svchost issues, slow system, intrusion alerts


  • Please log in to reply
1 reply to this topic

#1 Mattor


Posted 31 October 2010 - 01:18 AM

Hey guys, some virus/malware issues with my computer.

I'm running Windows XP.
I'll explain some of the symptoms that I know so far:

- A "don't send" error pops up around 10-15 minutes after starting the computer. "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience". When I click to see what the data error report contains, it says

Error signature
szAppName: svchost.exe
szAppVer: 5.1.2600.5512
szModName: ntdll.dll
szModVer: 5.1.2600.5755
offset: 00023845

- In Windows Task Manager, there are several svchost processes running. These are making the system really slow, and it is why I think any games I run have 'micro-stuttering' or 15-20 second freezes occasionally.

- "ayesexosu...dll" something like that was in some of the error reports, I deleted it (fingers crossed that one doesn't come back to bite me)

- If I use a program such as Piriform CCleaner, I look at the startup programs and "Qxicacan" located at "C:\WINDOWS \dedpxv2.dll" seems to re-enable itself every time I turn the computer on. I assumed it was the issue so I disabled it on startup.

Things I've tried so far:

MalwareBytes Anti-Malware
Rkill
I downloaded Process Explorer to try and look more specifically at svchost.exe
CCleaner
Regcure.

I also have Norton Antivirus installed, and it has been very active lately. It frequently pops up saying there are intrusion attempts:

HIGH SEVERITY - "An intrusion attempt by kangojim1.com was blocked"
Risk name - HTTPS Tidserv Request 2
Attacking computer - kangojim1.com (193.27.232.72, 443)
Destination address - TOM (XXX.XXX.X.XXX, XXXX)
Source address - 193.27.232.72 (193.27.232.72)
Traffic address - TCP, https

"Network traffic from kangojim1.com matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE"

and another, among various other attempts.

HIGH SEVERITY - "An intrusion attempt by 91.216.73.60 was blocked"
Risk name - HTTP Tidserv Request
Attacking computer - 91.216.73.60, 80
Attacker URL - skolewcho.com/zA90iZBL7i5xtQo1dmVyPTMuOTYmYmlkPW5vbmFtZSZhaWQ9MzAwMDEmc2lkPTAmcmQ9MCZlbmc9d3d3Lmdvb2dsZS5jb20uYXUmcT0...

and one more, just then.

HIGH SEVERITY - "An intrusion attempt by 86b6b96b.com (91.212.226.6, 443)
Risk name - HTTPS Tidserv Request 2
Attacking computer - 86b6b96b.com (91.212.226.6, 443)
Destination address - TOM (XXXXXXXXXXXX)

And it originated from svchost.exe, which makes me think something is up with svchost.exe, and none of the scanners I used have picked anything up.

If you guys can help me, I would really, really appreciate it so much! Thanks.
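Added example, not part of Mattor's post or of any tool in this thread: a small Python triage script that parses Norton intrusion alerts in the free-text shape pasted above, pulls out the risk name, attacker host/IP/port and the local process the alert was attributed to, and flags the pattern that matters here, a Tidserv (Symantec's family name for the TDSS/TDL rootkit) signature on outbound traffic attributed to svchost.exe. The sample input is the poster's three alerts embedded as a constructed string; the regexes, the `Alert` class and the `SYSTEM_PROCESSES` set are assumptions of this example, matched to the pasted text rather than to any Norton export format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three Norton alerts quoted in the post above,
# in the free-text shape the poster pasted them (not a Norton export format).
SAMPLE_ALERTS = r"""
HIGH SEVERITY - "An intrusion attempt by kangojim1.com was blocked"
Risk name - HTTPS Tidserv Request 2
Attacking computer - kangojim1.com (193.27.232.72, 443)
Destination address - TOM (XXX.XXX.X.XXX, XXXX)
Source address - 193.27.232.72 (193.27.232.72)
Traffic address - TCP, https
"Network traffic from kangojim1.com matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE"

HIGH SEVERITY - "An intrusion attempt by 91.216.73.60 was blocked"
Risk name - HTTP Tidserv Request
Attacking computer - 91.216.73.60, 80
Attacker URL - skolewcho.com/zA90iZBL7i5xtQo1dmVyPTMuOTYmYmlkPW5vbmFtZSZhaWQ9MzAwMDEmc2lkPTAmcmQ9MCZlbmc9d3d3Lmdvb2dsZS5jb20uYXUmcT0...

HIGH SEVERITY - "An intrusion attempt by 86b6b96b.com (91.212.226.6, 443)
Risk name - HTTPS Tidserv Request 2
Attacking computer - 86b6b96b.com (91.212.226.6, 443)
Destination address - TOM (XXXXXXXXXXXX)
"""

# Assumed list for this example: Windows system binaries that TDSS-class
# rootkits are known to inject into or hide behind. An IPS hit attributed to
# one of these points at code running inside the process, not at the binary.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}

# Field patterns matched to the pasted text (assumptions, not a Norton schema).
RISK_RE = re.compile(r"^Risk name - (?P<risk>.+?)\s*$", re.MULTILINE)
ATTACKER_RE = re.compile(
    r"^Attacking computer - (?:(?P<host>[A-Za-z0-9.-]+) \()?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+)\)?",
    re.MULTILINE,
)
ORIGIN_RE = re.compile(r'resulted from\s+(?P<path>[^\s"]+)')


@dataclass
class Alert:
    risk_name: str
    attacker_host: Optional[str]
    attacker_ip: str
    attacker_port: int
    origin_process: Optional[str]  # basename of the local process, lower-cased

    @property
    def is_tidserv(self) -> bool:
        # "Tidserv" is Symantec's detection name for the TDSS/TDL rootkit family.
        return "tidserv" in self.risk_name.lower()

    @property
    def from_system_process(self) -> bool:
        return self.origin_process in SYSTEM_PROCESSES


def parse_alerts(text: str) -> List[Alert]:
    """Split pasted alert text on blank lines and parse each block into an Alert."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        risk = RISK_RE.search(block)
        attacker = ATTACKER_RE.search(block)
        if not (risk and attacker):
            continue  # incomplete block: skip rather than guess at fields
        origin = ORIGIN_RE.search(block)
        # Norton reports an NT device path; keep only the executable name.
        proc = origin.group("path").rsplit("\\", 1)[-1].lower() if origin else None
        alerts.append(Alert(
            risk_name=risk.group("risk"),
            attacker_host=attacker.group("host"),
            attacker_ip=attacker.group("ip"),
            attacker_port=int(attacker.group("port")),
            origin_process=proc,
        ))
    return alerts


def summarize(alerts: List[Alert]) -> dict:
    """Reduce parsed alerts to the few facts a responder needs first."""
    tidserv = [a for a in alerts if a.is_tidserv]
    system_origin = sorted({a.origin_process for a in alerts if a.from_system_process})
    return {
        "alert_count": len(alerts),
        "attacker_ips": sorted({a.attacker_ip for a in alerts}),
        "tidserv_alerts": len(tidserv),
        "system_processes_involved": system_origin,
        # Repeated outbound hits to several hosts, all attributed to a system
        # process, is the signature of something already installed on the box,
        # not of an inbound attempt. Signature scanners that found nothing do
        # not clear it; a rootkit-specific scan is the next step.
        "rootkit_suspected": bool(tidserv) and bool(system_origin),
    }


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.risk_name:28} {a.attacker_ip}:{a.attacker_port} origin={a.origin_process}")
    print(summarize(parsed))
```

Running it on the pasted alerts yields three Tidserv hits to three different hosts, one of them explicitly attributed to svchost.exe, so `rootkit_suspected` comes out true. That is the same conclusion the reply below reaches by recommending a TDSS-specific remover rather than another pass with the scanners already tried.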


#2 quietman7


Posted 31 October 2010 - 09:28 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.



