Svchost.exe is killing me

[JDStraughan]

I get a Visual Studio debugging messages every 2-3 minutes saying I have an unhandled exception error in svchost.exe [SOMENUMBER ].

This began after the lasted WinXP automatic updates - dont know if that is coincidence or not.

When it happens - my desktop resets, the task bar goes to 'Win95 beige' and my system runs like a 286 with no math co-processor...

I have 1.4TB - so it takes a while to scan, but here is what I have done since this first happened (+/- 30 Hours at time of post)

Here is what I have done in an attempt to correct:
-Restored to restore point 2 updates ago
-SpyBot S&D - clean
-Adaware 2007 - clean
-TrendMicro Housecall - clean
-Removed every program I could from add/remove programs without loosing my essential software
-Removed all unused drivers (old printers, etc)
-Panda AntiRootkit - clean

I have run ComboFix and have attached the log file.

I know this is my first post here - I apologize for making my first post a question - and I hope to find a place where I can help others when and where I can.

Thanks!

Jason

 

[JDStraughan]

Update:

CC Cleaner - done
AVG - AntiSpyware - done - clean
HijackThis! - renamed and scanned, log file attached

Still getting same error - computer still running slow

Please help...

 

[JDStraughan]

Now attaching:

SmitFraudFix v2.301 - rapport.txt
Ran VundoFix.exe, VirtumundoBeGone.exe, and FindAWF....

..Still all messed up...

Can someone please help??

Even a post that lets me know if I am asking in the wrong place or something?

 

[JDStraughan]

Now nothing is loading in my systray and it is taking 10+ minutes to get a START menu to open....

I have never seen a computer do anything like this.

I have 36+ views on this topic - can anyone reply with anything please??

 

[Blind Dragon]

Hi JDStraughan,

I am looking through your logs. Just so you know everyone here is volunteering their time to help, so please don't rush this.

*Try to only post once between replies, you can use the edit button.
*Don't bump the thread unless it takes more than 24 hours to get a response
*Don't PM me unless it takes 48 hours for a response

Why? Because I am looking at lots of logs and I get email notifications when replies come, it makes it too difficult to keep track of who is being helped.

So as of right now, everytime you reply I will get an email notification.

I need to know what country you live in?

This thread is for the use of JDStraughan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[JDStraughan]

I live in the USA

 

[Blind Dragon]

You may want to print these instructions because you will be asked to reboot during the fix

Download and Run FixWarout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries

• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
  
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
  O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\JMan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
  O17 - HKLM\System\CCS\Services\Tcpip\..\{15DF1D8A-AF18-45DB-9465-79EFC828C305}: NameServer = 10.11.75.1
  O17 - HKLM\System\CS1\Services\Tcpip\..\{15DF1D8A-AF18-45DB-9465-79EFC828C305}: NameServer = 10.11.75.1
  O17 - HKLM\System\CS2\Services\Tcpip\..\{15DF1D8A-AF18-45DB-9465-79EFC828C305}: NameServer = 10.11.75.1

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

 

[JDStraughan]

1st of all: thanks for helping and for your time.

I have run the program listed, and attached the log file and the HijackThis file.

My system is running even slower now. Symptoms:

Takes 10+ minutes for pointer to go from hourglass on boot (only over taskbar)
After this 10-20 minute waiting period, the taskbar turns beige
Nothing loads in the system tray - except networking
svchost.exe fails every 2-4 minutes
a good portion of my software does not work
svchost fails constantly in safe mode also.

 

[Bobbye]

Question for Blind Dragon about this hijack log:

Why are his processes listed like this: C:\WINT2\System32\smss.exe

Instead of this: C:\WINDOWS\System32\smss.exe

Is there any significance in this?

 

[JDStraughan]

My Windows folder is WINNT2

That is why System32 resides in that folder...

 

[Blind Dragon]

your log says WINT2 not WINNT2

I did notice it, but I honestly couldn't find a lot of information on that. It does look a little suspect, but I am not aware of any infection that does this.

When it happens - my desktop resets, the task bar goes to 'Win95 beige' and my system runs like a 286 with no math co-processor...

That is the weird part.


Did you change the name of the windows folder?

Has it always been named that?

Also do you have a USB drive inserted in this machine?

 

[JDStraughan]

Yes, I named the windows folder that on install.

It has always been that.

Installed 18+ months ago.

No usb drives.

 

[Blind Dragon]

Log looks clean

I can think of 2 things that are causing your issues. 1 you have a program on your computer that is looking for a device that isn't there. 2 - More likely, it is not a coincidence that this happened after microsoft update.

1. Deactivate the Windows Automatic Update (all options)
2 Reboot
3 Verfy that the Sound devices are loaded (ie start volume control)
4. Update Windows manually from the MS Win Update site. www.update.microsoft.com (must use Internet explorer)

If the above doesn't fix your problem

Click on the “Start” button then “Run” and enter the following command into the “Run” dialog box
· regsvr32 wuapi.dll
You should then receive a message to say it was successful. The above process then needs to be done for each of the following commands:-
· regsvr32 wups.dll
· regsvr32 wuaueng.dll
· regsvr32 wucltui.dll
· regsvr32 atl.dll
· regsvr32 msxml3.dll

 

[Bobbye]

I would wonder how you could rename system folders? And how the system would interact with an improperly name system folder.

 

[Blind Dragon]

The system folder has the correct name, it is just the path that is different.