# svchost.exe causing 100% cpu every 10 seconds



## spetnaz69 (Jul 17, 2006)

Hi all, new to the sight but so far it has been very informative. I seem to have a problem with my system that is not uncommon. An svchost.exe process, I believe the sound driver, seems to have been infiltrated by some nasty buggers that dont want to die. I have currently running Panda Titanium and Ewido, neither of which has been able to deal with the problem. Specifically, the malware in question consumes 100% CPU every 10 seconds or so. If I end the svchost.exe process, the CPU usage returns to normal, but I have no sound. Any advice? 

Here is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 12:56:03 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Stealther\stealth27.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\will doyle\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E8DA74EF-432F-4C25-9A7E-5532B1CF75B7} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S130.tmp"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Stealther.lnk = C:\Program Files\Stealther\stealth27.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol hijack: res - {3050F3BC-90B5-11CF-BB82-00AA00BDCE0B}
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe


----------



## sUBs (May 5, 2005)

Sorry for the delay but we're a bit short handed at the moment. It's been sometime since the last hijackthis log is posted. If you still require assistance, please post a fresh hijackthis log. I'm subscribed to this thread & would be notified of your reply.


----------



## spetnaz69 (Jul 17, 2006)

*Updated HijackThis Log, and further problems*

Thanks for gettinh back to me, I can't imagine doing what you do daily as its driving me insane. So, still same problem, one of the svchost.exe process has been hijacked, but now for some reason my computer has no connectivity. Upon hitting th repair tab I get the error" Windows could finish repairing the problem because the following action cannot be completed: Renewing your IP address." Using the command promt, I queried the ip with ipconfig, tryed to renew that way, no go. I get the error RPC server is unavailable. That where I got stuck. So, heres a current log. Thank god for the laptop!

Logfile of HijackThis v1.99.1
Scan saved at 5:33:23 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Stealther\stealth27.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\will doyle\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E8DA74EF-432F-4C25-9A7E-5532B1CF75B7} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol hijack: res - {3050F3BC-90B5-11CF-BB82-00AA00BDCE0B}
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe



Best of luck


----------



## sUBs (May 5, 2005)

Please tell me what type of anitvirus programs you have on this machine. From your log, I see Panda & Symantec. That's is going to cause some conflicts. Alike firewalls, anti-virus programs have conflicts co-existing with each other & may produce unpredicatable results. This is just a guess but the removal of these antivirus should restore functionality to the machine


----------



## spetnaz69 (Jul 17, 2006)

*Antivirus conflict*

Howdy, I know the log says that norton is running, but I deleted it months ago and I thought it was gone. I only have panda running as far as I know. Go figure. I even tried to remove teh symantec stuff with hijack this.


----------



## sUBs (May 5, 2005)

Use the guide here & remove it properly

http://basconotw.mvps.org/SymRem.htm


----------



## spetnaz69 (Jul 17, 2006)

*Norton is toast*

Sorry about the delat in responding, Ive had connectivity issues and have been working too much. So, where were we. Ah, yes, here is a new hijack log, i think its all gone, I think.

Logfile of HijackThis v1.99.1
Scan saved at 6:56:33 PM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Stealther\stealth27.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\will doyle\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E8DA74EF-432F-4C25-9A7E-5532B1CF75B7} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O18 - Protocol hijack: res - {3050F3BC-90B5-11CF-BB82-00AA00BDCE0B}
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

Looking forward to hearing what youve made of it.


----------



## sUBs (May 5, 2005)

> consumes 100% CPU every 10 seconds or so. If I end the svchost.exe process, the CPU usage returns to normal, but I have no sound.


Does this still happen? 


Do a HijackThis scan & place a check next to these items and select "Fix checked": 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\
O2 - BHO: (no name) - {E8DA74EF-432F-4C25-9A7E-5532B1CF75B7} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Protocol hijack: res - {3050F3BC-90B5-11CF-BB82-00AA00BDCE0B}


----------



## spetnaz69 (Jul 17, 2006)

So, I fixed all of the things noted and it appears as if the bug is still there. i fixed and restarted and rescanned without recurrence. The svchost.exe process is still getting hijack and the connectivity is still nill. Here is a log of the post cleansing.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:31 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Stealther\stealth27.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\will doyle\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\will doyle\Application Data\Mozilla\Profiles\default\ftkara3k.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

Anything else or am I screwed? The connectivty thing is weird. I called comcast and they had no advice, telling me that they had connectivity witht the cable modem. For some reason, the connection is not making it to the computer when the cable is plugged in. Same when I run it through a wireless router. My laptop cannot detect the signal from it. I dont think my laptop is compromised so I assume the problem is somewhere in the modem or cable. Any advice on that? 
Thanks


