

No rootkits were found which is good!

Okay I'm not sure exactly what is causing your problem right now but I would like to eliminate the possibility of two other programs loading at startup before we pursue potential issues with the svchost.exe file for no reason at all. Also I want to remove an unnecessary item from your HJT log.

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

After clicking Fix, exit HJT.

Nopw please uninstall Webroot Window Washer and AVG Antispyware and then reboot. Does this have any signficant effect on your PC.

It is more a matter of choice with everyone on how they partition things. I would not have made your Windows boot partition that small. In fact with an 80 GB drive I would have just kept one partition, or I would have made two 40 GB partitions.

Maybe & maybe not. You are missing some additional info that should be on this Virtual Memory form. While the below will not match your settings, you get the idea of what should be on the form.

Next time I'm adding on to my house, I'll give you a shout.

 

Yes right now it would sound like it. However for your future use, the new RAM is a very good investment.

Yes but you need the svchost processes. Anything you kill would obviously have a inpack on perfomance. The question is why is this one svchost process causing such a big problem. It sounds like you have some kind of issue within the Windows OS or with a driver. This does not appear to be malware. Since it does not happen in safe mode, there is something that loads in normal boot mode that is causing the issue. I wanted to try using a Windows boot CD to boot to the recovery console so that you could replace the svchost.exe file with one from your CD just to see if it was somehow related. I was questioning the recent date change on your svchost.exe file. Are you sure that your CD is not a bootable CD? Have you ever tried to boot from it?

This could be the best alternative for you right now especially if you have no boot CD. But you will have to backup all of your data and you will have to have CDs to reinstall your OS and all drivers for your PC.

 

First before starting the below steps, create a new folder in the root of drive C and name the folder MGtmp. Thus you should have C:\MGtmp

Now I want you to put the Windows CD into your CD drive, but do not reboot to the CD yet. We are going to copy a file from it first. Once you have the CD in the drive, access the CD with Windows Explorer ( you run Windows Explorer by right clicking Start and selecting Explore). On the CD double click on the i386 folder to enter this folder. Scroll down to the svchost.ex_ (yes the underscore is correct) and right click on it and select copy. Then navigate back to the C:\MGtmp folder and then right click in the MGtmp folder and select paste. This should create a copy of the svchost.ex_ file in this temp folder. If this does not work, STOP and tell me. If it works, then continue. Leave this Windows Explorer window open monitoring the MGtmp folder.

Now click Start and select Run and enter cmd and click OK. This should open a command prompt window. In the command prompt window enter the below commands in black bold print

cd C:\MGtmp
expand svchost.ex_ svchost.exe
exit


Note: there are spaces after the cd, after the expand, and after the svchost.ex_
The exit command should close the command prompt. Now back in your Windows Explorer window we left open, check to see that you now have svchost.ex_ and schost.exe in that folder. If not, STOP and tell. It you do have both files, continue.


The Recovery Console Part

Now read thru the below to familiarize yourself with it and print it so you can refer to it while offline since you will now be able to browser once starting the below.

1. Put the Windows XP CD into the CD ROM tray and close the tray. You may get a popup window asking about installing Windows XP. If you do, just close that window.
2. Then restart your computer
3. This should cause your computer to boot from the CD instead of the hard drive..(if not your you'll need to enter the BIOS and set the boot order so the CD ROM is first in the list.)
4. You should get a "Press any key to boot from CD" message! Press a key to do that otherwise it will by pass the CD boot.
5. After it boots up, you will see it load a bunch of files (be patient it can take a little while) and eventually you will see a menu where you can select the "Recovery Console" by pressing R It is normally the middle item in the list. Press R
6. You will see a list of possible Windows partitions with numbers next to them. Select your Windows Installation (which is C:\Windows) by typing the number next to it (which should be 1) and press enter.
7. It will ask you for the Administrator password is next (so make sure you know it). It you never gave it a password it is probably blank. If it is blank, just press enter. If you have set one then type it in and hit enter. It will tell you if you enter the wrong password.
8. When you enter the correct password you will get a prompt that looks like this: C:\WINDOWS>

