svchost.exe periodically takes CPU to 100% loading



mcjelly
05-02-2007, 09:28 PM
My 3.2GHz P4 laptop with 1GB RAM and 10GB spare HD space every so often goes into slug mode with svchost.exe loading the CPU at 95-100% usage for up to 5 minutes. It drives me nuts because you can't do anything until it finishes!! I know svchost is a DLL manager and I have done the DOS prompt check thing on what it is managing, but it doesn't mean much to me. I also have looked at some sites that suggest it can be a trojan or virus, but I only have the one file and it is where it should be, with no names like svch0st.exe etc., so I'm pretty sure it's not that. I am running Symantec AV. Any suggestions? I am running XP Pro.

Trev
05-02-2007, 10:59 PM
Download HijackThis if you don't already have it from here (http://www.majorgeeks.com/download3155.html), run it and post the log on the forum for someone to read.

Trevor :)

RealBigDog
05-02-2007, 11:34 PM
Also check the processes tab to see which process is taking up all your cpu.

I usually find that when that happens it's internet explorer hung on something--close it and the cpu is freed up.

mcjelly
06-02-2007, 08:56 AM
Thanks. Here is the log.
Logfile of HijackThis v1.99.1
Scan saved at 8:39:23 a.m., on 6/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
H:\WINDOWS\system32\brsvc01a.exe
H:\WINDOWS\system32\brss01a.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
H:\Program Files\Symantec AntiVirus\DefWatch.exe
H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
H:\WINDOWS\system32\GEARSEC.EXE
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
H:\Program Files\Symantec AntiVirus\SavRoam.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Symantec AntiVirus\Rtvscan.exe
H:\WINDOWS\system32\MsPMSPSv.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
H:\Program Files\Apoint2K\Apoint.exe
H:\WINDOWS\System32\NILaunch.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\Ahead\InCD\InCD.exe
H:\Program Files\USB_HD\GPIOManager\GPIOManager.exe
H:\Program Files\TCM\notifyme.exe
H:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\PROGRA~1\SYMANT~1\VPTray.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Messenger\msmsgs.exe
H:\PROGRA~1\MI3AA1~1\wcescomm.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
H:\Program Files\Apoint2K\Apntex.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Documents and Settings\Administrator\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - H:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] H:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Net-It Launcher] H:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] H:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [GPIO] H:\Program Files\USB_HD\GPIOManager\GPIOManager.exe
O4 - HKLM\..\Run: [TCM Notify-Me] h:\Program Files\TCM\notifyme.exe
O4 - HKLM\..\Run: [ccApp] "H:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] H:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = H:\Program Files\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - H:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1161907211847
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) -
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD8FED1F-6C45-431D-947A-3EB806C50035}: NameServer = 202.27.158.40,202.27.156.72
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - H:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.0.0.358.dll
O20 - Winlogon Notify: NavLogon - H:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - H:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - H:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - H:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - H:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - H:\WINDOWS\system32\GEARSEC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - H:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - H:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - H:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - H:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - H:\Program Files\Symantec AntiVirus\Rtvscan.exe

Speedy Gonzales
06-02-2007, 09:15 AM
The log looks ok, but run HJT again (unzip it and put it in its own folder first). Click on these entries and tick Fix checked. Close browser/s.

O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] H:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

Uninstall Java (and all previous versions) and get the update in my sig below.

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - H:\Program Files\Microsoft Money\System\mnyviewer.dll

Speedy Gonzales
06-02-2007, 11:18 AM
It's most probably Symantec causing the prob. It's not light on resources.

mcjelly
06-02-2007, 11:49 AM
Thanks. I've done all that, except: which Java download do I need from that page as a normal user?

Speedy Gonzales
06-02-2007, 11:53 AM
The Java Runtime Environment (JRE) 6 one.

mcjelly
06-02-2007, 12:12 PM
Thank you Speedy and others, very much appreciated.

zqwerty
06-02-2007, 06:59 PM
Disable the indexing service in Services.

Start/Programs/Administrative Tools/Services/Double click Indexing Services/Set to - Startup type disabled/Stop the presently running service.

zqwerty
06-02-2007, 07:34 PM
Or alternatively:

# Disable Indexing Services

Indexing Services is a small little program that uses large amounts of RAM and can often make a computer endlessly loud and noisy. This system process indexes and updates lists of all the files that are on your computer. It does this so that when you do a search for something on your computer, it will search faster by scanning the index lists. If you don't search your computer often, or even if you do search often, this system service is completely unnecessary. To disable do the following:

* Go to Start
* Click Settings
* Click Control Panel
* Double-click Add/Remove Programs
* Click the Add/Remove Window Components
* Uncheck the Indexing services box
* Click 'Next'

From here:

http://www.connectedinternet.co.uk/2007/02/06/1465/

radium
06-02-2007, 08:30 PM
Hi Speedy, just wondering why you recommend most people who post their HijackThis logs to uninstall and upgrade their Java? I thought Sun Java came with an updater?

Is it a security issue?

Cheers Radium

Speedy Gonzales
06-02-2007, 08:54 PM
Hi Speedy, Just wondering why do recommend most people who post their HiJackThis Logs to uninstall and upgrade their Java, I thought Sun Java came with an updater?

Is it a security issue?

Cheers Radium

That's it. If previous versions of Java have vulnerabilities and you install a later version without uninstalling the previous version/s, then even though you've updated to the latest version you'll still have the vulnerabilities of the previous versions if you leave them installed.

Java does come with an updater, but by the looks of it most people don't have it enabled, or don't bother updating it (Java), even if it tells you there's an update.
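An added example (not code from this thread or from HijackThis) that automates two checks raised above: mcjelly's test that every svchost.exe is the real one under \WINDOWS\System32 rather than a look-alike such as svch0st.exe, and Speedy's point that an older JRE left installed beside a newer one still carries its own vulnerabilities. It runs over a constructed snippet in HijackThis log format; the homoglyph table and the "older than the newest install" rule are my own assumptions about what is worth flagging.

```python
import re
from pathlib import PureWindowsPath

# Assumed homoglyph table: characters that are commonly swapped into a file name
# so that it reads like "svchost.exe" at a glance (e.g. "svch0st.exe").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "$": "s"})

# A drive-letter path ending in .exe/.dll, anywhere on a HijackThis line
# (process list, O2/O4/O9/O23 entries all use this form).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.IGNORECASE)
# Sun JRE install folders look like "\jre1.5.0_01\" (major.minor.micro_update).
JRE_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)

def extract_paths(log_text):
    """Return every .exe/.dll path mentioned in a HijackThis-style log."""
    return PATH_RE.findall(log_text)

def suspicious_svchost(paths):
    """Flag anything that looks like svchost but is not the System32 copy."""
    findings = []
    for p in paths:
        path = PureWindowsPath(p)
        name = path.name.lower()
        if "svchost" not in name.translate(HOMOGLYPHS):
            continue  # not even pretending to be svchost
        # Drive letter varies per machine (the log above boots from H:),
        # so compare only the folders after the drive.
        folders = [part.lower() for part in path.parent.parts[1:]]
        if name != "svchost.exe" or folders != ["windows", "system32"]:
            findings.append(p)
    return findings

def stale_jres(paths):
    """Return JRE install folders older than the newest JRE seen in the log."""
    versions = {}
    for p in paths:
        m = JRE_RE.search(p)
        if m:
            versions[tuple(int(x) for x in m.groups())] = m.group(0).strip("\\")
    if not versions:
        return []
    newest = max(versions)
    return sorted(folder for ver, folder in versions.items() if ver < newest)

# Constructed sample: two lines copied from the log above plus planted entries
# (a misplaced svchost, a look-alike name and a second, newer JRE; the CLSID is a placeholder).
SAMPLE_LOG = r"""
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Windows Defender\MsMpEng.exe
H:\WINDOWS\svchost.exe
H:\Documents and Settings\Administrator\Local Settings\Temp\svch0st.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CLSID-PLACEHOLDER} - H:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
"""

if __name__ == "__main__":
    found = extract_paths(SAMPLE_LOG)
    print("svchost to investigate:", suspicious_svchost(found))
    print("old JREs still installed:", stale_jres(found))
```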

radium
06-02-2007, 09:16 PM
Cheers for that Speedy :)