
svchost is slowly eating my laptop...


This topic is locked
30 replies to this topic

#16 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 18 August 2013 - 03:55 PM

Hi Nasdaq, here's a picture from Process Explorer, with the svchost process hard at work eating CPU cycles. wuauclt is the process responsible for Windows Update, and I have 2, for some reason.

 

I still have no reliable internet

 

Winupdate still not reliable (won't work today)

 

For some reason, probably my own lack of knowledge, I am not accessing all this as "administrator". I always thought I was, since there is only one account on this comp, but when I do a safe mode boot I get the choice. Gotta go figure that out, maybe that's why combofix won't work?

Attached File: svchost at work2.JPG (239.51KB)

 

 




#17 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 18 August 2013 - 10:28 PM

Hi Nasdaq, here's another update.

 

I have had a lot of trouble with the admin vs user accounts on the laptop. My user account had admin privileges, but sometimes when I attempted to suspend and restart processes, Process Explorer would tell me the command to restart was not made with the admin account (?). I miss DOS some days :)

 

So, I ended up with a new user account and the old one is toast and still I can only access the admin account in safe mode.

 

The new user account does not work nearly as well as the old one.  The internet access is very slow, svchost is still there being a pain, and now it is just hanging up for no reason.  And, of course, combofix will not run.  Any advice?



#18 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 19 August 2013 - 08:57 AM


The wuauclt.exe file may be corrupted.

Let see what you have on your hard disk.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :filefind
    wuauclt.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

Let's check these settings also.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
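A way to automate the check nasdaq is asking for here, as an added example that is not from this thread and not part of the SystemLook tool: a small Python script that parses ":filefind" output, groups the copies of a binary by MD5, and compares the in-use copy in system32 with the Windows File Protection copy in system32\dllcache. The sample log embedded in it is constructed from the four wuauclt.exe lines Fixer_27 posts later in this thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four lines SystemLook's ":filefind" reported for
# wuauclt.exe in this thread (paths, sizes, timestamps and MD5s as posted there).
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 19:45 on 19/08/2013 by test luser
Administrator - Elevation successful

========== filefind ==========

Searching for "wuauclt.exe"
C:\WINDOWS\$NtServicePackUninstall$\wuauclt.exe --a--c- 111104 bytes [16:22 05/10/2012] [14:10 12/08/2004] 4126D27CECE4471E00E425411F7306B5
C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe ------- 111104 bytes [16:29 05/10/2012] [11:42 14/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\system32\wuauclt.exe --a---- 53784 bytes [15:43 05/10/2012] [21:19 02/06/2012] 2E0B0A051FFAA86E358465BB0880D453
C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 53784 bytes [15:43 05/10/2012] [21:19 02/06/2012] 2E0B0A051FFAA86E358465BB0880D453

-= EOF =-
"""

# One ":filefind" hit: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file SystemLook found; banner and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the paths carrying it. Copies in service-pack backup
    folders legitimately differ from the patched live binary, so several
    groups are normal; what matters is which paths share the live hash."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_copy(entries):
    """Compare the in-use copy (system32) with Windows File Protection's
    dllcache copy. On XP these must be identical; a mismatch means one of the
    two was replaced outside the normal servicing path and deserves a look."""
    live = cache = None
    for e in entries:
        low = e["path"].lower()
        if "\\system32\\dllcache\\" in low:
            cache = e
        elif "\\system32\\" in low:  # checked second so dllcache is not counted as live
            live = e
    if live is None or cache is None:
        return {"status": "INCOMPLETE", "live": live, "cache": cache}
    same = live["md5"] == cache["md5"] and live["size"] == cache["size"]
    return {"status": "MATCH" if same else "MISMATCH", "live": live, "cache": cache}


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", ", ".join(paths))
    print("system32 vs dllcache:", check_live_copy(found)["status"])
```

A MATCH only shows the two copies agree with each other; it does not prove either is the genuine Microsoft file. The stronger check is the one Farbar Service Scanner does in its "File Check" section, comparing the hash against a known-good value for that Windows build.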


#19 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 19 August 2013 - 09:01 PM

Hi, here's the systemlook log:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 19:45 on 19/08/2013 by test luser
Administrator - Elevation successful

========== filefind ==========

Searching for "wuauclt.exe"
C:\WINDOWS\$NtServicePackUninstall$\wuauclt.exe --a--c- 111104 bytes [16:22 05/10/2012] [14:10 12/08/2004] 4126D27CECE4471E00E425411F7306B5
C:\WINDOWS\ServicePackFiles\i386\wuauclt.exe ------- 111104 bytes [16:29 05/10/2012] [11:42 14/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\system32\wuauclt.exe --a---- 53784 bytes [15:43 05/10/2012] [21:19 02/06/2012] 2E0B0A051FFAA86E358465BB0880D453
C:\WINDOWS\system32\dllcache\wuauclt.exe --a--c- 53784 bytes [15:43 05/10/2012] [21:19 02/06/2012] 2E0B0A051FFAA86E358465BB0880D453

-= EOF =-

===========================================================================================

 

and here's the output from FSS:

 

Farbar Service Scanner Version: 18-08-2013
Ran by test luser (administrator) on 19-08-2013 at 19:48:10
Running from "C:\Documents and Settings\test luser\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

========================================================

 

I did have the network cable unplugged on the laptop, but internet access on it is flaky now. 

 

Other things I noticed.... The laptop suddenly informed me that I have automatic updates from Windows. I dunno how it figured that out with no internet connection.

 

I ran Rkill last night and it found "IFEO debugger" and deleted it.  Here's the log:

 

Rkill 2.6.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/18/2013 08:42:26 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * taskmgr.exe debugger. [IFEO Debugger Deleted]

Backup Registry file created at:
 C:\Documents and Settings\test luser\Desktop\rkill\rkill-08-18-2013-08-44-11.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 localhost

Program finished at: 08/18/2013 08:45:44 PM
Execution time: 0 hours(s), 3 minute(s), and 17 seconds(s)

====================================================================

 

I'm going to try combofix again, and I'll post if I can get it to work.  Thanks for the continuing support. 
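The Rkill line "taskmgr.exe debugger. [IFEO Debugger Deleted]" refers to a Debugger value under the Image File Execution Options registry key: when that value is set for an image name, Windows starts the named "debugger" instead of the program, which is how some malware keeps Task Manager (or a cleanup tool) from ever opening. An added audit script, mine rather than the thread's or Rkill's, that lists every IFEO entry carrying a Debugger value and ranks it; the sample entries are constructed, the file paths in them are hypothetical, and audit_ifeo and read_ifeo_from_registry are names I chose.

```python
import sys

# Registry location of Image File Execution Options (under HKEY_LOCAL_MACHINE).
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Tools that malware commonly redirects so the user cannot inspect or clean the machine.
WATCHED_TOOLS = {
    "taskmgr.exe", "regedit.exe", "msconfig.exe", "cmd.exe",
    "procexp.exe", "rkill.exe", "combofix.exe", "mbam.exe",
}

# Path fragments typical of user-writable locations a Debugger value should not point into.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                   "\\appdata\\", "\\recycler\\")

# Constructed sample of an IFEO enumeration: {image name: Debugger value or None}.
# Both file paths below are hypothetical.
SAMPLE_IFEO = {
    "taskmgr.exe": r"C:\Documents and Settings\test luser\Local Settings\Temp\svc.exe",
    "regedit.exe": None,
    "notepad.exe": r"C:\Program Files\Notepad2\Notepad2.exe /z",
}


def audit_ifeo(entries, allowlist=()):
    """Return a finding for every image whose Debugger value is set.

    severity 'high'   : the redirected image is an admin/security tool, or the
                        debugger lives in a temp/profile directory;
    severity 'medium' : any other Debugger value. Legitimate debuggers and
                        editor replacements do set this, so an admin-maintained
                        allowlist suppresses the ones you know about.
    """
    allowed = {a.lower() for a in allowlist}
    findings = []
    for image, debugger in entries.items():
        if not debugger or image.lower() in allowed:
            continue
        dbg = debugger.lower()
        high = image.lower() in WATCHED_TOOLS or any(frag in dbg for frag in SUSPICIOUS_DIRS)
        findings.append({
            "image": image,
            "debugger": debugger,
            "severity": "high" if high else "medium",
        })
    # High-severity findings first, then alphabetical by image name.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["image"].lower()))


def read_ifeo_from_registry():
    """Enumerate IFEO subkeys on a live Windows host (needs the winreg module)."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration only works on Windows")
    import winreg
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            with winreg.OpenKey(root, name) as sub:
                try:
                    value, _ = winreg.QueryValueEx(sub, "Debugger")
                except OSError:
                    value = None  # no Debugger value under this image name
            result[name] = value
    return result


if __name__ == "__main__":
    data = read_ifeo_from_registry() if sys.platform == "win32" else SAMPLE_IFEO
    for f in audit_ifeo(data):
        print(f"[{f['severity']:6}] {f['image']} -> {f['debugger']}")
```

Rkill deletes such entries on sight; the audit above is for confirming afterwards that nothing re-created one (a persistence mechanism that survives a reboot is a sign the dropper is still active), which is why the findings are returned rather than only printed.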



#20 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 20 August 2013 - 08:29 AM

The files are good.

I checked further on this file associated with the Windows updates; some suggest that this folder (in bold) be deleted.

C:\WINDOWS\SoftwareDistribution\DataStore

Restart the computer normally after the removal and it will be recreated.

Keep me posted.

#21 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 20 August 2013 - 10:20 PM

Hi Nasdaq,

 

Well, I am actually writing this message on the laptop, so that's positive. Unfortunately, it still takes FOR. EV. ER. to boot, and interrupts are keeping the processor very busy. I let svchost run and it downloaded an update, installed it and is now leaving me alone. I'm going to reboot and try Combofix; if I get it to run I'll post the log.



#22 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 21 August 2013 - 08:11 AM

No luck with Combofix.  I logged into Windows update just to make sure I had the latest patches, and I tried to download/install a .Net update (28Mb).  It downloaded fine, but after 45 minutes I gave up trying to install it.  "interrupts" was grabbing 100% processor most of the time.  I could see "msiexec.exe" trying to run, but it was only getting 1-2% processor time.  I can't reduce the priority of the interrupt process, nor suspend it.  I'm guessing there is a driver problem?

 

Anyway, I'd say the laptop is 50% useable now, so that's a huge improvement.

 

Think it could be the DMA vs PIO thing?  That got my home computer's DVD burner ages ago.  Can't believe MSFT still hasn't patched that!


Edited by Fixer_27, 21 August 2013 - 08:25 AM.


#23 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 21 August 2013 - 09:13 AM

Check your drivers.

Secunia Personal Software Inspector (PSI)
http://secunia.com/vulnerability_scanning/personal/
Secunia PSI is a security scanner which identifies programs that are insecure and need updates.

#24 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 22 August 2013 - 08:48 AM

Ok, I checked all my drivers and they appeared fine.

 

I downloaded resetdma.vbs from winhlp.com and ran it.  It told me it reset my hard drive and dvd drive, I rebooted and interrupts is behaving itself again.

 

Then I ran secunia.  Wow, I have a boat-load of .NET updates!  I downloaded and installed the first 11, then halted the procedure as it was getting late.

 

I tried Combofix again, but it still does not run.  Will download and install the rest of the updates tonight and try again.

 

The only real problem I'm noticing now is that Combofix should run and it doesn't. Haven't had any weird HD activity or processes misbehaving; virus scans (Avast and MBAM) are clean.



#25 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 22 August 2013 - 08:52 AM

Run ComboFix in Safe mode with Internet Connectivity.
Post the log if you can.

#26 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 23 August 2013 - 12:47 PM

No luck. Logged in as Admin in safe mode with networking, downloaded the newest version of Combofix. It ran for about 2 minutes then hung the computer. Makes a system restore point, changes screens to the "scanning, may take 10 minutes" part, does not get to the "stage 1" state. I did successfully run it on my desktop machine, nice to see that it does, indeed, work :)

 

Downloaded all windows updates, Secunia seems happy enough.



#27 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 23 August 2013 - 01:06 PM

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
    ComboFix /Uninstall

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful addons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

#28 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 26 August 2013 - 12:24 PM

Hi, sorry, I was away from the computer(s) for the weekend. I will get after this maintenance tonight and post back results.



#29 Fixer_27

Fixer_27
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:04:35 PM

Posted 28 August 2013 - 09:55 PM

Hi Nasdaq,

 

All appears well here. I have learned much from all this, and have made several changes to my security loadout. Thank you so much for your help! Is there a way I can buy you a coffee?



#30 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:35 PM

Posted 29 August 2013 - 08:39 AM

We are good thank you.



