100% CPU being used, looks like culprit svchost.exe, please review HJT log

I am having a very very severe problem with a client's computer. He came in one day to use it and it started running very slowly. The newest version of McAfee AV/firewall, installed and nothing showing up in those logs as being removed or problematic. I thought it might just be junk so I used Spybot SD to remove some junk startup items. Still the same problem--when restarting, or any time running the computer svchost.exe dominates the CPU and takes it up to 100%. I was able to get it to go down a couple of times by ending (just trying to see which one was doing it) and then it spikes right back up. Now I can't get it to go back down whatsoever. I REALLY need to have this up and running by the end of the day today. I have done Spybot scans and all I get are cookies, nothing severe. I did another full scan of McAfee AV and didn't turn up anything new. I am currently running Panda Scan online version to see if there is anything else that I can do.

I understand that a Malicious process may be running under svchost.exe, but I don't know which one it is. I hope that this is a pretty easy fix--reformatting is not really an option, by the way, because I know that would be pretty easy otherwise.

Here is a Hijack This log that I just ran:
Logfile of HijackThis v1.99.1
Scan saved at 8:47:22 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\Schedupd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0243601202505172) (0243601202505172mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NORMEC~1\LOCALS~1\Temp\024360~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe


Thanks in advance for all of your expedient help!
lanehartAsked:
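A triage pass over a HijackThis log like the one in the question, as an added example that is not part of the original thread: it flags entries whose target file is missing, that run from a Temp directory, or that are services with no company name. The `triage` function and its three rules are assumptions chosen for illustration, and a flag is a prompt to look closer, not a verdict.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: McAfee Application Installer Cleanup (0243601202505172) (0243601202505172mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NORMEC~1\LOCALS~1\Temp\024360~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
"""

# A HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Any path component named Temp or Tmp, including 8.3 paths such as LOCALS~1\Temp.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
MISSING = " (file missing)"


def triage(log_text):
    """Return (section, reason, target) tuples for entries worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # header lines and the running-process list are skipped
        section, body = match.group("section"), match.group("body")

        # The file or URL an entry points at is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1]
        reasons = []

        if target.endswith(MISSING):
            target = target[: -len(MISSING)]
            reasons.append("target file missing")

        if TEMP_DIR.search(target):
            reasons.append("runs from a Temp directory")

        if section == "O23":
            # O23 layout: "Service: <name> - <company> - <path>"
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1].strip().lower() == "unknown owner":
                reasons.append("service has no company name")

        findings.extend((section, reason, target) for reason in reasons)
    return findings


if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:30} {target}")
```
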

lamaslanyCommented:
Try disabling Automatic Updates and reboot.  See if the problem persists.

Have you tried ProcExp?  This is a free SysInternals utility from Microsoft that might give you more info on what is running in the svchost.exe that is consuming the CPU cycles.

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
0

lanehartAuthor Commented:
Why would Automatic Updates be causing this? There is no yellow shield in the tray area. Please advise ASAP.

Thanks.
0
lanehartAuthor Commented:
I have ProcExp. Is there a way to export that log to post here?
0

lamaslanyCommented:
In the past Automatic Updates has had problems when scanning the local system to see what updates might be needed - the presence of Office was a contributory factor I believe.  This was supposedly fixed several times with various hotfixes/patches but I've no idea whether those updates have been installed on the system.  If you disable AU and reboot you can rule this out pretty quickly.

PS:  You will not see a yellow shield until it has finished looking to see if updates are needed and then only if updates are required.
0
lanehartAuthor Commented:
Okay, for my info, what is the name of the process that does the updates? I believe that it is up to date. It has SP2 XPP and all updates are current. They are now set to download at 3 AM each morning. I am not on location anymore, but I will remote into the machine and restart and then let you know right away if that does the trick. What else do you suggest if that does not work?
0
lamaslanyCommented:
I confess I cannot be sure but I believe that ProcExp is more for real-time monitoring rather than logging.

Is there no instance of svchost.exe that jumps out at you by using high CPU cycles?

If you move your mouse over the 'svchost.exe' consuming all your cycles a tool-tip should appear telling you which services are running within it.
0
lanehartAuthor Commented:
There is an instance--I will get back with you in a few minutes after I am able to do the restart and rule out automatic updates. Do you know why this would have just happened overnight? There were no programs opened, no bad emails, nothing. He doesn't even browse the web--just Outlook, Quicken and Word.
0
lamaslanyCommented:
Stop "Automatic Updates": net stop "Automatic Updates"
Set "Automatic Updates" to disabled: sc config "wuauserv" start= disabled

Alternatively you can make the changes through the Services snap-in.  
0
lamaslanyCommented:
No new software installed recently?

Does the user suspend/hibernate the computer or do they always choose shutdown?  Had the computer restarted overnight following a patch installation?
0
lanehartAuthor Commented:
The computer has not been restarted--in fact it almost never gets shut off. It's actually an Inspiron 300m laptop in a docking station. The only time he turns it off is when he undocks and takes it between his two houses and then he gets there and places it in the other dock.

Here's something else very odd--a new printer showed up yesterday and it was an "automatic" network printer on another computer. It set itself as default. I changed it back to the regular default and this new printer that doesn't really exist keeps taking over as default.
0
lamaslanyCommented:
"The computer has not been restarted--in fact it almost never gets shut off... ...The only time he turns it off is when he undocks and takes it between his two houses and then he gets there and places it in the other dock."
And the laptop is left on overnight in the docking station?

Does it get put into stand-by, hibernate or shut down when he moves it?  For example the laptop I am working on rarely gets shut down but is put into stand-by regularly as I move it between work and home.


The laptop automatically installed itself without the user or an administrator telling it to??  What is the make and model of the printer that appeared?
0
lamaslanyCommented:
Sorry that last bit should have read:

The laptop automatically installed ^a printer^ without the user or an administrator telling it to??  What is the make and model of the printer that appeared?
0
lanehartAuthor Commented:
The laptop actually gets turned off and then taken out of the docking station. It is not put on Standby when it is taken out. The printer is an HP Officejet 5600.
0
lamaslanyCommented:
Looking at the laptop what port does the HP Officejet 5600 try to use?  Does it use a local port?  (USB; DOT4; TCP/IP)
0
lanehartAuthor Commented:
Okay, that did not make any difference, Auto Updates I mean. Here is a log on Process Explorer under svchost.exe:

--

0
lanehartAuthor Commented:
Sorry wrong log! hold on just a second.
0
lanehartAuthor Commented:
Here is the Proc Exp list for svchost.exe

Description:      Generic Host Process for Win32 Services
Company:      Microsoft Corporation
Name:      svchost.exe
Version:      5.01.2600.2180
Path:      C:\WINDOWS\system32\svchost.exe
Command Line:      C:\WINDOWS\system32\svchost -k rpcss
PID:      1232
Parent PID:      1004
Session ID:      0
User:      NT AUTHORITY\NETWORK SERVICE
Auth ID:      00000000:000003e4
Architecture:      32-bit
Virtualized:      n/a
Integrity:      n/a
Started:      2/9/2008 9:51:25 AM
Ended:      (Running)
Modules:
svchost.exe      0x1000000      0x6000      C:\WINDOWS\system32\svchost.exe
rsaenh.dll      0xFFD0000      0x28000      C:\WINDOWS\system32\rsaenh.dll
xpsp2res.dll      0x20000000      0x2C5000      C:\WINDOWS\system32\xpsp2res.dll
UxTheme.dll      0x5AD70000      0x38000      C:\WINDOWS\system32\UxTheme.dll
NETAPI32.dll      0x5B860000      0x54000      C:\WINDOWS\system32\NETAPI32.dll
ShimEng.dll      0x5CB70000      0x26000      C:\WINDOWS\system32\ShimEng.dll
comctl32.dll      0x5D090000      0x9A000      C:\WINDOWS\system32\comctl32.dll
hnetcfg.dll      0x662B0000      0x58000      C:\WINDOWS\system32\hnetcfg.dll
AcGenral.DLL      0x6F880000      0x1CA000      C:\WINDOWS\AppPatch\AcGenral.DLL
mswsock.dll      0x71A50000      0x3F000      C:\WINDOWS\system32\mswsock.dll
wshtcpip.dll      0x71A90000      0x8000      C:\WINDOWS\System32\wshtcpip.dll
WS2HELP.dll      0x71AA0000      0x8000      c:\windows\system32\WS2HELP.dll
WS2_32.dll      0x71AB0000      0x17000      c:\windows\system32\WS2_32.dll
WINSTA.dll      0x76360000      0x10000      C:\WINDOWS\system32\WINSTA.dll
IMM32.DLL      0x76390000      0x1D000      C:\WINDOWS\system32\IMM32.DLL
USERENV.dll      0x769C0000      0xB3000      C:\WINDOWS\system32\USERENV.dll
rpcss.dll      0x76A80000      0x63000      c:\windows\system32\rpcss.dll
WINMM.dll      0x76B40000      0x2D000      C:\WINDOWS\system32\WINMM.dll
iphlpapi.dll      0x76D60000      0x19000      C:\WINDOWS\system32\iphlpapi.dll
DNSAPI.dll      0x76F20000      0x27000      C:\WINDOWS\system32\DNSAPI.dll
WTSAPI32.dll      0x76F50000      0x8000      C:\WINDOWS\system32\WTSAPI32.dll
WLDAP32.dll      0x76F60000      0x2C000      C:\WINDOWS\system32\WLDAP32.dll
winrnr.dll      0x76FB0000      0x8000      C:\WINDOWS\System32\winrnr.dll
rasadhlp.dll      0x76FC0000      0x6000      C:\WINDOWS\system32\rasadhlp.dll
CLBCATQ.DLL      0x76FD0000      0x7F000      C:\WINDOWS\system32\CLBCATQ.DLL
COMRes.dll      0x77050000      0xC5000      C:\WINDOWS\system32\COMRes.dll
OLEAUT32.dll      0x77120000      0x8B000      C:\WINDOWS\system32\OLEAUT32.dll
comctl32.dll      0x773D0000      0x103000      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
ole32.dll      0x774E0000      0x13D000      C:\WINDOWS\system32\ole32.dll
MSACM32.dll      0x77BE0000      0x15000      C:\WINDOWS\system32\MSACM32.dll
VERSION.dll      0x77C00000      0x8000      C:\WINDOWS\system32\VERSION.dll
msvcrt.dll      0x77C10000      0x58000      C:\WINDOWS\system32\msvcrt.dll
ADVAPI32.dll      0x77DD0000      0x9B000      C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll      0x77E70000      0x91000      C:\WINDOWS\system32\RPCRT4.dll
GDI32.dll      0x77F10000      0x47000      C:\WINDOWS\system32\GDI32.dll
SHLWAPI.dll      0x77F60000      0x76000      C:\WINDOWS\system32\SHLWAPI.dll
Secur32.dll      0x77FE0000      0x11000      c:\windows\system32\Secur32.dll
kernel32.dll      0x7C800000      0xF5000      C:\WINDOWS\system32\kernel32.dll
ntdll.dll      0x7C900000      0xB0000      C:\WINDOWS\system32\ntdll.dll
SHELL32.dll      0x7C9C0000      0x817000      C:\WINDOWS\system32\SHELL32.dll
msi.dll      0x7D1E0000      0x2BE000      C:\WINDOWS\system32\msi.dll
USER32.dll      0x7E410000      0x90000      C:\WINDOWS\system32\USER32.dll
0
lanehartAuthor Commented:
Is that a high number of DLLs to be running under that process? I tried the other instances of SVCHOST.exe but they are all showing the same, so there must just be one.

It seems to be taking up the most memory of everything in Task Manager, so it looks like it must be something inside it. Sorry to be such a pain--just really want to get this taken care of.

I am getting ready to run out to a meeting for a couple of hours. I will keep apprised as to the posts on my Blackberry while I'm out and try to respond appropriately. Thanks again for your quick help!!
0
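One way to review a Process Explorer listing like the one posted above is by where each module loads from rather than by how many there are. This is an added example, not part of the original thread: `review_process`, the trusted-directory list and the extra `example.dll` line are assumptions for illustration, and the paths assume Windows is installed in `C:\WINDOWS` as on this machine.

```python
import re

# Directories a svchost.exe module is expected to load from (assumed baseline).
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\winsxs\\",
    "c:\\windows\\apppatch\\",
)
# A process named svchost.exe should be this image and no other.
EXPECTED_IMAGE = "c:\\windows\\system32\\svchost.exe"

# Lines copied from the Process Explorer output posted in the thread.
PAGE_DUMP = r"""
Path:      C:\WINDOWS\system32\svchost.exe
Command Line:      C:\WINDOWS\system32\svchost -k rpcss
PID:      1232
Modules:
svchost.exe      0x1000000      0x6000      C:\WINDOWS\system32\svchost.exe
AcGenral.DLL      0x6F880000      0x1CA000      C:\WINDOWS\AppPatch\AcGenral.DLL
comctl32.dll      0x773D0000      0x103000      C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
rpcss.dll      0x76A80000      0x63000      c:\windows\system32\rpcss.dll
"""
# Constructed line (not from the thread) showing what an outlier looks like.
CONSTRUCTED_LINE = (
    r"example.dll      0x10000000      0x5000      "
    r"C:\Documents and Settings\user\Local Settings\Temp\example.dll" + "\n"
)

# Columns are separated by a tab or by runs of spaces; paths use single spaces.
FIELD_SEP = re.compile(r"\s{2,}|\t")


def review_process(dump):
    """Summarise one process: image path check, -k group, modules off the baseline."""
    result = {"image_ok": False, "group": None, "modules": 0, "outside": []}
    in_modules = False
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Modules:":
            in_modules = True
            continue
        if not in_modules:
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "Path":
                result["image_ok"] = value.lower() == EXPECTED_IMAGE
            elif key == "Command Line":
                # "-k <group>" names the service group hosted by this instance.
                group = re.search(r"\s-k\s+(\S+)", value)
                if group:
                    result["group"] = group.group(1)
            continue
        fields = FIELD_SEP.split(line)
        if len(fields) != 4:
            continue  # not a "name base size path" row
        name, _base, _size, path = fields
        result["modules"] += 1
        if not path.lower().startswith(TRUSTED_ROOTS):
            result["outside"].append((name, path))
    return result


if __name__ == "__main__":
    print(review_process(PAGE_DUMP))
    print(review_process(PAGE_DUMP + CONSTRUCTED_LINE)["outside"])
```
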
lanehartAuthor Commented:
Very sorry Vee_Mod. Can you please leave these on here since I am already working with someone who seems competent? In the future I will utilize that feature; I was previously unaware that it existed. Thanks.
0
lamaslanyCommented:
I'm happy to follow the question if it moves zones.

@lanehart:  the more eyes the better - I'm not an expert when it comes to HJ logs (although nothing jumps out at me so far)
0
lanehartAuthor Commented:
Okay, I am back from the meeting now and ready to get back in to this.
0
orangutangCommented:
Also, in Process Explorer, double-click "explorer.exe", click the "Services" tab, and list the services here.
0
DebugNTCommented:
To dig in and figure out what is going on, you could use the Sysinternals tool to its full intention.
1. Install the debugging tools from windows.
      http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
2. Make a new folder called c:\websymbols
3. Start Process Explorer / Options / Configure Symbols
      dbghelp.dll Path and browse to
            C:\Program Files\Debugging Tools for Windows\dbghelp.dll
      Symbol Path and paste in
            srv*c:\websymbols*http://msdl.microsoft.com/download/symbols

4. Double Click on the svchost.exe experiencing the problem.
5. Click on the Threads Tab
6. Watch this Screen for the line that has High CPU
7. Double Click on Line and view the 'Stack for thread #' Window
8. Hold down shift key and click on the largest number (expand the window if you have to)
9. Click copy
10. Paste the results into this thread and the %CPU it was taking.
0
lanehartAuthor Commented:
I have attached a file of the Explorer.exe processes. I will post back in a couple of minutes with the last expert's suggestion. Very oddly, after walking away for a few hours the CPU time is back under control. How could this be explained? Please stay tuned and let me know what the possible cause could be. Thanks again
procexp.txt
0
orangutangCommented:
Oops, I meant to say "svchost.exe":
Also, in Process Explorer, double-click the "svchost.exe" that's using up the most CPU, click the "Services" tab, and list the services here.
0
johnb6767Commented:
And once you double click SVCHOST.EXE, there will be another module using the CPU... Double click that one and paste the call stack here......
0
lanehartAuthor Commented:
Okay guys...I have been thinking about this for several days. The problem is now solved, unfortunately I don't know exactly which fix solved it. Perhaps, even, there were multiple fixes that solved it! It may have had something to do with reinstalling McAfee...but again I am not sure.
0
Brew_CityCommented:
This is my first post since joining a few days ago.
I solved my issue using a lot of the steps provided here and one additional, so I figured I would pass on.

Issue:
svchost.exe spikes the CPU to 100% every time I open Disk Management.  The screen will say "connecting to logical disk manager", but never does anything.

Resolution:
I downloaded the Process Explorer app mentioned above and ran it while I tried to access Disk Management.  I clicked on the svchost.exe that was causing the spike so it would list the services it was running.  Logical Disk Manager [dmserver] was part of this process tree, so I made the conclusion it was causing my problem.  Next I opened a command prompt, ran sfc /scannow and inserted Server 2003 R2.  It ran through, replaced 4 .dlls and my server has been working fine since.
0