Now from this command prompt window, here are some things I want you to do. Enter the below commands in the order given. I will add comments in purple.

cd system32 <-- the prompt should change to C:\WINDOWS\SYSTEM32>
ren svchost.exe svchost.bad <-- this will rename the current file
copy c:\MGtmp\svchost.exe <--- this should copy into the system32 folder the file we created earlier. Make sure you get a message indicating 1 file was copied
cd dllcache <-- the prompt should change to C:\WINDOWS\SYSTEM32\dllcache>
copy c:\MGtmp\svchost.exe <--- this should copy into the system32\dllcache folder the file we created earlier. Make sure you get a message indicating 1 file was copied
exit <--- this will exit the Recovery Console and boot to Windows

If your PC still boots to the CD, remove the CD and reboot.

After reboot, attach a new log from ShowNew also tell me if there is any change at all to your problems. If not, click Start and select Run and enter cmd and click OK. This should open a command prompt window. In the command prompt window enter the below commands in black bold print

sfc /scannow

The above will run a system file check looking for potentially bad or corrupted system files. If may ask for your Windows CD so be ready to put it back into the CD drive if it asks for it.

Did any of the above help?

 

Do the svchost.ex_ and svchost.exe file exist if you look in the C:\MGtmp folder right now in normal boot mode. Also if you right click on the svchost.exe file and select Properties, which Attributes are checked.?

Run this right now anyway and tell me what happens.

Hate the socks!

 

Hmmm! When you did the cd system32 did the prompt change to C:\WINDOWS\SYSTEM32> as I said it should

I grew up as a Yankee fan and I play on a team named after the Yankees.


Let me know the results of the sfc \scannow also attach a new log from ShowNew.

 

That just means that based on what it checks for that nothing was found or that it automatically just fixed anything it needed to fix.

When you did the ren svchost.exe svchost.bad command at the recovery console did it complain at all. The reason I ask is that I do not see a file named svchost.bad in your system32 folder. That would mean that the rename did not work.

 

Do you know how to copy (while in normal boot mode) the svchost.ex_ file into the c:\windows\system32 and c:\windows\system32\dllcache folder without me explaining? If yes, please do that now.

 

That means that it did repair something automatically. Are you still noticing problems with excess CPU use on svchost.exe ?

This would more than likely be denied because multiple svchost.exe process will be running and thus the file could not be overwritten. This was the reason for wanting to copy it after booting to the Recovery Console. Windows is not running when you boot this way. Thus the svchost.exe process and all other Windows process are not running which makes it possible to repair/replace them.

Did you get the svchost.ex_ copied to system32 and to dllcache? Look with Windows Explorer to make sure they are there.

 

You can use safe boot mode to do this steps since you said it runs better in safe mode.

 

Okay so did you get the svchost.ex_ file copied to both folders.

It's now 3 to nothing!

 

Okay I thinking about how to approach the next steps.

3 to 1

 

Okay you will use the same procedure to boot to the Recovery Console but use the below set of commands in black print. Purple is again just comments.

cd system32\dllcache <-- the prompt should change to C:\WINDOWS\SYSTEM32\dllcache>
del svchost.exe <-- delete the current file in this folder
expand svchost.ex_ svchost.exe <-- creates a new svchost.exe from your original
dir svchost.exe <-- should show you the svchost.exe file if created properly
cd .. <-- yes the dot dot is correct. This should cause the prompt should change to C:\WINDOWS\SYSTEM32>
ren svchost.exe svchost.bad <-- this will rename the current file.
expand svchost.ex_ svchost.exe <-- creates a new svchost.exe from your original
dir svchost.exe <-- should show you the svchost.exe file if created properly
exit <--- this will exit the Recovery Console and boot to Windows

If your PC still boots to the CD, remove the CD and reboot.