Thread: Svchost infected

  1. #1
    Join Date
    Aug 2006
    Posts
    7

    Svchost infected

    I've been wondering for a while now why my comp has been running so slow, and went into Task Manager.

    Seems that my svchost.exe is taking up 98% of my CPU for at least 15 minutes after startup, eventually slowing back down to 0%. If I end the svchost, it appears to be the controller of the sound devices.

    I have avast! antivirus, and it can't find anything.
    I also use SpyBot S&D, and it can't find anything.

    I've cleaned anything that looks bad in my HJT log, and this is the rest of it.


    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 5:03:38 PM, on 8/19/2006
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk.disabled
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    We always recommend that you go here READ ME Before Posting A Request For Assistance!
    and follow all the steps there BEFORE running HJT. Please complete those steps given there that you have not yet completed.

    Please re-enable all items that you have disabled via msconfig and run a new HJT scan and save that file as a text file and copy/paste it here.

    We have no way of knowing what items you fixed with the original HJT scan. If you have a copy of that we need that too.

  3. #3
    Join Date
    Aug 2006
    Posts
    7
    Going through this on my laptop now, doing steps on main computer.

    I have not touched msconfig, and all the settings I have have been there for months. This is the first time I've run HJT on this computer. I have, however, turned off options with S&D before.

    Here's the steps.

    1. Done.

    2.
    • Ran S&D, found two cookies, and killed both.
    • Windows Defender, cannot run, as I have SP 1.1, and SP2 does not run with my wireless all too well.
    • Crap Cleaner deleted a bunch of Internet cache stuff.
    • Ad-Aware SE Personal, updated definitions right away, and ran. Found a couple of old IE tracking cookies on my second HD, but nothing else.


    3. Already got HJT.

    4. Nothing weird in Add/Remove Programs.

    5. Enabled.

    6. Done, nothing found.

    7.
    • Ran Panda scan, and as soon as it ran, avast! disabled it. One of the files it tried to run was on the virus list. Heh.
    • Ran BitDefender, and it found nothing.
    • Trend Micro also said nothing.


    8. Disabled both network connections, and ran Safe Mode.
    Ran S&D, Ad Aware, and Crap Cleaner, and all they did was clean my temp files, but found nothing.


    Here's the HJT log, with only my antivirus running and Firefox.
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I honestly see nothing in your log which would indicate a virus, trojan, malware/spyware. I only see two instances of svchost.exe running in your log which is sort of rare in itself. Each instance of Svchost process [you see in Task Manager] launches a list of services. Multiple instances of Svchost.exe can run at the same time. Four or five instances of svchost.exe is normal. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. In normal conditions multiple instances of Svchost.exe run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
    You say that at start up svchost.exe may use 98% CPU and then drops to 0%... it looks to me like it is doing its job which is loading the services needed to run the computer.

    You say in your last post....
    Ran Panda scan, and as soon as it ran, avast! disabled it. One of the files it tried to run was on the virus list. Heh.
    Not sure what you mean by...one of the files it tried to run...it was not trying to run the file...it was scanning to see if the file was on your computer. By letting avast! run during the scans you were not getting an accurate scan by those online programs. Especially if avast turned it off.

    The HJT scan also showed that you are not running a firewall. This is a must today. Now I will say that HJT does not detect the built-in Windows firewall so if you ARE using that then that is fine.
    I also would advise that you update to XP SP2.
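
A way to automate the checks discussed in the posts above, as an added example that is not part of the original thread: it parses a HijackThis log, counts svchost.exe instances, flags any copy outside system32 or with a near-miss name, and separates O23 "(file missing)" entries whose executable is actually running. It goes beyond the posted log by also handling the wrong-path and look-alike cases; the function names, the 0.8 similarity threshold and the `C:\WINDOWS` system root are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed excerpt of the HijackThis log posted in #1 (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def parse_hjt(text):
    """Return (running process paths, [(section, detail)]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs and procs:
            in_procs = False      # first blank line after the list ends it
        elif (m := re.match(r"(O\d+) - (.*)", line)):
            entries.append(m.groups())
    return procs, entries

def triage(text, system_root=r"C:\WINDOWS"):
    procs, entries = parse_hjt(text)
    expected = (system_root + r"\system32\svchost.exe").lower()
    running = {p.lower() for p in procs}
    report = {"svchost_count": 0, "wrong_path": [], "lookalike": [],
              "missing_but_running": [], "missing": []}
    for p in procs:
        name = p.lower().rsplit("\\", 1)[-1]
        if name == "svchost.exe":
            report["svchost_count"] += 1
            if p.lower() != expected:        # assumed: 32-bit XP, system32 only
                report["wrong_path"].append(p)
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8:
            report["lookalike"].append(p)    # near-miss spelling of the name
    for section, detail in entries:
        if section == "O23" and detail.endswith("(file missing)"):
            m = re.search(r"[A-Za-z]:\\.*?\.exe", detail, re.I)
            key = "missing_but_running" if m and m.group().lower() in running else "missing"
            report[key].append(detail)       # running exe: likely a quoting artifact
    return report
```

On the excerpt, both svchost.exe instances sit in system32, and the avast! Mail Scanner entry lands in `missing_but_running` because the same executable appears under running processes.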

  5. #5
    Join Date
    Aug 2006
    Posts
    7
    You say that at start up svchost.exe may use 98% CPU and then drops to 0%... it looks to me like it is doing its job which is loading the services needed to run the computer.

    Yeah, I know all about svchost. I usually DO have 5, with the giant one usually starting up 40 or so services. It should NOT, however, take 10-15 minutes at a maxed out CPU to start it.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sounds like you have too many services starting up. That many do not show in your log however...that many svchosts or that many services.

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Download WinPFind

    • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program.
    • Now click Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
    • When it is done, it will show the results of the scan. Right Click in the window and choose Select All. Then Right Click again and select Copy which will copy the contents of the log to your clipboard. Then open a notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
    Now Please Bear In Mind. Not All Files Found are bad files. It is to be noted that WinPFind searches for files with specific patterns and not the "bad" file itself. Hence, the result of WinPFind scan will also contain legitimate files too.
    Do nothing but run the scan and post the results here.
    Last edited by jholland1964; 08-20-2006 at 12:32 PM.

  8. #8
    Join Date
    Aug 2006
    Posts
    7
    Okay, here it is.
    Attached Files

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Even though you say you are not using msconfig to disable anything your HJT log is quite small AND the WinPFind log shows that items ARE being disabled with msconfig.
    Please go in and re-enable everything. Please make sure there is a checkmark in Normal Services - Load all device drivers and services.
    Then reboot the computer. Run a new HJT scan.

  10. #10
    Join Date
    Aug 2006
    Posts
    7
    I haven't touched msconfig dangit.
    Attached Images
