Multiple issues winXP

Hello all, I appreciate any help with this matter. I understand that this is just a hobby for most of you, so I will remain patient. I will try to be as specific as possible.

I am running Windows XP SP3.

This all started about a week ago.

At first I noticed that svchost.exe was taking up all my CPU. So after searching, I found that it was an old problem that Microsoft did eventually fix. Everything I read said to go into Windows Update and change some of the options. When I went to do this, the page would not load, nor would anything related to the Microsoft support page. This is when I figured something else was wrong.

The next day I started getting the fake security program messages, XP security 2011, I believe it was. I tried to run Malwarebytes, but it would not open, even in safe mode. I eventually got Spybot to get rid of it (in safe mode).

So I am still having the svchost.exe issue. When I try to run a scan with Avast/Malwarebytes/Superantispyware, I get a BSOD. The message reads one of two: IRQL not less or equal or invalid work queue item. This occurs when running scans either in normal or safe mode (with networking; I also get the BSOD when trying to boot to just safe mode). The BSOD always seems to come during the Avast scan when it reaches 79%, when it is scanning the file: C:windows/system32/security.dll.

I have tried a boot scan with avast, and it gets stuck at 98%, but it finds virus win32:malob-ei error 42060 mspacthas.dll

During this issue, I switched from AVG to Avast. AVG had found trojan horse agent r.xj. BSOD would show during AVG scans as well.

I have tried searching for help on these issues, but it all comes back to using COMBOFIX, which says not to use unless told to do so. So that is where I am.

I will post anything else as I think of it.

Here is a list of programs I currently have: I have to admit I have not been using them as much lately as I should have been.
Malwarebytes' Anti-Malware
Spybot Search and Destroy
Spywareblaster
Superantispyware**
CCleaner**
Combofix (have not used it)
Avast free edition
** means that they are new programs since this issue has started.

I just got a Windows error saying it needed to end svchost.exe, and now my CPU is back to normal usage. But when I restart it is back sucking all my memory. Avast randomly tells me that a malicious URL was blocked, with the process of svchost.exe. I have been getting random windows opening, that has not stopped.

I think that is it for now, I will be around for the next few hours for a quick response. Thank you again for your help.

I don’t know if it helps at all, but I think I got the virus/s while streaming a NHL game.

Are you able to do this?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when posted…

Hi there - slight change of tack with this one

FIRST

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

here is the roguekiller log:

RogueKiller V4.3.11 [04/25/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: David Gsellmeyer [Admin rights]
Mode: Remove – Date : 04/25/2011 15:54:56

Bad processes: 0

Registry Entries: 1
[DNS] HKLM[…]\ControlSet003\Parameters\Interfaces{47B2ABF5-CB82-411D-A01F-F625371B64B5} : NameServer (68.87.64.146,68.87.75.194) → NOT REMOVED, USE DNSFIX

HOSTS File:

Finished : << RKreport[1].txt >>
RKreport[1].txt

I downloaded OTS to the desktop, but it will not open. A window pops up and says that it can’t be run from a temp folder… Please download to the desktop or other suitable location. But I chose desktop when I downloaded it. This happens when I open it normally or in the sandbox. The file path it saves to is c:doc and setting/temp/desktop. So how do I download it to the desktop?

I moved OTS to C: and it opens. Will it do what it needs to do at this location?

Yes it will work perfectly well there, if it fails to open due to malware activity then rename it to OTS.SCR

A few minutes into the scan, I got a bsod saying invalid work queue item.

OK time for a different tactic

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Link 1
Link 2

==================================

http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.exe.jpg

Double click on the renamed ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt so we can continue cleaning the system.

I got the same BSOD at about the 50th step mark. I also had some problems getting combofix started. I kept having a pev.exe trying to open. I told soapbox to not allow it to open.

When I was doing research about the BSOD problem, I found that it is normally a hardware issue; possibly a bad driver or something. Now the only driver that I have updated lately was my Intel wireless driver. When I open device manager, everything appears to be working properly.

Thank you for your help, I may not be able to work on this for a few hours, I realize that we might be in far different time zones. So if you just let me know what to try next, I can be patient as the computer works well enough at the moment. Thanks again.

By the way, the combofix scan was done in safe mode. The other two were done in normal.

Should I be running all scans in safe mode? OTS worked in safe mode, here is the log, it was too big to attach.

The file is too big to attach, and has too many characters to post, what do you suggest?

I just remembered that I ran diagnostics at startup the other day, and my hard drive fails the dst short test. Not sure if that has to do with this issue or not, just giving you all the information I can.

“I kept having a pev.exe trying to open. I told soapbox to not allow it to open.”
This is part of Combofix ... It needs to run as normal. Disable Avast whilst running the programme.

Can you attach the log?

Bottom left additional options when posting

Combofix (in safe mode) got to stage 50 before the bsod of invalid work queue item.

OK sounds like there may be a system problem as well - the HDD may be part of it

Have you run a disc check on the main drive?

http://www.ehow.com/how_2052292_run-chkdsk-f-windows-xp.html

Do not do this:

Set your system to safe mode with the “/SAFEBOOT” command from the MSCONFIG program. Click “Start” and “Run.” Type “MSCONFIG” and enable the “/SAFEBOOT” option from the BOOT.INI tab if your anti-virus or anti-spyware software is conflicting with the Chkdsk process.

Have you run SFC /Scannow?

Go to start > Run
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

The disk check went through just fine, the other one I got the same BSOD.

During the SFC scan? This would indicate some system file corruption… Might be an idea to back up your data and reformat

It just got through the sfc scan. Do we have any other options? Or do you still suggest a reformat?

If reformatting is the next course of action, will that get rid of the virus/s? Also, can you give me a quick idea of how to do so, or a link to a good guide? Will I need to reinstall Windows?

Thanks again for all of your help.