Question

Svchost.exe hosting the RPCss service takes up to 90-100% of the CPU...

Asked by: itcantam

Let me know what I have to do... The 1st log is from HijackThis and the 2nd one is from Process Explorer...

I did run every AV and spyware tool without success...

It's always the same thread in svchost.exe that takes all the CPU:
Kernel32.dll!RegisterWaitForInputIdle+0x4a, which just multiplies itself. It starts with 3 threads using approx. 33% of the CPU each; by the end (before I power off) it can go up to 8 threads like this, splitting up all the CPU...

The desktop is not affected in the same way as the laptop (which has a firewall (ZoneAlarm) and a VPN client (Aventail Connect)). The moment this event happens, the desktop taskbar freezes completely (svchost looks like it kills itself and restarts), but all opened apps keep working and Alt-Tab still switches between them; I can't open any new apps... For the laptop, we can start anything, but the CPU is busy with svchost.exe.

-----------------------------------------------------------------------------------------------------------------------------------------
StartupList report, 7/20/2004, 1:27:06 PM
StartupList version: 1.52.2
Started from : J:\GENASDV2\Tam\tools\Spy finders\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\DcPSI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINNT\system32\SLClient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Dazel\Output Envoy\bin\DcDaemon.exe
C:\Program Files\OnDemand\OdPlayer\ODPlayer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\RemotePoint Presenter\rpointpr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\netscape\Program\netscape.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\Program Files\InterVideo\WinDVD\WinDVD.exe
J:\GENASDV2\Tam\tools\Spy finders\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jfthibea.000\Start Menu\Programs\Startup]
BHODemon 2.0.lnk = GENASDV2\Tam\tools\Spy finders\BHODeamon\BHODemon.exe
HotSync Manager.lnk = Program Files\Palm\HOTSYNC.EXE
pcLogic.lnk = C:\ScriptLogic\mrLogic.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = ?
RemotePoint Presenter.lnk = C:\Program Files\RemotePoint Presenter\rpointpr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AGRSMMSG = AGRSMMSG.exe
ATIModeChange = Ati2mdxx.exe
Tempfile = C:\WINNT\BAT\TEMP.LNK
DAZEL Delivery Agent = "C:\Program Files\Dazel\Output Envoy\bin\DcDaemon.exe"
OnDemand = C:\ScriptLogic\wKiX32.exe "C:\Program Files\OnDemand\OdPlayer\OnDemand.Kix"
SBMGRNT.EXE = C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
vptray = C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ZENRC Tray Icon = C:\WINNT\System32\zentray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\System32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[>{CCB781BC-EB81-436D-B7D1-6AC8F8E6036D}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 CUSTOM

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=%SystemRoot%\bat.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINNT\System32\ATPART~1.DLL - {00000EF1-0786-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[F1 Organizer Class]
InProcServer32 = C:\WINNT\System32\ATPART~1.DLL
CODEBASE = http://www.addictivetechnologies.net/DM0/cab/wzzp4.cab

[PCPitstop Utility]
InProcServer32 = C:\WINNT\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ISTactivex.dll
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[mhLabel Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\mhLbl.dll
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[SassCln Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB

[CentraDownloaderCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\CentraDownloader.dll
CODEBASE = http://batclass.icconsulting.com.au/SiteRoots/main/Install/CentraDownloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Program Files\Aventail\Connect\asdns.dll
NameSpace #2: C:\WINNT\System32\mswsock.dll
NameSpace #3: C:\WINNT\System32\winrnr.dll
NameSpace #4: C:\WINNT\System32\mswsock.dll
Protocol #1: C:\WINNT\system32\mswsock.dll
Protocol #2: C:\WINNT\system32\mswsock.dll
Protocol #3: C:\WINNT\system32\mswsock.dll
Protocol #4: C:\WINNT\system32\mswsock.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\rsvpsp.dll
Protocol #7: C:\WINNT\system32\mswsock.dll
Protocol #8: C:\WINNT\system32\mswsock.dll
Protocol #9: C:\WINNT\system32\mswsock.dll
Protocol #10: C:\WINNT\system32\mswsock.dll
Protocol #11: C:\WINNT\system32\mswsock.dll
Protocol #12: C:\WINNT\system32\mswsock.dll
Protocol #13: C:\WINNT\system32\mswsock.dll
Protocol #14: C:\WINNT\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Aventail Connect: C:\Program Files\Aventail\Connect\as32svc.exe (autostart)
Ascrypto: \??\C:\Program Files\Aventail\Connect\ascrypto.sys (manual start)
Askernel: \??\C:\Program Files\Aventail\Connect\asntkrnl.sys (system)
Astdi: \??\C:\Program Files\Aventail\Connect\asnttdi.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINNT\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Darpan: System32\DRIVERS\Darpan.sys (manual start)
DAZEL Delivery Agent: DcPSI.exe (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO/1000 Adapter Driver: System32\DRIVERS\e1000325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IBMPMDRV: System32\DRIVERS\ibmpmdrv.sys (manual start)
IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINNT\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
LanHound Filter: System32\DRIVERS\isproto.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Novell Application Launcher: C:\Program Files\Novell\ZENworks\nalntsrv.exe (autostart)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040719.048\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040719.048\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NICM: System32\Drivers\Nicm.sys (system)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
Novell Local Security Context Manager: \SystemRoot\System32\drivers\novell\nscmnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OracleOraHome92ClientCache: C:\oracle\ora92\bin\ONRSD.EXE (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Novell ZfD Wake on LAN Status Agent: C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINNT\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Novell ZfD Remote Management: C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe (autostart)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
SafeBoot Configuration Manager: C:\Program Files\SafeBoot\SBMGRNT.EXE (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SbcpHid: \??\C:\WINNT\System32\Drivers\SbcpHid.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScriptLogic service: SLClient.exe (autostart)
Intel(R) SMBus 2.0 Driver: System32\DRIVERS\smb.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINNT\System32\dllhost.exe /Processid:{06BEA234-9FA7-4D9B-B821-AF1C242995ED} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINNT\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINNT\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel(R) PRO/Wireless 7100 Adapter Driver: System32\DRIVERS\w70n51.sys (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINNT\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Novell XTier Authentication Service: \SystemRoot\System32\drivers\novell\xauthnt.sys (manual start)
Workstation Manager: C:\Program Files\Novell\ZENworks\wm.exe (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 35,064 bytes
Report generated in 0.100 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

-----------------------------------------------------------------------------------------------------------------------------------------
Process Explorer log when the prob happened...

Process      PID      CPU      Description      Company Name
System Idle Process      0                  
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a            Deferred Procedure Calls      
 System      4      1            
  smss.exe      580            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      644      1      Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      668            Windows NT Logon Application      Microsoft Corporation
    services.exe      712      2      Services and Controller app      Microsoft Corporation
     ibmpmsvc.exe      904                  
     svchost.exe      940      94      Generic Host Process for Win32 Services      Microsoft Corporation
      hpgs2wnf.exe      3600            hpgs2wnf Module      
     svchost.exe      1168            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1180            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      1392            Spooler SubSystem App      Microsoft Corporation
     cusrvc.exe      1664            Novell Client Update Service      Novell, Inc.
     DcPSI.exe      1680                  
     DKService.exe      1696            DKSERVICE.EXE      Executive Software International, Inc.
     mdm.exe      1728            Machine Debug Manager      Microsoft Corporation
     NALNTSRV.EXE      1752            NT Service for Novell Application Launcher (ZENLITE)      Novell, Inc.
     Rtvscan.exe      1856            Symantec AntiVirus      Symantec Corporation
     PCAHelper.exe      1900            PCAHelper Module      SYMON Communications, Inc.
     WolSerNT.exe      1924            Novell ZFD Wake on Lan Status Agent      Novell Inc.
     ZenRem32.exe      1944            Novell ZEN Remote Management Agent      Novell Inc.
     locator.exe      2044            Rpc Locator      Microsoft Corporation
     sbmgrnt.exe      132            SafeBoot Configuration Manager for NT      Control Break International
     SLClient.exe      184            SLServer      ScriptLogic Corporation
     svchost.exe      244            Generic Host Process for Win32 Services      Microsoft Corporation
     vsmon.exe      280            TrueVector Service      Zone Labs Inc.
     winvnc.exe      416            VNC server for Win32      RealVNC Ltd.
     WM.EXE      448            ZEN for Desktops Workstation Manager      Novell, INC.
      WMRUNDLL.EXE      1060            ZEN for Desktops Helper DLL Processor      Novell, INC.
     svchost.exe      1076            Generic Host Process for Win32 Services      Microsoft Corporation
     dllhost.exe      2844            COM Surrogate      Microsoft Corporation
     msiexec.exe      436            Windows® installer      Microsoft Corporation
    lsass.exe      724            LSA Shell (Export Version)      Microsoft Corporation
explorer.exe      2336            Windows Explorer      Microsoft Corporation
 tp4mon.exe      2500            IBM PS/2 TrackPoint Application      IBM Corporation
 DcDaemon.exe      2528            DAZEL Delivery Agent      Hewlett-Packard Company
 wKiX32.exe      2360            KiXtart main executable      Ruud van Velsen (Microsoft)
  OdPlayer.exe      2156            OnDemand Player      Global Knowledge, Inc.
 VPTray.exe      2688            Symantec AntiVirus      Symantec Corporation
 TPHKMGR.exe      2780                  
  TPONSCR.exe      2848                  
 nwtray.exe      3112            Novell System Tray Icon      Novell, Inc.
 hpgs2wnd.exe      3192            hpgs2wnd      Hewlett-Packard
 ctfmon.exe      3200            CTF Loader      Microsoft Corporation
 NALDESK.EXE      3664            ZENworks Application Explorer Executable      Novell, Inc
 HOTSYNC.EXE      240            HotSync® Manager Application      Palm, Inc.
 procexp.exe      1976      2      Sysinternals Process Explorer      Sysinternals
 MPSRPT_SETUPPerf.EXE      3228            MPS Reporting Tool for Setup and Performance Support      Microsoft Corporation
  cmd.exe      2452            Windows Command Processor      Microsoft Corporation
   msinfo32.exe      784            System Information      Microsoft Corporation
 cmd.exe      2140            Windows Command Processor      Microsoft Corporation
  cscript.exe      2696            Microsoft (r) Console Based Script Host      Microsoft Corporation
   cmd.exe      3000            Windows Command Processor      Microsoft Corporation
    tlist.exe      2912            Microsoft® Process List Utility      Microsoft Corporation
 autokr.exe      4088            Auto Kernrate Tool      
  cmd.exe      232            Windows Command Processor      Microsoft Corporation
   CheckSym.exe      1296            Symbol Collection and Verification Process      Microsoft Corporation
wuauclt.exe      2852            Windows Update AutoUpdate Client      Microsoft Corporation

Process: svchost.exe Pid: 940

Type      Name
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 976
Thread      svchost.exe(940): 976
Thread      svchost.exe(940): 948
Thread      svchost.exe(940): 948
Thread      svchost.exe(940): 944
Thread      svchost.exe(940): 3616
Thread      svchost.exe(940): 3492
Thread      svchost.exe(940): 3476
Thread      svchost.exe(940): 2896
Thread      svchost.exe(940): 2804
Thread      svchost.exe(940): 2748
Thread      svchost.exe(940): 2644
Thread      svchost.exe(940): 2404
Thread      svchost.exe(940): 228
Thread      svchost.exe(940): 2200
Thread      svchost.exe(940): 1484
Thread      svchost.exe(940): 1376
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\LOCAL SERVICE
Process      hpgs2wnf.exe(3600)
Key      HKU
Key      HKU
Key      HKU
Key      HKU
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key      HKLM\SOFTWARE\Microsoft\Ole
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM
Key      HKCU\Software\Classes
Key      HKCR\CLSID
Key      HKCR\CLSID
Key      HKCR\CLSID
Key      HKCR\AppID
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
File      C:\WINNT\system32
WindowStation      \Windows\WindowStations\Service-0x0-3e7$
WindowStation      \Windows\WindowStations\Service-0x0-3e7$
Directory      \Windows
Port      \RPC Control\epmapper
Directory      \KnownDlls
KeyedEvent      \KernelObjects\CritSecOutOfMemoryEvent
File      \Dfs
File      \Device\Udp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\NwlnkSpx\Stream
File      \Device\NamedPipe\Winsock2\CatalogChangeListener-3ac-0
File      \Device\NamedPipe\svcctl
File      \Device\NamedPipe\net\NtControlPipe3
File      \Device\NamedPipe\epmapper
File      \Device\NamedPipe\epmapper
File      \Device\KsecDD
File      \Device\Ip
File      \Device\Ip
File      \Device\Ip
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
Desktop      \Default
Event      \BaseNamedObjects\userenv:  User Profile setup event
Section      \BaseNamedObjects\ShimSharedMemory
Mutant      \BaseNamedObjects\ShimCacheMutex
Event      \BaseNamedObjects\ScmCreatedEvent
Section      \BaseNamedObjects\RotHintTable
Mutant      \BaseNamedObjects\{02D4B3F1-FD88-11D1-960D-00805FC
Section      \BaseNamedObjects\__R_000000000007_SMem__
Directory      \BaseNamedObjects


Thank you in advance... Any advice will be appreciated.


Asked On: 2004-07-20 at 10:48:57 (ID 21065139)
Topic: Operating Systems Miscellaneous
Participating Experts: 8
Points: 500
Comments: 24


Answers

 

by: Cyber-Dude, posted on 2004-07-20 at 12:52:55, ID: 11596799

Locate and delete (in safe mode) the "winhelp.hlp" file and reboot.

Cyber

 

by: kyledude, posted on 2004-07-20 at 16:04:38, ID: 11598319

"The moment this event happens, the desktop taskbar freezes completely"

When does this happen, the second the computer is started up, or after it has run a while?  Also, does the same thing happen in safe mode?  How do you know that you can not start any more apps on the desktop computers?

kyledude

 

by: adamdrayer, posted on 2004-07-20 at 20:38:58, ID: 11599377

I'm not familiar with this one:
C:\WINNT\system32\DcPSI.exe

Is that part of DAZEL? What is DAZEL anyway?

 

by: sciwriter, posted on 2004-07-21 at 00:06:00, ID: 11600131

You are totally focussed on service host -- and all that is, is a major Windows task director that executes tasks other modules call on service host to do -- like kernel32, it is the central workhorse that runs processes.

If you forget ALL the logs, realize that service host is nothing more than a butler that serves up stuff for other people -- and if you rephrase your question about what is really going on when the system freezes, we may be able to help you.  At present, I see no way of helping you, without a clearer explanation of exactly what is happening.

 

by: itcantam, posted on 2004-07-21 at 09:00:32, ID: 11604151

Thanks for the feedback guys... To answer some of your questions...
-It happens randomly on any PC... laptop/desktop... while users are working, could be at any time... 5 min after login on the domain or 6 hours after... No app can be pinpointed at this moment....
-Dazel is our IP printer service...
-It's RPCss running under svchost.exe that looks to crash... regardless of the logs...
-Why delete winhelp.hlp btw... ??? just curious...

To give you more info...
This bug could appear 6 times on the same PC a day, and the same PC won't have any probs for the next week, then could crash again...

If you have any clear/specific questions... feel free.

 

by: Cyber-Dude, posted on 2004-07-21 at 11:25:36, ID: 11605487

I encountered the same malfunction once... The same symptoms. I renamed winhelp.hlp to *.old and restarted the OS, causing it to restore the file from the system backup. I guess it is something to do with a link made by the SVCHOST process and winhelp.hlp.

So, just try to rename it in safe mode and restart your computer... If it won't help... it won't do any harm


Good luck

Cyber

 

by: sciwriter, posted on 2004-07-21 at 11:50:40, ID: 11605733

Hey look at this -- couple of these boards at super low prices.  They may climb as they come to a close, but now --

http://search.ebay.com/ASUS-P4T-E_Desktop-PC-Components_W0QQbsZSearchQQcatrefZC6QQfromZR2QQsacategoryZ3667QQsatitle
ZASUSQ20P4TQ2dEQQsbrftogZ1QQsocolumnlayoutZ3QQsofocusZbsQQsorecordsperpageZ50QQsosortorderZ1QQsosortpropertyZ1

Piece that back into a single line, and it will give you a link to the same MBs, below $50.

 

by: sciwriter, posted on 2004-07-21 at 11:51:36, ID: 11605748

Oops, sorry, posted to the wrong thread; this is a problem with the current questioner name being unreadable.
Just ignore post above, please.

 

by: sciwriter, posted on 2004-07-21 at 12:05:24, ID: 11605884

Sorry for the above mess, itcantam, EE has been changing the headers on these questions, and it is very hard right now to keep track of things.

I have a suggestion you could try -- and it might take a day or two to test it out, but it might be the only way you will narrow this bug --

1.  When this happens, do control-alt-delete and go to the processes tab of task manager.  There will normally be 2 service host instances for the system, one for the network, and one for local service, about halfway down.  There may be one or two higher up.  If there are any right at the top, close windows by right clicking on each in the task bar -- see which processes go away that you can't identify by windows on the task bar.  That will tell you which app is spawning the process.

2.  You should also check the server this way too, without closing the processes.

3.  Kill the Dazel print service on the printer (with queues) long enough to determine if that is/is not the problem.

4.  Cyber's fix looks interesting -- he always comes up with original ideas -- try it !!

 

by: itcantam, posted on 2004-07-21 at 12:43:48, ID: 11606247

I will try to delete the hlp asap to see if it could fix this prob...

The thing is, once the "bug" happens... We can't do anything but alt-tab... Not even open Task Manager...
We do now have some desktops set up with (FileMon, RegMon, Task Manager, Process Explorer and a command prompt) open, and ask the users to work with these open... and I just wish that it will happen again on those ;)

I already tried to kill all tasks one by one... The only one that brought me back my taskbar was killing the svchost.exe hosting rpcss, but I had to kill it 5 times before that happened... And I still wait for another PC to crash to do it again to see if deleting only this one will have the same effect...

I will come back with news by tomorrow once I've tried all this.
Thanks again.

 

by: Cyber-Dude, posted on 2004-07-21 at 13:14:40, ID: 11606577

Yap but I take back the deletion action, try to rename the file.

Cyber

 

by: sciwriter, posted on 2004-07-21 at 14:55:34, ID: 11607555

<< We can't do nothing but alt-tab... Not even open Task manager...>>

ALMOST CERTAINLY A VIRUS OR WORM !!  

DO EXTENSIVE VIRUS SCANS -- www.trendmicro.com -- online scanner.

Once cleaned, if this persists, reinstall is needed.

 

by: itcantam, posted on 2004-07-22 at 08:21:36, ID: 11613143

We did try Trend Micro, McAfee's Stinger... Nothing found as virus...

IF we kill one of the svchost.exe, everything comes back to normal... But I know it's not RPCss, neither the DNS one... Have to focus on the 2 others to see which one, after we kill it, gives us back the control, I'll let you know.

 

by: Cyber-Dude, posted on 2004-07-22 at 08:28:05, ID: 11613224

Hmmm....
Found something. I didn't try it myself but it sounds promising...
http://www.stiller.com

Tell me if you wish to implement it on your computer and how it worked...

Cyber

 

by: sciwriter, posted on 2004-07-22 at 11:31:11, ID: 11615151

Itcantam -- If it is the network process you have to kill, that might mean you are being probed.  Have you gone to your firewall and made sure it is tight?

Go to www.grc.com -- wade through some pages looking for "probe my ports" -- Gibson's site is a great way to test your firewall -- as long as everything comes up stealth, you are safe -- and yes, you can test it from a WS, as all it probes is the WAN IP -- main firewall.

 

by: itcantam, posted on 2004-07-22 at 12:42:14, ID: 11615899

Oki... I did try the renaming of the winhlp32.hlp...

I know now for sure...
That if I kill the svchost.exe that hosts (Audiosrv, dhcp, messenger, browser, help + support...), I gain back the control over the PC, Start menu works... only thing is that prcss is now taking 100% of CPU... ;)

We did run all anti-virus possible without success... looks like we did create our own one :( hehe
All this happened when we began to phase out our Novell environment (IPX) to go full IP.

Thanks

 

by: sciwriter, posted on 2004-07-22 at 12:46:13, ID: 11615947

<< All this happened when we began to phase out our Novell environment (IPX) to go full IP >>

Wish you had said that a long while ago.  Is the novell now gone, or still on line?

<< only thing is that prcss is now takin 100% of CPU >>

Which process?

 

by: Cyber-Dude, posted on 2004-07-22 at 13:14:41, ID: 11616252

Are you using GroupWise?

Cyber

 

by: beem4n, posted on 2004-07-22 at 23:40:09, ID: 11619155

Hi,

try the following: update all critical patches using Windows Update

I am almost sure it's virus attacks,
the virus is not infecting you, but doing something like DDoS,
that's why CPU is ~95-100%

Also check your local network for viruses

 

by: itcantam, posted on 2004-07-23 at 08:54:30, ID: 11622660

Hey guys... guess what???

Still has to be tested, but our virus came from this article... ;)

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10092225.htm

Have a look, we did upgrade/remove some of our Zen Agent to see if the prob will appear again... But I really doubt it.
Woup woup woup... Novell again!!! Just bad luck after bad luck with this F***** agent... We still wait for the "Midas" version of it...

Have a nice week-end and thx to all for the help on this issue... We will have to wait a week or so to see if the symptoms are really dead... I will keep you posted.

 

by: sciwriter, posted on 2004-07-23 at 11:01:21, ID: 11623897

It's probably a courtesy to all the people who put in time to assign points now to the most accurate answer that led to finding the fix, or else SPLIT points among the answers you feel helped the most get you there.  If the problem continues, you can always ask another Q later.  They become old after 2-5 days  :)))

We're all glad you found it!!

 

by: muzzle, posted on 2004-08-17 at 20:41:33, ID: 11827342

Hi,

Try using the tasklist command to view what service inside the svchost may be causing the crash.  I managed to resolve this on a few machines by disabling ctfmon.exe (there is a worm that kills the ctfmon and takes its identity), however I don't know if this is relevant or not in your case.

In command prompt type:

tasklist /svc

You will then be able to see inside so to speak and something may stand out.
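
As an added illustration of the `tasklist /svc` suggestion above (example code, not posted by anyone in this thread): the parser below reads `tasklist /svc` output, handles the wrapped continuation lines that long netsvcs groups produce, and joins each svchost.exe PID with its CPU figure so the hot host and the services sharing it are visible before anyone kills a process. The tasklist text and the PID-to-CPU table are constructed to mirror the PIDs and the 94% figure in the asker's Process Explorer log and the service names the asker reported; the exact service groupings are assumed, not taken from the thread.

```python
"""Map svchost.exe PIDs to the services they host and rank them by CPU."""
import re

# CONSTRUCTED `tasklist /svc` output: PIDs mirror the Process Explorer log
# in the question; the service groupings are assumed. Real tasklist wraps a
# long service list onto indented continuation lines exactly like this.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       580 N/A
services.exe                   712 Eventlog, PlugPlay
svchost.exe                    940 AudioSrv, Browser, Dhcp, helpsvc,
                                   Messenger, Netman, Themes, W32Time,
                                   winmgmt, wuauserv
svchost.exe                   1168 RpcSs
svchost.exe                   1180 Dnscache
svchost.exe                    244 LmHosts, RemoteRegistry, WebClient
svchost.exe                   1076 Alerter, SSDPSRV
lsass.exe                      724 PolicyAgent, ProtectedStorage, SamSs
"""

# CONSTRUCTED {pid: cpu_percent}, copied from the CPU column of the Process
# Explorer log in the question; processes with no figure there count as 0.
PROCEXP_CPU = {940: 94, 712: 2, 644: 1, 4: 1, 1976: 2}


def _split_services(fragment):
    """Split 'A, B, C,' into ['A', 'B', 'C'], dropping empty pieces."""
    return [s for s in (x.strip() for x in fragment.split(",")) if s]


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output.

    A line that starts with whitespace and carries no PID is a continuation
    of the previous entry's service list and is appended to it.
    """
    pid_line = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line, column header or separator row
        if line[0].isspace():
            if current is not None:  # wrapped continuation of the service list
                result[current][1].extend(_split_services(line))
            continue
        m = pid_line.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        raw = m.group("svcs").strip()
        svcs = [] if raw == "N/A" else _split_services(raw)
        result[pid] = (m.group("image"), svcs)
        current = pid
    return result


def svchost_by_cpu(tasklist_text, cpu_by_pid, image="svchost.exe"):
    """Rank instances of `image` by CPU, each with the service group it hosts.

    Returns [(cpu, pid, services), ...], highest CPU first, so the host worth
    investigating comes out on top together with everything that shares it.
    """
    table = parse_tasklist_svc(tasklist_text)
    rows = [(cpu_by_pid.get(pid, 0), pid, svcs)
            for pid, (img, svcs) in table.items() if img.lower() == image.lower()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def hosts_of(tasklist_text, service):
    """Return the PID hosting `service` (case-insensitive match), or None."""
    for pid, (_, svcs) in parse_tasklist_svc(tasklist_text).items():
        if any(s.lower() == service.lower() for s in svcs):
            return pid
    return None


if __name__ == "__main__":
    for cpu, pid, svcs in svchost_by_cpu(TASKLIST_SVC, PROCEXP_CPU):
        print(f"svchost.exe PID {pid:>5} CPU {cpu:>3}%: {', '.join(svcs) or '(none)'}")
    print("RpcSs is hosted by PID", hosts_of(TASKLIST_SVC, "RpcSs"))
```

On a live machine, feed the function the captured output of `tasklist /svc` and a CPU table read from Task Manager or Process Explorer at the moment the symptom appears.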

 

by: plimpias, posted on 2004-08-20 at 09:16:02, ID: 11852788

Uninstall the Indexing service and reinstall. It is in Add/Remove Programs. If that doesn't work (it should) then follow the next step. If this is a Sony laptop, reply back to me because I will give you a link to the fix for it. It is a known issue with the Sony laptop with CPU running at 100% because of svchost.exe. They put out a fix for it.

 

by: chow8400, posted on 2004-08-23 at 14:15:00, ID: 11875205

If you installed any applications recently, more than likely they will be the cause, even updates. I remember that after installing a service pack svchost was running like a killer... 97% CPU time, etc. Eventually I ended up uninstalling the apps and the service pack. Then my system was working like a charm. I realised that you're running an OS like Windows NT or Windows 2000 due to %winnt% mentioned. I would suggest that you check to see if the apps are compatible with the OS, and also check services to see if there are any unnecessary services starting up.
