Kinster

I need help, svchost taking up 100% of cpu usage.


Greetings, I have been directed here from Microsoft's newsgroups. I am told to create a HijackThis log file and post it here so experts can help me. I've read around and I understand that help can be slow; I will wait patiently for help to eventually come my way.

 

I believe my comp has been infected by something but I don't know what. Here are my symptoms: after having my computer on for about a day, it will get ridiculously slow. Upon hitting Ctrl+Alt+Del and bringing up the task manager, I found that one of the svchosts is taking up 100% of CPU usage. That is why things get really slow.

 

I've tried the suggested steps but I still have the problem. I've scanned with the latest updated Ad-Aware, Spybot, CWShredder and Norton Antivirus. All turned up clean. Hijackthis is my last resort. I hope you experts here can help me solve this problem. It's tiring having to restart every once in a while. Thank you.

 

Here is my Hijackthis log:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:18:43 PM, on 7/4/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\Explorer.EXE

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\WINDOWS\System32\CTHELPER.EXE

E:\WINDOWS\System32\WinSVCservice.exe

D:\Norton AntiVirus\navapsvc.exe

D:\IE New Window Maximizer\iemaximizer.exe

D:\Norton AntiVirus\AdvTools\NPROTECT.EXE

E:\WINDOWS\System32\nvsvc32.exe

E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

D:\TorrentStorm\TorrentStorm.exe

D:\TorrentStorm\Downloader\tor020.exe

D:\TorrentStorm\Downloader\tor020.exe

D:\TorrentStorm\Downloader\tor020.exe

E:\WINDOWS\System32\svchost.exe

D:\Hijack This\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] D:\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [uPNPService] WinSVCservice.exe

O4 - HKLM\..\RunServices: [uPNPService] WinSVCservice.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] D:\IE New Window Maximizer\iemaximizer.exe

O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe

O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CE073722-DDEA-4E5D-8BAF-7806C1978397}: NameServer = 202.188.0.133 202.188.1.5


I thank you for your fast reply and provided link. I have read and understood little of what I've read. I'm not a technical person, so sorry. How can I be sure that my svchost instance is running something 'bad' or 'good'? I still don't know what to 'fix' in my Hijackthis list...

 

More help is appreciated.


=== Reboot in Safe Mode ===

 

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

O4 - HKLM\..\Run: [uPNPService] WinSVCservice.exe

O4 - HKLM\..\RunServices: [uPNPService] WinSVCservice.exe

 

 

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\windows\System32\WinSVCservice.exe

 

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

 

Reboot in normal mode.

 

 

HiJackThis version 198.0 is now available.

If you do already have it installed, download it from here:

http://209.133.47.12/~merijn/files/HijackThis.exe

http://downloads.net-integration.net/HijackThis.exe

http://www.computercops.biz/downloads-file-328.html

 

Then run HiJackThis again and post a new log in this thread.

 

 

Also, your Hosts file may be corrupt:

 

=== Begin Hosts File Reset ===

1. Download the Hoster from here:

http://members.aol.com/toadbee/hoster.zip

2. Install the program and run it.

3. Press 'Restore Original Hosts' and press 'OK'

4. Exit Program.

 

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.

=== End Canned Speech ===


Thanks for your help! :)

 

First of all, I enabled Windows XP's firewall after I posted my first post here with my HJT log. Enabling the firewall has stopped svchost from taking up 100% of my CPU usage.

 

Moving on to your instructions, I couldn't find the two items you wanted me to fix in HijackThis. The two items are:

 

O4 - HKLM\..\Run: [uPNPService] WinSVCservice.exe

O4 - HKLM\..\RunServices: [uPNPService] WinSVCservice.exe

 

They are not in my HJT log anymore since I enabled Windows XP's firewall. However, I did follow your instructions and deleted "WinSVCservice.exe" in safe mode.

 

Lastly, I also restored original hosts as you instructed.

 

Now that the svchost problem has been solved, I find that my computer is still acting sluggish and slow sometimes. Especially after having it on for a day or two with no restarts. Additionally, whenever I try to open image files with ACDsee, I get the following error message:

 

"Windows cannot find 'D:\Nikon 2\DSCN4399.JPG'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then cilck Search."

 

It is not only that specific file; I get the same error message every time I try to open image files. (The path to the file changes for other image files, but it is the same message every time.) I have to keep on trying to open it 2 or 3 times; only then will it open normally. It is very frustrating because I have to wait a minute between tries (the mouse cursor turns into an hourglass after double-clicking the image file). I have to wait until it finishes whatever it is doing, then the error message comes up, I click OK, and nothing happens. Then I try double-clicking the image file again; sometimes the error message comes up again, sometimes my picture will finally open.

 

Do you think there are still other baddies in my computer? Or do I simply need to get a faster machine?

 

Finally, I need your expert advice regarding firewalls. I find that with the firewall disabled, my downloads with BitTorrent are noticeably faster. After enabling XP's firewall to prevent svchost from hogging CPU usage, I notice that my BitTorrent downloads are slowed ten times when compared to not having the firewall on. Is it safe not to have it off so I can download faster? Do I need some other firewall and abandon XP's built-in firewall? Please help.

 

Here is my updated HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 3:21:05 PM, on 7/12/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\Explorer.EXE

E:\Program Files\Common Files\Symantec Shared\ccApp.exe

E:\WINDOWS\System32\CTHELPER.EXE

D:\IE New Window Maximizer\iemaximizer.exe

E:\Program Files\MSN Messenger\MsnMsgr.Exe

D:\Norton AntiVirus\navapsvc.exe

D:\Norton AntiVirus\AdvTools\NPROTECT.EXE

E:\WINDOWS\System32\nvsvc32.exe

E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

E:\Program Files\Internet Explorer\IEXPLORE.EXE

D:\Hijack This\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] D:\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [updReg] E:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] D:\Creative\SBLive\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\System32\\NeroCheck.exe

O4 - HKCU\..\Run: [iE New Window Maximizer] D:\IE New Window Maximizer\iemaximizer.exe

O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\ICQ\ICQ.exe

O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CE073722-DDEA-4E5D-8BAF-7806C1978397}: NameServer = 202.188.0.133 202.188.1.5

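The fix list and the follow-up above both turn on which entries appear in the first log but not in the second. As an added example (not part of any post in this thread), this Python code diffs trimmed excerpts of the two logs and reports removed autorun targets that had also been running processes; the function names and the choice of excerpt lines are this example's own.

```python
import ntpath
import re

# Excerpts of the two logs posted in this thread, trimmed to a few lines each.
LOG_BEFORE = r"""
Running processes:
E:\WINDOWS\System32\CTHELPER.EXE
E:\WINDOWS\System32\WinSVCservice.exe
D:\TorrentStorm\TorrentStorm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [uPNPService] WinSVCservice.exe
O4 - HKLM\..\RunServices: [uPNPService] WinSVCservice.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
LOG_AFTER = r"""
Running processes:
E:\WINDOWS\System32\CTHELPER.EXE
E:\Program Files\MSN Messenger\MsnMsgr.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4 = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")  # registry autoruns only
EXE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)

def parse(log):
    """Return (running process paths, O-section lines) from a HijackThis log."""
    procs, entries, in_procs = set(), set(), False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif re.match(r"O\d+ - ", line):
            in_procs = False
            entries.add(line)
        elif in_procs and line:
            procs.add(line)
    return procs, entries

def exe_name(command):
    """Lower-cased file name of the first .exe in an autorun command, or None."""
    m = EXE.match(command)
    return ntpath.basename(m.group(1)).lower() if m else None

def compare(before, after):
    """Entries and processes present before but not after, and their overlap."""
    (pb, eb), (pa, ea) = parse(before), parse(after)
    gone_entries, gone_procs = sorted(eb - ea), sorted(pb - pa)
    targets = {exe_name(m.group(3)) for m in map(O4.match, gone_entries) if m}
    both = sorted(targets & {ntpath.basename(p).lower() for p in gone_procs})
    return {"entries": gone_entries, "processes": gone_procs, "autorun_and_running": both}

if __name__ == "__main__":
    print(compare(LOG_BEFORE, LOG_AFTER))
```

An entry that vanished from both the autorun keys and the process list is worth explaining before the log is called clean; an autorun that vanished without ever having been a running process, like `nwiz.exe` here, is not flagged by the overlap check.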

OK your log is finally clean. Re firewalls, you might try ZoneAlarm Free.

 

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

 

3. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.


Oh, I'm glad to hear that my log is clean. Thank you very much. I am now downloading ZoneAlarm and SpywareGuard. AdAware, SpyBot S&D and SpywareBlaster, I already have. Looking forward to a clean fast machine after I have installed all these. Thanks again! Don't mind if I come back when I encounter any more problems? :)
