On 12/04/2011 I began to have problems with the computer. I noticed that one instance of the svchost.exe file had a very large memory usage and was constantly increasing in size. It also used a large percentage of CPU time. Eventually it grows beyond 1GB and the system becomes unusable. The svchost process only runs away like this when I am connected to the internet. When not connected, the system runs fine. Output from Tasklist.exe is shown below. The svchost.exe instance that is the problem is PID 1532.

Since 12/04/2011, one or more AVG components have crashed. I do not have details beyond that, but I clicked 'Yes' to send a report to AVG once or twice. Also since then, AVG has intercepted several threats. I have done a full scan on my system, and no threats are reported.
In looking on the internet, one suggestion was to disable Windows Update which I have done. Does anyone have any help with this problem? Thank you.
In looking at Process Explorer I see avgwdsvc.exe, avgam.exe and avgnsx.exe running. At this point I have not connected my network cable and the system is running okay. When I plug in the network cable, about a minute later I see avgcsrvx.exe start and at the same moment the svchost process begins to run away. Could be coincidental or just the AVG software doing its job, but the two things happen at the same time.
On startup now, I get several errors relating to svchost:
The application failed to initialize properly (0x0000005). Click OK to terminate the application.
I'm not able to run a browser from the computer. So, I'm not able to make sure I have all critical Windows updates installed. I did run into a problem earlier in the week when trying to run Windows Update, so it is possible that I do not.
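A defender-side check for the symptom described above (an added example, not from the thread or from AVG): a PowerShell script that samples the working set of every svchost.exe instance and reports the one that only ever grows between samples, together with the services it hosts via `tasklist /svc`. It assumes PowerShell is available on the affected machine; the sample count and interval are assumed defaults.

```powershell
# Added example, not from the thread: poll every svchost.exe instance and
# report the one whose working set only ever grows between samples.
param(
    [int]$Samples = 6,           # number of samples to take
    [int]$IntervalSeconds = 10   # seconds between samples
)

$history = @{}   # PID -> list of working-set readings in MB

for ($i = 0; $i -lt $Samples; $i++) {
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        if (-not $history.ContainsKey($p.Id)) { $history[$p.Id] = @() }
        $history[$p.Id] += [math]::Round($p.WorkingSet64 / 1MB, 1)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

foreach ($procId in $history.Keys) {
    $readings = $history[$procId]
    if ($readings.Count -lt 2) { continue }   # process appeared too late to judge
    # Growth is monotonic if no sample is smaller than the one before it.
    $monotonic = $true
    for ($j = 1; $j -lt $readings.Count; $j++) {
        if ($readings[$j] -lt $readings[$j - 1]) { $monotonic = $false; break }
    }
    $delta = $readings[-1] - $readings[0]
    if ($monotonic -and $delta -gt 0) {
        "PID $procId grew from $($readings[0]) MB to $($readings[-1]) MB (+$delta MB)"
        # Show which services this svchost instance hosts, as tasklist /svc does.
        tasklist /svc /fi "PID eq $procId"
    }
}
```

Run it once with the network cable unplugged and once after plugging it in; a PID that is flagged only in the second run reproduces the correlation described in the post.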
"GMER has found system modifications caused by ROOTKIT activity"
The two log files are attached.
I am not able to run msinfo. I don't know if this is related to the problems found or not. The system has msinfo.dll but no exe file of the same name.
Also please send us OTL scan results for further analysis of this issue.
1. Download the OTL utility and run it.
2. Select All in the Standard Registry frame.
3. Click Run Scan and wait for the scan to finish (it will take a few minutes).
4. Compress and provide us with the OTL.Txt file (opened automatically after the scan is complete; it is created in the same location OTL was launched from).
I am finally current with respect to Windows Update. I still am frequently getting the threat blocked message mentioned in the earlier post. Attached are two screen shots showing the message and the details and the output from OTL.exe.
We have detected several possibly positive files. Please add the following files to a password-protected archive and send them to firstname.lastname@example.org
C:\Documents and Settings\All Users\Application Data\y4051468i1onf8wyt6238hkv4850u8sc6c765hfp3un5n
C:\Documents and Settings\Administrator\Local Settings\Application Data\y4051468i1onf8wyt6238hkv4850u8sc6c765hfp3un5n
C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
C:\WINDOWS\System32\d3d9caps.dat (please rename it to d3d9caps.dat.system32)
Then please rename these files to filename.vir (e.g. appconf32.vir, etc.).
Also please update your AVG to the newest version (AVG 2012) because of its better detection capabilities, then launch a full computer scan and provide us with the results and with new GMER scan results to make sure your computer is no longer infected by rootkits.