Hi Ben

I'm glad you liked the site,a friend passed it on to me.And when it comes to learning about computers YOU have to read and read and then read some more(then find a friend who can translate it for you!!)Hope you can find the problem.Quads is very good at this you are in good hands.

---

Quads wrote:

 

LOL I meant the Malwarebytes log that you did  a scan and showed infections.

I can be that after the Power cut (can cause a tiny surge) that a file or files connected to the "svchost.exe" has become corrupted, so on startup "svchost.exe" is trying to load the file(s) and is having the HD work for it.  OR "svchost.exe" is corrupt itself.

When stopping and restarting is loading the services correctly and not loading or trying to load what is causing the problem.  

I have seen a similar problem in the past where on Startup where "explorer.exe" doesn't load properly and sticks (drags it heels) so the likes of the taskbar has problems.  closing "explorer.exe" then using the taskmanager "Run" feature to restart "explorer.exe" and everything comes right.

Quads 

 

---

Hi Quads,

Here's the first run when the infections were found -

Malwarebytes' Anti-Malware 1.34

Database version: 1814

Windows 5.1.2600 Service Pack 3

3/3/2009 1:50:51 AM

mbam-log-2009-03-03 (01-50-51).txt

Scan type: Quick Scan

Objects scanned: 57410

Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 12

Registry Values Infected: 6

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2c566c34-7d72-4dc1-9bbe-1121a76698f8} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2a1c5cb-c0ef-4689-9436-f62cca1c5383} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2c566c34-7d72-4dc1-9bbe-1121a76698f8} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2a1c5cb-c0ef-4689-9436-f62cca1c5383} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{81705d67-3f73-4983-859b-97d0922e5abe} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ee9f7cf5-cd49-4cd8-8ba6-1514e7a5c22c} (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

It is possible something broke when the power supply got cut.  But there are multipled scvhosts running different groups of services which exhibit no problem as far as I can tell, so maybe we can discount the possibility of scvhost.exe being corrupted.  I am assuming that all the processes named "scvhost" are all running the same scvhost.exe.

That would leave the broke possibility with 3 services viz.

Windows Management Instrumentation,

Windows Firewall/Internet Connection, and

Security Center.

(The Firewall and Security Center processes are dependants of Windows Management)

If that is the case, is there a way of reloading these 3 services?

Ben

---

mo wrote:

Hi Ben

Quads is very good at this you are in good hands.

---

Yea, mo.  I feel comfortable already!   I'll be glad when this is problem is put to rest for good.  It's a real nuisance having to go into services to restart them each time I boot up.

Thanks

Ben

Yes all services use the save "svchost.exe" unless you have a rogue one as well.

Seeing as you are saying  that these are the problem

Windows Management Instrumentation,

Windows Firewall/Internet Connection

Security Center. 

You have had Malware that more than likely trys to disable the security centre. windows firewall and automatic updates, You also only did a Quick Scan not a "Full Scan" all it takes to block or attempt to blocks legit security at times a a registy entry.

Download SuperAntiSpyware Free http://www.superantispyware.com/download.html   install, check for updates, and run a full scan.

Quads 

---

Quads wrote:

Yes all services use the save "svchost.exe" unless you have a rogue one as well.

 

Seeing as you are saying  that these are the problem

 

Windows Management Instrumentation,

Windows Firewall/Internet Connection

Security Center. 

 

You have had Malware that more than likely trys to disable the security centre. windows firewall and automatic updates, You also only did a Quick Scan not a "Full Scan" all it takes to block or attempt to blocks legit security at times a a registy entry.

 

Download SuperAntiSpyware Free http://www.superantispyware.com/download.html   install, check for updates, and run a full scan.

 

Quads 

 

 

---

Quads,

I did "Full Scan".  OK, let me try this "Super" and see what happens.  Thanks.

Ben

I haven't read all the posts past this point yet, but I wanted to respond while I had time.

When a computer shuts down by a power outage, it almost certainly results in loss of file integrity.  It is built into the window structure to use the last success boot saved in System Restore in such an event.  This would happen here because Windows saves system settings and changes at normal shutdown.  The power outage prevented this from happening, so the next boot up might well have initialized the System Restore option.

Now, malware often hides copies of itself in System Restore files; and even when it has been cleaned from the present operating structure it will still be lurking in System Restore.  For this reason, the normal procedure when cleaning Malware is to turn off (and thus delete all files in) System Restore.  In your case, you might have had the original trojan malware hidden in the System Restore.

