Results 1 to 7 of 7
  1. #1
    Member loopy's Avatar
    Join Date
    Feb 2005
    Posts
    6
    Points
    0

    Default svchost.exe problems

    its kind of a long story and i dont want to sound like an idiot, i'll explain it the best that i can.
    I had viruses and spyware that i couldnt get rid of, so i decided to just delete everything. first i tried formatting it......I still had problems, never quite sure what was causing the problem. i made a nuke boot disk and succesfully erased everything. since i had all the software to reinstall, it seemed like a good solution, i still have the problem, and to be honest, it seems worse now. my zonealarm is telling me it has to do with my svchost. the main problem is that internet explorer loads really slow, my 4mb windows update is taking hours....and this game ive been playing is messing up. its a java applet and when i log in it has kind of a "hiccup". i walk 2 steps and he stops for a second then he takes 2 more steps. i noticed that if i have another java applet open, or a flash player, it gets rid of the hiccup. i just dont understand how i can still have the problem even after i deleted everything. if u have any information that would help me i would be very grateful, this problem has persisted for months and its driving me insane. :?

  2. #2
    Member galena1's Avatar
    Join Date
    Oct 2003
    Location
    Devon -UK
    Posts
    3,109
    Points
    429

    Default

    Hallo Loopy - Suggest you go here - http://www.help2go.com/article217.html and run through the various processes and then post a HiJack This Log to the end of this thread by clicking on 'Reply'. One of the experts here will take a look at it for you. Regards
    I know everything about nothing, nothing about everything and precious little about the bit in between.
    P4-3.0G - Seagate Barracuda 160 - Maxtor 120 - Antec Hard Drive Cooler - 1GRam - Radeon9800Pro - Sony Multi DriveDVDRW - Audigy2 6.1 - XPHome

  3. #3
    Member loopy's Avatar
    Join Date
    Feb 2005
    Posts
    6
    Points
    0

    Default

    my zonealarm firewall is telling me i have a ton of incoming medium rated blocks, all from different places, and a few outgoing medium rated from program svchost.exe to ns1.mindspring.com, dunno if that will help any but i remember seing that ns1 mindspring quite a few times in the past on zone alarm as well

    heres my hijack this log:

    it looks pretty clean to me, im trying a panda active scan right now though

    Logfile of HijackThis v1.99.0
    Scan saved at 2:56:48 PM, on 2/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\WINDOWS\System32\trillian.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis_923.zip\HijackThis.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis_923.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Messanger] trillian.exe
    O4 - HKLM\..\RunServices: [Messanger] trillian.exe
    O4 - HKCU\..\Run: [Messanger] trillian.exe
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109542344250
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C208D0-68DA-4821-80FD-0A410F29156C}: NameServer = 207.69.188.185 207.69.188.186
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

  4. #4
    Member DSR17's Avatar
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    360
    Points
    133

    Default

    I ran your log through the detective and it says you have some suspicious software.
    These are the two entries that it returns:

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    Try checking these two and then pressing the fix checked button.
    I am not an expert in this field however so I would advise a second opinion before carrying this out. These do not look like anything that would cause the problem that you described, but could be removed. I would suggest trying some other methods first.

  5. #5
    Member loopy's Avatar
    Join Date
    Feb 2005
    Posts
    6
    Points
    0

    Default

    i found a virus and 1 low rated adware with panda active scan,

    the virus was w32/gaobot.blb.worm.
    succesfully disenfected :lol:

    the files that they suggest removing arent a real threat, so i dont want to remove them. my antivirus uses up more ram than those do so i dont think it will make a difference

    i'll see if that made a difference, thanx for the help

  6. #6
    Member DSR17's Avatar
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    360
    Points
    133

    Default

    Good, i agree about the two processes, better off left alone. Hope the scan fixed your poblem.

    Oh, I found this article that you may find interesting:

    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/sec.../ms04-011.mspx This is a registered security risk and should be removed immediately.

    Seems although svchost.exe is an integral part of windows it is a security threat. Hope Microsoft come up with an hotfix for that soon.

    Cheers.

  7. #7
    Member loopy's Avatar
    Join Date
    Feb 2005
    Posts
    6
    Points
    0

    Default

    im downloading the update, hopefully it will help

    *i finished the download, the problem still persists. Zone alarm has blocked many attempts that were medium rated, all on port 445 which is a network port according to them. i dont use a network therefore i am getting attacked from the internet somehow possibly spyware. ive done numerous spyware scans never found anything here is a list of the sources that are trying to access that port:

    ip.jps.net
    ip.lightspeed.net
    adsl-ip.dsl.irvnca.pacbell.net

    mostly lightspeed and jps

    *the ip is an ip address they are never the same adress so i just put ip

    im gonna search through the posts and see if anyone has had the same problem.