----------



## sUBs (May 5, 2005)

Please reboot to Safe Mode with Networking. Verify if your internet connectivity works there. If not, reboot to Normal Mode & have a look at Windows Event Viewer. It might give us a clue as to what is causing these issues

Go to Start > Run - type in *eventvwr *<Press Enter>











This is a picture of what the event viewer looks like. 
You will see *Application*, Security & *System* listed in the left pane. 
 In the left pane click on *Application*.
 Click the gray title *“Type”* at the top of the source name column in the right pane to sort by type name
Look for *“Error” *& double-click on the most recent 5, and evaluate the event description for any indication of the cause of the problem. 
 Make note of the Description, EventID and Source of these Event Properties.
 From the right pane, doubleclick on the line where it says error & you should get a window like the example below













 In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down. 
There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
 Open notepad & paste the info in thereThis will copy the event information to the clipboard. Paste the information for each event here

Repeat steps 1-6 for *System*


----------



## spetnaz69 (Jul 17, 2006)

*No Connectivity in Safe Mode*

So I rebooted in Safe mode with networking and it was weird. I picked up a new modem from COmcast thinking that the hardware may be the problem. Still wont work, however, when I opened in safemode it brought me right to a comcast page where it downloaded a connection wizard. Upon running the connection wizrd ti failed on the last step even though it said it had established a connection. I love computers. So here are the logs from the event viewer.

The error logs from applications didnt look that pertinant, but the warning logs from system look like they refer to network stuff.

Hope it helps, im going nuts here trying to figure something else. 

Event Type:	Error
Event Source:	nview_info
Event Category:	None
Event ID:	1
Date: 8/4/2006
Time: 12:31:53 AM
User: N/A
Computer:	SPETNAZ
Description:
The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NVIEW : rundll32: Mutex Recovery Code - app released the mutex - back to normal operation.
.
Event Type:	Error
Event Source:	nview_info
Event Category:	None
Event ID:	1
Date: 8/4/2006
Time: 12:31:38 AM
User: N/A
Computer:	SPETNAZ
Description:
The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NVIEW : Platinum: Mutex Recovery on THREAD_DETACH! - InfoID:a04, TID:c28, Name:C:\Program Files\321Studios\Platinum\Platinum.exe - NView (and Mutexes) are now enabled again.
.
Event Type:	Error
Event Source:	nview_info
Event Category:	None
Event ID:	1
Date: 8/4/2006
Time: 12:31:53 AM
User: N/A
Computer:	SPETNAZ
Description:
The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NVIEW : Platinum: Mutex Recovery on THREAD_DETACH! - InfoID:a04, TID:f9c, Name:C:\Program Files\321Studios\Platinum\Platinum.exe - NView (and Mutexes) are now enabled again.
.
Event Type:	Error
Event Source:	nview_info
Event Category:	None
Event ID:	1
Date: 8/4/2006
Time: 12:31:53 AM
User: N/A
Computer:	SPETNAZ
Description:
The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: NVIEW : rundll32: WAIT_TIMEOUT, LAST SUCCESS: (thread 0xc38) (cmdName:rundll32.exe) WindowManager.cpp 2985
.
These logs are from the Applications errors, it seems like the warnings from System logs are much more important for my purposes though.

They are as follows:
Event Type:	Warning
Event Source:	Dhcp
Event Category:	None
Event ID:	1006
Date: 8/11/2006
Time: 4:44:38 PM
User: N/A
Computer:	SPETNAZ
Description:
Your computer was unable to automatically configure the IP parameters for the Network Card with the network address 000B6A3E480C. The following error occurred during configuration: No connection could be made because the target machine actively refused it. .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 4d 27 00 00 M'.. 

Event Type:	Warning
Event Source:	Dhcp
Event Category:	None
Event ID:	1005
Date: 8/11/2006
Time: 4:44:25 PM
User: N/A
Computer:	SPETNAZ
Description:
Your computer has detected that the IP address 67.161.155.105 for the Network Card with network address 000B6A3E480C is already in use on the network. Your computer will automatically attempt to obtain a different address.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Dhcp
Event Category:	None
Event ID:	1005
Date: 8/11/2006
Time: 4:44:25 PM
User: N/A
Computer:	SPETNAZ
Description:
Your computer has detected that the IP address 0.0.0.0 for the Network Card with network address 000B6A3E480C is already in use on the network. Your computer will automatically attempt to obtain a different address.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:	Warning
Event Source:	Dhcp
Event Category:	None
Event ID:	1003
Date: 8/11/2006
Time: 4:44:23 PM
User: N/A
Computer:	SPETNAZ
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000B6A3E480C. The following error occurred: 
An operation was attempted on something that is not a socket. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 36 27 00 00 6'.. 

Event Type:	Warning
Event Source:	Dhcp
Event Category:	None
Event ID:	1003
Date: 8/11/2006
Time: 4:38:22 PM
User: N/A
Computer:	SPETNAZ
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000B6A3E480C. The following error occurred: 
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 79 00 00 00 y...


