virus possibly related to svchost.exe

architech

New member
Local time
6:20 AM
Messages
29
My computer has been running significantly slow of late, barely responding if I try to open an app, even if no program windows are open. There are multiple instances of svchost.exe running in the task manager, using over 50% of the memory, and again, nothing is running in the foreground. It is an HP desktop running Windows 7, 64-bit Home edition. I have run numerous scans with Norton 360, Norton Power Eraser, Malwarebytes, TDSSKiller, and Ad-Aware, but no luck finding anything out of the ordinary. If I boot in safe mode it at least responds so I can download updates and run current versions of those scans, but in normal mode it is barely functioning. I have tried System Restore to bring it back to a few weeks ago, but that hasn't corrected anything either. Any suggestions?
 

My Computer My Computer

At a glance

Windows 7 64 Bit
Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 64 Bit
Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
Include the contents of both logs in your next reply.
The scan will instruct you to post Attach.txt as an attachment.
 

The text of both logs was too long to include as text, so they are both attached. Thanks for your assistance so far.
 

architech,

AV: Ad-Aware Antivirus *Disabled/Outdated* {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: Norton 360 Premier Edition *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 Premier Edition *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
FW: Ad-Aware Firewall *Disabled* {E040E464-58CE-DBB2-2B6C-32B5A979FEED}

There are 2 Antivirus programs installed:
Ad-Aware Antivirus
Norton 360 Premier Edition

Please uninstall the Ad-Aware Antivirus, since it is Disabled/Outdated.


Next, please use the Farbar Recovery Scan Tool
Download: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select the version that applies to your system.
Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens click Yes to the disclaimer.

Press the Scan button.

The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply.



Next, download the Farbar Service Scanner

Save to the Desktop
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press: Scan
  • FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply.
 

Resulting txt files have been attached. I didn't have time to run a system restart after uninstalling Ad-Aware but it was completed. Thanks again.
 

Thanks for the reports.

Please do the following:

Open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code');
Save it on the flash drive that has FRST64 and name it: fixlist.txt

Code:
start
HKLM\...\Run: [] - [x]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] 
HKLM-x32\...\Run: [] - [x]
HKU\Mcx1-HPE-140F\...\Winlogon: [Shell] C:\Windows\eHome\McrMgr.exe [343552 2009-07-13] (Microsoft Corporation) 
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKLM-x32 - No Name - {8660E5B3-6C41-44DE-8503-98D99BBECD41} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {8660E5B3-6C41-44DE-8503-98D99BBECD41} -  No File
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} -  No File
C:\$Recycle.Bin\S-1-5-21-1898693249-1059400390-102638630-1001\$3ff35caf2c36efa87d6fe421013a1c80
C:\$Recycle.Bin\S-1-5-18\$3ff35caf2c36efa87d6fe421013a1c80
C:\Users\Steve\AppData\Local\Temp\646514c8-e307-4540-af3c-2d501168128e.exe
C:\Users\Steve\AppData\Local\Temp\a6ce7c0b-87d1-4391-ae68-ffa072b0bd36.exe
C:\Users\Steve\AppData\Local\Temp\dba18370-d393-480c-b458-9473cd9d4add.exe
C:\Users\Steve\AppData\Local\Temp\NVI2_29.DLL
C:\Users\Steve\AppData\Local\Temp\ose00000.exe
end

NOTICE: This script is written specifically for this computer.
Running this on another computer may cause damage to the Operating System.

Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.

There is also some work to be done in the services area, however, we'll tackle those after FRST is done.

Signing out for tonight though!!
 

Fixlog.txt is attached. Depending on your response, this might be my last post for a few days. I am headed out of town this afternoon on business until Friday evening. I know you usually want a 48 hour response or the thread is closed, but just giving a heads up. Thanks again.
 

No problem on waiting until Friday. Will not close the thread.


Let's see if the following tool can take care of the issues with the Services showing in the FSS report. If not, we will need to go at it manually.

Since the following steps involve editing the Registry, please create a new restore point before proceeding.
System Restore Point - Create
Select: Option Two

Now, please download the ESET ServiceRepair tool:
http://kb.eset.com/library/ESET/KB%2...icesRepair.exe
(Direct link only available)
Save to the Desktop.
Double-click to run the downloaded file.

When the program runs, a prompt appears asking if you want to proceed.
Click: Yes
When the Services routine is Completed, you are asked to Reboot.
Click Yes to allow the reboot.

The tool creates a folder named CC Support on the Desktop.
Please provide the CC Support\Logs\SvcRepair.txt in your reply.


Next, please run the Farbar Service Scanner once again, and provide the FSS.txt in your reply.
 

Will be out for a while shortly, so, no need to rush. Take your time.
 

All right, I am back in town and started up with what you posted. The desktop has been on about 55 minutes, but I can't create a system restore point. I have gotten the following on screen twice now after two attempts.
-----------------
The restore point could not be created for the following reason:

The creation of a shadow copy has timed out. Try this operation again. (0x81000101)

Please try again.
---------------------

As I said before, the machine is running at a crawl. I have been running the apps you have posted previously through a usb drive, but I am now waiting on a third attempt to create a restore point before I continue onward. Any suggestions if it times out again? Just take a chance without it?

Again, I apologize for the delay.
 

I was unable to create a restore point after four attempts, but I was able to find out when the last restore point was automatically created through safe mode. It was this past Monday, so I just ran the ESET ServiceRepair tool, and FSS. Attached are the two reports.

Thanks for the help.
 

Before we press on with the entries needing attention in the FSS report, let's check the computer for corruption in Windows system files.

Give this a try. The file was created by kronckew, one of our colleagues.

Boot to Safe Mode.

Go to Start > All Programs > Accessories > Command Prompt
Right-click the Command Prompt, and select: Run as Administrator

At the Command Prompt, copy/paste (with the mouse) the following text inside the code box below, and press: Enter

Code:
@echo off
rem delete old files
del /q %windir%\logs\cbs\cbs.log
del /q c:\sfcdetails.txt
rem run sfc
sfc /scannow
rem filter out non essential junk from the cbs.log
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >c:\sfcdetails.txt 
rem open details in notepad
notepad c:\sfcdetails.txt
rem optional command to shut down & restart pc after running. this may be needed if
rem sfc replaces some critical files. uncomment (remove the 'rem') to activate.
rem shutdown -r
exit

When sfc is done, a file named sfcdetails.txt appears.

Please save the sfcdetails.txt file to the Desktop, and post it in your reply.
 

Multiple instances of svchost running is normal, I've got 12 of them going myself while typing this.

50% of RAM used would be normal on a 4 GB system as well, with 7. [OP did not put in system specs]

What was the last thing done to the system when this issue started?

I'd look at device manager and see if it's showing any issues.
 

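Added example, not part of the original thread: the svchost.exe question at the top and the reply above both turn on the same check, namely which services each Service Host instance is actually running. The PowerShell script below maps every svchost.exe process to the services it hosts, shows its working set, parent process, image path and signature status, and flags instances that do not look like the real Service Host. It is written for the Windows 7-era cmdlets (Get-WmiObject, PowerShell 2.0 and later) and must be run from an elevated PowerShell prompt. The list of legitimate image paths and the flag heuristics are my assumptions, not something the thread states.

```powershell
# Added example (not from the thread). Map each svchost.exe instance to the
# services it hosts and flag anything that does not look like the real Service Host.
# Assumes Windows 7-era PowerShell (2.0+, Get-WmiObject) and an elevated prompt.

# Assumption: on a 64-bit install only these two svchost images are legitimate
# (SysWOW64 hosts 32-bit services).
$legitImages = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# One WMI query each, indexed by PID, so the loop below does no further WMI calls.
$procByPid = @{}
foreach ($p in (Get-WmiObject -Class Win32_Process)) { $procByPid[[int]$p.ProcessId] = $p }

$svcByPid = @{}
foreach ($s in (Get-WmiObject -Class Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
    $id = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
    $svcByPid[$id] += $s.Name
}

$report = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $id   = $proc.Id
    $wmi  = $procByPid[$id]
    $path = if ($wmi) { $wmi.ExecutablePath } else { $null }

    # A real svchost is always started by services.exe.
    $parent = '(unknown)'
    if ($wmi) {
        $ppid   = [int]$wmi.ParentProcessId
        $parent = if ($procByPid.ContainsKey($ppid)) { $procByPid[$ppid].Name } else { '(exited)' }
    }

    $hosted = if ($svcByPid.ContainsKey($id)) { $svcByPid[$id] } else { @() }
    $sig    = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    # Heuristics (my assumptions): wrong image path, wrong parent, a "svchost" that
    # hosts no service at all, or a signature that is positively bad.
    $flags = @()
    if ($path -and ($legitImages -notcontains $path))          { $flags += 'image-path' }
    if ($parent -ne 'services.exe')                            { $flags += 'parent' }
    if ($hosted.Count -eq 0)                                   { $flags += 'no-services' }
    if ("$sig" -eq 'HashMismatch' -or "$sig" -eq 'NotTrusted') { $flags += 'signature' }

    New-Object PSObject -Property @{
        PID      = $id
        MemMB    = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        Parent   = $parent
        Path     = $path
        Signed   = "$sig"
        Services = ($hosted -join ', ')
        Flags    = ($flags -join ',')
    }
})

# Biggest consumer first; the Services column names what that instance actually runs.
$report | Sort-Object -Property MemMB -Descending |
    Format-Table PID, MemMB, Parent, Signed, Flags, Services -AutoSize
```

The Services column is the useful part for the complaint in this thread: once the heavy instance is tied to a service name, that service can be stopped or investigated instead of guessing at svchost.exe itself. Two caveats: on Windows 7 the system binaries are catalog-signed, so Get-AuthenticodeSignature on PowerShell older than 5.1 reports them as NotSigned rather than Valid, which is why only HashMismatch and NotTrusted raise the signature flag there, and the image-path and parent checks carry more weight. Also, a process you cannot open (Path empty, Parent "(unknown)") usually means the prompt was not elevated.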
File sfcdetails.txt is attached.
 

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 

Junkware Removal Tool run and file JRT.txt is attached.
 

Phew!!

Now go back to cottonball's instructions for sfcdetails.txt file and post it in your reply.
 

Command run again and file sfcdetails.txt is attached.
 

Let's merge a missing Action Center key into the Registry:

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.

Please open Notepad by pressing the Windows key and the R key at the same time.
In the Open area, type: notepad
Copy and paste all the text inside the code box below to Notepad:

Code:
Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
"AutoStart"=""

In Notepad, go to File > Save As
Save the file to: Desktop
Save the file as: fixac.reg
Save as type needs to be set to: All files

On the Desktop, double-click: fixac.reg
Confirm the prompt to merge to your Registry.
Click: OK

Restart the computer.

On the Desktop, right-click fixac.reg, and select: Delete

Also empty the Recycle Bin.

Once again, press the Windows key and the R key at the same time.
In the Open area, type: services.msc
In the Services console, make sure Security Center is there, and:
Startup Type is set to: Automatic (Delayed Start)
Service Status is set to: Started

Do the same for the Windows Update service.

Run the Farbar Service Scanner once again, and post its results.
 

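Added example, not part of the original thread: the ESET ServiceRepair post and the Action Center post above both come down to the same audit, whether the key and services that Farbar Service Scanner reports on are present, set to the right start type and running. The PowerShell script below performs that audit from the console: it checks for the ShellServiceObjects key the reg merge above recreates, then for each service compares its start type and state against what it should be and verifies that its ServiceDll still points at a file that exists (a repointed or deleted ServiceDll is one way a service ends up "missing" in an FSS report). The expected start types are my assumption of the Windows 7 defaults, not something the thread lists, and the service names are the ones FSS covers under the options the helper asked to tick. It is written for Windows 7-era PowerShell (2.0+, Get-WmiObject) and must be run elevated. With $Fix left at $false it only reports; set it to $true to create the key, reset the start types (via sc.exe, since Set-Service cannot set "delayed-auto" on that PowerShell version) and start the services.

```powershell
# Added example (not from the thread). Audit the Action Center shell service
# object key and the services Farbar Service Scanner reports on.
# Assumes Windows 7-era PowerShell (2.0+) and an elevated prompt.

$Fix = $false   # $true applies the corrections instead of only reporting them

# 1. Action Center shell service object (the key the .reg merge above recreates).
$acKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
if (Test-Path $acKey) {
    'Action Center SSO key: present'
} elseif ($Fix) {
    New-Item -Path $acKey -Force | Out-Null
    New-ItemProperty -Path $acKey -Name 'AutoStart' -Value '' -PropertyType String -Force | Out-Null
    'Action Center SSO key: created'
} else {
    'Action Center SSO key: MISSING'
}

# 2. Services FSS reports on. Expected start types are ASSUMED Windows 7 defaults.
#    'DelayedAuto' = Automatic (Delayed Start): Win32_Service shows StartMode 'Auto'
#    and the service's registry key carries DelayedAutostart = 1.
$expected = @{
    'wscsvc'   = 'DelayedAuto'  # Security Center
    'wuauserv' = 'DelayedAuto'  # Windows Update
    'MpsSvc'   = 'Auto'         # Windows Firewall
    'BFE'      = 'Auto'         # Base Filtering Engine (the firewall depends on it)
    'Dhcp'     = 'Auto'         # DHCP Client
    'Dnscache' = 'Auto'         # DNS Client
    'VSS'      = 'Manual'       # Volume Shadow Copy (restore point creation)
    'swprv'    = 'Manual'       # Microsoft Software Shadow Copy Provider
}

foreach ($name in ($expected.Keys | Sort-Object)) {
    $want = $expected[$name]
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name = '$name'"
    if (-not $svc) {
        "{0,-9} NOT INSTALLED: service key missing or service deleted" -f $name
        continue
    }

    $regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $delayed = (Get-ItemProperty -Path $regKey -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart -eq 1
    $dll     = (Get-ItemProperty -Path "$regKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $have    = if ($svc.StartMode -eq 'Auto' -and $delayed) { 'DelayedAuto' } else { $svc.StartMode }

    $problems = @()
    if ($have -ne $want) { $problems += "start type $have, expected $want" }
    if ($want -ne 'Manual' -and $svc.State -ne 'Running') { $problems += "state $($svc.State)" }
    if ($dll -and -not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
        $problems += "ServiceDll not found: $dll"
    }

    if ($problems.Count -eq 0) {
        "{0,-9} OK ({1}, {2})" -f $name, $have, $svc.State
        continue
    }
    "{0,-9} PROBLEM: {1}" -f $name, ($problems -join '; ')

    if ($Fix) {
        # sc.exe rather than the 'sc' alias (Set-Content); it can set delayed-auto.
        $scStart = @{ 'Auto' = 'auto'; 'DelayedAuto' = 'delayed-auto'; 'Manual' = 'demand' }[$want]
        & sc.exe config $name start= $scStart | Out-Null
        if ($want -ne 'Manual') { Start-Service -Name $name -ErrorAction SilentlyContinue }
    }
}
```

A "NOT INSTALLED" line means the service's registry key is gone and neither sc.exe nor services.msc can bring it back; that is the case where the ServiceRepair tool, or a manual import of the key from a known-good Windows 7 machine, is needed. VSS and swprv are Manual by default, so their being stopped is normal; the 0x81000101 shadow-copy timeout reported above is consistent with a machine that is simply too slow to finish the snapshot, and this script does not diagnose that beyond confirming both services are present and startable.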
Still running slow when attempting to do any steps or scans (took over an hour to perform the above), but results of the Farbar Service Scanner are attached. Thanks again.
 
