svchost

My son is at college has something using all of his resources, called svchost he has run adaware and spybot in safe mode..............any suggestions

 

Thanks i will ask him and see how it goes

 

My son is going to join the site, easier than me relaying to him, nickname is furb

 

Post Tutorial Stats/Report

Trend Micro Scan - Nothing present
Symantec Security Check - NA Explained later
Avert Stinger - Nothing

CCleaner Results - 1,098.9 MB removed in 52 seconds

Adaware SE - 12 objects remove
---V2 Plugin (or whatever its name was) - System Clean
Spybot - Nothing
Spyware Blaster - I added some new protection

CWS - My system was clean
Kill2me - Look2me was removed if it was present
HSRemove - Nothing
AboutBuster - Nothing on first scan

I was unable to do the systamantec scan because of my problem. I am unable to get certain kinds of links to work. I'm now in need of more advice. I can post hijackthis logs and screen capures of a program I have called Process Explorer.

 

I will post the hijack this log a little later. I've got to do some of my homework - on another persons computer no less! I did make a new observation recently. When I was looking at the SVCHOST in question in process explorer I noticed that it would open up a tftp.exe. I checked my windows/system32 folder and there were generic tftp files present. I deleted them. I ran the process explorer again. SVCHOST once again started opening the tftp.exe. I went back to my system32 and more tftp files appeared. I'm not sure if this is supposed to happen or not.

Expect the hijack this log in 3 or 4 hours.

Thanks

 

I did my scan in normal mode. I closed everything I could without crashing the computer. I pus the Highjack This into its own folder in the program files directory.


Edit by chaslang: inline log change to an attachment. Please post all future logs as attachments.

 

My problem remains without any improvement.

 

I tried running the symantec scan from safemode. I was unable to get it to work. A side effect of my problem is the inability to use hyperlinks. Thus I was unable to get the thing to work. I could not even open the link in a new browser.

Ares is there by my own doing. I use it to share files. It does not seem to add any spyware.

Here is some back information on the problem. It all began last Thursday during a late night power outage. I woke up, and my computer was off. I noticed that it booted slow, but I did not think much of it. I went on to do my normal actions on the computer. I noticed how minimized windows did not go to the system tray. I also noted the slow speed my computer was running. I saw a new SVCHOST under my task manager. I usually had 3, but I had a fourth using all my CPU. I went to safe mode and ran a spyware scan thinking it would fix it. It did not. I did some research afterwards. I thought I had a viral SVCHOST. I deleted it. Bad move. This crippled my computer. I had to go into safemode and use a command prompt to copy SVCHOST out of my dll cache. It worked. The same old problems consisted. The system tray was malfunctioning. It took forever to boot the computer. I could copy but not paste in IE. I could not use hyperlinks. The CPU was still being hogged by SVCHOST. I did manage to pluge the CPU leak with Zone Alarm. My cpu usage is now low again, but the other problems persist.

I hope this information can lead some of you to more advice.

 

Alright.

I'll what I can do then.

 

I could figure out how to find the information I needed with Hijack This. I used a program called AnVir Task Manager instead. This is some of the information I learned.

Program Name - svchost.exe
PID - 844
CPU - 80%
Executable file - C:\Window\System32\svchost.exe
Discription - Generic Host Process for WIN 32 services

9/22 1:38 A.M. svchost.exe 844 started by services.exe
Data - C:\Windows\system32\svchost.exe -k rpcss

I can also list all the Files, Handels, DLL's, Threads, and Drives that this particular svchost is using.

Also is Softex Omnipass spyware?

 

Define using all his resources?

svchost.exe can easily reach over 20mb of memory useage.

Is this Windows XP Home, or Pro?

 

I'm using XP Home.

 

Ok, well, that makes it a little harder to narrow down without third party software.

Get Process Explorer from www.sysinternals.com

Locate the Process PID (It may have changed, so check it again.

Locate it in the list, right click on the svchost.exe and choose properties.

Click on the services tab.

This will tell you what services are using that process, and possibly locate your culprit.

You could then go through the tweaks at www.blackviper.com

 

The service the SVCHOST in question using is RpcSs or the remote procedure call. I observed something very interesting just now too. I mention that the SVCHOST would open up the tftp.exe. Under the image tab in process explorer I noticed something weird about the tftp.exe It's command line is the following - tftp.exe -i 10.102.133.137 get msnmsg.exe. I did some quick reading and it seems msnmsg.exe is some sort of virus. I could not locate it on my machine though.

 

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.DK&VSect=T
Its gotta be there, if its showing up as activating.

 

I did a brief search of my registry for "msnmsg". It didn't turn up any results. I did not check all of the registry addressed manually though.

 

Look for the file on your system, first.

 

I haven't had a chance to manually look through my folders. I'm going to be away fro the next three days too. I just don't want to let this tread die yet.

 

I can't do searches. Whenever I click the search icon under start is does not respond. I have no idea why, but it started when my problem started.

 

I didn't find it there.

However, I got a new virus scanner that some of said elsewhere may find my problem. I am going to run the scan later tonight.

 

I've fixed the problem. I apparently had a virus on my computer called Win32.Lemmy.u. I used a virus scan called Kaspersky to find it. The scan took like 9 hours, but it did fix the problem.

I do apperciate all the advice I got here. Thanks for the help!