So there is the sequence.  You might have had a clean computer with the exception of an infected System Restore.  Power outage crashes computer.  Computer reboots using System Restore -- infection is then loaded into the system as part of the Restore package.

Okay, Ben, I have read all the posts now and have seen a lot of great suggestions.  I hope one of them leads the way.

But if not, here are some things I haven't see addressed.

The main damage that occurs from instant power off lies in two areas:

corrupted files

physical damage.

Either one of these might explain the problems you are having.

First:  Physical damage without file integrity damage.

a.  You might have had RAM damage.  If you lost usable memory, then program memory structure would place heavier demand on file swapping and file swapping produces the kind of surges and slow downs in activity that you are describing.  You should check your RAM statistic in My Computer>Properties.  If the number is not correct, that would explain a lot.

b.  Hard disk damage (this might also apply to RAM, but it's not an area I know about).  Physical damage to the Fixed disk (that does not actually make it unbootable) results in the computer trying to fix itself, by moving data from damaged sectors to good sectors and redirecting pointers.  This can lead to a series of fixes, one after another, and not all at the same time.  It is even possible that the sector is bad, but not bad enough to be recognized as such, just requiring more time to be read.  Any vital oft-referred to file (such as Svshost) that is located in that sector might cause an immediate slow down each time the computer tries to reference it.  Defragmenting might help in this situtation, but that would be chancy if the sector's behavior is inconsistent.

Second:  File integrity issues.

Sometimes programs try to repair themselves on the fly.  If they are missing essential components, these are extracted from installers left in key places and put back where they belong (Adobe Acrobat is good at this, as is a lot of recent Adobe products).  However, sometimes repairs might mean putting back an earlier file that had been replaced by an upgrade.  If the software doing this has not been well designed, it might result in the kind of behavior you describe.  There are files that speed things up, but which -- if missing -- don't actually stop the process.  Many things can be going on here.

What I would recommend if all the previous suggestions don't work:

1.  Run Checkdisk using the heavy-duty multiple pass feature that checks all sectors and repairs everything.  Your computer might not be available for quite some time, but it is worth the effort.  Use CHKDSK /R

2.  There are other fixed drive checkers, usually one that comes with your computer.  Check with your computer manufacturer to see if there is one launchable at boot up.  They check for actually physical issues.

3.  If you are convinced there is nothing wrong with your physical drive, then consider reinstalling an earlier image of your system if you have one backed up.  Make sure you save all your important data (letters, appointments, financial and tax data, media files) first.

4.  If you can't do 3, then uninstall and reinstall all the software on your computer, beginning with a reinstall of Windows itself.

Good luck

Hi mijcar,

Many thanks for your thoughts.

In response to your suggestions, I can confirm -

1.  There is no RAM damage.  The full 2GB is working.

2.  CHKDSK shows 0 bad sectors.  I've also successfully done a defrag.

You mentioned that malware may have infect the System Restore files so that the bootup after the outage may have brought the malware into the work area.  If that was the case, then won't all the subsequent scans done kill these creatures?  And won't the subsequent bootups be  from a clean environment rather than from System Restore?  Yet the hard disk occupation persists.

As I have reported, the problem seems to be narrowed down to the Windows Management Instrumentation service (and its 2 dependencies, namely, Windows Security and Windows Firewall).  When these services are restarted, the probelm disappears.  Actually the last 2 service seem ok, since restarting or shutting them down separately (leaving WMI untouched) brought no relief.

For the time being, in order to get any use out of this system, I've resorted to disabling these services.  I don't know if there will be any harm done, but I figure that since I've now altogether 5, yes 5 difference antivirus and antimalware software active in the system,  I don't really need these 3 windows services, do I?

I guess if we really run out of ideas about the cause of the problem, then only thing left is to reinstall Windows and all the other programs I've got in the system right now.

I must say I'm really greatful to you guys for all your ideas so far and have learned quite a lot from them.  Thanks again.

Ben

Hey, Ben, you might have provided a clue right there.  Too many active security systems will create a slowdown in and of themselves, even complete breakdowns.  They tend to fight each other for privileges and miscontrue each other's behavior as viral in nature.  Basically, you should only have one active Firewall and one active AV program.  Most of us here use NIS, so we recommend that package.

What happens when you turn off all the other security packages (including the Window's ones)?