ianinspain
asked on
svchost.exe High CPU - Logs included...
Hi there,
I have a problem with high CPU use by svchost.exe. I have searched other people's messages here but couldn't find a solution. I wonder if anybody can help?
I use Ad-Aware SE Professional, which is updated with the latest signatures, and I also use Norton Internet Security 2005 (comes with Norton AntiVirus), which has the latest signatures too. I have done a scan but nothing has been found. I am bug free and ad free...
I notice a lot of people have posted their HijackThis.txt logs and a log from Process Explorer (Sysinternals). I too have included these at the end of the document.
I hope somebody can help, as I have done a reinstall lately and it was such a big job. What I can say is that if I force the svchost.exe (which takes around 96% of the CPU) to close down, it's fine and doesn't seem to cause me problems.
I looked at the properties of the svchost.exe that is causing the problem and I see this line: C:\WINDOWS\System32\svchost.exe -k netsvcs
I also looked at what services were attached to this svchost and I get the following list:
AudioSrv
Browser
CryptSvc
Dhcp
dmserver
ErSvc
EventSystem
Helpsvc
lanmanserver
lanmanworkstation
Netman
Nla
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
srservice
Tapisrv
Themes
TrkWks
w32Time
winmgmt
wuauserv
WZCSVC
I did try to close most of them down using the Services applet... most did close down, some I wasn't able to. But it didn't fix the problem.
Here come my logs. Any help would be really appreciated.
HIJACKTHIS.TXT
Logfile of HijackThis v1.97.7
Scan saved at 02:01:19, on 06/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webshots\webshots.sc r
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Bradbury\TopStyle3\TopStyle3.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software Library\Applications\Sys Internals\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Mobile Phone Suite] C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm &2 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\Software\..\Telephony: DomainName = cuttingedgedesigns.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
And here is the log from Sysinternals Process Explorer:
Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 696 Windows NT Session Manager Microsoft Corporation
csrss.exe 748 Client Server Runtime Process Microsoft Corporation
winlogon.exe 772 Windows NT Logon Application Microsoft Corporation
services.exe 816 Services and Controller app Microsoft Corporation
svchost.exe 980 Generic Host Process for Win32 Services Microsoft Corporation
BTStackServer.exe 3956 Bluetooth Stack COM Server WIDCOMM, Inc.
msmsgs.exe 3908 Windows Messenger Microsoft Corporation
WINWORD.EXE 3652 Microsoft Office Word Microsoft Corporation
OPScan.exe 2116 Client and Host Security Platform Out of Process Scan Server Symantec Corporation
svchost.exe 1040 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1104 83 Generic Host Process for Win32 Services Microsoft Corporation
incdsrv.exe 1124 incdsrv Ahead Software AG
svchost.exe 1264 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1328 Generic Host Process for Win32 Services Microsoft Corporation
ccProxy.exe 1404 Symantec Network Proxy Service Symantec Corporation
ccSetMgr.exe 1420 Symantec Settings Manager Service Symantec Corporation
ISSVC.exe 1432 IS Service Symantec Corporation
SNDSrvc.exe 1444 Network Driver Service Symantec Corporation
SPBBCSvc.exe 1460 SPBBC Service Symantec Corporation
ccEvtMgr.exe 1524 Symantec Event Manager Service Symantec Corporation
spoolsv.exe 1820 Spooler SubSystem App Microsoft Corporation
mainserv.exe 348 Battery backup management service American Power Conversion Corporation
btwdins.exe 368 Bluetooth Support Server WIDCOMM, Inc.
mdm.exe 428 Machine Debug Manager Microsoft Corporation
navapsvc.exe 308 Norton AntiVirus Auto-Protect Service Symantec Corporation
nvsvc32.exe 516 NVIDIA Driver Helper Service, Version 61.77 NVIDIA Corporation
SMAgent.exe 2060 SoundMAX service agent component Analog Devices, Inc.
symlcsvc.exe 2128 Symantec Core Component Symantec Corporation
Tablet.exe 2200 WacomService Wacom Technology, Corp.
wdfmgr.exe 2288 Windows User Mode Driver Manager Microsoft Corporation
fxssvc.exe 2428 Fax Service Microsoft Corporation
symwsc.exe 2524 Norton Security Center Service Symantec Corporation
alg.exe 3640 Application Layer Gateway Service Microsoft Corporation
lsass.exe 828 LSA Shell (Export Version) Microsoft Corporation
taskmgr.exe 2896 1 Windows TaskManager Microsoft Corporation
explorer.exe 172 Windows Explorer Microsoft Corporation
SMTray.exe 628 SoundMAX System Tray Analog Devices, Inc.
AsusProb.exe 636
hpwuSchd.exe 644 hpwuSchd Hewlett-Packard
hpcmpmgr.exe 660 HP Framework Component Manager Service Hewlett-Packard Company
hpztsb09.exe 668 HP
MobilePhoneSuite.exe 684
InCD.exe 740 InCD Ahead Software AG
jusched.exe 792
rundll32.exe 120 Run a DLL as an App Microsoft Corporation
Ad-Watch.exe 1084 4 Ad-Watch System Protector Lavasoft Sweden
ccApp.exe 1168 Symantec User Session Symantec Corporation
msnmsgr.exe 1232 MSN Messenger Microsoft Corporation
backWeb-8876480.exe 1248
ctfmon.exe 1292 CTF Loader Microsoft Corporation
RoboTaskBarIcon.exe 1344 RoboForm TaskBar Icon Siber Systems
acrotray.exe 1528 AcroTray Adobe Systems Inc.
BTTray.exe 2192 Bluetooth Tray Application WIDCOMM, Inc.
KEM.exe 2324 Logitech SetPoint Logitech Inc.
KHALMNPR.exe 2348 Logitech Hardware Abstraction Layer Logitech Inc.
TabUserW.exe 2368 TABUSERW Wacom Technology, Corp.
OUTLOOK.EXE 3740 Microsoft Office Outlook Microsoft Corporation
iexplore.exe 820 Internet Explorer Microsoft Corporation
iexplore.exe 1776 1 Internet Explorer Microsoft Corporation
devenv.exe 360 1 Microsoft Visual Studio .NET 2003 Microsoft Corporation
Dreamweaver.exe 1504 Dreamweaver MX 2004 Macromedia, Inc.
~e5d141.tmp 196 Cleanup Macrovision Europe Ltd.
~e5d141.tmp 3648 Cleanup Macrovision Europe Ltd.
iexplore.exe 356 Internet Explorer Microsoft Corporation
iexplore.exe 2328 Internet Explorer Microsoft Corporation
iexplore.exe 2180 Internet Explorer Microsoft Corporation
iexplore.exe 500 Internet Explorer Microsoft Corporation
HijackThis.exe 3972 HijackThis Soeperman Enterprises Ltd.
notepad.exe 2744 Notepad Microsoft Corporation
POWERARC.EXE 1952 PowerArchiver 2004 ConeXware, Inc.
procexp.exe 580 9 Sysinternals Process Explorer Sysinternals
webshots.scr 2584 Webshots Photo Manager Webshots.com
apcsystray.exe 3720 PowerChute system tray power icon American Power Conversion Corporation
TopStyle3.exe 2572 TopStyle Bradbury Software, LLC
Process: svchost.exe Pid: 1104
Type Name
Desktop \Default
Desktop \SADesktop
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\WBEM_ESS _OPEN_FOR_ BUSINESS
Event \BaseNamedObjects\WINMGMT_ PROVIDER_C ANSHUTDOWN
Event \BaseNamedObjects\WBEM_ESS _OPEN_FOR_ BUSINESS
Event \BaseNamedObjects\WBEM_ESS _OPEN_FOR_ BUSINESS
Event \BaseNamedObjects\IPNAT
Event \BaseNamedObjects\EVENT_RE ADYROOT/CI MV2SCM EVENT PROVIDER
Event \BaseNamedObjects\EVENT_RE ADYROOT/CI MV2PROVIDE RSUBSYSTEM
Event \BaseNamedObjects\EVENT_RE ADYROOT/CI MV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
Event \BaseNamedObjects\DHCPNEWI PADDRESS
Event \BaseNamedObjects\crypt32L ogoffEvent
Event \BaseNamedObjects\WIRELESS _POLICY_CH ANGE_EVENT
Event \BaseNamedObjects\{3086A6D 3-F5FD-4EC F-9DBE-0BC F65845D52} ShellHWDet ection
Event \BaseNamedObjects\{3086A6D 3-F5FD-4EC F-9DBE-0BC F65845D52} ShellHWDet ection
Event \BaseNamedObjects\DINPUTWI NMM
Event \BaseNamedObjects\Prefetch OverrideId le
Event \BaseNamedObjects\Prefetch Processing Complete
Event \BaseNamedObjects\Prefetch TracesRead y
Event \BaseNamedObjects\Prefetch Parameters Changed
Event \BaseNamedObjects\SAConEvt
Event \BaseNamedObjects\WkssvcTo AgentStart Event
Event \BaseNamedObjects\WkssvcTo AgentStopE vent
Event \BaseNamedObjects\AgentToW kssvcEvent
Event \BaseNamedObjects\wkssvc: MUP finished initializing event
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\ReSyncKe rnel
Event \BaseNamedObjects\WinSta0_ DesktopSwi tch
Event \Device\DmControl\VxKernel 2VoldEvent
Event \LanmanServerAnnounceEvent
Event \BaseNamedObjects\SENS Started Event
Event \BaseNamedObjects\SRCounte r
Event \BaseNamedObjects\SRStopEv ent
Event \BaseNamedObjects\SRInitEv ent
Event \BaseNamedObjects\SRIdleRe qEvent
Event \BaseNamedObjects\SC_AutoS tartComple te
Event \Security\TRKWKS_EVENT
Event \BaseNamedObjects\W32TIME_ NAMED_EVEN T_SYSTIME_ NOT_CORREC T
Event \BaseNamedObjects\WINMGMT_ COREDLL_CA NSHUTDOWN
Event \BaseNamedObjects\WINMGMT_ PROVIDER_C ANSHUTDOWN
Event \BaseNamedObjects\WMI_SysE vent_LodCt r
Event \BaseNamedObjects\WMI_SysE vent_UnLod Ctr
Event \BaseNamedObjects\WMI_RevA dap_Set
Event \BaseNamedObjects\WMI_RevA dap_ACK
Event \BaseNamedObjects\WMI_Proc essIdleTas ksStart
Event \BaseNamedObjects\WMI_Proc essIdleTas ksComplete
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: User Group Policy has been applied
File C:\WINDOWS\system32\wbem\R epository\ FS\MAPPING 1.MAP
File C:\WINDOWS\system32\wbem\R epository\ FS\MAPPING 2.MAP
File C:\WINDOWS\system32\wbem\R epository\ FS\MAPPING .VER
File C:\WINDOWS\system32\wbem\R epository\ FS\INDEX.M AP
File C:\WINDOWS\system32\wbem\R epository\ FS\OBJECTS .MAP
File C:\WINDOWS\system32\wbem\R epository\ FS\INDEX.B TR
File \Device\Tcp
File \Device\LanmanRedirector\S ERVER1\INC OMING
File C:\WINDOWS\ModemLog_Creati ve Modem Blaster V.92 DE5721.txt
File \Device\NamedPipe\wkssvc
File \Device\Afd\Endpoint
File \Device\NamedPipe\srvsvc
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\IPNAT
File D:
File \Device\IPNAT
File \Device\Ip
File \Device\NamedPipe\Winsock2 \CatalogCh angeListen er-450-0
File \Device\Tcp
File \Device\Tcp
File C:\WINDOWS\SoftwareDistrib ution\Even tCache\{36 0883C7-CBA 9-4D69-8C9 3-36842753 4F4A}.bin
File \Device\Ip
File \Device\NamedPipe\Winsock2 \CatalogCh angeListen er-450-1
File \Device\Ip
File \Device\NamedPipe\browser
File \Device\NamedPipe\browser
File \Device\NamedPipe\PIPE_EVE NTROOT\CIM V2SCM EVENT PROVIDER
File \Device\NamedPipe\PIPE_EVE NTROOT\CIM V2SCM EVENT PROVIDER
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File C:\WINDOWS\system32\config \systempro file\Appli cation Data\Microsoft\SystemCerti ficates\My
File \Device\Afd\AsyncConnectHl p
File C:\WINDOWS\system32
File \Device\NamedPipe\NETLOGON
File \Device\NamedPipe\lsarpc
File \Device\Ip
File \Device\WMIDataDevice
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\Tcp
File \Device\Ndisuio
File \Device\WMIDataDevice
File C:\WINDOWS\SchedLgU.Txt
File \Device\NamedPipe\atsvc
File \Device\NamedPipe\atsvc
File \Device\KsecDD
File C:\WINDOWS\Tasks
File C:\WINDOWS\SoftwareDistrib ution\Even tCache\{1E 3122C2-0BE 7-4021-BCA 1-7F8D7C74 813A}.bin
File \Device\LanmanRedirector
File \Device\LanmanDatagramRece iver
File \Device\NamedPipe\wkssvc
File C:\System Volume Information\tracking.log
File \Device\NamedPipe\keysvc
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\NamedPipe\keysvc
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\NamedPipe\srvsvc
File \Device\NamedPipe\PCHHangR epExecPipe
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\NamedPipe\PCHFault RepExecPip e
File C:\WINDOWS\PCHealth\HelpCt r\BATCH
File \Device\LanmanServer
File \Device\NamedPipe\srvsvc
File \Device\00000077
File \Device\0000008d
File \Device\IPNAT
File C:\$Extend\$ObjId
File C:
File \Device\NamedPipe\wkssvc
File \FileSystem\Filters\System Restore
File D:\System Volume Information\tracking.log
File \Device\NamedPipe\trkwks
File \Device\NamedPipe\trkwks
File D:\$Extend\$ObjId
File C:\WINDOWS\system32\wbem\m of
File \Device\LanmanDatagramRece iver
File \Device\NamedPipe\W32TIME
File \Device\NamedPipe\W32TIME
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File \Device\Udp
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File \Device\Afd\Endpoint
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File C:\WINDOWS\WindowsUpdate.l og
File \Device\NamedPipe\net\NtCo ntrolPipe4
File \Device\Udp
File \Device\Afd\Endpoint
File \Device\Afd\Endpoint
File \Device\NamedPipe\EVENTLOG
File \Device\IPNAT
File C:\WINDOWS\SoftwareDistrib ution\Repo rtingEvent s.log
File \Device\Afd\Endpoint
File C:\WINDOWS\WinSxS\x86_Micr osoft.Wind ows.Common -Controls_ 6595b64144 ccf1df_6.0 .2600.2180 _x-ww_a84f 1ff9
File \Device\NdisTapi
File \Device\NdisTapi
File \Device\NDProxy
File \Device\NDProxy
File C:\WINDOWS\system32\h323lo g.txt
File C:\WINDOWS\system32\wbem\R epository\ FS\OBJECTS .DATA
Job \BaseNamedObjects\WmiProvi derSubSyst emHostJob
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Wi ndows NT\CurrentVersion\Network\ Location Awareness
Key HKCR
Key HKCR
Key HKCR
Key HKU\.DEFAULT\Software\Micr osoft\Wind ows NT\CurrentVersion\Network\ Location Awareness
Key HKCR
Key HKCR
Key HKCR
Key HKU\.DEFAULT\Software\Poli cies\Micro soft\Syste mCertifica tes
Key HKLM\SYSTEM\ControlSet001\ Control\Ne twork\Conn ections
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Tr acing\NETM AN
Key HKCR
Key HKCR
Key HKCR
Key HKU\.DEFAULT\Software\Micr osoft\Wind ows NT\CurrentVersion\Network\ Location Awareness
Key HKCR
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Services\S haredAcces s\Epoch
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Tr acing\RASD LG
Key HKLM\SOFTWARE\Microsoft\Sy stemCertif icates\Dis allowed
Key HKCR
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Control\Ne twork\{4D3 6E972-E325 -11CE-BFC1 -08002BE10 318}\{03CE 0ACF-DE37- 41EC-AA88- A3ABCF5782 61}\Connec tion
Key HKLM\SYSTEM\ControlSet001\ Control\Ne tworkProvi der\HwOrde r
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\En terpriseCe rtificates \CA
Key HKLM\SYSTEM\ControlSet001\ Services\B rowser\Par ameters
Key HKU\.DEFAULT\Software\Micr osoft\Syst emCertific ates\trust
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Sy stemCertif icates\CA
Key HKU\.DEFAULT
Key HKU\.DEFAULT\Software\Micr osoft\Syst emCertific ates\Disal lowed
Key HKU\.DEFAULT\Software\Micr osoft\Syst emCertific ates\My
Key HKLM\SOFTWARE\Microsoft\En terpriseCe rtificates \Trust
Key HKLM\SYSTEM\ControlSet001\ Services\T cpip\Linka ge
Key HKLM\SYSTEM\ControlSet001\ Services\T cpip\Param eters
Key HKLM\SOFTWARE\Microsoft\Sy stemCertif icates\tru st
Key HKU\.DEFAULT
Key HKLM\SYSTEM\ControlSet001\ Services\N etBT\Param eters\Inte rfaces
Key HKLM\SYSTEM\ControlSet001\ Services\N etBT\Param eters
Key HKCR
Key HKCR
Key HKCR
Key HKU\.DEFAULT
Key HKU\.DEFAULT\Software\Poli cies\Micro soft\Syste mCertifica tes
Key HKU\.DEFAULT\Software\Poli cies\Micro soft\Syste mCertifica tes
Key HKLM\SYSTEM\ControlSet001\ Services\W inSock2\Pa rameters\P rotocol_Ca talog9
Key HKCR
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Services\W inSock2\Pa rameters\N ameSpace_C atalog5
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Services\D hcp\Parame ters
Key HKLM\SYSTEM\ControlSet001\ Services\T cpip\Param eters
Key HKLM\SYSTEM\ControlSet001\ Services\D hcp\Parame ters\Optio ns
Key HKLM\SYSTEM\ControlSet001\ Services
Key HKLM\SYSTEM\ControlSet001\ Services\T cpip\Param eters\DNSR egisteredA dapters
Key HKLM
Key HKLM\SYSTEM\ControlSet001\ Services\T cpip\Param eters\Inte rfaces\{03 CE0ACF-DE3 7-41EC-AA8 8-A3ABCF57 8261}
Key HKLM\SOFTWARE\Microsoft\Tr acing\WZCT race
Key HKLM\SOFTWARE\Microsoft\Tr acing\EAPO L
Key HKU\.DEFAULT
Key HKU\.DEFAULT\Software\Micr osoft\Wind ows\Curren tVersion\I nternet Settings
Key HKLM\SOFTWARE\Microsoft\Tr acing\RAST LS
Key HKLM\SOFTWARE\Microsoft\Tr acing\RASC HAP
Key HKLM\SOFTWARE\Microsoft\Tr acing\Wlpo licy
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKU
Key HKCR
Key HKU
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKU
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKCR\CLSID
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Control\Cl ass\{4D36E 96D-E325-1 1CE-BFC1-0 8002BE1031 8}\0000
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Wi ndows NT\CurrentVersion\Drivers3 2
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Wi ndows NT\CurrentVersion\Prefetch er
Key HKLM\SOFTWARE\Microsoft\Sy stemCertif icates\ROO T
Key HKU\.DEFAULT\Software\Micr osoft\Syst emCertific ates\CA
Key HKLM\SOFTWARE\Microsoft\En terpriseCe rtificates \Root
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Wi ndows NT\CurrentVersion\Drivers3 2
Key HKU
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Services\l anmanworks tation\par ameters
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Control\Te rminal Server
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Policies
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Ev entSystem\ {26c409cc- ae86-11d1- b616-00805 fc79216}
Key HKLM\SOFTWARE\Microsoft\Ev entSystem\ {26c409cc- ae86-11d1- b616-00805 fc79216}\S ubscriptio ns
Key HKCR
Key HKLM\SYSTEM\ControlSet001\ Services\S haredAcces s\Epoch
Key HKLM\SYSTEM\ControlSet001\ Services\l anmanserve r\paramete rs
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Ev entSystem\ {26c409cc- ae86-11d1- b616-00805 fc79216}\E ventClasse s
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SYSTEM\Setup
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\CO M3
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\En terpriseCe rtificates \Disallowe d
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Tr acing\tapi srv
Key HKLM\SOFTWARE\Microsoft\Sy stemCertif icates\Aut hRoot
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Tr acing\IPNA THLP
Key HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date\Repor ting
Key HKLM\SYSTEM\ControlSet001\ Control\Ls a\Audit
Key HKLM\SYSTEM\ControlSet001\ Services\S haredAcces s\Epoch
Key HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date\Repor ting\Event Cache\Sus
Key HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \WindowsUp date\Repor ting\Event Cache\WU
Key HKLM\SYSTEM\ControlSet001\ Services\S haredAcces s\Paramete rs\Firewal lPolicy
Key HKLM\SYSTEM\ControlSet001\ Services\S haredAcces s\Paramete rs
Key HKCR
Key HKCR
Key HKCR
Key HKLM\SOFTWARE\Policies\Mic rosoft\Sys temCertifi cates
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Tr acing\KMDD SP
Key HKLM\SOFTWARE\Microsoft\Tr acing\NDPT SP
Key HKLM\SOFTWARE\Microsoft\Tr acing\conf tsp
Key HKLM\SOFTWARE\Microsoft\Wi ndows\Curr entVersion \H323TSP
Key HKCR
Key HKU\.DEFAULT\Software\Micr osoft\Syst emCertific ates\Root
Key HKCR
Key HKCR
Key HKCR
KeyedEvent \KernelObjects\CritSecOutO fMemoryEve nt
Mutant \BaseNamedObjects\ShimCach eMutex
Mutant \BaseNamedObjects\ZonesCou nterMutex
Mutant \BaseNamedObjects\RasPbFil e
Mutant \BaseNamedObjects\SHIMLIB_ LOG_MUTEX
Mutant \BaseNamedObjects\RasPbFil e
Mutant \BaseNamedObjects\ZonesLoc kedCacheCo unterMutex
Mutant \BaseNamedObjects\0CADFD67 AF62496dB3 4264F000F5 624A
Mutant \BaseNamedObjects\4FCC0DEF E22C4f138F B9D5AF25FD 9398
Mutant \BaseNamedObjects\SRDataSt ore
Mutant \BaseNamedObjects\238FAD31 09D3473aB4 764B20B373 1840
Mutant \BaseNamedObjects\OOC State Mutex
Mutant \BaseNamedObjects\SRDataSt ore
Mutant \BaseNamedObjects\WindowsU pdateTraci ngMutex
Mutant \BaseNamedObjects\ZonesCac heCounterM utex
Mutant \BaseNamedObjects\DBWinMut ex
Port \RPC Control\dhcpcsvc
Port \RPC Control\wzcsvc
Port \RPC Control\OLE38CC342E8EBD428 7BEFCA95FE 193
Port \RPC Control\AudioSrv
Port \RPC Control\keysvc
Port \XactSrvLpcPort
Port \RPC Control\SECLOGON
Port \RPC Control\senssvc
Port \RPC Control\srrpc
Port \RPC Control\tapsrvlpc
Port \RPC Control\trkwks
Port \RPC Control\unimdmsvc
Port \ThemeApiPort
Process winlogon.exe(772)
Process winlogon.exe(772)
Process winlogon.exe(772)
Process apcsystray.exe(3720)
Process svchost.exe(1104)
Process winlogon.exe(772)
Process backWeb-8876480.exe(1248)
Process devenv.exe(360)
Process devenv.exe(360)
Process svchost.exe(1104)
Process iexplore.exe(500)
Process iexplore.exe(820)
Process POWERARC.EXE(1952)
Process Dreamweaver.exe(1504)
Process taskmgr.exe(2896)
Process ~e5d141.tmp(196)
Process HijackThis.exe(3972)
Process iexplore.exe(2180)
Process iexplore.exe(356)
Process ccProxy.exe(1404)
Process OUTLOOK.EXE(3740)
Process svchost.exe(1104)
Process hpcmpmgr.exe(660)
Process msnmsgr.exe(1232)
Process explorer.exe(172)
Process explorer.exe(172)
Process msmsgs.exe(3908)
Process mainserv.exe(348)
Process SMTray.exe(628)
Process OPScan.exe(2116)
Process hpwuSchd.exe(644)
Process hpztsb09.exe(668)
Process jusched.exe(792)
Process MobilePhoneSuite.exe(684)
Process InCD.exe(740)
Process AsusProb.exe(636)
Process rundll32.exe(120)
Process ccApp.exe(1168)
Process msnmsgr.exe(1232)
Process ctfmon.exe(1292)
Process iexplore.exe(2328)
Process RoboTaskBarIcon.exe(1344)
Process Ad-Watch.exe(1084)
Process backWeb-8876480.exe(1248)
Process acrotray.exe(1528)
Process TopStyle3.exe(2572)
Process KEM.exe(2324)
Process nvsvc32.exe(516)
Process procexp.exe(580)
Process Tablet.exe(2200)
Process BTTray.exe(2192)
Process mdm.exe(428)
Process KHALMNPR.exe(2348)
Process TabUserW.exe(2368)
Process BTStackServer.exe(3956)
Process notepad.exe(2744)
Process ~e5d141.tmp(3648)
Process iexplore.exe(1776)
Process lsass.exe(828)
Process webshots.scr(2584)
Process fxssvc.exe(2428)
Process WINWORD.EXE(3652)
Section \BaseNamedObjects\Wmi Provider Sub System Counters
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\SENS Information Cache
Section \BaseNamedObjects\__R_00000000000f_SMem__
Section \BaseNamedObjects\mmGlobalPnpInfo
Section \BaseNamedObjects\SENS Information Cache
Section \BaseNamedObjects\RotHintTable
Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_450
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\PowerProfileRegistrySemaphore
Thread svchost.exe(1104): 1120
Thread svchost.exe(1104): 3140
Thread svchost.exe(1104): 3144
Thread svchost.exe(1104): 4004
Thread svchost.exe(1104): 2264
Thread svchost.exe(1104): 3168
Thread svchost.exe(1104): 3196
Thread svchost.exe(1104): 3204
Thread svchost.exe(1104): 1144
Thread svchost.exe(1104): 1380
Thread svchost.exe(1104): 3684
Thread svchost.exe(1104): 3656
Thread svchost.exe(1104): 3204
Thread svchost.exe(1104): 448
Thread svchost.exe(1104): 2536
Thread svchost.exe(1104): 3140
Thread svchost.exe(1104): 2672
Thread svchost.exe(1104): 1552
Thread svchost.exe(1104): 3656
Thread svchost.exe(1104): 1868
Thread svchost.exe(1104): 1552
Thread svchost.exe(1104): 396
Thread svchost.exe(1104): 396
Thread svchost.exe(1104): 1868
Thread svchost.exe(1104): 1800
Thread svchost.exe(1104): 2400
Thread svchost.exe(1104): 1144
Thread svchost.exe(1104): 2284
Thread svchost.exe(1104): 3992
Thread svchost.exe(1104): 440
Thread svchost.exe(1104): 1740
Thread svchost.exe(1104): 2028
Thread svchost.exe(1104): 2284
Thread svchost.exe(1104): 1740
Thread svchost.exe(1104): 2028
Thread svchost.exe(1104): 3992
Thread svchost.exe(1104): 1244
Thread svchost.exe(1104): 1244
Thread svchost.exe(1104): 1120
Thread svchost.exe(1104): 1276
Thread svchost.exe(1104): 1276
Thread svchost.exe(1104): 1312
Thread svchost.exe(1104): 1396
Thread svchost.exe(1104): 1400
Thread svchost.exe(1104): 1780
Thread svchost.exe(1104): 1780
Thread svchost.exe(1104): 1792
Thread svchost.exe(1104): 1796
Thread svchost.exe(1104): 1800
Thread svchost.exe(1104): 1808
Thread svchost.exe(1104): 1812
Thread svchost.exe(1104): 1812
Thread svchost.exe(1104): 1816
Thread svchost.exe(1104): 1816
Thread svchost.exe(1104): 920
Thread svchost.exe(1104): 1792
Thread explorer.exe(172): 220
Thread svchost.exe(1104): 232
Thread svchost.exe(1104): 232
Thread svchost.exe(1104): 392
Thread svchost.exe(1104): 388
Thread svchost.exe(1104): 424
Thread svchost.exe(1104): 400
Thread svchost.exe(1104): 420
Thread svchost.exe(1104): 420
Thread svchost.exe(1104): 436
Thread svchost.exe(1104): 552
Thread svchost.exe(1104): 556
Thread svchost.exe(1104): 3024
Thread svchost.exe(1104): 3168
Thread svchost.exe(1104): 2068
Thread svchost.exe(1104): 920
Thread svchost.exe(1104): 2124
Thread svchost.exe(1104): 1904
Thread svchost.exe(1104): 1904
Thread svchost.exe(1104): 1904
Thread svchost.exe(1104): 2272
Thread svchost.exe(1104): 2268
Thread svchost.exe(1104): 2396
Thread svchost.exe(1104): 2408
Thread svchost.exe(1104): 1120
Thread svchost.exe(1104): 1108
Thread svchost.exe(1104): 2448
Thread svchost.exe(1104): 2468
Thread svchost.exe(1104): 2468
Thread svchost.exe(1104): 1312
Thread svchost.exe(1104): 2396
Thread svchost.exe(1104): 2492
Thread svchost.exe(1104): 728
Thread svchost.exe(1104): 3656
Thread svchost.exe(1104): 3156
Thread svchost.exe(1104): 2400
Thread svchost.exe(1104): 2400
Thread svchost.exe(1104): 1380
Thread svchost.exe(1104): 2536
Thread svchost.exe(1104): 1380
Thread svchost.exe(1104): 1380
Thread svchost.exe(1104): 2660
Thread svchost.exe(1104): 2672
Thread svchost.exe(1104): 2676
Thread svchost.exe(1104): 2856
Thread svchost.exe(1104): 1312
Thread svchost.exe(1104): 2852
Thread svchost.exe(1104): 2856
Thread svchost.exe(1104): 2936
Thread svchost.exe(1104): 1116
Thread svchost.exe(1104): 2940
Thread svchost.exe(1104): 2960
Thread svchost.exe(1104): 3008
Thread svchost.exe(1104): 3008
Thread svchost.exe(1104): 1112
Token CED\ian
Token CED\ian
Token CED\ian
Token NT AUTHORITY\LOCAL SERVICE
Token CED\ian
Token NT AUTHORITY\SYSTEM
Token CED\ian
Token CED\ian
Token CED\ian
Token CED\ian
Token CED\ian
Token NT AUTHORITY\SYSTEM
Token CED\ian
Token CED\ian
Token CED\ian
Token CED\ian
Token NT AUTHORITY\SYSTEM
Token NT AUTHORITY\SYSTEM
Token CED\ian
Token NT AUTHORITY\NETWORK SERVICE
WaitablePort \NLAPublicPort
WaitablePort \NLAPrivatePort
WaitablePort \Security\TRKWKS_PORT
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\SAWinSta
ASKER
Thanks for the info... I did try and delete everything from my temp directory but had to get into safe mode....
Safe mode wouldn't work and I just found out it was because I had NERO INCD installed... it has bugs... I removed it and then got into safe mode... I removed everything... including an IADHIDE4.dll which was locked when in normal mode! which is apparently associated with Back Office......
Anyway.. Anything else you think??? I will have to wait around 1 hour or so to see if it's worked.. as I say the CPU doesn't go high until about 1 hour...
Ad-aware never found the .dll! ..
Wish me luck... be back soon to report what happened
ian
hmmmmmm Good Luck :)
ASKER
Hi there,
No luck I'm afraid, back up to 98%.... Are there any other tools I can use to pinpoint the problem?
I am placing a new updated hijackthis.txt here... Thanks ian
Logfile of HijackThis v1.97.7
Scan saved at 00:46:34, on 08/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software Library\Applications\Sys Internals\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Mobile Phone Suite] C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm &2 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\Software\..\Telephony: DomainName = cuttingedgedesigns.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
Your system is not a standalone PC..... networked with other systems,,, right??
What if you disconnect it from the network and then check for the problem??
Also, have you any idea when this all started happening??
ASKER
OK... here's an update.. I tried stopping the services one at a time but it didn't make any difference.. I also tried ending the tasks of basically everything that wasn't important.. still no difference. So I am gonna now try
Start>Run>msconfig>Startup and disable all and add 1 back in at a time..
I am also networked.. I did try to disconnect my network cable but that didn't help either..
Check back soon
ian
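Stopping the netsvcs members one at a time, as the poster does above, is slow because Task Manager only ever shows the shared svchost.exe, never which service inside it is busy. The script below is an added example, not code from this thread or from any of the experts. It assumes an elevated PowerShell 3 or later session (Get-CimInstance; on the PowerShell 2 that was available for XP, substitute Get-WmiObject). It maps every svchost.exe instance to the services it hosts, prints each service's ServiceDll and the process's cumulative CPU time, and with the hypothetical -Isolate parameter moves one suspect service into its own svchost.exe via `sc config <name> type= own`, so CPU is then attributed to that service alone. The ServiceDll check is there because a service registered into netsvcs with its DLL outside system32 is a common way for something unwanted to ride inside a legitimate-looking svchost.exe.

```powershell
# Added example (not from the thread). Maps each svchost.exe to the services
# it hosts, shows each service's ServiceDll and the process's CPU time, and
# optionally splits one service into its own svchost.exe for CPU attribution.
# Assumes an elevated PowerShell 3+ session. -Isolate is a hypothetical switch
# for this example; pass a service name such as wuauserv.
param(
    [string]$Isolate
)

# Shared svchost services load the DLL named in
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
function Get-ServiceDll([string]$Name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '(none)' }
}

# Win32_Service.ProcessId tells us which process hosts each running service.
$running = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -gt 0 }

foreach ($group in ($running | Group-Object ProcessId | Sort-Object { [int]$_.Name })) {
    $proc = Get-Process -Id ([int]$group.Name) -ErrorAction SilentlyContinue
    # Only shared service hosts are interesting here; skip services with their own EXE.
    if (-not $proc -or $proc.ProcessName -ne 'svchost') { continue }
    $cpu = if ($proc.CPU) { [math]::Round($proc.CPU, 1) } else { 'n/a' }
    Write-Host ("`nsvchost.exe PID {0}  CPU(s)={1}  threads={2}" -f $proc.Id, $cpu, $proc.Threads.Count)
    foreach ($svc in ($group.Group | Sort-Object Name)) {
        $dll = Get-ServiceDll $svc.Name
        # A ServiceDll outside %SystemRoot%\system32 deserves a second look.
        $flag = if ($dll -ne '(none)' -and $dll -notlike "$env:SystemRoot\system32\*") {
            '  <-- outside system32'
        } else { '' }
        Write-Host ("  {0,-18} {1}{2}" -f $svc.Name, $dll, $flag)
    }
}

if ($Isolate) {
    # type= own makes the Service Control Manager start this service in a
    # dedicated svchost.exe (the space after '=' is required by sc.exe syntax).
    & sc.exe config $Isolate type= own | Out-Null
    Restart-Service -Name $Isolate -Force
    Start-Sleep -Seconds 2
    $newPid = (Get-CimInstance Win32_Service -Filter "Name='$Isolate'").ProcessId
    Write-Host "`n$Isolate now runs alone in svchost.exe PID $newPid; watch that PID's CPU column."
    Write-Host "Revert with: sc.exe config $Isolate type= share ; Restart-Service $Isolate"
}
```

Run it once to find the svchost.exe PID that is burning CPU and the services it hosts, then rerun with `-Isolate <service>` for each member of that group in turn; the culprit will show up as its own svchost.exe instance in Task Manager. Revert every split with `sc config <name> type= share` when you are done, and if a service refuses to start on its own, revert it immediately and fall back to stopping its siblings one at a time as the poster did.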
ASKER
OK I just ran msconfig... and removed everything from startup.. restarted and I notice the nvcpl has added itself again, this is the only one..
The command is RUNDLL32.EXE c:\windows\system32\nvcpl.dll,nvstartup
I presume this is the control panel??? for Nvidia display cards or that's what I found on the net anyway... I normally have an icon in the taskbar... but it's not there...
Will keep my eye on it and be back soon..
Ian
Yes, it's the dll for nVidia. It's OK.
ASKER
Hi there everyone again..
OK I did the msconfig bit and removed everything but the following files got put back in there automatically
ctfmon.exe
Nvcpl running under rundll32.exe (which is the Nvidia stuff)
But to cut a long story short.. still causing problems with svchost being high..
I wonder if it's my Nvidia drivers.. anyway... I am downloading an update to see if it fixes it
Ian
ianin.... your problem seems a bit of a twisty one!!
I mean the svchost.exe is not raising the CPU usage at once,,,, it's gradually increasing in the CPU column,,,,, :-?
Tell me, are you using one RAM stick or more than one??
If more than one, then can you take out the other(s) and test with only one at a time!!
And when you test your RAM with www.memtest86.com, does it report any faults??
ASKER
No, memtest86 was OK...
But an interesting thing, I have started to design websites, and although I need to test Internet Explorer with my sites, I decided to make my main browser Mozilla Firefox.
I use Outlook 2003 for my mail, but it is always slow... so I noticed Mozilla also do Thunderbird (another mail client), so I don't really use Outlook 2003 extra functionality like appointments etc. so I decided to give it a whirl... Imported my messages etc. etc. and then decided I liked it so I removed Outlook 2003...
AND WHAT DO YOU KNOW!!!! Outlook 2003 looks to have been the problem because I have had my computer on all day and working heavily, and not one problem!!!
Wow! thanks guys for all the help..... Now I have the problem of distributing points, as everyone has helped me so much so I will distribute evenly between the best helps...
Thanks once again for everyone's help, but it is nice to know that Outlook 2003 is a pile of crap <grin>
Ian
wow..... is there any end to these computer mysteries!!! :D
thanks for letting us know about the solution.... will remember it in future if I ever come across this situation :)
Cheers ^_^
Yeah, I've been dicking with an issue with Outlook's PIM manager supposedly not running, and thus my client can't sync his Pocket PC to it. Bah.
Glad you found out what was up. I'll have to keep that one in mind if I ever run into something like it.
ASKER