svchost.exe and svchost.mdmp.exe and god knows what

Discussion in 'Malware Help (A Specialist Will Reply)' started by porky, Jan 16, 2008.

  1. porky

    porky Private E-2

    Hi, it's been a frustrating couple of months. At first I was having this error where, after connecting to the net, an error occurs every time that says svchost.exe.mdmp. Then after reformatting several times there still seems to be an svchost; when I try to "end process" an automatic 50 second shutdown begins. And the moment I insert my thumb drive, the svchost.exe.mdmp problem begins.

    I realise that the thumb drive contains the virus, so I don't insert it anymore after another reformat, but still I have a horrible connection due to that one naughty svchost.exe that is in the processes, but I've scanned the system with all antiviruses:

    1) Bit Defender (free)
    2) AVG (free)
    3) Avira (free)
    4) Symantec (free)
    5) FixIEdef (free)
    6) Kaspersky (full paid version)
    and a couple of others, all fully updated, but nothing can be detected. This is really frustrating.

    I use Windows XP Service Pack 2. Please please somebody help. I've attached a HijackThis log. I hope something comes out of it.

    Thank you so much and I apologise for this long post.

    Also please remember that the problem persists even after reformatting (reformatted about 30 times already), and I even pulled the power and removed the RAM for a whole day in hopes of clearing the memory.

    - porkos -
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi porky!
    Welcome to Major Geeks!

    We use some scans for removing viruses and others for diagnostic procedures. The way you have HijackThis installed won't give us any useful information to work with. Please go to the READ & RUN ME FIRST and work through the instructions paying attention to those which apply to your operating system. When you finish, please attach the requested logs. One of us will look at what's going on in your computer and see if this is a malware problem. From your description, it might be.

    abri
     
  3. porky

    porky Private E-2

    Before I do the HijackThis once more: by luck I reinstalled the latest version of Kaspersky Antivirus (activated full version) and just once it said the following:

    detected: riskware Invader Running process:C:\WINDOWS\system32\svchost.exe

    But nothing seems to be quarantined, though the report is there, and so is the problem. When I rebooted and rescanned again there was nothing detected.

    This thing is playing a mind game with me.

    I will try to redo the HijackThis log. This is hard work.

    Thank you so much for your time.
     
  4. porky

    porky Private E-2

    I don't know why I can't edit, but in addition to that comment, in the reports in Kaspersky it also says the following:

    1/16/2008 6:09:44 PM Process C:\WINDOWS\system32\svchost.exe (PID: 2640): attempt to embed itself into another process was blocked.


    Sorry for the multiposts but I can't figure out where that edit button disappeared to.
     
    Last edited: Jan 16, 2008
  5. abri

    abri MajorGeek

    Hi porky,
    I'm familiar with Kaspersky. It is a very thorough program. Although it's a very good program, it does not distinguish for the user between harmful and well-known good programs. Just go ahead with the instructions in the READ ME and we will come back to these issues later. If you find you are unable to work because of it (it may consider the MGTools worthy of a warning) then you may have to lower the settings for a time.
    abri
     
  6. porky

    porky Private E-2

    These are the three logs according to the "read me" post; another three in the next post.
     

    Attached Files:

  7. porky

    porky Private E-2

    OK, this is it.... please please help me! I need my computer back. hehehe

    Thank you so much for taking the time.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Porky,
    There are several issues here. First of all, do you have the most recent version of Kaspersky? There are some issues with warnings occurring due to a driver problem and this was corrected with v. 7. In the case of your mdmp file, I think that Kaspersky is recognizing something as a virus that is a dmp file produced when one of your programs crashes. One program which causes an mdmp file to be produced is HalfLife 2. I think before you break your head further looking for malware, it would be a good idea to see if your Kaspersky is the most recent and if not, try updating that first. The following is not related to your exact error message, but in comment 2 and comment 4 you can find links to the updating software, one normal and one without a scan for incompatible hardware. In this particular thread, there is mention of a bad driver being behind some issues with Kaspersky.

    http://forum.kaspersky.com/index.php?showtopic=55287

    abri
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ ME does not ask for these files from the MGtools folder. It only asks you to attach the below logs:
    • C:\ComboFix.txt
    • AVG AntiSpyware
    • C:\MGlogs.zip
    When you say the below
    please explain what you mean by formatting.
    • Did you just reinstall? Or did you really format the hard disk and then reinstall?
    • Did you reinstall from original uninfected media? Or did you install from copies?
    • Did you install anything else other than the OS and Kaspersky before checking to see if you are infected?
    • If your thumb drive was infected and you kept reinserting it then that is possibly why you had no luck after doing reinstalls.
    • Did you delete your partition, repartition, format and then reinstall from original uninfected media? Did you have all protection software (AV, AS, firewall) installed before connecting to the internet? Based on your logs, I doubt you had proper protection because you still do not.
    The last bullet item is the proper method for doing a true clean reinstall.


    All the above being stated, I'm not sure what your current problem is. You do not have any malware in your logs. Are you still having issues after no longer using your thumb drive?
     
  10. porky

    porky Private E-2

    Hey abri, I'm using the latest Kaspersky, it's v7 and has been updated; I always make sure that's done. What should I do?


    When I say I reformatted I mean I have reformatted completely, erased the entire hard disks (all the partitions). I know the thumb drive is infected, so I never used the thumb drive anymore.

    It's true I don't have a firewall other than the Windows firewall, which I keep turned off, and I also turned off my antivirus (Kaspersky v7) so it doesn't interrupt the other scans. Though I don't know what an "AS" is? If you mean anti-spyware then AVG Anti-Spyware is the only one I have.

    And yes, I'm still having major issues even after a total reformat and without inserting my thumb drive. And I don't mean to sound paranoid, but occasionally when I type svchost in my browser (e.g. posting on this forum) the svchost error occurs.

    Thank you so much for taking the time to solve this issue.
     
  11. abri

    abri MajorGeek

    Porky,
    When you reformatted each of those times, did you always put back in the same programs? Are they all together on an image disk or do you have the original CDs of the software? If the programs you're installing are not on the original disks, then I would tend to think that you are reinfecting your computer not with the flash drive but with some other one of your reinstallation media. For instance, if you made an image disk with Acronis and your hard drive already had a problem, then you'll just keep installing the same thing over and over again. What happens if you only install the operating system and only that which you need to connect to the internet? Leave out the media players, Adobe, Nero, Soulseek, anything that isn't a requirement, just to get a connection. Do you still get the same problem then?
    abri
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means you are unprotected and have no firewall. I have seen PCs get seriously infected in as little as 5 to 10 seconds of connecting to the internet when not properly protected.

    Yes AS is antispyware and you probably only installed this when you ran the READ ME which means you did not have any antispyware protection previously. Note that AVG Antispyware will not provide any protection after the 15 trial is over. After that point it is just an after the fact scanner.

    What do you mean "type svchost in your browser"? Are you trying to run svchost.exe from your browsers address bar? Why??? svchost.exe is not something you run this way. It is used by the OS.
     
  13. porky

    porky Private E-2

    Yes, I'm aware of it now, but I do keep these turned on usually. And what I meant is when I type out the word svchost, like how I'm typing the word right now in this post, the error almost immediately pops up; it's like it's reading my browser.

    I know now my errors of not protecting my PC, but with all this protection now the problem is still there, so this is not helping right now.


    Hey abri, I did have a feeling that my programs might be causing the virus, so I never reinstalled any of the programs. Nothing; after reformatting I just surfed the net without anything installed (except my antivirus) and the problem still remains. But I download all the programs I install off the net, of which there are very few. I'll list the programs I use. I download all these programs from their respective sites.

    1) uTorrent
    2) Soulseek
    3) Firefox
    4) VLC player
    5) RealPlayer 11
    6) Windows Live Messenger
    7) Acrobat Reader
    8) Ares

    These are the only programs I install and use. This computer is not used for anything else.
     
  14. abri

    abri MajorGeek

    Hi Porky!

    The thing about typing in svchost and having an alarm go off is one of those eerie experiences that we all hope can be attributed to coincidence. I spoke on the phone about tornados and the next time I went online, I had spam about tornados. So, be assured I take your observation seriously.

    What I would suggest is that you go to the How to Protect Yourself from Malware and go through the instructions there regarding which combination of software we recommend to protect your computer. I have had some people's erratic problems go away by installing a firewall, which would indicate that someone somewhere was getting into their computers. This may be your case as well. Try that. Do not do all the extra cleaning procedures. Simply look for the combination of software that will be the best for your machine and make sure they are installed according to the instructions. They are all free programs.

    If you have the activation key for Kaspersky, download one of the free antivirus installation programs (like AVG or Avast) but do not install it. Simply put the installation program where you can find it. Then shut down your computer and disconnect it from the internet. Boot back up (while disconnected) and turn Kaspersky off by right-clicking on the icon and clicking on the choice to end it. After it stops the icon will disappear. Then go to Start / All Programs and go to the Kaspersky entry. Look for the uninstall / repair option and choose that. Choose to uninstall Kaspersky and take it out of your computer altogether including all the folders. Then install the free antivirus program you chose.

    Now you should have a firewall, antivirus program and a couple of anti-spyware programs including SpywareBlaster.

    RECONNECT to the internet. See how your machine is running with this new set of software. Does it make any difference to not have Kaspersky?

    Next:

    If you can get your hands on the bad svchost file, try to upload it and have it scanned at one of the following sites:
    jotti or VirusTotal or virus.org, Kaspersky or at viruschief and let me know the results.

    And finally, please go to Alternate Scans and scroll about halfway down the page to the rootkit scans and run 4 or 5 of those. Attach the results here.

    abri
     
  15. porky

    porky Private E-2

    Hi, I will follow what you told me; though I may not have tried combinations, I have tried several antiviruses. I'll get on that right away. But before that I was going through the Kaspersky report and I noticed this in the reports. This has been repeating itself a number of times, and often the Kaspersky virus scan gets interrupted and it stops. I'll paste several parts of the report. I apologize if this is taking up space.


    1/16/2008 6:13:34 PM Process (PID 492) tried to access Kaspersky Anti-Virus process (PID 740), but the action has been blocked by the Self-Defense component. No action on your part is required.

    1/21/2008 5:00:47 AM Process (PID 988) tried to access Kaspersky Anti-Virus process (PID 2324), but the action has been blocked by the Self-Defense component. No action on your part is required.

    1/21/2008 5:01:24 AM Process (PID 2312) tried to access Kaspersky Anti-Virus process (PID 2324), but the action has been blocked by the Self-Defense component. No action on your part is required.

    1/21/2008 11:13:13 AM Process C:\WINDOWS\system32\svchost.exe (PID: 1612): attempt to embed itself into another process was blocked.


    Thank you for taking the time.

    - L e x -
     
  16. abri

    abri MajorGeek

    Hi Porky,

    Yes, go ahead with the instructions I gave you for safely replacing Kaspersky with another antivirus program and see if you are still getting the same problems. The problem you were having with your flash (thumb) drive indicates there's a driver problem, not a malware problem. I looked through your list of programs and none of them are problems. They are all software that works and isn't full of malware. I'm tending more and more towards the thought that your connection problem is not related to the warnings you are getting from Kaspersky, but rather an actual connection problem. Having warnings from Kaspersky at the same time you're having connection problems could be interpreted as malware problems, but it may be that Kaspersky is recognizing a non-malware issue as malware. I would like to see what happens when you install a two-way firewall.

    abri
     
  17. porky

    porky Private E-2

    Well, I still think it's malware because often (not always) when I used to insert my thumb drive, within a couple of minutes a message comes out saying "Windows has finished installing drivers, please restart"... This sometimes causes Windows to crash completely or causes the svchost.exe.mdmp error to occur. But nonetheless it still occurs now even when I don't insert the thumb drive.

    I probably should have mentioned this earlier, I'm sorry, it's just getting a bit complicated for a below-average user like me.

    Also, you mentioned something about a two-way firewall. What companies offer this and are there good free ones? I checked in the "how to protect" page and didn't see anything called two-way firewalls.


    thank you so much.
     
    Last edited: Jan 21, 2008
  18. porky

    porky Private E-2

    After uninstalling Kaspersky and installing Avast (still don't know how to work this AV) I ran an AVG spyware scan and got a few things out... I'm attaching the log here.


    Gosh, this must be tiring all you people out. Can't help but be very grateful to everyone here.
     

    Attached Files:

  19. porky

    porky Private E-2

    After installing Sygate Personal Firewall, I kept getting this message whenever I rebooted the PC:

    Generic Host Process for Win32 Services (svchost.exe) is being contacted from a remote machines (60.48.32.181) using local port 135 (EPMAP - Location service - Dynamically assign ports for RPC) do you want to allow this program to access the network?

    I attached the details of this message below.

    thank you very much
     

    Attached Files:

  20. abri

    abri MajorGeek

  21. porky

    porky Private E-2

    That's the mother company of my Internet Service Provider, but I've called them to ask if it's appropriate for this IP address to be accessing my computer; they seem to draw a blank. I need to go down to the center and somehow investigate this IP address.

    This is just out of chance, but do you think that this should be allowed? Because ever since I installed the firewall and didn't allow this IP to attach itself to svchost, there have been no errors BUT! my internet connection has dropped close to 0; I get about 20kbps I think. If I'm lucky, I can access this forum.


    thank you so much !

    - L e x -
     
  22. abri

    abri MajorGeek

    Are you not getting the errors because you put the firewall in? Or are you not getting the errors because you changed from Kaspersky to Avast?

    Have you considered trying a different internet service provider to see if you still have the same problems? Is that a possibility for you?

    abri
     
  23. porky

    porky Private E-2

    I wish I could get a new ISP; I am working on that. I'm going down to the center to find out what's going on, and there are no more errors but the internet connection declines badly; I can't even access Google at times.

    There are also other programs like NT Kernel & System and LSA Shell; should I be blocking these? Is this why my internet connection drops so badly?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, you should not be blocking Generic Host Process (which is svchost.exe), NT Kernel (which is Ntoskrnl.exe), or LSA Shell (which is lsass.exe).
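    The alert porky quoted from Sygate and the processes chaslang names above are the raw material for a defender's triage, shown here as an added example that is not code from the thread or from Sygate. The alert text pattern is an assumption modelled on the quoted message, and the two sample alerts are constructed; the code separates the two questions the thread runs together: whether the contacted program is a Windows component that must not be blocked, and whether an unsolicited inbound connection from outside the LAN to a Windows RPC/SMB port should be refused regardless of who owns the source address.

```python
"""Triage inbound-connection alerts like the Sygate message quoted in this thread:
(1) never block the Windows service hosts themselves; (2) refuse unsolicited
traffic from outside the LAN to Windows RPC/SMB ports, whoever owns the source."""
import ipaddress
import re
from dataclasses import dataclass

# Windows components chaslang says must not be blocked as programs.
OS_SERVICE_HOSTS = {"svchost.exe", "ntoskrnl.exe", "lsass.exe"}
# Ports that should never accept unsolicited traffic from outside the LAN.
WINDOWS_SERVICE_PORTS = {135, 137, 138, 139, 445}

# Assumed shape of the Sygate alert text, modelled on the message quoted above.
ALERT_RE = re.compile(
    r"\((?P<process>[\w.-]+\.exe)\) is being contacted from a remote machines? "
    r"\((?P<remote_ip>[0-9.]+)\) using local port (?P<port>\d+)"
)


@dataclass
class Verdict:
    process: str
    remote_ip: str
    local_port: int
    os_component: bool     # True: leave the program itself alone
    drop_connection: bool  # True: refuse this inbound connection
    reason: str


def parse_alert(text):
    """(process, remote_ip, port) from an alert line, or None if it does not match."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    return m["process"].lower(), m["remote_ip"], int(m["port"])


def triage(text):
    """Classify one alert; None when the text is not an inbound-connection alert."""
    parsed = parse_alert(text)
    if parsed is None:
        return None
    process, remote_ip, port = parsed
    addr = ipaddress.ip_address(remote_ip)
    # RFC 1918, loopback and link-local peers are on the same LAN or host.
    on_lan = addr.is_private or addr.is_loopback or addr.is_link_local
    drop = port in WINDOWS_SERVICE_PORTS and not on_lan
    if drop:
        reason = (f"unsolicited Internet connection to Windows service port {port}: "
                  f"refuse it (ideally at a router) without blocking {process}")
    else:
        reason = f"inbound to port {port} from {remote_ip}: no perimeter rule needed"
    return Verdict(process, remote_ip, port, process in OS_SERVICE_HOSTS, drop, reason)


# Constructed samples; the first reproduces the alert quoted in the thread.
SAMPLE_ALERTS = [
    "Generic Host Process for Win32 Services (svchost.exe) is being contacted "
    "from a remote machines (60.48.32.181) using local port 135 (EPMAP - Location "
    "service - Dynamically assign ports for RPC) do you want to allow this program "
    "to access the network?",
    "Generic Host Process for Win32 Services (svchost.exe) is being contacted "
    "from a remote machine (192.168.1.10) using local port 445 (Microsoft-DS)",
]
```

    Running `triage` over `SAMPLE_ALERTS` marks the first alert as a Windows component that should stay unblocked while the connection itself is refused, and the second (a LAN peer) as needing no perimeter rule.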
     
  25. porky

    porky Private E-2

    There's also another thing called Application Layer Gateway Service; should I allow that?

    Hey Chaslang, you told me to allow Generic Host Processes, and I have, but the firewall has been asking me before this that something is trying to attach itself to svchost. It keeps saying that svchost is being contacted from a remote computer, so is this normal? Whatever it is, the svchost error doesn't occur anymore, but nonetheless my internet connection is horrible and for some reason my slsk just refuses to connect, and if it does connect it instantly disconnects.

    Do you think it's what abri suspected earlier? Could it just be a driver error? When I first installed Sygate Firewall, I remember seeing in the Message Console it said this computer is Hijacked. But it doesn't say that anymore.

    My computer is behaving awfully strangely. I really appreciate all your efforts. Thank you all very much.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is also part of Windows but it does not normally require internet access unless you connect to the internet using Microsoft's Internet Connection Sharing or Internet Connection Firewall.

    Didn't you already discuss this with Abri? Your ISP is connecting to your PC for whatever reason. You should install a hardware firewall (I expect you don't have one), which normally is part of most recent routers, and then you will not see garbage like this anymore.

    Speak to your ISP.

    I don't know what a slsk is. Do you mean SoulSeek??? You need to properly configure your software. You could be blocking it in your firewall.

    Are you sure that Kaspersky 7.0 does not already include a firewall feature? Perhaps you should double check with them.

    Based on the logs you have posted you are not having malware problems. You are either having hardware issues or you have done something to cause problems within your Windows OS. Hardware & OS problems are topics for the Hardware and Software forum.

    Perhaps you just need to find someone who has had more experience with Windows to properly repartition, format and reinstall your OS and configure it for you, and then to install the appropriate software before you get any infections.
     
  27. porky

    porky Private E-2

    After allowing NT Kernel, Sygate firewall still blocks it; could this be affecting my connection?

    how do i unblock this?


    I am posting my Sygate log here. Hope this helps in some way. I'm becoming weary of this problem.


    thank you all so much.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you check to see if your Kaspersky 7.0 included a firewall??

    Do you have a router in between the connection from your PC to your ISP? If not, you should get one with a hardware firewall as I already stated that is unless you are on dial-up. Are you on a dial-up connection?

    We are outside the realm of the malware forum! You are not having malware problems.


    Sygate is blocking incoming. If the below is your ISP then perhaps it should not be blocked:
    Code:
    IP Address   : 118.100.7.130 [ 118.100.7.130 ]
    ISP          : -
    Organization : Telekom Malaysia Berhad
    Location     : MY, Malaysia
     
    Perhaps there are two things you need to do because you just don't seem to understand how to configure a firewall.

    1) Uninstall SoulSeek because it is possibly at the heart of all your problems
    2) Uninstall Sygate and use a firewall that is current and that is supported. Sygate has not been supported for about 3 years. While Sygate is uninstalled check to see if you are having any problems.

    Then install one of the below free firewalls.
     
  29. porky

    porky Private E-2

    Hi, I took your advice and am using Filseclab Personal Firewall Professional Edition, and have attached the logs. I'm sorry I had to zip the files because they were too large.

    Filseclab seems to be very thorough, but I have a feeling it's blocking a lot of essential OS programs. I've tried to unblock some, but it refused to unblock them. You're right, I honestly have no idea how to work a firewall.

    As for Kaspersky, I've checked and have not seen a firewall, though I can be extremely wrong about this. Do you know how I may check? I don't see a single firewall option in Kaspersky.

    I have no router installed, but I have been using a modem for years with this PC without any problems. Is it really necessary to switch to a router?

    thank you so much for your time.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any malware problems. If you are still having issues with your software I suggest you post in the Software Forum. You seem to still be blocking your ISP addresses.

    If you are on dial-up, you cannot use a router to directly connect to the internet.
     
