C:\Windows\system32\svchost.exe -k bthsvcs

Threat report:

How to get rid of svchost.exe -k bthsvcs (removal instructions).

In this tutorial I will tell you how to resolve the svchost.exe -k bthsvcs issue manually and how to fix it automatically with the help of a proven malware removal tool. You can download the removal program by clicking on the download button below:

svchost.exe -k bthsvcs — General Suspicious:

svchost.exe -k bthsvcs is a file that shows up in Task Manager as an active process and that starts with every boot of the computer. Many anti-virus utilities currently do not flag this file as dangerous. However, it cannot be treated as an entirely benign process; for this reason we consider it a potentially unwanted application that deserves to be removed at once.

svchost.exe -k bthsvcs is typically a trace of a particular adware or potentially unwanted application (PUA) being active on your device. While this kind of malware is active you will keep running into various PC problems, most noticeably your computer running in a very sluggish fashion.

svchost.exe -k bthsvcs and the unwanted programs associated with it can in fact be injected into your device through suspicious links on the Internet. Once PC owners mistakenly follow such links, they immediately invite svchost.exe -k bthsvcs and other unwanted software onto their computers.

The svchost.exe -k bthsvcs process may also be bundled with other third-party applications, so you should remove this kind of threat as quickly as you can. You could try to delete svchost.exe -k bthsvcs from the device by hand; however, that may require more advanced system analysis, which is not a simple procedure in most cases. The best way to remove svchost.exe -k bthsvcs is to scan your device with a trustworthy anti-virus tool.

Technical Information:

  • File name:
    svchost.exe -k bthsvcs
  • Threat type:
    General Suspicious
  • Virus name:
    SuspiciousSvchost
  • Full path:
    C:\Windows\system32\svchost.exe -k bthsvcs
  • Registry path:
  • MD5:
    DF5C3A1803C0685F7A3B1E0989742296
  • Size:
    45056 bytes
  • Product name:
  • Company name:
  • Product version:
  • File version:
  • Certificates:
  • Section:
    .text:60000020:C6DF8CA0EF3BDAE314D68FC5433A5AB8:12800
    .rdata:40000040:E451716D0A2A55AE20DD077504FF58C5:6144
    .data:C0000040:167279D293FC271C2A8A715E0E2E85BE:2560
    .pdata:40000040:5A9CA83AD387BA05D9B6AF4D8E15BBA4:1024
    .rsrc:40000040:F538B7ECD5264D6385A487CC50F36BFD:2560
    .reloc:42000040:BF619EAC0CDF3F68D496EA9344137E8B:512
  • Date of scan:
    2019-11-23 12:28
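The report above gives only a path, a size and an MD5, and the text itself notes that removing the file by hand needs deeper system analysis; on a stock Windows installation, bthsvcs is the svchost service group in which the Bluetooth Support Service runs, so the practical question is whether this svchost.exe is the genuine signed System32 binary and which services the group actually hosts. The PowerShell check below is an added example, not part of this page or of any tool it mentions; it assumes the group name bthsvcs and the System32 path from the report and expects an elevated prompt on the machine being examined.

```powershell
# Added example (not from this page): map a "svchost.exe -k <group>" instance to the
# services it hosts and check that the running svchost.exe is the signed System32 binary.
# Assumptions: the group name and expected path are taken from the report above;
# run from an elevated PowerShell prompt on the machine being examined.
param(
    [string]$Group        = 'bthsvcs',
    [string]$ExpectedPath = "$env:SystemRoot\System32\svchost.exe"
)

# 1. Which services does Windows assign to this svchost group?
#    The group -> service-name mapping is a REG_MULTI_SZ value under the Svchost key.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).$Group
if (-not $members) {
    Write-Warning "No svchost group named '$Group' is registered on this system."
}

# 2. For each member service, show the ImagePath it registers and the ServiceDll
#    that svchost actually loads, plus whether that DLL carries a valid signature.
$services = foreach ($svc in $members) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $props  = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $dll    = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dllStatus = 'n/a'
    if ($dll) {
        $dllPath   = [Environment]::ExpandEnvironmentVariables($dll)
        $dllStatus = (Get-AuthenticodeSignature -FilePath $dllPath -ErrorAction SilentlyContinue).Status
    }
    [pscustomobject]@{
        Service    = $svc
        ImagePath  = $props.ImagePath
        ServiceDll = $dll
        DllSigned  = $dllStatus
    }
}
$services | Format-Table -AutoSize

# 3. Is the svchost.exe running for this group the expected System32 binary, and is it
#    signed? A copy launched from any other path, or with a non-Valid signature, is the
#    real indicator; the "-k bthsvcs" command line by itself proves nothing either way.
$hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.CommandLine -match "-k\s+$Group\b" } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = $_.ProcessId
            Path        = $_.ExecutablePath
            PathMatches = ($_.ExecutablePath -ieq $ExpectedPath)
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            # MD5 is computed only so it can be compared with the value in the report above.
            MD5         = (Get-FileHash -Algorithm MD5    -Path $_.ExecutablePath).Hash
            SHA256      = (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath).Hash
        }
    }
$hosts | Format-List
```

Act on a PathMatches of False, a SigStatus other than Valid, or a ServiceDll outside the Windows directory; a hash that differs from the report only means a different Windows build, not an infection.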

Steps to remove svchost.exe -k bthsvcs:

I use Anti-Malware for cleaning ads and viruses from my friend’s computers, because it is extremely fast and effective.

  • Step 1: Download Anti-Malware for free
  • Step 2: Click on antimalware-setup.exe
  • Step 3: Press Apply after scan ends to remove all found threats

Step 1: Download Anti-Malware for free

Anti-Malware removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

find the anti-malware installer

Step 2: Click on antimalware-setup.exe

Anti-Malware is compatible with most antivirus software.
Anti-Malware is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
You will see a confirmation screen with a verified publisher. Click YES.

Click on YES to confirm the installation

After installation, Anti-Malware will start a standard scan automatically.

Step 3: Press Apply after scan ends to remove all found threats

Cleaning Done Well


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-09-2014
Ran by Jim at 2014-09-24 17:43:24
Running from C:\Users\Jim\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled — Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with «hidden» flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\…\Adobe AIR) (Version: 2.6.0.19120 — Adobe Systems Incorporated)
Adobe AIR (x32 Version: 2.6.0.19120 — Adobe Systems Incorporated) Hidden
Adobe Flash Player 15 ActiveX (HKLM-x32\…\Adobe Flash Player ActiveX) (Version: 15.0.0.167 — Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\…\Adobe Flash Player Plugin) (Version: 15.0.0.152 — Adobe Systems Incorporated)
Belarc Advisor 8.3 (HKLM-x32\…\Belarc Advisor) (Version: 8.3.0.0 — Belarc Inc.)
Bluetooth by hp (HKLM\…\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.8200 — Broadcom Corporation)
Bubble Wrap (HKLM-x32\…\{5BFFDDEB-AFD7-499F-BB13-7A6EAD927CDA}_is1) (Version: 1.0.0.0 — XM Asia Pacific Pte Ltd)
Canon CanoScan LiDE 110 User Registration (HKLM-x32\…\Canon CanoScan LiDE 110 User Registration) (Version: — )
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\…\CANONIJPLM100) (Version: — )
Canon MP Navigator EX 4.0 (HKLM-x32\…\MP Navigator EX 4.0) (Version: — )
Canon Solution Menu EX (HKLM-x32\…\CanonSolutionMenuEX) (Version: — )
CanoScan LiDE 110 Scanner Driver (HKLM\…\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2414) (Version: — )
CCleaner (HKLM\…\CCleaner) (Version: 4.17 — Piriform)
CyberLink BD Advisor 2.0 (HKLM-x32\…\{2D2D8FE2-605C-4D3C-B706-36E981E7EEF0}) (Version: — )
CyberLink Blu-ray Disc Suite (HKLM-x32\…\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.2806 — CyberLink Corp.)
CyberLink Blu-ray Disc Suite (x32 Version: 6.0.2806 — CyberLink Corp.) Hidden
CyberLink MediaShow (HKLM-x32\…\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 4.1.3102 — CyberLink Corp.)
CyberLink MediaShow (x32 Version: 4.1.3102 — CyberLink Corp.) Hidden
CyberLink Power2Go (HKLM-x32\…\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.3224 — CyberLink Corp.)
CyberLink Power2Go (x32 Version: 6.1.3224 — CyberLink Corp.) Hidden
CyberLink PowerDVD 8 (HKLM-x32\…\InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}) (Version: 8.0.3228 — CyberLink Corp.)
CyberLink PowerDVD 8 (x32 Version: 8.0.3228 — CyberLink Corp.) Hidden
CyberLink PowerProducer (HKLM-x32\…\InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}) (Version: 5.0.1.1520 — CyberLink Corp.)
CyberLink PowerProducer (x32 Version: 5.0.1.1520 — CyberLink Corp.) Hidden
CyberLink YouCam (HKLM-x32\…\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 1.0.2609 — CyberLink Corp.)
CyberLink YouCam (x32 Version: 1.0.2609 — CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 — Microsoft) Hidden
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 — Microsoft) Hidden
DVD Decrypter (Remove Only) (HKLM-x32\…\DVD Decrypter) (Version: — )
ESET Online Scanner v3 (HKLM-x32\…\ESET Online Scanner) (Version: — )
Facebook (HKLM-x32\…\{8AE50893-3A87-4439-9A57-942ED43F7189}) (Version: 1.1.0004 — Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.1.2.0 (x32 Version: 1.00.0000 — Hewlett-Packard) Hidden
Hoyle Card Games (x32 Version: 2.2.0.95 — WildTangent) Hidden
HP Application Assistant (HKLM\…\{B34A07DD-C6F7-414A-AE63-01019482EAF0}) (Version: 1.0.393.3870 — Hewlett-Packard)
HP Auto (Version: 1.0.12935.3667 — Hewlett-Packard Company) Hidden
HP Calendar (HKLM-x32\…\{2B38E0FA-D8A5-4EBF-A018-E3C1C8E7A2E2}) (Version: 5.1.4245.23508 — Hewlett-Packard)
HP Client Services (Version: 1.1.12938.3539 — Hewlett-Packard) Hidden
HP Customer Experience Enhancements (x32 Version: 6.0.1.8 — Hewlett-Packard) Hidden
HP Games (HKLM-x32\…\WildTangent hp Master Uninstall) (Version: 1.0.2.5 — WildTangent)
HP Odometer (HKLM-x32\…\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 — Hewlett-Packard)
HP Setup (HKLM-x32\…\{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1}) (Version: 9.0.15130.3904 — Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\…\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.2.15145.3905 — Hewlett-Packard Company)
HP Support Information (HKLM-x32\…\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 11.00.0001 — Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\…\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.12.1.0 — Hewlett-Packard)
Intel(R) Management Engine Components (HKLM-x32\…\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 — Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\…\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2291 — Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\…\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.5.0.1026 — Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Juno Internet (HKLM-x32\…\{a0296e52-6e9b-11d6-ace4-00105a0cf83f}) (Version: Juno QuickStart — United Online)
LabelPrint (HKLM-x32\…\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.4507 — CyberLink Corp.)
LabelPrint (x32 Version: 2.5.4507 — CyberLink Corp.) Hidden
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\…\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 — Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 — Microsoft Corporation) Hidden
Metric Converter (HKLM-x32\…\{D0661463-50F7-4A1E-83CB-37CC590589AE}_is1) (Version: 1.0.0.0 — XM Asia Pacific Pte Ltd)
Microsoft .NET Framework 4 Client Profile (HKLM\…\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 — Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 — Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\…\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 — Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 — Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 — Microsoft Corporation) Hidden
Microsoft Mathematics (HKLM-x32\…\{4D090F70-6F08-4B60-9357-A1DFD4458F09}) (Version: 4.0 — Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\…\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 — Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\…\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 — Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\…\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 — Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\…\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 — Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\…\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 — Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable — x64 9.0.30729.17 (HKLM\…\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 — Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable — x64 9.0.30729.4148 (HKLM\…\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 — Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable — x86 9.0.30729.17 (HKLM-x32\…\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 — Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable — x86 9.0.30729.4148 (HKLM-x32\…\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 — Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable — 10.0.30319 (HKLM\…\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 — Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable — 10.0.30319 (HKLM-x32\…\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 — Microsoft Corporation)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0 — Microsoft Corp.) Hidden
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\…\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 — Mozilla)
Mozilla Maintenance Service (HKLM-x32\…\MozillaMaintenanceService) (Version: 29.0.1 — Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 — Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 — Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\…\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 — Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\…\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 — Microsoft Corporation)
opensource (x32 Version: 1.0.14960.3876 — Your Company Name) Hidden
PDF Complete Special Edition (HKLM-x32\…\PDF Complete) (Version: 4.0.65 — PDF Complete, Inc)
PlayReady PC Runtime amd64 (HKLM\…\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 — Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\…\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 — Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\…\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6531 — Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4424 — CyberLink Corp.) Hidden
RollerCoaster Tycoon 3: Platinum (x32 Version: 2.2.0.98 — WildTangent) Hidden
Samsung ML-1200 Series (HKLM-x32\…\Samsung ML-1200 Series) (Version: — )
Skype™ 5.5 (HKLM-x32\…\{AA59DDE4-B672-4621-A016-4C248204957A}) (Version: 5.5.117 — Skype Technologies S.A.)
Spot (HKLM-x32\…\{3D171340-B528-42E0-92E4-BDA7AEEF6F32}_is1) (Version: 1.0.0.0 — XM Asia Pacific Pte Ltd)
Tap Tap Bear (HKLM-x32\…\{A393CDFF-BEB8-48EA-990D-2EB35B311D23}_is1) (Version: 1.0.0.0 — XM Asia Pacific Pte Ltd)
TI USB 3.0 Host Controller Driver (HKLM-x32\…\InstallShield_{3AF095EF-23B3-4C6A-BBA1-4C1EB663DAF8}) (Version: 1.12.9.0 — Texas Instruments Inc.)
TI USB3 Host Driver (x32 Version: 1.12.9.0 — Texas Instruments Inc.) Hidden
TSHostedAppLauncher (x32 Version: 5.1.15.0 — Hewlett-Packard) Hidden
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\…\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\…\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\…\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (HKLM-x32\…\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2836939) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (HKLM-x32\…\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2468871) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (HKLM-x32\…\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2533523) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (HKLM-x32\…\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2600217) (Version: 1 — Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (HKLM-x32\…\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2836939) (Version: 1 — Microsoft Corporation)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\…\WinLiveSuite) (Version: 15.4.3538.0513 — Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 — Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3538.0513 — Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\…\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 — Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3538.0513 — Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 — Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 — Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 — Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 — Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 — Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 — Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 — Microsoft Corporation) Hidden
Windows Media Player Firefox Plugin (HKLM-x32\…\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 — Microsoft Corp)
Windows XP Mode (HKLM\…\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16423 — Microsoft Corporation)
Zinio Reader 4 (HKLM-x32\…\ZinioReader4) (Version: 4.2.4164 — Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 — Zinio LLC) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

24-09-2014 22:31:37 ComboFix created restore point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 — 2014-09-24 16:04 — 00000027 ____A C:\windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0F31E659-3F30-4E50-B89D-5D9BB19496BB} — System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-23] (Adobe Systems Incorporated)
Task: {36EADF4A-5E9E-4BA7-B995-D572115F3526} — System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2011-06-14] (Hewlett-Packard)
Task: {4DAC6A32-464E-41B6-A97F-3F0313068B12} — System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe
Task: {544F9DCE-2A13-40D3-A3C4-08AA0D5104A5} — System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: {8CB5B6B9-E98A-4B81-95E3-748D92D7AE86} — System32\Tasks\{3CF0DDE1-0A3B-DE96-217F-330C9A15A0AF} => C:\windows\system32\prrinj.dll/s «C:\windows\system32\prrinj.dll»
Task: {C6D426BA-66A3-440D-AC23-2402F79FF799} — System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-08-21] (Piriform Ltd)
Task: {F6D1AF20-BB12-4A16-9DFE-9EDA5787B05F} — System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-08-21 12:01 — 2010-04-05 12:55 — 00116104 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2013-03-10 16:36 — 2009-07-02 07:02 — 00244904 ____N () C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
2012-12-06 09:55 — 2011-09-19 00:50 — 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2009-06-03 20:59 — 2009-06-03 20:59 — 00619816 ____N () C:\Program Files (x86)\Cyberlink\Power2Go\CLMediaLibrary.dll
2009-06-03 20:59 — 2009-06-03 20:59 — 00013096 ____N () C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Jim\Desktop\mbar-1.07.0.1012.exe:BDU
AlternateDataStreams: C:\Users\Jim\Desktop\RogueKiller.exe:BDU
AlternateDataStreams: C:\Users\Jim\Desktop\tdsskiller.exe:BDU
AlternateDataStreams: C:\Users\Jim\Downloads\dds.com:BDU

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The «AlternateShell» will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupreg: (default) =>
MSCONFIG\startupreg: BDRegion => C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
MSCONFIG\startupreg: CanonSolutionMenuEx => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
MSCONFIG\startupreg: HP Software Update => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: MDS_Menu => «C:\Program Files (x86)\CyberLink\MediaShow4\MUITransfer\MUIStartMenu.exe» «C:\Program Files (x86)\CyberLink\MediaShow4» UpdateWithCreateOnce «Software\CyberLink\MediaShow\4.1»
MSCONFIG\startupreg: NeroFilterCheck => C:\windows\system32\NeroCheck.exe
MSCONFIG\startupreg: NWEReboot =>
MSCONFIG\startupreg: PDF Complete => C:\Program Files (x86)\PDF Complete\pdfsty.exe
MSCONFIG\startupreg: PDVD8LanguageShortcut => «C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe»
MSCONFIG\startupreg: RemoteControl8 => «C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe»
MSCONFIG\startupreg: UCam_Menu => «C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe» «C:\Program Files (x86)\CyberLink\YouCam» UpdateWithCreateOnce «Software\CyberLink\YouCam\1.0»
MSCONFIG\startupreg: UpdateP2GoShortCut => «C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe» «C:\Program Files (x86)\CyberLink\Power2Go» UpdateWithCreateOnce «SOFTWARE\CyberLink\Power2Go\6.0»
MSCONFIG\startupreg: UpdatePPShortCut => «C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe» «C:\Program Files (x86)\CyberLink\PowerProducer» UpdateWithCreateOnce «Software\CyberLink\PowerProducer\5.0»
MSCONFIG\startupreg: UpdatePSTShortCut => «C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe» «C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite» UpdateWithCreateOnce «Software\CyberLink\PowerStarter»

==================== Faulty Device Manager Devices =============

Name: SBRE
Description: SBRE
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SBRE
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2014-09-24 16:04:31.403
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-24 16:04:31.341
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-24 16:04:31.278
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-24 16:04:31.216
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 20:59:41.675
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 20:59:41.612
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 20:59:41.550
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 20:59:41.487
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 13:57:03.743
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-23 13:57:03.681
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel(R) Pentium(R) CPU G630 @ 2.70GHz
Percentage of memory in use: 17%
Total physical RAM: 8096.35 MB
Available physical RAM: 6646.2 MB
Total Pagefile: 16190.88 MB
Available Pagefile: 14692.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:448.82 GB) (Free:401.64 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (HP_RECOVERY) (Fixed) (Total:16.72 GB) (Free:2.07 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 016D6D1A)

Partition: GPT Partition Type.

==================== End Of Log ============================

  1. I just bought Port Explorer to help me find a problem with my Windows XP Home system. The problem is that Windows XP freezes for about 30 seconds after booting to the desktop. During this freeze period, I cannot start any windows applications, I can only open the DOS window and issue DOS commands. I put Port Explorer and TaskMgr in the startup folder, so that they would both start before the freeze. Port Explorer showed me that one of the SVCHOST processes is the culprit. The process is trying to communicate with "baym-td3.msgr.hotmail.com".

    Port Explorer resolves the name, but cannot ping it. I am assuming that this server has something to do with Windows Instant Messenger. Whois shows that it is a Microsoft domain.

    What is the best way for me to track down what is starting SVCHOST to initiate the communication?

    By the way: I have scanned for viruses (McAfee) and spyware (Spybot). The system is clean.

  2. Have you examined what’s starting automatically with your system using a tool such as Autostart Explorer?
    http://www.diamondcs.com.au/index.php?page=asviewer

  3. Thanks. I am looking at it now. Wow! A lot of stuff in there. There are so many references to SVCHOST that I do not know where to begin. Here is a text output from AutoStart:

    ————————[ Begin ]————————
    c:\autoexec.bat
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    SET CTSYN=C:\WINDOWS
    PATH=C:\WINDOWS\system32
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    C:\WINDOWS\dosstart.bat
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    c:\windows\wininit.bak [rename]
    NUL=C:\WINDOWS\SYSTEM\SENSOR~1.DLL
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\IMONRES.LRC
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\IMON98.EXE
    NUL=C:\PROGRA~1\INTEL\INTEL(~1\
    c:\windows\system.ini [drivers]
    timer=timer.drv
    wavemapper=*.drv
    MSACM.imaadpcm=*.acm
    MSACM.msadpcm=*.acm
    midi=mmsystem.dll
    wave=mmsystem.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\SPEEDO~1.SCR
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\SPEEDO~1.SCR
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe «%1» %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system32\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
    C:\WINDOWS\UpdReg.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BluetoothAuthenticationAgent
    rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IMONTRAY
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Logitech Utility
    C:\WINDOWS\Logi_MwX.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Port Explorer.lnk
    D:\Program Files\Port Explorer\PortExplorer.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Shortcut to taskmgr.
    C:\WINDOWS\SYSTEM32\taskmgr.exe
    C:\WINDOWS\system\iosubsys\
    C:\WINDOWS\system\iosubsys\Cdudf.vxd
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\the
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-0
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-0
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Ins
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-0
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietI
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-0
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-0
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-0
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-0
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-0
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-0
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\6to4\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\BthServ\
    C:\WINDOWS\system32\svchost.exe -k bthsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\imonNT\
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    HKLM\System\CurrentControlSet\Services\Ip6FwHlp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\iSMBIOS\
    \??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
    HKLM\System\CurrentControlSet\Services\LanmanServer\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LanmanWorkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINDOWS\System32\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SIODRV\
    \??\C:\WINDOWS\System32\drivers\SIODRV.SYS
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    ————————[ End ]————————

  4. Hi,

    Your log looks pretty clean trojan-wise, but can you please email this file to submit@diamondcs.com.au for checking

    C:\WINDOWS\system32\SysTray.Exe

    You could also disable a few services like Messenger, best to go to http://grc.com and get «The 3 musketeers» to disable those 3 nasty services.

    Some interesting entries such as the Bluetooth one, can you think of anything which was added recently which could cause this ? It is quite normal for userinit.exe and Windows boot process to take a while before actually allowing you to run programs, 30 seconds seems a bit excessive though..

  5. Gavin;

    Thank you very much for your prompt response. I just spent a couple of hours browsing the GRC web site. An interesting read to say the least. I will gladly kill the Messenger Service and let you know how it goes. Unfortunately, I cannot do it today. Perhaps Friday or Saturday. But I will certainly keep you posted. Meanwhile, I will e-mail the now.

  6. Gavin;

    I ran Shoot the Messenger and re-booted. The process is still running.

    I finally sent that e-mail to the address that you gave me. I attached three text files:

    asview.txt
    Table.txt
    pelog.txt

  7. More news:

    I used MSConfig to disable the startup of individual programs and services. I ruled out all items in the Startup tab. I then went to services and found the culprit. It's the «IPv6 Helper Service»! If I manually start this service, the computer immediately starts communicating with the Hotmail system! Shut it down, and the communication stops!

    I am going to do some more research now. Preliminary Google searches have found little. I just know that it is a legitimate service from Microsoft. Do I need it?

  8. I just read this article:

    http://www.winnetmag.com/Articles/ArticleID/40313/pg/2/2.html

    And here is a quote from it:

    The Svchost Mystery
    Windows 2000 and later also open many other ports (e.g., 500, 123) that are assigned to a service called svchost.exe. This generic host process resides in the \%windir%\system32 folder. It starts anytime Windows starts and loads into memory one or more services as defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry subkey.

    Often when you port enumerate, you’ll find that svchost.exe is responsible for several separate port openings. For example, as I write this article, svchost.exe is loaded four times in my computer’s memory; is hosting the RPCSS, EventSystem, Netman, NtmsSvc, RasMan, SENS, and TapiSrv services; and has ports 123, 135, 1025, 1026, 1900, and 5000 open. When you’re searching for malicious software (malware), you can take comfort in knowing that the ports attached to svchost.exe aren’t open for intentional malicious use. Of course, external attacks against those ports (e.g., remote procedure call—RPC—attacks against port 135) aren’t out of the question.

    Does this mean that the SVCHost attempts to communicate with the server «baym-td3.msgr.hotmail.com» is not malicious? That it is some legitimate attempt by the OS to establish services (In this case the IPv6 Helper Service) critical to the functionality of IPv6? :rolleyes:

    Close Hauled *puppy*

  9. Jooske;

    Once again, thanks.

    I knew that you could uninstall IPv6, but never did find that Microsoft article 555059. What kind of solution is that?! They drive me nuts! I hate Band-Aid solutions. Notice that they do not explain what is going on?

    I suspect that what is going on is; Microsoft is trying to facilitate 6to4 conversion by having the OS communicate with the «baym-td3.msgr.hotmail.com» system.

    If anyone has any idea as to what is going on with the IPv6 Helper Service, please chime in.

    Close Hauled

  10. To All;

    I got the official word from Microsoft on this problem;

    ———————[ Begin ]———————
    Thank you for choosing Online Support for your Microsoft Technical Support offering. My name is Raymond and I will be assisting you with this service request. For your reference, the Case ID of this service request is SRX040428603725.

    To give the most accurate support possible, I would like to give a brief summary of the concern as I understand it:

    The svchost process freezes while trying to communicate with baym-td3.msgr.hotmail.com. According to the Knowledge Base 555059, you disabled the IPv6 related services, and the problem went away.

    If there is any misunderstanding, please feel free to let me know.

    Suggestions
    ========

    I understand that you are worried that you may use this protocol in the future and do not want to disable it. However, according to my knowledge, the IPv6 Protocol is not popular so far, and most of the ISP and network programs do not support this protocol. This protocol is normally not started after installing Windows XP; but if you install the Advanced Networking Pack, the IPv6 Protocol will automatically be started. In the future, if the IPv6 Protocol grows popular, more ISP and network programs will support it. At that time, we can reinstall the protocol.

    I suggest you follow the steps to remove the Advanced Networking Pack for Windows XP:

    1. Click «Start», and then click «Control Panel».

    2. Click «Add or Remove Programs».

    3. In the list of currently installed programs, click «Advanced Networking Pack for Windows XP», and then click «Remove».

    4. Follow the instructions on the screen to remove the Advanced Networking Pack for Windows XP from your computer.

    5. After the removal is complete, restart the computer.

    Please try these steps and let me know the result at your earliest convenience. If you have any further concerns, please do not hesitate to let me know. I look forward to hearing from you.

    Best regards,

    Raymond
    ———————[ End ]———————

  11. I’m running win2k Professional and I’m having a similar issue with svchost.exe. Whenever I play Diablo 2 and connect to battle.net, my svchost.exe process jumps up to 99% processor usage and my game lags like hell. I exited the game and started looking around on the internet for this problem, and my svchost.exe generated errors and an error log was created; the file size was 3124k. I had 3 entries in my list; the one with 3124k disappeared and I’m still online. I restarted Diablo 2 and rejoined a game, and I’m able to play without any lag. Pretty weird.


Wilders Security Forums

svchost.exe -k bthsvcs Removal: How to Get Rid of svchost.exe -k bthsvcs


The module svchost.exe -k bthsvcs has been detected as SuspiciousSvchost

File Details

MD5: 560a23d39c81ada7112158ac948879f5
Size: 44 KB
First Published: 2018-08-14 14:20:53 (5 years ago)
Latest Published: 2018-08-14 14:20:53 (5 years ago)
Status: SuspiciousSvchost (on last analysis)
Analysis Date: 2018-08-14 14:20:53 (5 years ago)

Analysis

Subsystem: Windows GUI
PE Type: pe
OS Bitness: 64
Image Base: 0x00000000ff350000
Entry Address: 0x0000246c
Name    Size of data  MD5
.text   12800         c6df8ca0ef3bdae314d68fc5433a5ab8
.rdata  6144          e451716d0a2a55ae20dd077504ff58c5
.data   2560          98d2bfa0db1b4d516ac9eb46cb5ed9b2
.pdata  1024          5a9ca83ad387ba05d9b6af4d8e15bba4
.rsrc   2560          f538b7ecd5264d6385a487cc50f36bfd
.reloc  512           bf619eac0cdf3f68d496ea9344137e8b


Table of Contents
. What is SvcHost?
. SvcHost and Windows 7
. SvcHost in Windows 10
. Using SysInternals Process Monitor to understand Service Host
. SvcHost parameters and Registry
. Checking Service Host for security threats
. Check if svchost.exe is legit
. Check the parent process of svchost.exe
. What can go wrong with legit Service Host?


Got an alert from our EDR regarding execution of “svchost.exe” via the command line.
What is “svchost”? Basically, it is the shared process that hosts Windows services, hence the name SvcHost (Service Host). A single instance of “svchost.exe” can host one service or a whole group of services.

SvcHost and Windows 7

The problem? In Windows 7, in Task Manager under the [Processes] tab, you would see a number of “svchost.exe” instances, all with the description “Host Process for Windows Services” and no indication of which service or services each one is running. Of course you can add the Command Line column:

Task Manager => [View] => Select Columns
[V] Command Line
[OK]

And you will see the CMDs of the services. For example:

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvc

In Task Manager you can

RightClick svchost.exe => Go to Service(s)

You will be taken to the [Services] tab, and the service(s) running under this specific svchost instance will be highlighted.
Another way is to run a command line that lists all the instances of svchost.exe and the services running under each:

tasklist /SVC /fi "imagename eq svchost.exe"
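The same mapping of svchost instances to hosted services, with the command line and owning account added, can be produced from PowerShell. This is an added example and is not code from the original article; it relies only on the documented Win32_Process and Win32_Service CIM classes, and the output layout is my own choice.

```powershell
# Added example, not from the original article: list every running svchost.exe
# with its command line, owning account and the services it hosts, i.e. the
# same view as "tasklist /SVC" plus the command line. Win32_Process and
# Win32_Service are documented CIM classes; the output shape is my own.
function Get-SvchostInstances {
    $procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    # Only running services have a non-zero ProcessId
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    foreach ($p in $procs) {
        # GetOwner returns the Domain and User the process runs as
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                  Select-Object -ExpandProperty Name

        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            User        = '{0}\{1}' -f $owner.Domain, $owner.User
            CommandLine = $p.CommandLine
            Services    = ($hosted -join ', ')
        }
    }
}

# Run from an elevated prompt; otherwise CommandLine is empty for processes
# owned by other accounts.
Get-SvchostInstances | Sort-Object PID | Format-Table -AutoSize -Wrap
```

An svchost instance that hosts no service at all (empty Services column) is worth a second look: a real service host always has at least one service registered against its process id.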

SvcHost in Windows 10

In Windows 10 after build 1703, there is only one service per svchost instance if the machine has more than 3.5 GB of memory. In Task Manager under the [Processes] tab you will see entries such as “Service Host: Background Intelligent Transfer Service”, which makes things a lot easier to understand.

To find out which command line is responsible for which service, open the Services console:

[Win] + [R] => services.msc => [OK]

Double-clicking a service opens its properties window. Say, for example, you opened “Windows Time”. In the [General] tab you will see:

Service name: W32Time
Display name: Windows Time
Path to executable:
C:\Windows\system32\svchost.exe -k LocalService

“Path to executable” is how this service is started. As you can see, it is a command line that runs “svchost.exe” with the “-k” switch followed by the name of a service or of a group of services (in this case “LocalService”, which is a group). Windows 10 added more switches. Here is “WebClient” as it appears once running:

C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient

“-s” is followed by the service name, and “WebClient” is the actual service name exactly as written in the service’s properties. The “-s” switch itself is not shown in the service properties.

Using SysInternals Process Monitor to understand Service Host

Process Monitor from the SysInternals Suite can be used for this (and not only for svchost).

Download it and “Run as Administrator” (in Windows 10 you won’t see any useful information without elevation).
After you run it, you will see all the processes on your system. To simplify the view:

[View] => Select Columns…
[V] User Name
[V] Command Line
[OK]

This adds the “User Name” that owns each executable and the “Command Line” that launched it, so you now see the exact command in Windows 10 as well.
Double-clicking any “svchost.exe” line shows all the information you need.
The [Image] tab shows the version of the executable, its file location, the command line it was executed with, the parent process that launched the process you opened, and the user it runs as. If the process is a service, it will also have a [Services] tab listing the names of the services this process runs, or the paths of the DLLs this svchost.exe has loaded.

SvcHost parameters and Registry

What happens when the svchost is launched with a parameter?
Svchost.exe navigates in the registry to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

Then the value named after the parameter, for example “LocalService”, is read. If you open this key in Windows 10, you will most likely see a list like the following:

nsi
WdiServiceHost
w32time
EventSystem
RemoteRegistry
SstpSvc
netprofm
lltdsvc
FontCache
fdphost
bthserv
LicenseManager
bthavctpsvc
tzautoupdate
WpcMonSvc
SEMgrSvc
WinHttpAutoProxySvc
CDPSvc
workfolderssvc
PhoneSvc
DispBrokerDesktopSvc
SharedRealitySvc
CaptureService
WebClient

These are all the services that will run under this specific instance of svchost.exe after the command executes. Take “w32time” as an example. Each service in the list is then looked up under the registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Each service with its key name, in our case:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time

The path to the service DLL will be in the Parameters path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

in the “ServiceDll” value. The DLL at that path is what actually runs inside svchost.exe. This is done for every service in the “LocalService” group.
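The lookup just described (group name to member services to each service’s ServiceDll) can be scripted directly against those registry keys. This is an added example and not the article’s own code; the registry paths are the ones named above, “LocalService” is only the group used for illustration, and the “outside %SystemRoot%” flag is my own heuristic.

```powershell
# Added example, not from the original article: resolve an svchost group name
# (the "-k" argument) to its member services and, for each, the ServiceDll that
# svchost.exe will load. Registry paths are the ones the article names; the
# DllInSystemRoot flag is an added heuristic, not something Windows records.
function Get-SvchostGroup {
    param([Parameter(Mandatory)][string]$Group)

    $groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    # Each group is a REG_MULTI_SZ value named after the group, one service per line
    $members = (Get-ItemProperty -Path $groupKey -Name $Group -ErrorAction Stop).$Group

    foreach ($svc in $members) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $svcProps = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        $params   = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue

        # ServiceDll is usually stored with %SystemRoot%; expand it before comparing
        $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        $inSystemRoot = if ($dll) { $dll -like "$env:SystemRoot\*" } else { $null }

        [pscustomobject]@{
            Service         = $svc
            ImagePath       = $svcProps.ImagePath
            ServiceDll      = $dll
            DllInSystemRoot = $inSystemRoot
        }
    }
}

Get-SvchostGroup -Group LocalService | Format-Table -AutoSize -Wrap
```

A ServiceDll that points outside %SystemRoot% (DllInSystemRoot = False) is the registry trace of a service DLL that was planted into an otherwise legitimate svchost group, which is exactly the case the EDR checks later in this article are meant to catch.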

The parent process is the process that launches svchost.exe itself. In a regular environment it will always be “services.exe”, and the owner will be a service account with the SID S-1-5-18 (NT AUTHORITY\SYSTEM), S-1-5-19 (NT AUTHORITY\LOCAL SERVICE) or S-1-5-20 (NT AUTHORITY\NETWORK SERVICE), all of which are reserved for system accounts. You can find the full list of Security Identifiers in Microsoft Support – Windows known SIDs.
You can read more about the LocalSystem, LocalService and NetworkService accounts on their respective pages in Microsoft Docs.

In two words:
LocalSystem is the SYSTEM account that runs mostly OS core executables and services;
LocalService runs local services (some services are executables rather than DLLs, like “FontCache”);
NetworkService runs local services that are related mostly to network activity.
User SIDs that start with “S-1-5-21” will most likely be domain users or local users on the computer. To find out which user a SID belongs to, navigate in the registry to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

Select the subkey that starts with “S-1-5-21-” and check the value called “ProfileImagePath”. Its data is the path to the user’s profile folder on the computer, such as

C:\Users\YourUsersName

A regular local user who logged in interactively (even one who is an administrator on the host) can’t run svchost.exe by design. If you run a service’s command line yourself (like the one for WebClient: C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient) nothing will happen: it runs for a second or two and terminates. The two standard ways of starting a service that is not running are the Services console (services.msc) and the command-line tool

C:\Windows\System32\sc.exe

The commands to start and stop a service (for example WebClient):

sc start webclient
sc stop webclient

In the second case you must run CMD with administrative privileges. In both cases the parent process of the resulting “svchost.exe” instance will still be “services.exe”.

Checking Service Host for security threats

So, what is the issue from the security point of view?
1. Svchost.exe is not legit
2. Parent process of the svchost.exe is not legit
3. Svchost.exe is legit, but its usage is not or being compromised

Check if svchost.exe is legit

1. Process Monitor:

Run “Process Monitor” as Administrator => [View]
[V] Command Line
[V] User Name
[OK]

2. Find the “svchost.exe” that you think is problematic => double-click it => go to the [Image] tab
3. Check that the account in “User:” is one of the system accounts listed above and not a regular user account.
*** If a regular user account is running it, then this svchost.exe does not belong to the system core and is most likely compromised!

4. Check that svchost.exe is running from “C:\Windows\System32” by looking at “Path:”. It should be “C:\Windows\System32\svchost.exe”.
*** If it is anything else, then your svchost.exe is compromised!

5. Check the file hash against known-good values (for most services SHA256 is the best choice). If you are using the computer at home you could upload the file itself to an online service for a check, but this is strongly advised against. In an enterprise environment you should not upload files at all. Services like VirusTotal and Hybrid-Analysis are public, so if your organization is targeted, an uploaded file becomes visible in these services and the attacker may learn that your organization is aware of the attack.

So in this case you only need the file hash, and you check whether it is already in the databases of these services. If it is not, it is better to use a paid service like ThreatGrid from Cisco, which is private to your organization (though there is still a way to learn whether a hash is in ThreatGrid without having an account; you just won’t see any details of the analysis).

5.1. Run “powershell.exe”
5.1.1. [Win] + [R] opens the “Run” window. Execute there

powershell.exe

and the PowerShell window will open.
5.2. Run the “Get-FileHash” cmdlet on “svchost.exe”:

Get-FileHash c:\windows\system32\svchost.exe

Or type “Get-FileHash”, hit [Space] and drag the svchost.exe file in question into the window (if the path to the file is not the standard one).
5.2.2. When you hit [Enter] you will see the “Algorithm” column (SHA256 by default). Under the “Hash” column you will find your hash. Select the hash and hit [Enter]; the hash is copied to the clipboard.

5.3. Go to the VirusTotal malware database (a public database of malicious-file results across different engines).
5.3.1. You will be taken to the [Search] option, which searches the VirusTotal database for hashes (and also URLs, domains and IPs).
5.3.2. Paste your hash from the clipboard and hit [Enter]
5.3.3. If results are found and you see a green circle with 0 engines, it is a legitimate file; if not, the [Details] tab will show what the problem is.
*** If any engines flag your hash as malicious, it might be!

5.4. Go to the Hybrid-Analysis sandbox (a public sandbox for malware analysis).
5.4.1. Go to the [Report Search] tab, which is responsible for hash search (you can also search by IP or domain).
5.4.2. Paste your hash, hit [Enter] and check the results.

5.5. Another site is Talos, which is part of Cisco intelligence. Talos connects to the Cisco ThreatGrid sandbox database and shows whether an analysis of the file already exists in ThreatGrid. Of course you will need a ThreatGrid account to see the analysis itself. Talos File Reputation only works with SHA256 hashes. Go to Cisco Talos File Reputation.
5.5.1. Paste your hash and confirm that you are not a robot.
5.5.2. If the file is in the database you will be given a link to the ThreatGrid login page, and after logging in you should see any information about it, provided the user who uploaded it made it public to ThreatGrid users. By default, all submissions are private.

*** If you can’t find the hash of your svchost.exe file in any of the databases, it is most probably malicious and the malware is new, or your operating system was updated recently; in the update case, though, a core process like this reaches the databases very quickly. Either way, beware.

Check the parent process of svchost.exe

We need to find the parent process of our “svchost.exe”:
6. Return to the “Process Monitor” window you left in stage 4.
6.1. Find the parent process. It should be “services.exe”.
6.2. If you still have the svchost.exe window open, check the “Parent:” field in the [Image] tab.
*** If it is not “services.exe”, it is definitely malicious!
7. Close the window of the svchost.exe in question and find all the instances of “services.exe” in Process Monitor. Follow the same pattern we used for “svchost.exe” in stages 1 to 5. There should be only one instance of “services.exe”.
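Stages 1 to 7 (image path, owning account, parent process and file hash) can be applied to every running svchost.exe at once instead of one window at a time. The following is an added example, not the article’s own tooling; the expected values it checks against are exactly the ones the article states, and the Authenticode check is an extra I added because it needs no upload to any public service.

```powershell
# Added example, not from the original article: run the legitimacy checks of
# stages 1-7 over every running svchost.exe. Expected values are the ones the
# article states (System32 path, services.exe parent, S-1-5-18/19/20 owner).
# The Authenticode check is an extra local check, not part of the article.
function Test-Svchost {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $serviceSids  = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
    $allProcs     = Get-CimInstance Win32_Process
    $svchosts     = $allProcs | Where-Object { $_.Name -eq 'svchost.exe' }

    foreach ($p in $svchosts) {
        $parent   = $allProcs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        $sid      = (Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid).Sid
        $path     = $p.ExecutablePath
        $findings = @()

        if ($path -ne $expectedPath) {
            $findings += "path is '$path', expected '$expectedPath'"
        }
        if (-not $parent -or $parent.Name -ne 'services.exe') {
            $findings += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), expected services.exe"
        }
        if ($sid -notin $serviceSids) {
            $findings += "owner SID $sid is not a service account"
        }

        # Hash and signature of the image file that is actually loaded
        $hash = $null; $sigStatus = $null
        if ($path -and (Test-Path $path)) {
            $hash      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            if ($sigStatus -ne 'Valid') { $findings += "Authenticode status $sigStatus" }
        }

        $verdict = if ($findings) { 'REVIEW: ' + ($findings -join '; ') } else { 'looks legit' }
        [pscustomobject]@{
            PID      = $p.ProcessId
            Path     = $path
            OwnerSid = $sid
            Parent   = $parent.Name
            SHA256   = $hash
            Verdict  = $verdict
        }
    }
}

# Run elevated, otherwise ExecutablePath is empty for processes you do not own
Test-Svchost | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner should keep in mind: the parent check relies on ParentProcessId, and Windows reuses process ids, so a parent that has already exited can show up as an unrelated process; and the SHA256 printed here is the value you would look up in the hash databases from stage 5, which is the lookup-by-hash path the article recommends rather than uploading the file.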

What can go wrong with legit Service Host?

If you are using EDR software in an enterprise environment, you will see all the activity leading up to the svchost execution in the logs. Check for earlier “sc.exe” commands such as “sc create” (or “sc.exe create”) and for changes to the registry keys named above; these can indicate tampering with svchost. With “sc create” anyone with the right privileges can register any service they like, including a malicious executable. Information about the “sc.exe” command-line tool and the “sc create” switch can be found on the Microsoft site.
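Without an EDR, the same “sc create” activity leaves a trace in the System event log: Windows logs event ID 7045 (“A service was installed in the system”) whenever a service is registered. The following added example, which is not part of the original article, pulls those events and flags services whose image lives outside the Windows and Program Files directories. The event ID and its data fields are Windows facts; the flagging rule and the look-back window are my own choices.

```powershell
# Added example, not from the original article: pull recent service
# installations from the System event log (event ID 7045, "A service was
# installed in the system", which "sc create" produces) and flag images that
# live outside the Windows and Program Files directories.
# Event ID and data field names are Windows facts; the flag rule is my own.
function Get-RecentServiceInstalls {
    param([int]$Days = 30)

    $filter  = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    foreach ($e in $events) {
        # 7045 EventData carries ServiceName, ImagePath, ServiceType, StartType, AccountName
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ImagePath may be quoted and may contain %SystemRoot%; normalise before matching
        $image = [Environment]::ExpandEnvironmentVariables([string]$data.ImagePath).Trim('"')
        $inTrustedDir = $false
        foreach ($pattern in $trusted) {
            if ($image -like $pattern) { $inTrustedDir = $true }
        }
        $flag = if ($inTrustedDir) { '' } else { 'image outside Windows/Program Files' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $data.ServiceName
            ImagePath   = $data.ImagePath
            StartType   = $data.StartType
            Account     = $data.AccountName
            Flag        = $flag
        }
    }
}

Get-RecentServiceInstalls -Days 30 | Format-Table -AutoSize -Wrap
```

Cross-check any flagged entry against the registry keys described earlier: a freshly installed service whose ImagePath is “svchost.exe -k <group>” but whose group value under the Svchost key was also modified at the same time is the pattern of a service DLL being smuggled into a legitimate host.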
