itcantam

asked on

Svchost.exe hosting the RPCss service takes up to 90-100% of the CPU...

Let me know what I have to do to... The 1st log is from HijackThis and the 2nd one is from Process Explorer...

I did run each and every AV and spyware program without success...

It's always the same thread in svchost.exe that takes all the CPU:
Kernel32.dll!RegisterWaitForInputIdle+0x4a, which just multiplies itself; it starts with 3 threads using approx. 33% of the CPU each, and at the end (before I power off) it can go up to 8 such threads splitting up all the CPU...

The desktops are not affected in the same way as the laptop (which has a firewall (ZoneAlarm) and a VPN client (Aventail Connect)). The moment this event happens, the desktop taskbar freezes completely (svchost looks like it kills itself and restarts), but all open apps keep working and Alt-Tab still switches between them; we can't open any new apps... On the laptop we can start anything, but the CPU is busy with svchost.exe.

-----------------------------------------------------------------------------------------------------------------------------------------
StartupList report, 7/20/2004, 1:27:06 PM
StartupList version: 1.52.2
Started from : J:\GENASDV2\Tam\tools\Spy finders\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\DcPSI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINNT\system32\SLClient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Dazel\Output Envoy\bin\DcDaemon.exe
C:\Program Files\OnDemand\OdPlayer\ODPlayer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\RemotePoint Presenter\rpointpr.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\netscape\Program\netscape.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\Program Files\InterVideo\WinDVD\WinDVD.exe
J:\GENASDV2\Tam\tools\Spy finders\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jfthibea.000\Start Menu\Programs\Startup]
BHODemon 2.0.lnk = GENASDV2\Tam\tools\Spy finders\BHODeamon\BHODemon.exe
HotSync Manager.lnk = Program Files\Palm\HOTSYNC.EXE
pcLogic.lnk = C:\ScriptLogic\mrLogic.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = ?
RemotePoint Presenter.lnk = C:\Program Files\RemotePoint Presenter\rpointpr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AGRSMMSG = AGRSMMSG.exe
ATIModeChange = Ati2mdxx.exe
Tempfile = C:\WINNT\BAT\TEMP.LNK
DAZEL Delivery Agent = "C:\Program Files\Dazel\Output Envoy\bin\DcDaemon.exe"
OnDemand = C:\ScriptLogic\wKiX32.exe "C:\Program Files\OnDemand\OdPlayer\OnDemand.Kix"
SBMGRNT.EXE = C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
vptray = C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
ZENRC Tray Icon = C:\WINNT\System32\zentray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\System32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[>{CCB781BC-EB81-436D-B7D1-6AC8F8E6036D}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 CUSTOM

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=%SystemRoot%\bat.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINNT\System32\ATPART~1.DLL - {00000EF1-0786-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[F1 Organizer Class]
InProcServer32 = C:\WINNT\System32\ATPART~1.DLL
CODEBASE = http://www.addictivetechnologies.net/DM0/cab/wzzp4.cab

[PCPitstop Utility]
InProcServer32 = C:\WINNT\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ISTactivex.dll
CODEBASE = http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[mhLabel Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\mhLbl.dll
CODEBASE = http://www.pcpitstop.com/mhLbl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[SassCln Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB

[CentraDownloaderCtl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\CentraDownloader.dll
CODEBASE = http://batclass.icconsulting.com.au/SiteRoots/main/Install/CentraDownloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Program Files\Aventail\Connect\asdns.dll
NameSpace #2: C:\WINNT\System32\mswsock.dll
NameSpace #3: C:\WINNT\System32\winrnr.dll
NameSpace #4: C:\WINNT\System32\mswsock.dll
Protocol #1: C:\WINNT\system32\mswsock.dll
Protocol #2: C:\WINNT\system32\mswsock.dll
Protocol #3: C:\WINNT\system32\mswsock.dll
Protocol #4: C:\WINNT\system32\mswsock.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\rsvpsp.dll
Protocol #7: C:\WINNT\system32\mswsock.dll
Protocol #8: C:\WINNT\system32\mswsock.dll
Protocol #9: C:\WINNT\system32\mswsock.dll
Protocol #10: C:\WINNT\system32\mswsock.dll
Protocol #11: C:\WINNT\system32\mswsock.dll
Protocol #12: C:\WINNT\system32\mswsock.dll
Protocol #13: C:\WINNT\system32\mswsock.dll
Protocol #14: C:\WINNT\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Aventail Connect: C:\Program Files\Aventail\Connect\as32svc.exe (autostart)
Ascrypto: \??\C:\Program Files\Aventail\Connect\ascrypto.sys (manual start)
Askernel: \??\C:\Program Files\Aventail\Connect\asntkrnl.sys (system)
Astdi: \??\C:\Program Files\Aventail\Connect\asnttdi.sys (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINNT\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Darpan: System32\DRIVERS\Darpan.sys (manual start)
DAZEL Delivery Agent: DcPSI.exe (autostart)
DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Diskeeper: C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe (autostart)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO/1000 Adapter Driver: System32\DRIVERS\e1000325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IBMPMDRV: System32\DRIVERS\ibmpmdrv.sys (manual start)
IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINNT\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
LanHound Filter: System32\DRIVERS\isproto.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Novell Application Launcher: C:\Program Files\Novell\ZENworks\nalntsrv.exe (autostart)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040719.048\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040719.048\NAVEX15.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NICM: System32\Drivers\Nicm.sys (system)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: System32\DRIVERS\NMnt.sys (manual start)
Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart)
NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
Novell Local Security Context Manager: \SystemRoot\System32\drivers\novell\nscmnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OracleOraHome92ClientCache: C:\oracle\ora92\bin\ONRSD.EXE (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Novell ZfD Wake on LAN Status Agent: C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINNT\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Novell ZfD Remote Management: C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe (autostart)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
SafeBoot Configuration Manager: C:\Program Files\SafeBoot\SBMGRNT.EXE (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SbcpHid: \??\C:\WINNT\System32\Drivers\SbcpHid.sys (system)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ScriptLogic service: SLClient.exe (autostart)
Intel(R) SMBus 2.0 Driver: System32\DRIVERS\smb.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINNT\System32\dllhost.exe /Processid:{06BEA234-9FA7-4D9B-B821-AF1C242995ED} (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINNT\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINNT\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Intel(R) PRO/Wireless 7100 Adapter Driver: System32\DRIVERS\w70n51.sys (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINNT\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Novell XTier Authentication Service: \SystemRoot\System32\drivers\novell\xauthnt.sys (manual start)
Workstation Manager: C:\Program Files\Novell\ZENworks\wm.exe (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 35,064 bytes
Report generated in 0.100 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

-----------------------------------------------------------------------------------------------------------------------------------------
Process Explorer log when the problem happened...

Process      PID      CPU      Description      Company Name
System Idle Process      0                  
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a            Deferred Procedure Calls      
 System      4      1            
  smss.exe      580            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      644      1      Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      668            Windows NT Logon Application      Microsoft Corporation
    services.exe      712      2      Services and Controller app      Microsoft Corporation
     ibmpmsvc.exe      904                  
     svchost.exe      940      94      Generic Host Process for Win32 Services      Microsoft Corporation
      hpgs2wnf.exe      3600            hpgs2wnf Module      
     svchost.exe      1168            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1180            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      1392            Spooler SubSystem App      Microsoft Corporation
     cusrvc.exe      1664            Novell Client Update Service      Novell, Inc.
     DcPSI.exe      1680                  
     DKService.exe      1696            DKSERVICE.EXE      Executive Software International, Inc.
     mdm.exe      1728            Machine Debug Manager      Microsoft Corporation
     NALNTSRV.EXE      1752            NT Service for Novell Application Launcher (ZENLITE)      Novell, Inc.
     Rtvscan.exe      1856            Symantec AntiVirus      Symantec Corporation
     PCAHelper.exe      1900            PCAHelper Module      SYMON Communications, Inc.
     WolSerNT.exe      1924            Novell ZFD Wake on Lan Status Agent      Novell Inc.
     ZenRem32.exe      1944            Novell ZEN Remote Management Agent      Novell Inc.
     locator.exe      2044            Rpc Locator      Microsoft Corporation
     sbmgrnt.exe      132            SafeBoot Configuration Manager for NT      Control Break International
     SLClient.exe      184            SLServer      ScriptLogic Corporation
     svchost.exe      244            Generic Host Process for Win32 Services      Microsoft Corporation
     vsmon.exe      280            TrueVector Service      Zone Labs Inc.
     winvnc.exe      416            VNC server for Win32      RealVNC Ltd.
     WM.EXE      448            ZEN for Desktops Workstation Manager      Novell, INC.
      WMRUNDLL.EXE      1060            ZEN for Desktops Helper DLL Processor      Novell, INC.
     svchost.exe      1076            Generic Host Process for Win32 Services      Microsoft Corporation
     dllhost.exe      2844            COM Surrogate      Microsoft Corporation
     msiexec.exe      436            Windows® installer      Microsoft Corporation
    lsass.exe      724            LSA Shell (Export Version)      Microsoft Corporation
explorer.exe      2336            Windows Explorer      Microsoft Corporation
 tp4mon.exe      2500            IBM PS/2 TrackPoint Application      IBM Corporation
 DcDaemon.exe      2528            DAZEL Delivery Agent      Hewlett-Packard Company
 wKiX32.exe      2360            KiXtart main executable      Ruud van Velsen (Microsoft)
  OdPlayer.exe      2156            OnDemand Player      Global Knowledge, Inc.
 VPTray.exe      2688            Symantec AntiVirus      Symantec Corporation
 TPHKMGR.exe      2780                  
  TPONSCR.exe      2848                  
 nwtray.exe      3112            Novell System Tray Icon      Novell, Inc.
 hpgs2wnd.exe      3192            hpgs2wnd      Hewlett-Packard
 ctfmon.exe      3200            CTF Loader      Microsoft Corporation
 NALDESK.EXE      3664            ZENworks Application Explorer Executable      Novell, Inc
 HOTSYNC.EXE      240            HotSync® Manager Application      Palm, Inc.
 procexp.exe      1976      2      Sysinternals Process Explorer      Sysinternals
 MPSRPT_SETUPPerf.EXE      3228            MPS Reporting Tool for Setup and Performance Support      Microsoft Corporation
  cmd.exe      2452            Windows Command Processor      Microsoft Corporation
   msinfo32.exe      784            System Information      Microsoft Corporation
 cmd.exe      2140            Windows Command Processor      Microsoft Corporation
  cscript.exe      2696            Microsoft (r) Console Based Script Host      Microsoft Corporation
   cmd.exe      3000            Windows Command Processor      Microsoft Corporation
    tlist.exe      2912            Microsoft® Process List Utility      Microsoft Corporation
 autokr.exe      4088            Auto Kernrate Tool      
  cmd.exe      232            Windows Command Processor      Microsoft Corporation
   CheckSym.exe      1296            Symbol Collection and Verification Process      Microsoft Corporation
wuauclt.exe      2852            Windows Update AutoUpdate Client      Microsoft Corporation

Process: svchost.exe Pid: 940

Type      Name
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 980
Thread      svchost.exe(940): 976
Thread      svchost.exe(940): 976
Thread      svchost.exe(940): 948
Thread      svchost.exe(940): 948
Thread      svchost.exe(940): 944
Thread      svchost.exe(940): 3616
Thread      svchost.exe(940): 3492
Thread      svchost.exe(940): 3476
Thread      svchost.exe(940): 2896
Thread      svchost.exe(940): 2804
Thread      svchost.exe(940): 2748
Thread      svchost.exe(940): 2644
Thread      svchost.exe(940): 2404
Thread      svchost.exe(940): 228
Thread      svchost.exe(940): 2200
Thread      svchost.exe(940): 1484
Thread      svchost.exe(940): 1376
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\LOCAL SERVICE
Process      hpgs2wnf.exe(3600)
Key      HKU
Key      HKU
Key      HKU
Key      HKU
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key      HKLM\SOFTWARE\Microsoft\Ole
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM
Key      HKCU\Software\Classes
Key      HKCR\CLSID
Key      HKCR\CLSID
Key      HKCR\CLSID
Key      HKCR\AppID
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
Token      CA\cdagenai
File      C:\WINNT\system32
WindowStation      \Windows\WindowStations\Service-0x0-3e7$
WindowStation      \Windows\WindowStations\Service-0x0-3e7$
Directory      \Windows
Port      \RPC Control\epmapper
Directory      \KnownDlls
KeyedEvent      \KernelObjects\CritSecOutOfMemoryEvent
File      \Dfs
File      \Device\Udp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\Tcp
File      \Device\NwlnkSpx\Stream
File      \Device\NamedPipe\Winsock2\CatalogChangeListener-3ac-0
File      \Device\NamedPipe\svcctl
File      \Device\NamedPipe\net\NtControlPipe3
File      \Device\NamedPipe\epmapper
File      \Device\NamedPipe\epmapper
File      \Device\KsecDD
File      \Device\Ip
File      \Device\Ip
File      \Device\Ip
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
Desktop      \Default
Event      \BaseNamedObjects\userenv:  User Profile setup event
Section      \BaseNamedObjects\ShimSharedMemory
Mutant      \BaseNamedObjects\ShimCacheMutex
Event      \BaseNamedObjects\ScmCreatedEvent
Section      \BaseNamedObjects\RotHintTable
Mutant      \BaseNamedObjects\{02D4B3F1-FD88-11D1-960D-00805FC
Section      \BaseNamedObjects\__R_000000000007_SMem__
Directory      \BaseNamedObjects


Thank you in advance... Any advice will be appreciated.

Cyber-Dude

Locate and delete (in safe mode) the "winhelp.hlp" file and reboot.

Cyber
"The moment this event happens, the desktop taskbar freezes completely"

When does this happen, the second the computer is started up, or after it has run a while?  Also, does the same thing happen in safe mode?  How do you know that you can not start any more apps on the desktop computers?

kyledude
I'm not familiar with this one:
C:\WINNT\system32\DcPSI.exe

is that part of DAZEL?  what is DAZEL anyway?

You are totally focused on service host -- and all that is, is a major Windows task director that executes tasks that other modules call on service host to do the work -- like kernel32, it is the central workhorse that runs processes.

If you forget ALL the logs, realize that service host is nothing more than a butler that serves up stuff for other people -- and if you rephrase your question about what is really going on when the system freezes, we may be able to help you.  At present, I see no way of helping you, without a clearer explanation of exactly what is happening.
itcantam (ASKER)

Thanks for the feedback guys... To answer some of your questions...
-It happens randomly on any PC... laptop/desktop... while users are working, could be at any time... 5 min after logging on to the domain or 6 hours after... No app could be pinpointed at this moment....
-Dazel is our IP printer service...
-It's RPCss that runs under svchost.exe that looks to crash... regardless of the logs...
-Why delete winhelp.hlp btw... ??? just curious...

To give you more info...
This bug could appear 6 times on the same PC in a day, and the same PC won't have any problems for the next week, then could crash again...

If you have any clear/specific questions... feel free.
I once encountered the same malfunction... The same symptoms. I renamed winhelp.hlp to *.old and restarted the OS, causing it to restore the file from the system backup. I guess it is something to do with a link made by the SVCHOST process and winhelp.hlp.

So, just try to rename it in safe mode and restart your computer... If it won't help... it won't do any harm


Good luck

Cyber
Hey look at this -- a couple of these boards at super low prices.  They may climb as they come to a close, but now --

http://search.ebay.com/ASUS-P4T-E_Desktop-PC-Components_W0QQbsZSearchQQcatrefZC6QQfromZR2QQsacategoryZ3667QQsatitle
ZASUSQ20P4TQ2dEQQsbrftogZ1QQsocolumnlayoutZ3QQsofocusZbsQQsorecordsperpageZ50QQsosortorderZ1QQsosortpropertyZ1

Piece that back into a single line, and it will give you a link to the same MBs, below $50.
Oops, sorry, posted to the wrong thread; this is a problem with the current questioner name being unreadable.
Just ignore post above, please.
Sorry for the above mess, itcantam, EE has been changing the headers on these questions, and it is very hard right now to keep track of things.

I have a suggestion you could try -- and it might take a day or two to test it out, but it might be the only way you will narrow this bug --

1.  When this happens, do control-alt-delete and go to the processes tab of task manager.  There will normally be 2 service host instances for the system, one for the network, and one for local service, about halfway down.  There may be one or two higher up.  If there are any right at the top, close windows by right clicking on each in the task bar -- see which processes go away that you can't identify by windows on the task bar.  That will tell you which app is spawning the process.

2.  You should also check the server this way too, without closing the processes.

3.  Kill the Dazel print service on the printer (with queues) long enough to determine if that is/is not the problem.

4.  Cyber's fix looks interesting -- he always comes up with original ideas -- try it !!
I will try to delete the hlp asap to see if it could fix this problem...

The thing is, once the "bug" happens... We can't do anything but alt-tab... Not even open Task Manager...
We do have now some desktops set up with (FileMon, RegMon, Task Manager, Process Explorer and a command prompt) open, and ask the users to work with these open... and I just wish that it will happen again on those ;)

I already tried to kill all tasks one by one... The only one that brought me back my taskbar was killing the svchost.exe hosting rpcss, but I had to kill it 5 times before that happened... And I still wait for another PC to crash to do it again, to see if I kill only this one whether it will have the same effect...

I will come back with news by tomorrow once I've tried all this.
Thanks again.
ASKER CERTIFIED SOLUTION
Cyber-Dude

This solution is only available to members.
<< We can't do anything but alt-tab... Not even open Task Manager...>>

ALMOST CERTAINLY A VIRUS OR WORM !!  

DO EXTENSIVE VIRUS SCANS -- www.trendmicro.com -- online scanner.

Once cleaned, if this persists, reinstall is needed.
We did try Trend Micro, Stinger from McAfee... No virus found...

If we kill one of the svchost.exe processes, everything comes back to normal... But I know it's not RPCss, nor the DNS one... Have to focus on the 2 others to see which one, after we kill it, gives us back control. I'll let you know.
Hmmm....
Found something. I didn't try it myself but it sounds promising...
http://www.stiller.com

Tell me if you wish to implement it on your computer and how it worked...

Cyber
Itcantam -- If it is the network process you have to kill, that might mean you are being probed.  Have you gone to your firewall and made sure it is tight?

Go to www.grc.com -- wade through some pages looking for "probe my ports" -- Gibson's site is a great way to test your firewall -- as long as everything comes up stealth, you are safe -- and yes, you can test it from a WS, as all it probes is the WAN IP -- main firewall.
Oki... I did try the renaming of winhlp32.hlp...

I know now for sure...
That if I kill the svchost.exe that hosts (Audiosrv, dhcp, messenger, browser, help + support...), I gain back control over the PC, the Start menu works... the only thing is that prcss is now taking 100% of the CPU... ;)

We did run every anti-virus possible without success... looks like we created our own one :( hehe
All this happened when we began to phase out our Novell environment (IPX) to go full IP.

Thanks
<< All this happened when we began to phase out our Novell environment (IPX) to go full IP >>

Wish you had said that a long while ago.  Is the novell now gone, or still on line?

<< the only thing is that prcss is now taking 100% of the CPU >>

Which process?
Are you using GroupWise?

Cyber
Hi,

try the following: update all critical patches using Windows Update

I am almost sure it's a virus attack,
the virus is not infecting you, but doing something like a DDoS,
that's why the CPU is ~95-100%

Also check your local network for viruses
Hey guys... guess what???

Still has to be tested, but our "virus" came from this article... ;)

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10092225.htm

Have a look, we did upgrade/remove some of our Zen Agents to see if the problem will appear again... But I really doubt it.
Woup woup woup... Novell again!!! Just bad luck after bad luck with this F***** agent... We still wait for the "Midas" version of it...

Have a nice week-end and thx to all for the help on this issue... We will have to wait a week or so to see if the symptoms are really dead... I will keep you posted.
It's probably a courtesy to all the people who put in time to assign points now to the most accurate answer that led to finding the fix, or else SPLIT points among the answers you feel helped the most get you there.  If the problem continues, you can always ask another Q later.  They become old after 2-5 days  :)))

We're all glad you found it!!
Hi,

Try using the tasklist command to view what service inside the svchost may be causing the crash.  I managed to resolve this on a few machines by disabling ctfmon.exe (there is a worm that kills ctfmon and takes its identity), however I don't know if this is relevant or not in your case.

In command prompt type:

tasklist /svc

You will then be able to see inside so to speak and something may stand out.
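Both the Task Manager walk-through earlier in the thread and the tasklist /svc tip above come down to the same need: tying a particular svchost.exe instance (PID 940 in the Process Explorer log) to the services it hosts and to the threads that are actually burning the CPU. The following is an added example, not code from the original thread or from any of the posters, written for a current Windows host with PowerShell 3.0 or later (on an XP-era machine like the one in the question, tasklist /svc is the equivalent for the service mapping). It uses only built-in cmdlets and the documented HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry key; the function name Get-SvchostMap is my own. It adds two checks worth making whenever svchost.exe is pegged: that the image really is %SystemRoot%\System32\svchost.exe and not a look-alike elsewhere, and that every service inside the process is one the registry lists for the "-k" group the process was started with.

```powershell
# Added example (not from the original thread). Maps each svchost.exe instance to its -k
# service group, the services it hosts, its CPU time and its three busiest threads, and flags
# an unexpected image path or a service that is not a declared member of the group.
# Run from an elevated prompt so thread details of SYSTEM-owned processes are readable.

function Get-SvchostMap {
    $expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # One REG_MULTI_SZ value per group (netsvcs, LocalService, ...) listing its member services.
    $groupDefs = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $services  = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
        $group  = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    Select-Object -ExpandProperty Name)

        # Services in this process that the group definition does not list. Per-user services
        # carry an instance suffix (Name_xxxxx) and will show up here; treat those as a caveat.
        $allowed    = @($groupDefs.$group)
        $unexpected = @($hosted | Where-Object { $allowed -notcontains $_ })

        $proc       = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $topThreads = @()
        if ($proc) {
            # .NET ProcessThread objects: per-thread CPU time and start address, the same
            # data Process Explorer shows on its Threads tab (without symbol names).
            $topThreads = $proc.Threads | ForEach-Object {
                try {
                    [pscustomobject]@{
                        Id    = $_.Id
                        Sec   = $_.TotalProcessorTime.TotalSeconds
                        Start = $_.StartAddress.ToInt64()
                    }
                } catch { }   # thread exited between enumeration and the property read
            } | Sort-Object Sec -Descending | Select-Object -First 3 |
                ForEach-Object { '{0} ({1:N1}s, start 0x{2:X})' -f $_.Id, $_.Sec, $_.Start }
        }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Group      = $group
            ImageOK    = ($p.ExecutablePath -eq $expectedImage)
            CPUsec     = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
            Threads    = if ($proc) { $proc.Threads.Count } else { $null }
            Services   = ($hosted -join ', ')
            Unexpected = ($unexpected -join ', ')
            TopThreads = ($topThreads -join '; ')
        }
    }
}

# Busiest instance first; Format-List keeps the long Services column readable.
Get-SvchostMap | Sort-Object CPUsec -Descending | Format-List
```

Run it while the CPU is pegged, then again a minute later: the instance whose CPUsec keeps climbing and whose TopThreads entries share a start address is the one to stop, and the Services column tells you which service to disable or update rather than killing the whole host. An ImageOK of False, or anything in Unexpected, is the point at which the problem stops being a performance question and becomes an incident.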
Uninstall the Indexing service and reinstall. It is in Add/Remove Programs. If that doesn't work (it should) then follow the next step. If this is a Sony laptop, reply back to me because I will give you a link to the fix for it. It is a known issue with the Sony laptop with the CPU running at 100% because of svchost.exe. They put out a fix for it.
If you installed any applications recently, more than likely that will be the cause, even updates. I remember that after installing a service pack, svchost was running like a killer... 97% CPU time, etc. Eventually I ended up uninstalling the apps and the service pack. Then my system was working like a charm. I realised that you're running an OS like Windows NT or Windows 2000 due to the %winnt% mentioned. I would suggest that you check to see if the apps are compatible with the OS, and also check services to see if there are any unnecessary services starting up.