gpsocs
asked on
Discovering what is running on the svchost.exe stack
How does one find out what services or applications are running under svchost.exe? I have a situation where svchost.exe is peaking out the processor and the battery of av/am applications that I've run have not discovered anything (including three rootkit detection tools). There is something going on here as it is causing terrible pauses in the system and it should be much more responsive with 768 MB of memory.
Again, I believe that the root is digging out what is going on exactly with svchost.exe. I'm assuming that this process is some sort of a container process for services of some sort.
The article says it applies to XP Pro. Are you running Home?
ASKER
Yes, it is Home. I'll grab a copy off of a Pro box.
With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections and invalid entries as normal, but I can certainly check it again and post my result.
Give me a few minutes and I'll be back.
Is there a reason you are not going to try Process Explorer?
I would agree with leew. ProcessExplorer will give you a detailed description of all the images (files) being used by each instance of svchost.exe. I have ProcessExplorer as a part of my standard "toolbox." It can also be used to monitor network connections in a far more user-friendly manner than netstat. VERY useful tool.
>>With regards to HJT, I've already run that previously and scrubbed down what appeared to be infections<<
Can you also please show us those entries that you already removed? It will help us. You can get it from the backup that HijackThis keeps, thanks.
A clean HijackThis log won't be helpful to us.
Bad entries once removed will no longer show up in the scan unless it's one of those persistent and stubborn malware.
ASKER
Alright, I pulled the results of that unit on over and I'll paste it below. First will be the `tasklist /svc` result. Next will be the HJT result.
`tasklist /svc` output:
```
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       624 N/A
csrss.exe                      672 N/A
winlogon.exe                   696 N/A
services.exe                   740 Eventlog, PlugPlay
lsass.exe                      752 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                    964 RpcSs
MsMpEng.exe                   1052 WinDefend
svchost.exe                   1096 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv
svchost.exe                   1208 Dnscache
svchost.exe                   1260 LmHosts, SSDPSRV, WebClient
explorer.exe                  1428 N/A
LEXBCES.EXE                   1464 LexBceS
spoolsv.exe                   1504 Spooler
LEXPPS.EXE                    1540 N/A
Nhksrv.exe                    1648 Nhksrv
guard.exe                     1664 AVG Anti-Spyware Guard
avgamsvr.exe                  1676 Avg7Alrt
avgupsvc.exe                  1748 Avg7UpdSvc
FrameworkService.exe          1820 McAfeeFramework
MDM.EXE                       1892 MDM
svchost.exe                    184 stisvc
naPrdMgr.exe                   508 N/A
DellMMKb.exe                   584 N/A
LXSUPMON.EXE                   320 N/A
iTunesHelper.exe               604 N/A
MSASCui.exe                    612 N/A
avgcc.exe                      588 N/A
avgas.exe                      644 N/A
PicasaMediaDetector.exe        648 N/A
ctfmon.exe                     652 N/A
OSD.exe                        856 N/A
AIRPLUS.EXE                   2508 N/A
iPodService.exe               2520 iPod Service
alg.exe                       2580 ALG
wuauclt.exe                    440 N/A
taskmgr.exe                   2892 N/A
UpdaterUI.exe                 3648 N/A
cmd.exe                       3720 N/A
tasklist.exe                  3964 N/A
wmiprvse.exe                  2928 N/A
```
HijackThis Output:
Logfile of HijackThis v1.99.1
Scan saved at 9:21:38 PM, on 4/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\cmd.exe
\192.168.0.3\gplymale\Repair\Repair USB\Repair CD\HijackThis\alternativ.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu5\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: D-Link AirPlus Utility.lnk = ?
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174342726421
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
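Added example, not part of the original thread: a parser for `tasklist /svc` table output that folds the wrapped continuation lines back into their row and maps each svchost.exe PID to the services it hosts. The sample table is constructed in the same layout, and the function names are illustrative.

```python
import re

# Constructed sample in the layout `tasklist /svc` prints: fixed-width image
# and PID columns under a ===== ruler, with long service lists wrapped onto
# indented continuation lines. Values are illustrative.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                   740 Eventlog, PlugPlay
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                   1096 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   EventSystem, Schedule, wuauserv
svchost.exe                   1208 Dnscache
explorer.exe                  1428 N/A
iPodService.exe               2520 iPod Service
"""


def _split_services(field):
    """Split a comma-separated services field; 'N/A' means no services."""
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return one dict per process: {'image', 'pid', 'services'}."""
    lines = text.splitlines()
    ruler = next((l for l in lines if l.startswith("=====")), None)
    if ruler is None:
        raise ValueError("no ===== ruler line; not tasklist table output")
    spans = [m.span() for m in re.finditer(r"=+", ruler)]
    if len(spans) != 3:
        raise ValueError("expected three columns (use tasklist /svc)")
    svc_start = spans[2][0]  # column where the Services field begins

    rows = []
    for line in lines[lines.index(ruler) + 1:]:
        if not line.strip():
            continue
        left, right = line[:svc_start], line[svc_start:]
        if not left.strip():
            # Wrapped continuation of the previous row's service list.
            if not rows:
                raise ValueError("continuation line before any process row")
            rows[-1]["services"].extend(_split_services(right))
            continue
        # Image names may contain spaces, so split the PID off the right.
        image, pid = left.rsplit(None, 1)
        rows.append({"image": image.strip(), "pid": int(pid),
                     "services": _split_services(right)})
    return rows


def svchost_services(rows):
    """Map each svchost.exe PID to the services it hosts."""
    return {r["pid"]: r["services"] for r in rows
            if r["image"].lower() == "svchost.exe"}


def hosts_of(rows, service):
    """PIDs hosting `service` (service names compared case-insensitively)."""
    want = service.lower()
    return [r["pid"] for r in rows
            if want in (s.lower() for s in r["services"])]


if __name__ == "__main__":
    for pid, services in svchost_services(parse_tasklist_svc(SAMPLE)).items():
        print(pid, ", ".join(services))
```

The PID is what ties a CPU-heavy svchost.exe instance seen in Task Manager or Process Explorer back to a short list of candidate services.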
Thanks for the log. Sorry, nothing stood out there. Is it possible for us to see those bad entries that you removed? Thanks.
ASKER
No, sorry, those were removed some time ago and this unit is one that returned for a modem repair, but I noticed those pauses were still existent and driving me nuts, so I'm trying to figure out what might be going on. I've only seen an issue like this once before in the last several years and it took a reinstallation (i.e., not a repair installation) to resolve the issue... So I'm worried as to what could be causing this pause.
I really wish Windows had better diagnostic tools that could isolate pauses like this. Are there any other deeper tools that pick up unresponsive apps and services as such that I'm overlooking?
Oh look - that article says to use process explorer - mentioned much earlier in your question... again... is there ANY reason you are ignoring my posts?
ASKER
I apologize leew, I had already used that long ago. I did check it again at your behest and did find another item, however this was not the issue, but useful nonetheless so thanks.
It appears that the article referred to by r-k was the key in terms of a resolution even though the proc hanging was hard to isolate (read, I did not find it with process explorer again as it is acting very erratic, however after applying the hotfix things seem to have reached normalcy).
So I was right in my very first post all along, that this was caused by Windows auto-update software.
If you'd turned off autoupdates you would have found out that that was the one causing it.
"So I was right in my very first post all along"
Yes, rpggamergirl, you are correct once again. We may only ignore your comments at our own peril :)