----------



## sUBs (May 5, 2005)

> Your computer has detected that the IP address 67.161.155.105 for the Network Card with network address 000B6A3E480C is already in use on the network. Your computer will automatically attempt to obtain a different address.
> 
> Your computer has detected that the IP address 0.0.0.0 for the Network Card with network address 000B6A3E480C is already in use on the network. Your computer will automatically attempt to obtain a different address.
> 
> ...


I'm not familiar with cable but let's try this.....
Enter your *Control Panel* and double-click on *Network Connections*

Then right click on your *Default Connection*
Usually Local Area Connection for Cable and DSL

Left click on *Properties*
Double-Click on the *Internet Protocol (TCP/IP)* item
Select the radio dial that says *Obtain IP Address Automatically*
Select the radio dial that says *Obtain DNS Servers Automatically*
Press OK twice to get out of the properties screen and reboot if it asks

If this doesnt do the job, I'll move the thread to Networking forum where it may be addressed better


----------



## spetnaz69 (Jul 17, 2006)

*Good idea, but no dice*

Ive actually already tried that fix,nothing seems to work. On a positive note, the new modem I got seems to work when run throught the wireless to my laptop. I still cant connect with the desktop though, curses. I am still having the issue with the hijacked svchost.exe sound process also. Som i am definately interested in starting a thread in the networking forum to further explore the dilema. You dont thing the two problems are tied together do you?

Any more help would be appreciated.
Semi-connected in Colorado


----------



## sUBs (May 5, 2005)

Thread moved from HJT log help


----------



## spetnaz69 (Jul 17, 2006)

*SVC.HOST.EXE still killen me, what gives?*

I dotn know where the tread got shifted to and what help the shift will give me. Any advice on the svchost.exe problem? As that is the main problem I am facing.


----------



## sUBs (May 5, 2005)

Oops.. forgot about your svchost error. Let's see if we can narrow it down. Bear in mind that this is no longer a malware issue. It's more likely thta one of your drivers is causing conflicts

Download, unzip & launch Process Explorer from Sysinternals : http://download.sysinternals.com/Files/ProcessExplorerNt.zip

In the main window, you should see several instances of svchost.exe. 
Select the one that's using the most cpu cycles & double click it to bring up the properties page. 
Under the 'Services' tab, select each service & click the 'Stop' button. 
Wait a few seconds & see if the CPU cycles goes down. 
If not, stop another service & keep doing that till you have identified the service that's causing the spikes.

Let me know how you fared.


----------



## spetnaz69 (Jul 17, 2006)

*Connectivty achieved in Safe Mode*

So, back to the connectivity issue. Now that my connection is good again, I am able to connect in Safe mode. What does that mean? I am also checking to see which instance of svcgost.exe is sucking all my juice with that link of yours.
Thanks


----------



## spetnaz69 (Jul 17, 2006)

*Process Identified*

So, I was able to identify the process that was causing the cpu to get maxed, and stopped the process. Now what?


----------



## sUBs (May 5, 2005)

It helps if you tell me which is it


----------



## sUBs (May 5, 2005)

Came across this & I feel it's pertinent. Quite a few folks are experinecing troubles with internet disconnections & svchost after a recent Windows update. Best you read up: http://support.microsoft.com/default.aspx?scid=kb;en-us;894391


----------



## spetnaz69 (Jul 17, 2006)

*Sorry about that*

I guess its pretty useless to you to know I killed the bad process without knowing what it is, so, one more time.
The process shos up as C:\\WINDOWS\System32\svchost.exe k netsvcs, which shows up as a Microsoft program. Any advice? It seems like i could tell a lot more about it if I knew more about the Process Explorer.


----------



## sUBs (May 5, 2005)

May have found the source of your problem. Many folks were experiencing this lately & this appears to be the probable scenario

Some new worm is making it's rounds, exploiting unpatched machines & causing these buffer overruns. It's more prevalent during the day when more infected machines are on the network.

Machines that were affected:

* Those that had auto-updates switched off

* Those that had the firewall disabled. Many had weak AV programs

* These errors more frequently in the daytime.

Solution:

Re-enable autoupdates. It's that easy. Most people have it off, in hope of bypassing Msoft's recent anti-piracy move.

Either that or manually download each updates..especially this one

http://www.microsoft.com/downloads/...b6-03ff-4636-861a-46b3eac7a305&displaylang=en


----------



## spetnaz69 (Jul 17, 2006)

*Update solution*

Well, I did have auto update on when this whole thing started, but it appears as if the updates in question never made it onto my machine. I installed the one update that you said was very important last messege. It appears as if it was unsuccessful at eliminating the buffer overruns. Any other ideas?


----------

