lanehart
100% CPU being used, looks like culprit svchost.exe, please review HJT log
I am having a very very severe problem with a client's computer. He came in one day to use it and it started running very slowly. The newest version of McAfee AV/firewall is installed, and nothing shows up in those logs as being removed or problematic. I thought it might just be junk so I used Spybot SD to remove some junk startup items. Still the same problem--when restarting, or any time the computer is running, svchost.exe dominates the CPU and takes it up to 100%. I was able to get it to go down a couple of times by ending it (just trying to see which one was doing it) and then it spikes right back up. Now I can't get it to go back down whatsoever. I REALLY need to have this up and running by the end of the day today. I have done Spybot scans and all I get are cookies, nothing severe. I did another full scan with McAfee AV and it didn't turn up anything new. I am currently running the Panda Scan online version to see if there is anything else that I can do.
I understand that a Malicious process may be running under svchost.exe, but I don't know which one it is. I hope that this is a pretty easy fix--reformatting is not really an option, by the way, because I know that would be pretty easy otherwise.
Here is a Hijack This log that I just ran:
Logfile of HijackThis v1.99.1
Scan saved at 8:47:22 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\Schedupd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0243601202505172) (0243601202505172mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NORMEC~1\LOCALS~1\Temp\024360~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
Thanks in advance for all of your expedient help!
ASKER
I have ProcExp. Is there a way to export that log to post here?
In the past Automatic Updates has had problems when scanning the local system to see what updates might be needed - the presence of Office was a contributory factor I believe. This was supposedly fixed several times with various hotfixes/patches but I've no idea whether those updates have been installed on the system. If you disable AU and reboot you can rule this out pretty quickly.
PS: You will not see a yellow shield until it has finished looking to see if updates are needed, and then only if updates are required.
ASKER
Okay, for my info, what is the name of the process that does the updates? I believe that it is up to date. It has SP2 XPP and all updates are current. They are now set to download at 3 AM each morning. I am not on location anymore, but I will remote into the machine and restart and then let you know right away if that does the trick. What else do you suggest if that does not work?
I confess I cannot be sure but I believe that ProcExp is more for real-time monitoring rather than logging.
Is there no instance of svchost.exe that jumps out at you by using high CPU cycles?
If you move your mouse over the 'svchost.exe' consuming all your cycles a tool-tip should appear telling you which services are running within it.
ASKER
There is an instance--I will get back with you in a few minutes after I am able to do the restart and rule out automatic updates. Do you know why this would have just happened overnight? There were no programs opened, no bad emails, nothing. He doesn't even browse the web--just Outlook, Quicken and Word.
Stop "Automatic Updates": net stop "Automatic Updates"
Set "Automatic Updates" to disabled: sc config "wuauserv" start= disabled
Alternatively you can make the changes through the Services snap-in.
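The two replies above describe the manual version of this: hover over the hot svchost.exe in Process Explorer to see which services it hosts, then stop a suspect service and watch the CPU. The script below is an added example, not code posted by anyone in this thread. It does the same triage offline over a process listing: it maps each svchost.exe PID to its hosted services from `tasklist /svc` output (available on XP Professional, which the asker says this is), so the analyst knows which `net stop` to try next, and it flags the things a look-alike or hijacked svchost gets wrong: an image path outside system32, a parent other than services.exe, a missing or unknown `-k` group, or the wrong account for that group. The listings it runs on are constructed for this example (services.exe as PID 1004 and the `-k rpcss` instance under NETWORK SERVICE mirror the Process Explorer output in this thread); the group-to-account table is from memory of the XP SP2 Svchost registry key and should be confirmed on the host.

```python
"""svchost.exe triage for a Windows XP process listing. Added example, not
code from the thread; the sample listings at the bottom are constructed."""
import re
from dataclasses import dataclass

# XP SP2 svchost groups and the account each normally runs as. Assumption:
# from memory of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
EXPECTED_ACCOUNT = {
    "dcomlaunch": r"NT AUTHORITY\SYSTEM",
    "rpcss": r"NT AUTHORITY\NETWORK SERVICE",
    "netsvcs": r"NT AUTHORITY\SYSTEM",
    "networkservice": r"NT AUTHORITY\NETWORK SERVICE",
    "localservice": r"NT AUTHORITY\LOCAL SERVICE",
    "imgsvc": r"NT AUTHORITY\SYSTEM",
}
LEGIT_PATH = r"c:\windows\system32\svchost.exe"


@dataclass
class Proc:                 # one row of the Process Explorer process view
    pid: int
    ppid: int
    image: str
    path: str
    cmdline: str
    user: str
    cpu: float              # CPU percent at capture time


def parse_tasklist_svc(text):
    """{pid: [services]} from `tasklist /svc`. Wrapped service lists come as
    indented continuation lines; 'N/A' means the process hosts no service."""
    svc, last = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and last is not None and line.strip():
            svc[last].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", line)
        if not m:
            last = None     # header, separator, blank or non-.exe image
            continue
        names = [s.strip() for s in m.group(3).split(",") if s.strip()]
        last = int(m.group(2))
        svc[last] = [] if names == ["N/A"] else names
    return svc


def triage_svchost(procs, svc_map, cpu_threshold=50.0):
    """[(pid, finding)] for each svchost.exe that fails a check or is hot."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        if p.image.lower() != "svchost.exe":
            continue
        if p.path.lower() != LEGIT_PATH:            # look-alike outside system32
            out.append((p.pid, f"image path is {p.path}, not {LEGIT_PATH}"))
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != "services.exe":
            pname = parent.image if parent else "unknown"
            out.append((p.pid, f"parent is {pname} (pid {p.ppid}), not services.exe"))
        m = re.search(r"-k\s+(\S+)", p.cmdline, re.IGNORECASE)
        group = m.group(1).lower() if m else None
        if group is None:
            out.append((p.pid, "no -k group on the command line"))
        elif group not in EXPECTED_ACCOUNT:
            out.append((p.pid, f"unknown svchost group {group}"))
        elif p.user.upper() != EXPECTED_ACCOUNT[group].upper():
            out.append((p.pid, f"group {group} runs as {p.user}, expected {EXPECTED_ACCOUNT[group]}"))
        if p.cpu >= cpu_threshold:                  # the symptom in this thread
            hosted = ", ".join(svc_map.get(p.pid, [])) or "none listed"
            out.append((p.pid, f"{p.cpu:.0f}% CPU; stop these one at a time: {hosted}"))
    return out


# Constructed sample input; not captured from the asker's machine.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
services.exe                  1004 Eventlog, PlugPlay
svchost.exe                   1232 RpcSs
svchost.exe                   1300 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,
                                   Schedule, SENS, wuauserv
svchost.exe                   1944 N/A
"""
SAMPLE_PROCS = [
    Proc(1004, 672, "services.exe", r"C:\WINDOWS\system32\services.exe",
         r"C:\WINDOWS\system32\services.exe", r"NT AUTHORITY\SYSTEM", 0.0),
    Proc(1232, 1004, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
         r"C:\WINDOWS\system32\svchost -k rpcss", r"NT AUTHORITY\NETWORK SERVICE", 1.0),
    Proc(1300, 1004, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
         r"C:\WINDOWS\system32\svchost -k netsvcs", r"NT AUTHORITY\SYSTEM", 99.0),
    Proc(1944, 1560, "svchost.exe", r"C:\WINDOWS\system32\drivers\svchost.exe",  # look-alike
         r"C:\WINDOWS\system32\drivers\svchost.exe -k netsvcs", r"LAPTOP\owner", 0.0),
]


def run_sample():
    return triage_svchost(SAMPLE_PROCS, parse_tasklist_svc(SAMPLE_TASKLIST))
```

An instance that passes every check but still burns the CPU, which is the situation in this thread, gets a finding that lists its hosted services; stopping those one at a time with `net stop <name>` while watching the CPU column isolates the offender without killing the whole host process, which for the rpcss or DcomLaunch groups takes the rest of the system down with it. The look-alike in the sample is caught three ways at once (path, parent, account), which is the usual pattern for a dropped binary named svchost.exe.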
No new software installed recently?
Does the user suspend/hibernate the computer or do they always choose shutdown? Had the computer restarted overnight following a patch installation?
ASKER
The computer has not been restarted--in fact it almost never gets shut off. It's actually an Inspiron 300m laptop in a docking station. The only time he turns it off is when he undocks and takes it between his two houses and then he gets there and places it in the other dock.
Here's something else very odd--a new printer showed up yesterday and it was an "automatic" network printer on another computer. It set itself as default. I changed it back to the regular default and this new printer that doesn't really exist keeps taking over as default.
"The computer has not been restarted--in fact it almost never gets shut off... ...The only time he turns it off is when he undocks and takes it between his two houses and then he gets there and places it in the other dock."
And the laptop is left on overnight in the docking station?
Does it get put into stand-by, hibernate or shut down when he moves it? For example the laptop I am working on rarely gets shut down but is put into stand-by regularly as I move it between work and home.
The laptop automatically installed itself without the user or an administrator telling it to?? What is the make and model of the printer that appeared?
Sorry that last bit should have read:
The laptop automatically installed ^a printer^ without the user or an administrator telling it to?? What is the make and model of the printer that appeared?
ASKER
The laptop actually gets turned off and then taken out of the docking station. It is not put on Standby when it is taken out. The printer is an HP Officejet 5600.
Looking at the laptop what port does the HP Officejet 5600 try to use? Does it use a local port? (USB; DOT4; TCP/IP)
ASKER
Okay, that did not make any difference, Auto Updates I mean. Here is a log on Process Explorer under svchost.exe:
--
Logfile of HijackThis v1.99.1
Scan saved at 8:47:22 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\Schedupd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Application Installer Cleanup (0243601202505172) (0243601202505172mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\NORMEC~1\LOCALS~1\Temp\024360~1.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
--
ASKER
Sorry wrong log! hold on just a second.
ASKER
Here is the Proc Exp list for svchost.exe
Description: Generic Host Process for Win32 Services
Company: Microsoft Corporation
Name: svchost.exe
Version: 5.01.2600.2180
Path: C:\WINDOWS\system32\svchost.exe
Command Line: C:\WINDOWS\system32\svchost -k rpcss
PID: 1232
Parent PID: 1004
Session ID: 0
User: NT AUTHORITY\NETWORK SERVICE
Auth ID: 00000000:000003e4
Architecture: 32-bit
Virtualized: n/a
Integrity: n/a
Started: 2/9/2008 9:51:25 AM
Ended: (Running)
Modules:
svchost.exe 0x1000000 0x6000 C:\WINDOWS\system32\svchost.exe
rsaenh.dll 0xFFD0000 0x28000 C:\WINDOWS\system32\rsaenh.dll
xpsp2res.dll 0x20000000 0x2C5000 C:\WINDOWS\system32\xpsp2res.dll
UxTheme.dll 0x5AD70000 0x38000 C:\WINDOWS\system32\UxTheme.dll
NETAPI32.dll 0x5B860000 0x54000 C:\WINDOWS\system32\NETAPI32.dll
ShimEng.dll 0x5CB70000 0x26000 C:\WINDOWS\system32\ShimEng.dll
comctl32.dll 0x5D090000 0x9A000 C:\WINDOWS\system32\comctl32.dll
hnetcfg.dll 0x662B0000 0x58000 C:\WINDOWS\system32\hnetcfg.dll
AcGenral.DLL 0x6F880000 0x1CA000 C:\WINDOWS\AppPatch\AcGenral.DLL
mswsock.dll 0x71A50000 0x3F000 C:\WINDOWS\system32\mswsock.dll
wshtcpip.dll 0x71A90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
WS2HELP.dll 0x71AA0000 0x8000 c:\windows\system32\WS2HELP.dll
WS2_32.dll 0x71AB0000 0x17000 c:\windows\system32\WS2_32.dll
WINSTA.dll 0x76360000 0x10000 C:\WINDOWS\system32\WINSTA.dll
IMM32.DLL 0x76390000 0x1D000 C:\WINDOWS\system32\IMM32.DLL
USERENV.dll 0x769C0000 0xB3000 C:\WINDOWS\system32\USERENV.dll
rpcss.dll 0x76A80000 0x63000 c:\windows\system32\rpcss.dll
WINMM.dll 0x76B40000 0x2D000 C:\WINDOWS\system32\WINMM.dll
iphlpapi.dll 0x76D60000 0x19000 C:\WINDOWS\system32\iphlpapi.dll
DNSAPI.dll 0x76F20000 0x27000 C:\WINDOWS\system32\DNSAPI.dll
WTSAPI32.dll 0x76F50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
WLDAP32.dll 0x76F60000 0x2C000 C:\WINDOWS\system32\WLDAP32.dll
winrnr.dll 0x76FB0000 0x8000 C:\WINDOWS\System32\winrnr.dll
rasadhlp.dll 0x76FC0000 0x6000 C:\WINDOWS\system32\rasadhlp.dll
CLBCATQ.DLL 0x76FD0000 0x7F000 C:\WINDOWS\system32\CLBCATQ.DLL
COMRes.dll 0x77050000 0xC5000 C:\WINDOWS\system32\COMRes.dll
OLEAUT32.dll 0x77120000 0x8B000 C:\WINDOWS\system32\OLEAUT32.dll
comctl32.dll 0x773D0000 0x103000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
ole32.dll 0x774E0000 0x13D000 C:\WINDOWS\system32\ole32.dll
MSACM32.dll 0x77BE0000 0x15000 C:\WINDOWS\system32\MSACM32.dll
VERSION.dll 0x77C00000 0x8000 C:\WINDOWS\system32\VERSION.dll
msvcrt.dll 0x77C10000 0x58000 C:\WINDOWS\system32\msvcrt.dll
ADVAPI32.dll 0x77DD0000 0x9B000 C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll 0x77E70000 0x91000 C:\WINDOWS\system32\RPCRT4.dll
GDI32.dll 0x77F10000 0x47000 C:\WINDOWS\system32\GDI32.dll
SHLWAPI.dll 0x77F60000 0x76000 C:\WINDOWS\system32\SHLWAPI.dll
Secur32.dll 0x77FE0000 0x11000 c:\windows\system32\Secur32.dll
kernel32.dll 0x7C800000 0xF5000 C:\WINDOWS\system32\kernel32.dll
ntdll.dll 0x7C900000 0xB0000 C:\WINDOWS\system32\ntdll.dll
SHELL32.dll 0x7C9C0000 0x817000 C:\WINDOWS\system32\SHELL32.dll
msi.dll 0x7D1E0000 0x2BE000 C:\WINDOWS\system32\msi.dll
USER32.dll 0x7E410000 0x90000 C:\WINDOWS\system32\USER32.dll
ASKER
Is that a high number of DLLs to be running under that process? I tried the other instances of SVCHOST.exe but they are all showing the same, so there must just be one.
It seems to be taking up the most memory of everything in Task Manager, so it looks like it must be something inside it. Sorry to be such a pain--just really want to get this taken care of.
I am getting ready to run out to a meeting for a couple of hours. I will keep apprised as to the posts on my Blackberry while I'm out and try to respond appropriately. Thanks again for your quick help!!
ASKER
Very sorry Vee_Mod. Can you please leave these on here since I am already working with someone who seems competent? In the future I will utilize that feature; I was previously unaware that it existed. Thanks.
I'm happy to follow the question if it moves zones.
@lanehart: the more eyes the better - I'm not an expert when it comes to HJ logs (although nothing jumps out at me so far)
ASKER
Okay, I am back from the meeting now and ready to get back in to this.
Also, in Process Explorer, double-click "explorer.exe", click the "Services" tab, and list the services here.
To dig in and figure out what is going on, you could use the Sysinternals tool to its full intention.
1. Install the Debugging Tools for Windows.
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
2. Make a new folder called c:\websymbols
3. Start Process Explorer / Options / Configure Symbols
dbghelp.dll Path and browse to
C:\Program Files\Debugging Tools for Windows\dbghelp.dll
Symbol Path and paste in
srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
4. Double Click on the svchost.exe experiencing the problem.
5. Click on the Threads Tab
6. Watch this Screen for the line that has High CPU
7. Double Click on Line and view the 'Stack for thread #' Window
8. Hold down shift key and click on the largest number (expand the window if you have to)
9. Click copy
10. Paste the results into this thread and the %CPU it was taking.
ASKER
I have attached a file of the Explorer.exe processes. I will post back in a couple of minutes with the last expert's suggestion. Very oddly, after walking away for a few hours the CPU time is back under control. How could this be explained? Please stay tuned and let me know what the possible cause could be. Thanks again
procexp.txt
Oops, I meant to say "svchost.exe":
Also, in Process Explorer, double-click the "svchost.exe" that's using up the most CPU, click the "Services" tab, and list the services here.
And once you double click SVCHOST.EXE, there will be another module using the CPU... Double click that one and paste the call stack here......
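As an added example (not code from this thread), the PowerShell script below does what the Process Explorer steps above do by hand: it maps every svchost.exe instance to the services it hosts, reports its CPU time, and checks that the image really is the one under System32. It assumes Windows with PowerShell 3 or later; the function name and column names are chosen here, not taken from any tool.

```powershell
# Added triage script, not from the thread: one row per svchost.exe instance with
# its service group, hosted services, CPU seconds and an image-path check.
# Assumes PowerShell 3+ (Get-CimInstance). On older systems the built-in
# "tasklist /svc" prints the same PID-to-service mapping.
function Get-SvchostTriage {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # Win32_Service.ProcessId ties each running service to the process hosting it
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
    foreach ($p in $procs) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId })
        # the "-k <group>" argument names the service group (e.g. rpcss, netsvcs)
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }
        # kernel and user time are reported in 100-nanosecond units
        $cpuSeconds = ([double]$p.KernelModeTime + [double]$p.UserModeTime) / 1e7
        $genuine = ($p.ExecutablePath -ieq $expectedPath)
        # informational only: older system binaries may be catalog-signed rather
        # than carrying an embedded Authenticode signature
        $sigStatus = if ($p.ExecutablePath) {
            (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        } else { 'Unknown' }
        [pscustomobject]@{
            PID         = $p.ProcessId
            ParentPID   = $p.ParentProcessId
            Group       = $group
            CPUSeconds  = [math]::Round($cpuSeconds, 1)
            Services    = ($hosted | ForEach-Object { $_.Name }) -join ','
            GenuinePath = $genuine
            Signature   = $sigStatus
            # an svchost.exe outside System32, or one hosting no service at all,
            # is the instance to examine first
            Suspicious  = (-not $genuine) -or ($hosted.Count -eq 0)
        }
    }
}

# busiest instance first; the Services column tells you which service group
# (rpcss in the log above, dmserver in the later post) is the one to dig into
Get-SvchostTriage | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so WMI can read every process's command line and path.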
ASKER
Okay guys...I have been thinking about this for several days. The problem is now solved, unfortunately I don't know exactly which fix solved it. Perhaps, even, there were multiple fixes that solved it! It may have had something to do with reinstalling McAfee...but again I am not sure.
This is my first post since joining a few days ago.
I solved my issue using a lot of the steps provided here and one additional, so I figured I would pass it on.
Issue:
svchost.exe spikes the CPU to 100% every time I open Disk Management. The screen will say "connecting to logical disk manager", but never does anything.
Resolution:
I downloaded the Process Explorer app mentioned above and ran it while I tried to access Disk Management. I clicked on the svchost.exe that was causing the spike so I could list the services it was running. Logical Disk Manager [dmserver] was part of this process tree, so I made the conclusion it was causing my problem. Next I opened a command prompt, ran sfc /scannow and inserted Server 2003 R2. It ran through, replaced 4 .dlls and my server has been working fine since.
ASKER
Thanks.