Hackthis log

#1 - GKL (Newbie)


Problem seems to be with svchost.exe in the task manager, it's taking up CPU usage and a lot of memory. I have tried the standard fixes for svchost.exe (disabling Windows auto update), but it has no effect. I have run 4 different adware removal programs and 2 antivirus programs, none have helped any, so this is my only option left, and I'm not sure what should/shouldn't be on this log.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:15:48, on 27/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\AVG7\avgamsvr.exe
    C:\PROGRA~1\AVG7\avgupsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\VM_STI.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\AVerTV Hybrid + FM PCI\AVerQT.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Ray Liddle\Desktop\cwshredder.exe
    E:\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Web Camera
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickTV6.lnk = C:\Program Files\AVerTV Hybrid + FM PCI\AVerQT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144094275703
    O17 - HKLM\System\CCS\Services\Tcpip\..\{889E0896-E2D6-4F0E-96A7-AE140DA1B988}: NameServer = 62.241.163.200,62.241.163.201
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: wmplayer - {BA3A4DD6-E1DC-4951-ACED-FFCC665E30DE} - C:\WINDOWS\wmplayer.dll
    O21 - SSODL: wmsound - {CFB389EF-8AC1-457F-AEDB-829CF8380BD9} - C:\WINDOWS\wmsound.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#2 - VopThis (Senior Member, Canada)
    Problem seems to be with svchost.exe in the task manager, it's taking up CPU usage and a lot of memory.
    Multiple instances of 'C:\WINDOWS\system32\svchost.exe' are normal. Excessive CPU usage is not. Click at the top on the CPU column heading in the Task Manager until you get a sorted list that is highest to lowest CPU utilization. What is the highest CPU and memory use by a svchost.exe file? Please describe the nature of the problems you appear to be having.



You appear to be using two (2) real-time antivirus tools (running components are showing up for AVG and NOD32) which could be creating serious issues for your PC (conflicts and incompatibilities). It may be best to just uninstall one of them.



    You are not running HijackThis (HJT) from a desired location. You really need to setup a dedicated folder for HJT items to avoid horrible clutter and/or potential lost backup issues.

    It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
    • Create a new folder in your C: Drive.
    • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and
    • Move the HijackThis.exe file into the newly created FOLDER.
    • Run HJT from there (and revise your shortcut accordingly).



    HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here



    Submit the following file(s) to VirusTotal for their immediate evaluation and feedback. Use any of the following methods, as appropriate:
    • Locate FULL FILE PATH if not apparent. Use Start (BUTTON)>Search, [WINDOWS+F] keys, or F3 key (from desktop).
    • Copy & Paste the FULL FILE PATH in the input BOX
      -- OR --
    • Navigate to the file in question.

    Post those results in your next reply (if malware findings were indicated) for:

    C:\WINDOWS\wmplayer.dll
    C:\WINDOWS\wmsound.dll (may not exist)
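The checks in the reply above are the kind a helper makes by eye on an HJT log: O21 (ShellServiceObjectDelayLoad) entries that make Explorer load a DLL from somewhere other than %SystemRoot%\system32 or whose file is already missing, O23 services with no publisher, two real-time antivirus engines running at once, and HijackThis run from a drive root, the Desktop or a TEMP folder. The script below is an added example that mechanises those checks over a constructed excerpt of this thread's log; it is not HijackThis code or the helper's own tooling. The REALTIME_AV table, the severities and the path rules are assumptions chosen for this thread, not part of HJT.

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not HJT code).

Flags O21 SSODL entries whose DLL is missing or lives outside system32,
O23 services with an unknown publisher, more than one real-time antivirus
engine among the running processes, and HijackThis run from a drive root,
the Desktop or a TEMP folder (its backups are then easy to lose).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity item reason")

# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
E:\hijackthis.exe

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: wmplayer - {BA3A4DD6-E1DC-4951-ACED-FFCC665E30DE} - C:\WINDOWS\wmplayer.dll
O21 - SSODL: wmsound - {CFB389EF-8AC1-457F-AEDB-829CF8380BD9} - C:\WINDOWS\wmsound.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "O21 - SSODL: <name> - {CLSID} - <path>[ (file missing)]"
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+?)( \(file missing\))?$")
# "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# A DLL directly under <drive>:\WINDOWS\system32\ (the only place the benign SSODL entry above lives).
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)

# Assumption: process basenames that identify a real-time antivirus engine.
# Only the two products seen in this thread are listed; extend as needed.
REALTIME_AV = {"avgamsvr.exe": "AVG", "avgupsvc.exe": "AVG", "nod32krn.exe": "NOD32"}


def parse_log(text):
    """Split an HJT log into running processes and the O21/O23 entries."""
    processes, o21, o23 = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if re.match(r"^[A-Za-z]:\\", line):
                processes.append(line)
                continue
            in_procs = False  # first non-path line ends the process list
        m = O21_RE.match(line)
        if m:
            o21.append({"name": m.group(1), "clsid": m.group(2),
                        "path": m.group(3), "missing": m.group(4) is not None})
            continue
        m = O23_RE.match(line)
        if m:
            o23.append({"name": m.group(1), "owner": m.group(2), "path": m.group(3)})
    return {"processes": processes, "o21": o21, "o23": o23}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return a list of Finding tuples for the log text."""
    log = parse_log(text)
    findings = []

    for e in log["o21"]:
        reasons = []
        if e["missing"]:
            reasons.append("registered DLL is missing (dangling SSODL CLSID)")
        if not SYSTEM32_RE.match(e["path"]):
            reasons.append("Explorer loads this DLL from outside system32")
        if reasons:
            findings.append(Finding("review", "O21 " + e["name"], "; ".join(reasons)))

    for s in log["o23"]:
        if s["owner"].lower() == "unknown owner":
            findings.append(Finding("info", "O23 " + s["name"],
                                    "service binary has no publisher; confirm it is expected"))

    vendors = {REALTIME_AV[basename(p)] for p in log["processes"] if basename(p) in REALTIME_AV}
    if len(vendors) > 1:
        findings.append(Finding("warn", "processes",
                                "more than one real-time antivirus engine: " + ", ".join(sorted(vendors))))

    for p in log["processes"]:
        if basename(p) != "hijackthis.exe":
            continue
        folder = p[: p.rfind("\\") + 1].lower()
        if re.fullmatch(r"[a-z]:\\", folder) or "\\desktop\\" in folder or "\\temp\\" in folder:
            findings.append(Finding("info", "HijackThis location",
                                    "run from " + p + "; move it to a dedicated folder such as C:\\HJT"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```

On the sample this reports the two wmplayer/wmsound SSODL entries, the Adobe LM Service, the AVG+NOD32 overlap and the E:\ location of hijackthis.exe, and stays silent on WPDShServiceObj; a finding is a prompt to check the file (for instance at VirusTotal, as the reply suggests), not a verdict.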

#3 - GKL (Newbie)
    I had both antivirus programs installed to run a scan, usually stick with just 1.

    The svchost.exe uses about 10% of CPU usage but takes up 20,000k of memory (this number increases the longer it is left running). I can close it from task manager and it stops the hard drive running, but after about 30 seconds to 1 minute it just starts up again and slows the PC down again.

    Results for the file you wanted me to check, should I remove this?
    File wmplayer.dll
    Antivirus Version Last Update Result
    AhnLab-V3 2007.7.31.1 2007.07.31 -
    AntiVir 7.4.0.54 2007.07.31 -
    Authentium 4.93.8 2007.07.30 -
    Avast 4.7.1029.0 2007.07.31 -
    AVG 7.5.0.476 2007.07.30 -
    BitDefender 7.2 2007.07.31 -
    CAT-QuickHeal 9.00 2007.07.31 Trojan.Agent.gen
    ClamAV 0.91 2007.07.31 -
    DrWeb 4.33 2007.07.31 -
    eSafe 7.0.15.0 2007.07.31 -
    eTrust-Vet 31.1.5019 2007.07.31 -
    Ewido 4.0 2007.07.31 -
    FileAdvisor 1 2007.07.31 -
    Fortinet 2.91.0.0 2007.07.31 -
    F-Prot 4.3.2.48 2007.07.30 -
    F-Secure 6.70.13030.0 2007.07.31 -
    Ikarus T3.1.1.8 2007.07.31 Generic.Downloader.NXM
    Kaspersky 4.0.2.24 2007.07.31 -
    McAfee 5086 2007.07.30 -
    Microsoft 1.2704 2007.07.31 -
    NOD32v2 2429 2007.07.30 -
    Norman 5.80.02 2007.07.31 -
    Panda 9.0.0.4 2007.07.31 Suspicious file
    Prevx1 V2 2007.07.31 Trojan.SystemPoser
    Rising 19.34.12.00 2007.07.31 -
    Sophos 4.19.0 2007.07.26 -
    Sunbelt 2.2.907.0 2007.07.31 -
    Symantec 10 2007.07.31 -
    TheHacker 6.1.7.159 2007.07.31 -
    VBA32 3.12.2.2 2007.07.30 -
    VirusBuster 4.3.26:9 2007.07.31 -
    Webwasher-Gateway 6.0.1 2007.07.31 -
    Additional information
    File size: 143360 bytes
    MD5: c1d50bb286336fe0c9db6a3d8d565ee2
    SHA1: 5868b1caa880dfd68c62978cb2069680573aeeb1
    Prevx info: http://fileinfo.prevx.com/fileinfo.a...513F00F78AAF1A

#4 - GKL (Newbie)

    Screenshot of the problem svchost.exe; note I removed personal information from the username.

    When I end process on it the hard drive stops flashing/making noise and the computer speeds back up, till 30 sec-1 min later when it automatically starts up again.

#5 - VopThis (Senior Member, Canada)
    Read over the following directions. Ask if anything appears unclear to you.



    Clean out TEMPORARY FILES procedures:
    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner http://www.ccleaner.com/downloadbuilds.asp

    Install Options:
    • Don't install any Toolbars, or other programs, should it ask you!
    • Just uncheck the option of installing the Yahoo toolbar.

    It will put a shortcut on your Desktop.

    Do not run CCleaner until requested later.




    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O21 - SSODL: wmplayer - {BA3A4DD6-E1DC-4951-ACED-FFCC665E30DE} - C:\WINDOWS\wmplayer.dll
    O21 - SSODL: wmsound - {CFB389EF-8AC1-457F-AEDB-829CF8380BD9} - C:\WINDOWS\wmsound.dll (file missing)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

    Run CCleaner.

    FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.

    Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
    • Uncheck "Cookies" option (advisable)
    • Optionally, uncheck "Recently Typed URLs" option (potentially still useful)
    • Click the "Analyse" button.
    • Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.

    ***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\WINDOWS\wmplayer.dll




    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

#6 - GKL (Newbie)
    Logfile of HijackThis v1.99.1
    Scan saved at 16:10:46, on 03/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\VM_STI.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Prevx2\PXConsole.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\AVerTV Hybrid + FM PCI\AVerQT.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Prevx2\PXAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\HackThis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Web Camera
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickTV6.lnk = C:\Program Files\AVerTV Hybrid + FM PCI\AVerQT.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144094275703
    O17 - HKLM\System\CCS\Services\Tcpip\..\{889E0896-E2D6-4F0E-96A7-AE140DA1B988}: NameServer = 62.241.163.200,62.241.163.201
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx2\PXAgent.exe" -f (file missing)


Seems to be working a lot better now, no slowdown. I'll post again if anything else shows up since these changes.
