Solved

svchost.exe High CPU - Logs included...

Posted on 2004-10-07
Last Modified: 2013-11-18
Hi there,

I got a problem with high CPU use with svchost.exe. I have searched other people's messages here but couldn't find a solution. I wonder if anybody can help?

I use Ad-Aware SE Professional and it is updated with the latest signatures, and I also use Norton Internet Security 2005 (comes with Norton AntiVirus), which has the latest signatures too. I have done a scan but nothing has been found. I am bug free and ad free...

I notice a lot of people have posted their HijackThis.txt logs and a log from Process Explorer (Sysinternals). I too have included these at the end of the document.

I hope somebody can help, as I have done a reinstall lately and it was such a big job. What I can say is that if I force the svchost.exe (which takes around 96% of the CPU) to close down, it's fine and doesn't seem to cause me problems.

I looked at the properties of the svchost.exe that is causing the problem and I see this line: C:\WINDOWS\System32\svchost.exe -k netsvcs

I also looked at which services were attached to this svchost and I get the following list:

AudioSrv
Browser
CryptSvc
Dhcp
dmserver
ErSvc
EventSystem
Helpsvc
lanmanserver
lanmanworkstation
Netman
Nla
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
srservice
Tapisrv
Themes
TrkWks
w32Time
winmgmt
wuauserv
WZCSVC

I did try to close most of them down using the Services applet... most did close down, some I wasn't able to. But it didn't fix the problem.

Here come my logs. Any help would be really appreciated.

HIJACKTHIS.TXT
Logfile of HijackThis v1.97.7
Scan saved at 02:01:19, on 06/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Program Files\Bradbury\TopStyle3\TopStyle3.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software Library\Applications\Sys Internals\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Mobile Phone Suite] C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Customize Menu      &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms      &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms      &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms      &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms      &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm      &2 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\Software\..\Telephony: DomainName = cuttingedgedesigns.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1



And here is a log from Sysinternals:

Process      PID      CPU      Description      Company Name
System Idle Process      0                  
 Interrupts      n/a            Hardware Interrupts      
 DPCs      n/a            Deferred Procedure Calls      
 System      4                  
  smss.exe      696            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      748            Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      772            Windows NT Logon Application      Microsoft Corporation
    services.exe      816            Services and Controller app      Microsoft Corporation
     svchost.exe      980            Generic Host Process for Win32 Services      Microsoft Corporation
      BTStackServer.exe      3956            Bluetooth Stack COM Server      WIDCOMM, Inc.
      msmsgs.exe      3908            Windows Messenger      Microsoft Corporation
      WINWORD.EXE      3652            Microsoft Office Word      Microsoft Corporation
      OPScan.exe      2116            Client and Host Security Platform Out of Process Scan Server      Symantec Corporation
     svchost.exe      1040            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1104      83      Generic Host Process for Win32 Services      Microsoft Corporation
     incdsrv.exe      1124            incdsrv      Ahead Software AG
     svchost.exe      1264            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1328            Generic Host Process for Win32 Services      Microsoft Corporation
     ccProxy.exe      1404            Symantec Network Proxy Service      Symantec Corporation
     ccSetMgr.exe      1420            Symantec Settings Manager Service      Symantec Corporation
     ISSVC.exe      1432            IS Service      Symantec Corporation
     SNDSrvc.exe      1444            Network Driver Service      Symantec Corporation
     SPBBCSvc.exe      1460            SPBBC Service      Symantec Corporation
     ccEvtMgr.exe      1524            Symantec Event Manager Service      Symantec Corporation
     spoolsv.exe      1820            Spooler SubSystem App      Microsoft Corporation
     mainserv.exe      348            Battery backup management service      American Power Conversion Corporation
     btwdins.exe      368            Bluetooth Support Server      WIDCOMM, Inc.
     mdm.exe      428            Machine Debug Manager      Microsoft Corporation
     navapsvc.exe      308            Norton AntiVirus Auto-Protect Service      Symantec Corporation
     nvsvc32.exe      516            NVIDIA Driver Helper Service, Version 61.77      NVIDIA Corporation
     SMAgent.exe      2060            SoundMAX service agent component      Analog Devices, Inc.
     symlcsvc.exe      2128            Symantec Core Component      Symantec Corporation
     Tablet.exe      2200            WacomService      Wacom Technology, Corp.
     wdfmgr.exe      2288            Windows User Mode Driver Manager      Microsoft Corporation
     fxssvc.exe      2428            Fax Service      Microsoft Corporation
     symwsc.exe      2524            Norton Security Center Service      Symantec Corporation
     alg.exe      3640            Application Layer Gateway Service      Microsoft Corporation
    lsass.exe      828            LSA Shell (Export Version)      Microsoft Corporation
    taskmgr.exe      2896      1      Windows TaskManager      Microsoft Corporation
explorer.exe      172            Windows Explorer      Microsoft Corporation
 SMTray.exe      628            SoundMAX System Tray      Analog Devices, Inc.
 AsusProb.exe      636                  
 hpwuSchd.exe      644            hpwuSchd      Hewlett-Packard
 hpcmpmgr.exe      660            HP Framework Component Manager Service      Hewlett-Packard Company
 hpztsb09.exe      668                  HP
 MobilePhoneSuite.exe      684                  
 InCD.exe      740            InCD      Ahead Software AG
 jusched.exe      792                  
 rundll32.exe      120            Run a DLL as an App      Microsoft Corporation
 Ad-Watch.exe      1084      4      Ad-Watch System Protector      Lavasoft Sweden
 ccApp.exe      1168            Symantec User Session      Symantec Corporation
 msnmsgr.exe      1232            MSN Messenger      Microsoft Corporation
 backWeb-8876480.exe      1248                  
 ctfmon.exe      1292            CTF Loader      Microsoft Corporation
 RoboTaskBarIcon.exe      1344            RoboForm TaskBar Icon      Siber Systems
 acrotray.exe      1528            AcroTray      Adobe Systems Inc.
 BTTray.exe      2192            Bluetooth Tray Application      WIDCOMM, Inc.
 KEM.exe      2324            Logitech SetPoint      Logitech Inc.
  KHALMNPR.exe      2348            Logitech Hardware Abstraction Layer      Logitech Inc.
 TabUserW.exe      2368            TABUSERW      Wacom Technology, Corp.
 OUTLOOK.EXE      3740            Microsoft Office Outlook      Microsoft Corporation
 iexplore.exe      820            Internet Explorer      Microsoft Corporation
 iexplore.exe      1776      1      Internet Explorer      Microsoft Corporation
 devenv.exe      360      1      Microsoft Visual Studio .NET 2003      Microsoft Corporation
  Dreamweaver.exe      1504            Dreamweaver MX 2004      Macromedia, Inc.
   ~e5d141.tmp      196            Cleanup      Macrovision Europe Ltd.
   ~e5d141.tmp      3648            Cleanup      Macrovision Europe Ltd.
 iexplore.exe      356            Internet Explorer      Microsoft Corporation
 iexplore.exe      2328            Internet Explorer      Microsoft Corporation
 iexplore.exe      2180            Internet Explorer      Microsoft Corporation
 iexplore.exe      500            Internet Explorer      Microsoft Corporation
 HijackThis.exe      3972            HijackThis      Soeperman Enterprises Ltd.
  notepad.exe      2744            Notepad      Microsoft Corporation
 POWERARC.EXE      1952            PowerArchiver 2004      ConeXware, Inc.
  procexp.exe      580      9      Sysinternals Process Explorer      Sysinternals
webshots.scr      2584            Webshots Photo Manager      Webshots.com
apcsystray.exe      3720            PowerChute system tray power icon      American Power Conversion Corporation
TopStyle3.exe      2572            TopStyle      Bradbury Software, LLC

Process: svchost.exe Pid: 1104

Type      Name
Desktop      \Default
Desktop      \SADesktop
Desktop      \Default
Directory      \Windows
Directory      \BaseNamedObjects
Directory      \KnownDlls
Event      \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event      \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event      \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event      \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
Event      \BaseNamedObjects\IPNAT
Event      \BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
Event      \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
Event      \BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
Event      \BaseNamedObjects\DHCPNEWIPADDRESS
Event      \BaseNamedObjects\crypt32LogoffEvent
Event      \BaseNamedObjects\WIRELESS_POLICY_CHANGE_EVENT
Event      \BaseNamedObjects\{3086A6D3-F5FD-4ECF-9DBE-0BCF65845D52}ShellHWDetection
Event      \BaseNamedObjects\{3086A6D3-F5FD-4ECF-9DBE-0BCF65845D52}ShellHWDetection
Event      \BaseNamedObjects\DINPUTWINMM
Event      \BaseNamedObjects\PrefetchOverrideIdle
Event      \BaseNamedObjects\PrefetchProcessingComplete
Event      \BaseNamedObjects\PrefetchTracesReady
Event      \BaseNamedObjects\PrefetchParametersChanged
Event      \BaseNamedObjects\SAConEvt
Event      \BaseNamedObjects\WkssvcToAgentStartEvent
Event      \BaseNamedObjects\WkssvcToAgentStopEvent
Event      \BaseNamedObjects\AgentToWkssvcEvent
Event      \BaseNamedObjects\wkssvc:  MUP finished initializing event
Event      \BaseNamedObjects\userenv:  User Profile setup event
Event      \BaseNamedObjects\ReSyncKernel
Event      \BaseNamedObjects\WinSta0_DesktopSwitch
Event      \Device\DmControl\VxKernel2VoldEvent
Event      \LanmanServerAnnounceEvent
Event      \BaseNamedObjects\SENS Started Event
Event      \BaseNamedObjects\SRCounter
Event      \BaseNamedObjects\SRStopEvent
Event      \BaseNamedObjects\SRInitEvent
Event      \BaseNamedObjects\SRIdleReqEvent
Event      \BaseNamedObjects\SC_AutoStartComplete
Event      \Security\TRKWKS_EVENT
Event      \BaseNamedObjects\W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Event      \BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
Event      \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
Event      \BaseNamedObjects\WMI_SysEvent_LodCtr
Event      \BaseNamedObjects\WMI_SysEvent_UnLodCtr
Event      \BaseNamedObjects\WMI_RevAdap_Set
Event      \BaseNamedObjects\WMI_RevAdap_ACK
Event      \BaseNamedObjects\WMI_ProcessIdleTasksStart
Event      \BaseNamedObjects\WMI_ProcessIdleTasksComplete
Event      \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event      \BaseNamedObjects\userenv: User Group Policy has been applied
File      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
File      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
File      C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
File      C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
File      C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
File      C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
File      \Device\Tcp
File      \Device\LanmanRedirector\SERVER1\INCOMING
File      C:\WINDOWS\ModemLog_Creative Modem Blaster V.92 DE5721.txt
File      \Device\NamedPipe\wkssvc
File      \Device\Afd\Endpoint
File      \Device\NamedPipe\srvsvc
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\IPNAT
File      D:
File      \Device\IPNAT
File      \Device\Ip
File      \Device\NamedPipe\Winsock2\CatalogChangeListener-450-0
File      \Device\Tcp
File      \Device\Tcp
File      C:\WINDOWS\SoftwareDistribution\EventCache\{360883C7-CBA9-4D69-8C93-368427534F4A}.bin
File      \Device\Ip
File      \Device\NamedPipe\Winsock2\CatalogChangeListener-450-1
File      \Device\Ip
File      \Device\NamedPipe\browser
File      \Device\NamedPipe\browser
File      \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
File      \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My
File      \Device\Afd\AsyncConnectHlp
File      C:\WINDOWS\system32
File      \Device\NamedPipe\NETLOGON
File      \Device\NamedPipe\lsarpc
File      \Device\Ip
File      \Device\WMIDataDevice
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\Tcp
File      \Device\Ndisuio
File      \Device\WMIDataDevice
File      C:\WINDOWS\SchedLgU.Txt
File      \Device\NamedPipe\atsvc
File      \Device\NamedPipe\atsvc
File      \Device\KsecDD
File      C:\WINDOWS\Tasks
File      C:\WINDOWS\SoftwareDistribution\EventCache\{1E3122C2-0BE7-4021-BCA1-7F8D7C74813A}.bin
File      \Device\LanmanRedirector
File      \Device\LanmanDatagramReceiver
File      \Device\NamedPipe\wkssvc
File      C:\System Volume Information\tracking.log
File      \Device\NamedPipe\keysvc
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\NamedPipe\keysvc
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\NamedPipe\srvsvc
File      \Device\NamedPipe\PCHHangRepExecPipe
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\NamedPipe\PCHFaultRepExecPipe
File      C:\WINDOWS\PCHealth\HelpCtr\BATCH
File      \Device\LanmanServer
File      \Device\NamedPipe\srvsvc
File      \Device\00000077
File      \Device\0000008d
File      \Device\IPNAT
File      C:\$Extend\$ObjId
File      C:
File      \Device\NamedPipe\wkssvc
File      \FileSystem\Filters\SystemRestore
File      D:\System Volume Information\tracking.log
File      \Device\NamedPipe\trkwks
File      \Device\NamedPipe\trkwks
File      D:\$Extend\$ObjId
File      C:\WINDOWS\system32\wbem\mof
File      \Device\LanmanDatagramReceiver
File      \Device\NamedPipe\W32TIME
File      \Device\NamedPipe\W32TIME
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      \Device\Udp
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      \Device\Afd\Endpoint
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      C:\WINDOWS\WindowsUpdate.log
File      \Device\NamedPipe\net\NtControlPipe4
File      \Device\Udp
File      \Device\Afd\Endpoint
File      \Device\Afd\Endpoint
File      \Device\NamedPipe\EVENTLOG
File      \Device\IPNAT
File      C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
File      \Device\Afd\Endpoint
File      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File      \Device\NdisTapi
File      \Device\NdisTapi
File      \Device\NDProxy
File      \Device\NDProxy
File      C:\WINDOWS\system32\h323log.txt
File      C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
Job      \BaseNamedObjects\WmiProviderSubSystemHostJob
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
Key      HKLM\SYSTEM\ControlSet001\Control\Network\Connections
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Tracing\NETMAN
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Key      HKCR
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Tracing\RASDLG
Key      HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Key      HKCR
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}\Connection
Key      HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
Key      HKLM\SYSTEM\ControlSet001\Services\Browser\Parameters
Key      HKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
Key      HKU\.DEFAULT
Key      HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Key      HKU\.DEFAULT\Software\Microsoft\SystemCertificates\My
Key      HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key      HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
Key      HKU\.DEFAULT
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key      HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKU\.DEFAULT
Key      HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
Key      HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key      HKCR
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key      HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options
Key      HKLM\SYSTEM\ControlSet001\Services
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters
Key      HKLM
Key      HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}
Key      HKLM\SOFTWARE\Microsoft\Tracing\WZCTrace
Key      HKLM\SOFTWARE\Microsoft\Tracing\EAPOL
Key      HKU\.DEFAULT
Key      HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key      HKLM\SOFTWARE\Microsoft\Tracing\RASTLS
Key      HKLM\SOFTWARE\Microsoft\Tracing\RASCHAP
Key      HKLM\SOFTWARE\Microsoft\Tracing\Wlpolicy
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKU
Key      HKCR
Key      HKU
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKCR\CLSID
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKU
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKCR\CLSID
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
Key      HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Key      HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA
Key      HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key      HKU
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Control\Terminal Server
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Policies
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}
Key      HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions
Key      HKCR
Key      HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Key      HKLM\SYSTEM\ControlSet001\Services\lanmanserver\parameters
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SYSTEM\Setup
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\COM3
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Tracing\tapisrv
Key      HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Tracing\IPNATHLP
Key      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting
Key      HKLM\SYSTEM\ControlSet001\Control\Lsa\Audit
Key      HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Key      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\Sus
Key      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\WU
Key      HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
Key      HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
Key      HKCR
Key      HKCR
Key      HKCR
Key      HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
Key      HKCR
Key      HKLM\SOFTWARE\Microsoft\Tracing\KMDDSP
Key      HKLM\SOFTWARE\Microsoft\Tracing\NDPTSP
Key      HKLM\SOFTWARE\Microsoft\Tracing\conftsp
Key      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
Key      HKCR
Key      HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root
Key      HKCR
Key      HKCR
Key      HKCR
KeyedEvent      \KernelObjects\CritSecOutOfMemoryEvent
Mutant      \BaseNamedObjects\ShimCacheMutex
Mutant      \BaseNamedObjects\ZonesCounterMutex
Mutant      \BaseNamedObjects\RasPbFile
Mutant      \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Mutant      \BaseNamedObjects\RasPbFile
Mutant      \BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant      \BaseNamedObjects\0CADFD67AF62496dB34264F000F5624A
Mutant      \BaseNamedObjects\4FCC0DEFE22C4f138FB9D5AF25FD9398
Mutant      \BaseNamedObjects\SRDataStore
Mutant      \BaseNamedObjects\238FAD3109D3473aB4764B20B3731840
Mutant      \BaseNamedObjects\OOC State Mutex
Mutant      \BaseNamedObjects\SRDataStore
Mutant      \BaseNamedObjects\WindowsUpdateTracingMutex
Mutant      \BaseNamedObjects\ZonesCacheCounterMutex
Mutant      \BaseNamedObjects\DBWinMutex
Port      \RPC Control\dhcpcsvc
Port      \RPC Control\wzcsvc
Port      \RPC Control\OLE38CC342E8EBD4287BEFCA95FE193
Port      \RPC Control\AudioSrv
Port      \RPC Control\keysvc
Port      \XactSrvLpcPort
Port      \RPC Control\SECLOGON
Port      \RPC Control\senssvc
Port      \RPC Control\srrpc
Port      \RPC Control\tapsrvlpc
Port      \RPC Control\trkwks
Port      \RPC Control\unimdmsvc
Port      \ThemeApiPort
Process      winlogon.exe(772)
Process      winlogon.exe(772)
Process      winlogon.exe(772)
Process      apcsystray.exe(3720)
Process      svchost.exe(1104)
Process      winlogon.exe(772)
Process      backWeb-8876480.exe(1248)
Process      devenv.exe(360)
Process      devenv.exe(360)
Process      svchost.exe(1104)
Process      iexplore.exe(500)
Process      iexplore.exe(820)
Process      POWERARC.EXE(1952)
Process      Dreamweaver.exe(1504)
Process      taskmgr.exe(2896)
Process      ~e5d141.tmp(196)
Process      HijackThis.exe(3972)
Process      iexplore.exe(2180)
Process      iexplore.exe(356)
Process      ccProxy.exe(1404)
Process      OUTLOOK.EXE(3740)
Process      svchost.exe(1104)
Process      hpcmpmgr.exe(660)
Process      msnmsgr.exe(1232)
Process      explorer.exe(172)
Process      explorer.exe(172)
Process      msmsgs.exe(3908)
Process      mainserv.exe(348)
Process      SMTray.exe(628)
Process      OPScan.exe(2116)
Process      hpwuSchd.exe(644)
Process      hpztsb09.exe(668)
Process      jusched.exe(792)
Process      MobilePhoneSuite.exe(684)
Process      InCD.exe(740)
Process      AsusProb.exe(636)
Process      rundll32.exe(120)
Process      ccApp.exe(1168)
Process      msnmsgr.exe(1232)
Process      ctfmon.exe(1292)
Process      iexplore.exe(2328)
Process      RoboTaskBarIcon.exe(1344)
Process      Ad-Watch.exe(1084)
Process      backWeb-8876480.exe(1248)
Process      acrotray.exe(1528)
Process      TopStyle3.exe(2572)
Process      KEM.exe(2324)
Process      nvsvc32.exe(516)
Process      procexp.exe(580)
Process      Tablet.exe(2200)
Process      BTTray.exe(2192)
Process      mdm.exe(428)
Process      KHALMNPR.exe(2348)
Process      TabUserW.exe(2368)
Process      BTStackServer.exe(3956)
Process      notepad.exe(2744)
Process      ~e5d141.tmp(3648)
Process      iexplore.exe(1776)
Process      lsass.exe(828)
Process      webshots.scr(2584)
Process      fxssvc.exe(2428)
Process      WINWORD.EXE(3652)
Section      \BaseNamedObjects\Wmi Provider Sub System Counters
Section      \BaseNamedObjects\ShimSharedMemory
Section      \BaseNamedObjects\SENS Information Cache
Section      \BaseNamedObjects\__R_00000000000f_SMem__
Section      \BaseNamedObjects\mmGlobalPnpInfo
Section      \BaseNamedObjects\SENS Information Cache
Section      \BaseNamedObjects\RotHintTable
Section      \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_450
Semaphore      \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore      \BaseNamedObjects\PowerProfileRegistrySemaphore
Thread      svchost.exe(1104): 1120
Thread      svchost.exe(1104): 3140
Thread      svchost.exe(1104): 3144
Thread      svchost.exe(1104): 4004
Thread      svchost.exe(1104): 2264
Thread      svchost.exe(1104): 3168
Thread      svchost.exe(1104): 3196
Thread      svchost.exe(1104): 3204
Thread      svchost.exe(1104): 1144
Thread      svchost.exe(1104): 1380
Thread      svchost.exe(1104): 3684
Thread      svchost.exe(1104): 3656
Thread      svchost.exe(1104): 3204
Thread      svchost.exe(1104): 448
Thread      svchost.exe(1104): 2536
Thread      svchost.exe(1104): 3140
Thread      svchost.exe(1104): 2672
Thread      svchost.exe(1104): 1552
Thread      svchost.exe(1104): 3656
Thread      svchost.exe(1104): 1868
Thread      svchost.exe(1104): 1552
Thread      svchost.exe(1104): 396
Thread      svchost.exe(1104): 396
Thread      svchost.exe(1104): 1868
Thread      svchost.exe(1104): 1800
Thread      svchost.exe(1104): 2400
Thread      svchost.exe(1104): 1144
Thread      svchost.exe(1104): 2284
Thread      svchost.exe(1104): 3992
Thread      svchost.exe(1104): 440
Thread      svchost.exe(1104): 1740
Thread      svchost.exe(1104): 2028
Thread      svchost.exe(1104): 2284
Thread      svchost.exe(1104): 1740
Thread      svchost.exe(1104): 2028
Thread      svchost.exe(1104): 3992
Thread      svchost.exe(1104): 1244
Thread      svchost.exe(1104): 1244
Thread      svchost.exe(1104): 1120
Thread      svchost.exe(1104): 1276
Thread      svchost.exe(1104): 1276
Thread      svchost.exe(1104): 1312
Thread      svchost.exe(1104): 1396
Thread      svchost.exe(1104): 1400
Thread      svchost.exe(1104): 1780
Thread      svchost.exe(1104): 1780
Thread      svchost.exe(1104): 1792
Thread      svchost.exe(1104): 1796
Thread      svchost.exe(1104): 1800
Thread      svchost.exe(1104): 1808
Thread      svchost.exe(1104): 1812
Thread      svchost.exe(1104): 1812
Thread      svchost.exe(1104): 1816
Thread      svchost.exe(1104): 1816
Thread      svchost.exe(1104): 920
Thread      svchost.exe(1104): 1792
Thread      explorer.exe(172): 220
Thread      svchost.exe(1104): 232
Thread      svchost.exe(1104): 232
Thread      svchost.exe(1104): 392
Thread      svchost.exe(1104): 388
Thread      svchost.exe(1104): 424
Thread      svchost.exe(1104): 400
Thread      svchost.exe(1104): 420
Thread      svchost.exe(1104): 420
Thread      svchost.exe(1104): 436
Thread      svchost.exe(1104): 552
Thread      svchost.exe(1104): 556
Thread      svchost.exe(1104): 3024
Thread      svchost.exe(1104): 3168
Thread      svchost.exe(1104): 2068
Thread      svchost.exe(1104): 920
Thread      svchost.exe(1104): 2124
Thread      svchost.exe(1104): 1904
Thread      svchost.exe(1104): 1904
Thread      svchost.exe(1104): 1904
Thread      svchost.exe(1104): 2272
Thread      svchost.exe(1104): 2268
Thread      svchost.exe(1104): 2396
Thread      svchost.exe(1104): 2408
Thread      svchost.exe(1104): 1120
Thread      svchost.exe(1104): 1108
Thread      svchost.exe(1104): 2448
Thread      svchost.exe(1104): 2468
Thread      svchost.exe(1104): 2468
Thread      svchost.exe(1104): 1312
Thread      svchost.exe(1104): 2396
Thread      svchost.exe(1104): 2492
Thread      svchost.exe(1104): 728
Thread      svchost.exe(1104): 3656
Thread      svchost.exe(1104): 3156
Thread      svchost.exe(1104): 2400
Thread      svchost.exe(1104): 2400
Thread      svchost.exe(1104): 1380
Thread      svchost.exe(1104): 2536
Thread      svchost.exe(1104): 1380
Thread      svchost.exe(1104): 1380
Thread      svchost.exe(1104): 2660
Thread      svchost.exe(1104): 2672
Thread      svchost.exe(1104): 2676
Thread      svchost.exe(1104): 2856
Thread      svchost.exe(1104): 1312
Thread      svchost.exe(1104): 2852
Thread      svchost.exe(1104): 2856
Thread      svchost.exe(1104): 2936
Thread      svchost.exe(1104): 1116
Thread      svchost.exe(1104): 2940
Thread      svchost.exe(1104): 2960
Thread      svchost.exe(1104): 3008
Thread      svchost.exe(1104): 3008
Thread      svchost.exe(1104): 1112
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      NT AUTHORITY\LOCAL SERVICE
Token      CED\ian
Token      NT AUTHORITY\SYSTEM
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      NT AUTHORITY\SYSTEM
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      CED\ian
Token      NT AUTHORITY\SYSTEM
Token      NT AUTHORITY\SYSTEM
Token      CED\ian
Token      NT AUTHORITY\NETWORK SERVICE
WaitablePort      \NLAPublicPort
WaitablePort      \NLAPrivatePort
WaitablePort      \Security\TRKWKS_PORT
WindowStation      \Windows\WindowStations\WinSta0
WindowStation      \Windows\WindowStations\Service-0x0-3e7$
WindowStation      \Windows\WindowStations\WinSta0
WindowStation      \Windows\WindowStations\SAWinSta



Question by:ianinspain
17 Comments
 

Author Comment

by:ianinspain
The thing I forgot to mention is that the PC runs fine when first booted; it's after about 1 hour, or sometimes less, that it starts with the high CPU, and then after that I have to either cancel the svchost or reboot... It does not correct itself.
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 125 total points
Hello ianinspain =)

First thing, u can delete the question u posted before in Operating System area :)

Second thing,,,, can u see these two processes running ??
>> C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp
>> C:\DOCUME~1\Ian\LOCALS~1\Temp\~e5d141.tmp

these are running from temp folder,,,,,, why, they shouldn't !!
do this, boot ur system in safe mode and delete all files present in C:\Documents and Settings\ur username\Local Settings\Temp
and delete the temporary internet files of IE also !!

reboot back and check if any progress ??
if NO then go to Start>Run>msconfig>Startup
and click on Disable All
restart and don't connect to internet,,, check if svchost.exe is still taking up CPU usage or not ??
Post back results :)
 
LVL 24

Assisted Solution

by:Kenneniah
Kenneniah earned 125 total points
~e5d141.tmp is a part of Macromedia's (Dreamweaver) product activation and licensing process. Taken from
http://www.macromedia.com/software/activation/audit/security_review.pdf

"On the Windows 2000/XP operating system the license manager is installed as a manually started, LocalSystem service named “Macromedia Licensing Service”. An additional process related to the license manager is called “~e5d141.tmp”. Two instances of this process are present when a Macromedia application is running."
 

Author Comment

by:ianinspain
Thanks for the info... I did try to delete everything from my temp directory but had to get into safe mode....

Safe mode wouldn't work, and I just found out it was because I had NERO INCD installed... it has bugs... I removed it and then got into safe mode... I removed everything... including an IADHIDE4.dll which was locked when in normal mode! which is apparently associated with back office......

Anyway... anything else you think??? I will have to wait around 1 hour or so to see if it's worked... as I say, the CPU doesn't go high until about 1 hour...

Ad-Aware never found the .dll! ..

Wish me luck... be back soon to report what happened

ian
 
LVL 65

Expert Comment

by:SheharyaarSaahil
hmmmmmm Good Luck :)
 

Author Comment

by:ianinspain
Hi there,

No luck I'm afraid, back up to 98%.... Are there any other tools I can use to pinpoint the problem?

I am placing a new updated hijackthis.txt here... Thanks, ian

Logfile of HijackThis v1.97.7
Scan saved at 00:46:34, on 08/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software Library\Applications\Sys Internals\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Mobile Phone Suite] C:\Program Files\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Customize Menu      &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms      &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms      &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms      &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms      &[ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RoboForm      &2 (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\Software\..\Telephony: DomainName = cuttingedgedesigns.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cuttingedgedesigns.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{03CE0ACF-DE37-41EC-AA88-A3ABCF578261}: NameServer = 192.168.0.1

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ur system is not a standalone pc..... networked with other systems,,, right ??
what if u disconnect it from network and then check for the problem ??

also have u any idea... that when this all started happening,,,,??
 
LVL 6

Assisted Solution

by:davexnet
davexnet earned 125 total points
In general, once you've identified the list of services running in the svchost,
use the services.msc tool and try stopping them, one at a time, and see what the effect is.
Some of them may be impossible to stop, but with some luck, this
method will identify the culprit.

Dave
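One way to carry out Dave's procedure with less clicking, as an added example that is not from this thread or from any of the tools it mentions: a PowerShell script that maps each svchost.exe instance to the services it hosts (the same mapping Process Explorer and `tasklist /svc` show), samples CPU per instance, and then stops the hosted services one at a time, measuring the process's CPU after each stop. It assumes a modern Windows with PowerShell 3 or later and an elevated session (on the XP machine in this thread, `tasklist /svc` gives the PID-to-service mapping instead); the function names are my own, and PID 1104 in the usage line is the one from Ian's Process Explorer output above.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ and an elevated session.

function Get-SvchostServiceMap {
    # One row per svchost.exe instance: PID, command line (e.g. "-k netsvcs"),
    # CPU seconds consumed so far, and the services hosted inside it.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    $svcs  = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    foreach ($p in $procs) {
        $hosted = $svcs | Where-Object { $_.ProcessId -eq $p.ProcessId }
        $gp     = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $cpu    = if ($gp -and $gp.CPU -ne $null) { [math]::Round($gp.CPU, 1) } else { $null }
        [pscustomobject]@{
            PID         = $p.ProcessId
            CommandLine = $p.CommandLine
            CpuSeconds  = $cpu
            Services    = ($hosted | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Get-ProcessCpuPercent {
    # Sample a process's total CPU time twice; report the delta as a percentage
    # of wall-clock time across all cores over the sample window.
    param([int]$ProcessId, [int]$Seconds = 5)
    $before = (Get-Process -Id $ProcessId).TotalProcessorTime
    Start-Sleep -Seconds $Seconds
    $after  = (Get-Process -Id $ProcessId).TotalProcessorTime
    $cores  = [Environment]::ProcessorCount
    [math]::Round(100 * ($after - $before).TotalSeconds / ($Seconds * $cores), 1)
}

function Find-HungryService {
    # Stop each service hosted in the given svchost one at a time and print the
    # process's CPU reading after each stop. Services that refuse to stop (or have
    # running dependents) are reported and skipped, not forced. Everything that was
    # stopped is started again at the end unless -KeepStopped is given.
    param([int]$ProcessId, [int]$SampleSeconds = 5, [switch]$KeepStopped)
    $hosted  = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId"
    $base    = Get-ProcessCpuPercent -ProcessId $ProcessId -Seconds $SampleSeconds
    Write-Host ("Baseline: {0}% CPU on PID {1}, hosting {2} services" -f $base, $ProcessId, @($hosted).Count)
    $stopped = @()
    foreach ($s in $hosted) {
        try {
            Stop-Service -Name $s.Name -ErrorAction Stop
            $stopped += $s.Name
        } catch {
            Write-Host ("{0,-20} could not stop: {1}" -f $s.Name, $_.Exception.Message)
            continue
        }
        # Stopping the last hosted service makes the svchost itself exit.
        if (-not (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)) {
            Write-Host ("{0,-20} stopped -> svchost {1} has exited" -f $s.Name, $ProcessId)
            break
        }
        $pct = Get-ProcessCpuPercent -ProcessId $ProcessId -Seconds $SampleSeconds
        Write-Host ("{0,-20} stopped -> {1}% CPU" -f $s.Name, $pct)
    }
    if (-not $KeepStopped) {
        foreach ($name in $stopped) { Start-Service -Name $name -ErrorAction SilentlyContinue }
    }
}

# Usage: find the busy instance, then bisect its services.
Get-SvchostServiceMap | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
Find-HungryService -ProcessId 1104 -SampleSeconds 5
```

The first command answers "which svchost, and what is inside it"; a large drop in the percentage right after a particular service is stopped names the likely culprit, which you can then disable in services.msc and confirm over the hour-long window Ian describes. The script deliberately does not use `Stop-Service -Force`, so a service with running dependents is reported rather than torn down together with them.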
 
LVL 2

Assisted Solution

by:Sootah
Sootah earned 125 total points
You have a ridiculous amount of stuff running. Try shutting everything down to just the required processes right after you boot up, run the system from there like you normally would, and see what happens. http://www.tweaksforgeeks.com/EssentialProc.html

If it runs OK, then remove all misc junk from startup, run it for a while, and start adding it back one by one till you hit the problem.
 

Author Comment

by:ianinspain
OK... here's an update. I tried stopping the services one at a time but it didn't make any difference... I also tried ending the tasks of basically everything that wasn't important... still no difference. So I am gonna now try the

Start>Run>msconfig>Startup and disable all and add 1 back in at a time..

I am also networked... I did try to disconnect my network cable but that didn't help either..

Check back soon

ian
 

Author Comment

by:ianinspain
OK, I just ran msconfig... and removed everything from startup... restarted and I noticed the nvcpl has added itself again; this is the only one..

The command is RUNDLL32.EXE c:\windows\system32\nvcpl.dll,nvstartup

I presume this is the control panel??? for Nvidia display cards, or that's what I found on the net anyway... I normally have an icon in the taskbar... but it's not there...

Will keep my eye on it and be back soon..

Ian
 
LVL 2

Expert Comment

by:Sootah
Yes, it's the dll for nVidia. It's OK.
 

Author Comment

by:ianinspain
Hi there everyone again..

OK, I did the msconfig bit and removed everything, but the following files got put back in there automatically

ctfmon.exe
Nvcpl running under rundll32.exe (which is the nvidia stuff)

But to cut a long story short... still causing problems with svchost being high..

I wonder if it's my nvidia drivers... anyway... I am downloading an update to see if it fixes it

Ian
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ianin.... ur problem seems a bit twisty one !!

i mean the svchost.exe is not raising the cpu usage all at once,,,, its gradually increasing in cpu column,,,,, :-?
tell me are u using one RAM stick or more than one ??
if more than one then can u take out the other(s) and test with only one at a time !!

and when u test ur ram with www.memtest86.com, does it report any faults ??
 

Author Comment

by:ianinspain
No, memtest86 was OK...

But an interesting thing: I have started to design websites, and although I need to test Internet Explorer with my sites, I decided to make my main browser Mozilla Firefox.

I use Outlook 2003 for my mail, but it is always slow... so I noticed Mozilla also does Thunderbird (another mail client), and since I don't really use Outlook 2003's extra functionality like appointments etc., I decided to give it a whirl... Imported my messages etc. and then decided I liked it, so I removed Outlook 2003...

AND WHAT DO YOU KNOW!!!! Outlook 2003 looks to have been the problem, because I have had my computer on all day and working heavily, and not one problem!!!

Wow! Thanks guys for all the help..... Now I have the problem of distributing points, as everyone has helped me so much, so I will distribute evenly between the best helps...

Thanks once again for everyone's help, but it is nice to know that Outlook 2003 is a pile of crap <grin>

Ian
 
LVL 65

Expert Comment

by:SheharyaarSaahil
wow..... is there any end of these computer mysteries !!! :D
thanx for letting us know abt the solution.... will remember it in future if ever come across this situation :)
Cheers ^_^
 
LVL 2

Expert Comment

by:Sootah
Yeah, I've been dicking with an issue with Outlook's PIM manager supposedly not running, and thus my client can't sync his Pocket PC to it. Bah.

Glad you found out what was up. I'll have to keep that one in mind if I ever run into something like it.