1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Svhost infected? tons of them are running [pic inside]

Discussion in 'All Other Software' started by shadyklyde, Oct 14, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. shadyklyde

    shadyklyde Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    4
    My computer recently started slowing down. I notice about every minute a popup coming from my Spyware Doctor saying svchost is trying to access a file and it was denied. Then i checked my task manager and like 10 of them are running. Any ideas? Thanks.

    also im running win vista 32bit

    Here is the task manager:

    [​IMG]

    also now the pop up that is coming up:

    [​IMG]

    its coming up more frequent now.
     
  2. Smartguy01

    Smartguy01

    Joined:
    Oct 15, 2008
    Messages:
    451
    First Name:
    Ivan
    svchost.exe is a general windows process and it can appear to run more that one of them in the same time, for example I'm running 5 of them right now, but what has got my attention here is that one of your svchost processes is using 71,000KB of RAM memory, which is pretty high for svchost.exe, that spyware doctor report is also weird, i don't see any normal explaination for svchost trying to acsses WinRar. So it is a virus, run a full scan with your Spyware Doctor, and if you don't get rid of the extra svchost.exe s after removing all found threats, then post here.
     
  3. Stoner

    Stoner Banned

    Joined:
    Oct 26, 2002
    Messages:
    44,931
  4. shadyklyde

    shadyklyde Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    4
    Yeah i had already scanned, a full scan, and nothing came up. im not sure if this forum uses Hijack this files but if so i can post one of those if itll help. i got process explorer like stoner said and it all seems to point to programs. not sure what else to look for since ive never used that program before
     
  5. stantley

    stantley

    Joined:
    May 22, 2005
    Messages:
    7,091
    In Process Explorer go to View > Select Columns and put a check next to Image Path. Then look at each svchost.exe and make sure the path is C:\WINDOWS\system32\svchost.exe.

    Then right-click on each svchost.exe > Properties > Services tab, check the path of each service and make sure they are all C:\WINDOWS\system32.
     
  6. shadyklyde

    shadyklyde Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    4
    thanks, they are all located in system 32 folder. hmm.
     
  7. Smartguy01

    Smartguy01

    Joined:
    Oct 15, 2008
    Messages:
    451
    First Name:
    Ivan
    I asked for assistance on the HJT & Malware forum, to come here and help.
     
  8. shadyklyde

    shadyklyde Thread Starter

    Joined:
    Oct 14, 2008
    Messages:
    4
    wasnt sure if that was a hint to post one or not haha, but heres the HJT log.


    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\AdsGone\AdsGone.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\MessengerDiscovery\MessengerDiscovery.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Download Manager\IEMonitor.exe
    C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\BitZipper\BITZIPPER.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Windows Live\Mail\wlmail.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: ::1 localhost
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
    O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\RunServices: [Atheros Configuration Service] C:\Windows\System32\acs.exe -h
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1\AppData\Local\Temp\IXP000.TMP\"
    O4 - HKLM\..\RunOnce: [wextract_cleanup1] rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\ADMINI~1\AppData\Local\Temp\IXP001.TMP\"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /S
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\AdsGone.exe
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O22 - SharedTaskScheduler: Ave's FolderBg - {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - (no file)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 6854 bytes
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/759184

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice