Need a bit of help

Discussion in 'ProcessGuard' started by jtr8178, Nov 26, 2006.

Thread Status:
Not open for further replies.
  1. jtr8178
    jtr8178 Registered Member

    I'm having problems running Madden 2007. Roughly every 4 minutes, the program will minimize and kick me back to Windows. Here is what I've done so far:

    - Uninstall & reinstall the program
    - Run Ad-Aware and clean my system
    - Run a complete virus scan on my computer
    - Disable virtually every program on start-up, and make sure nothing suspicious is running in the background

    I believe the problem is that something is running in the background on my computer and kicking me out of my program every several minutes. So I ran across ProcessGuard (a very nice program, BTW), which has been very helpful.

    When my program minimizes and kicks me out, these entries are logged in ProcessGuard:

    [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1188]
    [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]

    [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [796]
    [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,nvcplapplycolorprofile ]

    [EXECUTION] "c:\windows\system32\wbem\wmiadap.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1340]
    [EXECUTION] Commandline - [ wmiadap.exe /r /t ]

    [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\nvsvc32.exe" [796]
    [EXECUTION] Commandline - [ rundll32.exe nvcpl.dll,nvcplhandledisplaychange ]

    [EXECUTION] "c:\windows\system32\wbem\wmiprvse.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1188]
    [EXECUTION] Commandline - [ c:\windows\system32\wbem\wmiprvse.exe -embedding ]

    I think the problem is in the first execution lines, with svchost.exe calling iexplore. Am I correct in this? I went into my windows/system32 folder and renamed svchost.exe to svchost.old. I rebooted, but on reboot I noticed that svchost.exe was back. Is this Windows doing this, or some type of trojan horse?

    I blocked svchost.exe in ProcessGuard from running, but it still calls iexplore.exe ... Am I on the right track, or should I be looking somewhere else?

    Thank you in advance for any help!
  2. strangequark
    strangequark Registered Member

    Not sure what's causing your problem, but Svchost.exe is an integral part of the operating system, and should be left well alone.
    Svchost.exe is a generic host process for Win32 Services that acts as a host for processes that run from DLLs rather than EXEs. At startup svchost.exe checks the Services portion of the Registry to construct a list of DLL-based services that it needs to load, and then loads them.
    Having said that, viruses have been known to use that name.
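
Added example, not part of any post in this thread: a short Python parser for the ProcessGuard [EXECUTION] entries quoted in the first post, which also checks the point made above that a file named svchost.exe is only the Windows one when it runs from its usual folder. The expected-folder table assumes a default Windows XP install on C:, and the last sample entry is constructed.

```python
import re
from ntpath import basename, dirname, normcase
# Assumption: default Windows XP install on C:, as in the posted log paths.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "iexplore.exe": r"c:\program files\internet explorer",
}
RAN = re.compile(r'\[EXECUTION\] "([^"]+)" was allowed to run')
PARENT = re.compile(r'\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]')
CMD = re.compile(r'\[EXECUTION\] Commandline - \[ (.*) \]')

def parse_events(log):
    """Group the three-line [EXECUTION] entries into one dict per launch."""
    events = []
    for line in map(str.strip, log.splitlines()):
        if m := RAN.match(line):
            events.append({"image": m.group(1), "parent": None, "ppid": None, "cmd": None})
        elif events and (m := PARENT.match(line)):
            events[-1].update(parent=m.group(1), ppid=int(m.group(2)))
        elif events and (m := CMD.match(line)):
            events[-1]["cmd"] = m.group(1)
    return events

def misplaced_images(events):
    """Paths that use a known system file name from an unexpected folder."""
    found = set()
    for ev in events:
        for path in filter(None, (ev["image"], ev["parent"])):
            expected = EXPECTED_DIR.get(normcase(basename(path)))
            if expected and normcase(dirname(path)) != expected:
                found.add(path)
    return sorted(found)

# First entry is copied from the post; the second is CONSTRUCTED for contrast.
SAMPLE = r'''
[EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\svchost.exe" [1188]
[EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe" -embedding ]
[EXECUTION] "c:\temp\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1500]
[EXECUTION] Commandline - [ svchost.exe ]
'''

if __name__ == "__main__":
    events = parse_events(SAMPLE)
    for ev in events:
        print(f'{ev["parent"]} [{ev["ppid"]}] -> {ev["image"]}')
    print("unexpected location:", misplaced_images(events))
```

Run over the five entries in the first post, `misplaced_images` returns an empty list, since every svchost.exe, rundll32.exe and iexplore.exe path there is in its standard folder.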
  3. Mele20
    Mele20 Former Poster

    I don't know what your problem is, but I can tell you that it is Windows File Protection that put svchost.exe back after you rebooted. That is an essential Windows file and Windows won't allow you to get rid of it, rename it, etc. I had Kaspersky's ProActive Defense decide iexplore.exe was a nasty and it put it in quarantine. Windows File Protection simply put another copy of the file back in Program Files.
  4. linney
    linney Registered Member

    Try diagnosing the problem by eliminating other possible causes.

    310353 - How to Perform a Clean Boot in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;310353&FR=1&PA=1&SD=HSCH

    316434 - HOW TO: Perform Advanced Clean-Boot Troubleshooting in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;316434&FR=1&PA=1&SD=HSCH

    310560 - How to Troubleshoot By Using the Msconfig Utility in Windows XP
    http://support.microsoft.com/default.aspx?scid=kb;en-us;310560&FR=1&PA=1&SD=HSCH