Page 1 of 2
December 10, 2011 20:01 svchost.exe #184151
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
On 12/04/2011 I began to have problems with the computer.
I noticed that one instance of the svchost.exe file had a very
large memory usage and was constantly increasing in size. It
also used a large percentage of CPU time. Eventually
it grows beyond 1GB and the system becomes unusable.

The svchost process only runs away like this when I am connected to
the internet. When not connected, the system runs fine.

Output from Tasklist.exe is shown below. The svchost.exe instance
that is the problem is PID 1532.


Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 932 N/A
avgchsvx.exe 972 N/A
csrss.exe 1144 N/A
winlogon.exe 1168 N/A
services.exe 1216 Eventlog, PlugPlay
lsass.exe 1228 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 1408 DcomLaunch, TermService
svchost.exe 1488 RpcSs
svchost.exe 1532 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, w32time, winmgmt, wuauserv,
WZCSVC
svchost.exe 1668 Dnscache
svchost.exe 1736 LmHosts, RemoteRegistry, SSDPSRV, upnphost
spoolsv.exe 1912 Spooler
scardsvr.exe 1964 SCardSvr
svchost.exe 2028 WebClient
avgwdsvc.exe 176 avgwd
DataServer.exe 284 DataSvr2
dsNcService.exe 332 dsNcService
svchost.exe 600 HTTPFilter
inetinfo.exe 628 IISADMIN, SMTPSVC, W3SVC
jqs.exe 664 JavaQuickStarterService
avgam.exe 732 N/A
MDM.EXE 744 MDM
avgnsx.exe 824 N/A
sqlservr.exe 960 MSSQL$SQLEXPRESS
NicConfigSvc.exe 1644 NICCONFIGSVC
sqlwriter.exe 1832 SQLWriter
svchost.exe 2196 stisvc
tcsd_win32.exe 2288 tcsd_win32.exe
wmpnetwk.exe 2588 WMPNetworkSvc
AVGIDSAgent.exe 2692 AVGIDSAgent
wmiprvse.exe 2948 N/A
explorer.exe 3664 N/A
alg.exe 4004 ALG
Apoint.exe 2608 N/A
hkcmd.exe 2820 N/A
igfxpers.exe 3444 N/A
igfxsrvc.exe 3540 N/A
jusched.exe 2912 N/A
ZCfgSvc.exe 3956 N/A
iFrmewrk.exe 4000 N/A
stsystra.exe 1892 N/A
docmgr.exe 360 N/A
hidfind.exe 928 N/A
quickset.exe 1380 N/A
avgtray.exe 2120 N/A
ApntEx.exe 2220 N/A
netwaiting.exe 2840 N/A
ctfmon.exe 2916 N/A
REMINDER.EXE 2824 N/A
AVGIDSMonitor.exe 3408 N/A
avgrsx.exe 1480 N/A
avgcsrvx.exe 3056 N/A
notepad.exe 2760 N/A
cmd.exe 1372 N/A
tasklist.exe 3732 N/A
wmiprvse.exe 856 N/A

Since 12/04/2011, one or more AVG components have crashed. I do not have details
beyond that but I clicked 'Yes' to send a report to AVG once or twice. Also since
then, AVG has intercepted several threats. I have done a full scan on my system, and
no threats are reported.

In looking on the internet, one suggestion was to disable Windows Update which I have done. Does anyone have any help with this problem? Thank you.

- Steve
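The tasklist listing in this post becomes much more useful once each svchost.exe PID is tied to the service group it hosts, because a runaway svchost.exe is really one of the services inside it. The following Python script is an added example (it is not part of the original post and not an AVG tool): it parses `tasklist /svc` output in the format shown above, using a sample copied from the listing as embedded input, and reports which PID hosts a given service and which svchost.exe instance hosts the most services.

```python
"""Parse `tasklist /svc` output and map each svchost.exe PID to the services it
hosts, so a misbehaving PID can be narrowed down to a service group.

Added example; SAMPLE below is a subset of the listing posted in the thread."""
import re

# One process line: image name (may contain spaces), PID, then a service list
# or "N/A".  Wrapped continuation lines contain no PID and so do not match.
_PROC_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>.*\S)\s*$")

SAMPLE = """\
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
lsass.exe 1228 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 1408 DcomLaunch, TermService
svchost.exe 1488 RpcSs
svchost.exe 1532 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, HidServ, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, w32time, winmgmt, wuauserv,
WZCSVC
svchost.exe 1668 Dnscache
svchost.exe 1736 LmHosts, RemoteRegistry, SSDPSRV, upnphost
svchost.exe 2028 WebClient
tcsd_win32.exe 2288 tcsd_win32.exe
"""


def _split(services):
    """Split a comma-separated service list, dropping empty items."""
    return [s.strip() for s in services.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return a list of {'image', 'pid', 'services'} dicts.

    A line without a PID column (a wrapped service list) is appended to the
    most recently parsed process; header and separator lines are skipped."""
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Image Name") or set(line) <= {"=", " "}:
            continue
        m = _PROC_RE.match(line)
        if m:
            svcs = m.group("svcs")
            procs.append({
                "image": m.group("image"),
                "pid": int(m.group("pid")),
                "services": [] if svcs == "N/A" else _split(svcs),
            })
        elif procs:
            procs[-1]["services"].extend(_split(line))
    return procs


def svchost_groups(procs):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {p["pid"]: p["services"] for p in procs
            if p["image"].lower() == "svchost.exe"}


def busiest_svchost(procs):
    """Return (pid, services) for the svchost.exe hosting the most services,
    or None when no svchost.exe is present."""
    groups = svchost_groups(procs)
    if not groups:
        return None
    pid = max(groups, key=lambda k: len(groups[k]))
    return pid, groups[pid]


def host_of(procs, service):
    """Return the PID of the process hosting `service` (case-insensitive)."""
    wanted = service.lower()
    for p in procs:
        if wanted in (s.lower() for s in p["services"]):
            return p["pid"]
    return None


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    pid, svcs = busiest_svchost(procs)
    print(f"svchost.exe PID {pid} hosts {len(svcs)} services: {', '.join(svcs)}")
    for name in ("wuauserv", "BITS", "Dnscache"):
        print(f"{name} is hosted by PID {host_of(procs, name)}")
```

On the listing above this reports PID 1532 hosting 26 services, among them wuauserv and BITS, which is why disabling Windows Update looked relevant at the time. The mapping narrows the suspect group to what that one process hosts; it does not by itself say why the process misbehaves, and the later posts show the real cause was outside svchost.exe altogether.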
December 10, 2011 20:50 Re: svchost.exe #184158
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
In looking at Process Explorer I see avgwdsvc.exe, avgam.exe and avgnsx.exe running. At this point I have not connected my network cable and the system is running okay. When I plug in the network cable, about a minute later I see avgcsrvx.exe start and at the same moment the svchost process begins to run away. Could be coincidental or just the AVG software doing its job, but the two things happen at the same time.

- Steve
December 12, 2011 13:00 Re: svchost.exe #184275
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello sjhapp,

First of all install all high priority windows updates.

Is this issue occurring while AVG is disabled? More information on how to temporarily disable AVG components can be found here.

Please provide us with Msinfo output (while computer is connected to the Internet) and crash dumps for further analysis of this issue.

To make sure that your computer is not infected please provide us with both Gmer scan results.

Thank you
___________________
AVG Team
How-To articles | FAQ | Free Support
We Protect Us
December 13, 2011 13:47 Re: svchost #184387
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
On startup now, I get several errors relating to svchost:
The application failed to initialize properly (0x0000005). Click OK to terminate the application.

I'm not able to run a browser from the computer. So, I'm not able to make sure I have all critical Windows updates installed. I did run into a problem earlier in the week when trying to run Windows Update, so it is possible that I do not.

"GMER has found system modifications caused by ROOTKIT activity"
The two log files are attached.

I am not able to run msinfo. I don't know if this is related to the problems found or not. The system has msinfo.dll but no exe file of the same name.

Thank you.
December 14, 2011 09:02 Re: svchost #184492
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello sjhapp,

You are unfortunately infected by the TDL4 rootkit. In order to solve this issue, please restore your master boot record in offline mode as described here.

Then please run an anti-virus scan from the AVG Rescue CD.

If C:\WINDOWS\system32\wxvault.dll is not detected as an infection by the AVG Rescue CD, please send this file to virus@avg.com for further analysis as described here.

Also, if this does not resolve the issue, please run the Disk Management tool from C:\Windows\System32\diskmngmt.msc and provide us with a screenshot of the system volume partitioning.

Thank you
December 16, 2011 13:24 Re: svchost.exe #184785
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
I restored the master boot record, and things have improved. I don't have the svchost.exe file running away as was described earlier.

I ran into a problem running the scan from AVG Rescue CD. The program seems to hang on the following file:
C:\WINDOWS\Temp\avg-952d2b3c-ba23-4a48-9465-dc2c7e5fe536.tmp

This is what I can see on the display from the scan:
/mnt/sda2/WINDOWS/Temp/avg-952d2b3c-ba23-4a48-9465-dc2c7e5fe536.tmp:_2_fdp.se0401-dni_jn_sfdpspf

No infections were detected up to this point.

Since I am not sure of the infection status of wxvault.dll, I will send it to you as a precaution.

The diskmngmt.msc screenshot is attached.

Also, I am getting qmkhaulmala.com/index.php threat detection every few minutes while online.

Thank you.

- Steve
AVG_diskmngmt.JPG
December 16, 2011 14:50 Re: svchost.exe #184801
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello Steve,

Can you please provide us with a screenshot of the mentioned detection which occurs every few minutes?

Also please send us OTL scan results for further analysis of this issue.

1. Download the OTL utility and run it.
2. Select All in the Standard Registry frame.
3. Click Run Scan and wait for the scan to finish (it will take a few minutes).
4. Compress and provide us with the OTL.Txt file (opened automatically after the scan is complete; it is created in the same location OTL was launched from).

Thank you.
December 18, 2011 17:16 Re: svchost.exe #184958
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
I am finally current with respect to Windows Update. I still am frequently getting the threat blocked message mentioned in the earlier post. Attached are two screen shots showing the message and the details and the output from OTL.exe.

Thank you for your help on this.

- Steve
December 18, 2011 17:23 Re: svchost.exe #184959
sjhapp
Novice
Join Date: 10.12.2011
Posts: 7
One last file...

Attached is the file that seemed to cause a problem with the AVG Rescue Disk scan (see earlier post).

December 19, 2011 13:25 Re: svchost.exe #185042
nemethste
Administrator
Join Date: 1.11.2011
Posts: 1730
Hello sjhapp,

We have detected several possibly positive files. Please add the following files to a password-protected archive and send them to virus@avg.com:

C:\WINDOWS\system32\appconf32.exe
C:\Documents and Settings\All Users\Application Data\y4051468i1onf8wyt6238hkv4850u8sc6c765hfp3un5n
C:\Documents and Settings\Administrator\Local Settings\Application Data\y4051468i1onf8wyt6238hkv4850u8sc6c765hfp3un5n
C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
C:\WINDOWS\System32\d3d9caps.dat (please rename it to d3d9caps.dat.system32)

Then please rename these files to filename.vir (e.g. appconf32.vir, etc.).

Also please update your AVG to the newest version (AVG 2012) because of its better detection capabilities, then launch a full computer scan and provide us with the results and with new GMER scan results to make sure your computer is no longer infected by rootkits.

Thank you.
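The submission steps in this post (collect the suspect files, give each a neutral .vir name so it is not accidentally executed, and archive them for the analyst) are easy to get wrong by hand, especially when two files share a name as the two d3d9caps.dat copies do. The Python script below is an added example, not an AVG tool or part of the original thread: it copies each suspect file into a staging directory under a .vir name (with an optional tag to keep same-named files apart), records the original path, size and SHA-256 of each in a manifest.json, and zips the staging directory. The sample files it creates are constructed placeholders, not the files named in the post; the standard-library zipfile module cannot write password-protected archives, so the password is applied afterwards with an archive tool such as 7-Zip.

```python
"""Stage suspect files for malware-sample submission.

Added example.  Each file is copied (never moved) into a staging directory
under a '<name>.vir' name, its SHA-256 and original path are recorded in
manifest.json, and the staging directory is zipped.  Password protection
of the zip is left to an external archive tool."""
import hashlib
import json
import os
import re
import shutil
import tempfile
import zipfile


def sha256_of(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vir_name(path, tag=None):
    """'C:\\WINDOWS\\system32\\appconf32.exe' -> 'appconf32.vir';
    with tag='system32', 'd3d9caps.dat' -> 'd3d9caps.dat.system32.vir'.
    Splits on both separators so Windows paths work on any host."""
    base = re.split(r"[\\/]", path)[-1]
    stem = base.rsplit(".", 1)[0] if tag is None else f"{base}.{tag}"
    return f"{stem}.vir"


def stage_samples(pairs, staging_dir):
    """Copy each (original_path, staged_name) into staging_dir and write a
    manifest.json; return the manifest as a list of dicts."""
    os.makedirs(staging_dir, exist_ok=True)
    manifest = []
    for original, staged in pairs:
        dest = os.path.join(staging_dir, staged)
        shutil.copy2(original, dest)  # copy, so the evidence stays in place
        manifest.append({
            "original_path": original,
            "staged_as": staged,
            "size": os.path.getsize(dest),
            "sha256": sha256_of(dest),
        })
    with open(os.path.join(staging_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def build_archive(staging_dir, zip_path):
    """Zip every file in staging_dir (flat) and return the member names."""
    names = sorted(os.listdir(staging_dir))
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.write(os.path.join(staging_dir, name), arcname=name)
    return names


def demo():
    """Create two constructed placeholder files (not the real suspect files)
    in a temp dir, stage them, and return (manifest, archive members)."""
    work = tempfile.mkdtemp(prefix="sample-stage-")
    src = os.path.join(work, "src")
    os.makedirs(src)
    a = os.path.join(src, "appconf32.exe")
    b = os.path.join(src, "d3d9caps.dat")
    with open(a, "wb") as f:
        f.write(b"constructed placeholder, not a real executable\n")
    with open(b, "wb") as f:
        f.write(b"constructed placeholder data\n")
    staged = os.path.join(work, "staged")
    manifest = stage_samples([(a, vir_name(a)),
                              (b, vir_name(b, tag="system32"))], staged)
    members = build_archive(staged, os.path.join(work, "samples.zip"))
    return manifest, members


if __name__ == "__main__":
    manifest, members = demo()
    print(json.dumps(manifest, indent=2))
    print("archive members:", members)
```

The manifest is what makes the submission useful to the analyst: the hashes let them confirm the files arrived intact, and the recorded original paths preserve the context (which d3d9caps.dat came from which directory) that the renaming otherwise loses.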