Windows XP sp 2 / avast 4 home edition with last virus database
I use tasklist /svc to show all the processes, and they all seem normal. However, there is a svchost process that eats up almost all memory. I’ve searched the whole disk and only found one svchost program in c:/windows/system32.
Currently, avast could not detect any problem at the start-up scan. However, the anti-spyware software Spybot Search & Destroy gives a warning to close it.
Thank you!
http://www.xinyubbs.net/UploadFile/2007-5/2007512101037957.jpg
And svchost.exe is not misspelled in any way?
You could try a SuperAntiSpyware scan
http://www.superantispyware.com/
It’s a bit more advanced than Spybot, imo. Just use the free version.
If you haven’t run SuperAntiSpyware yet please do, putting in quarantine anything it finds. You can post the SAS log as well as a HijackThis log in your next response:
Click here to download HJTsetup.exe
1. Save HJTsetup.exe to your desktop.
2. Doubleclick on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and Paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
If the logs are too long for a single post simply split them into pieces.
Does svchost.exe remain that high for long periods?
system
May 15, 2007, 10:55am
4
All the processes running in the system:
AGRSMMSG.exe 1784 C:\WINDOWS\AGRSMMSG.exe
ashDisp.exe 1340 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashServ.exe 200 C:\Program Files\Alwil Software\Avast4\ashServ.exe
ashWebSv.exe 3112 C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
Ati2evxx.exe 680 C:\WINDOWS\system32\Ati2evxx.exe
Ati2evxx.exe 1176 C:\WINDOWS\System32\Ati2evxx.exe
avgas.exe 1604 G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
csrss.exe 856 C:\WINDOWS\system32\csrss.exe
ctfmon.exe 1868 C:\WINDOWS\system32\ctfmon.exe
EvtEng.exe 1524 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
Explorer.EXE 760 C:\WINDOWS\Explorer.EXE
EzEjMnAp.Exe 1360 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
guard.exe 644 g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
ibmpmsvc.exe 1100 C:\WINDOWS\System32\ibmpmsvc.exe
lsass.exe 936 C:\WINDOWS\system32\lsass.exe
MsnMsgr.Exe 1896 C:\Program Files\MSN Messenger\MsnMsgr.Exe
QCONSVC.EXE 1140 C:\WINDOWS\System32\QCONSVC.EXE
RegSrvc.exe 2268 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
rundll32.exe 1320 C:\WINDOWS\system32\rundll32.exe
runiep.exe 1352 C:\Program Files\Rising\AntiSpyware\runiep.exe
S24EvMon.exe 1552 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
services.exe 924 C:\WINDOWS\system32\services.exe
smss.exe 784 C:\WINDOWS\System32\smss.exe
spoolsv.exe 528 C:\WINDOWS\system32\spoolsv.exe
svchost.exe 1188 C:\WINDOWS\system32\svchost.exe
svchost.exe 1256 C:\WINDOWS\system32\svchost.exe
svchost.exe 1396 C:\WINDOWS\System32\svchost.exe
svchost.exe 1632 C:\WINDOWS\System32\svchost.exe
svchost.exe 1776 C:\WINDOWS\System32\svchost.exe
tfswctrl.exe 1816 C:\WINDOWS\system32\dla\tfswctrl.exe
tgcmd.exe 1496 C:\Program Files\Support.com\bin\tgcmd.exe
tp4serv.exe 1208 C:\WINDOWS\system32\tp4serv.exe
TPHKMGR.exe 1468 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
TpKmpSVC.exe 2344 C:\WINDOWS\system32\TpKmpSVC.exe
TPONSCR.exe 1716 C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
TpScrex.exe 1728 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
winlogon.exe 880 C:\WINDOWS\system32\winlogon.exe
wuauclt.exe 3600 C:\WINDOWS\system32\wuauclt.exe
wuauclt.exe 3944 C:\WINDOWS\system32\wuauclt.exe
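The check asked about earlier in the thread (is svchost.exe misspelled, and is it running from system32?) can be automated over a "name PID path" listing like the one above. This is an added example, not part of the original posts; it assumes Windows is installed in C:\WINDOWS, and the last three sample rows are constructed for illustration.

```python
import difflib

# Assumption: Windows lives in C:\WINDOWS, as in the listing above.
EXPECTED = r"c:\windows\system32\svchost.exe"
TARGET = "svchost.exe"

# Constructed sample: the first three rows are taken from the listing above,
# the last three are invented to show what a finding looks like.
SAMPLE = r"""
svchost.exe 1188 C:\WINDOWS\system32\svchost.exe
svchost.exe 1396 C:\WINDOWS\System32\svchost.exe
spoolsv.exe 528 C:\WINDOWS\system32\spoolsv.exe
svchost.exe 4012 C:\WINDOWS\svchost.exe
scvhost.exe 4100 C:\WINDOWS\system32\scvhost.exe
svch0st.exe 4208 C:\Documents and Settings\user\svch0st.exe
"""


def parse(listing):
    """Yield (name, pid, path) from 'name pid path' rows; paths may contain spaces."""
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            yield parts[0], int(parts[1]), parts[2].strip()


def audit(listing, cutoff=0.8):
    """Return (pid, name, reason) for rows that masquerade as svchost.exe."""
    findings = []
    for name, pid, path in parse(listing):
        lname = name.lower()
        if lname == TARGET:
            # Exact name: the image must be the one in system32 (case-insensitive).
            if path.lower() != EXPECTED:
                findings.append((pid, name, "svchost.exe outside system32"))
        elif difflib.SequenceMatcher(None, lname, TARGET).ratio() >= cutoff:
            # Near-miss spelling such as swapped letters or a digit for a letter.
            findings.append((pid, name, "name resembles svchost.exe"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit(SAMPLE):
        print(f"PID {pid}: {name} -> {reason}")
```

A clean result only rules out name and path masquerading; it says nothing about which services a genuine svchost.exe is hosting.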
system
May 15, 2007, 10:55am
5
Logfile of HijackThis v1.99.1
Scan saved at 6:49:40 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Rising\AntiSpyware\runiep.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVP Monitor] G:\Program Files\avp3.5\avpm.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169765832282
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
system
May 15, 2007, 10:58am
6
After checking the relationship between processes, I found that svchost is the parent process of two wuauclt.exe processes.
So currently, the system cannot update.
Hi askool,
Your momentary problems could have to do with a bug with the Windows Automatic Updater store. Disable this and get your updates and patches manually; that will sort out your problems with svchost using up all your cycles. Another solution: users are advised to install the new WSUS 3.0 client, even if they do not use WSUS for installing updates.
polonus
If you turn off Automatic Updates does the cpu usage go down?
You should update your Java to Version 6 Update 1 and uninstall older versions in Add/Remove Programs
http://www.java.com/en/download/manual.jsp
A third party firewall would also be useful.
Hi all,
Thank you so much for your help! I approached Microsoft for help. They gave me the following solution:
http://www.microsoft.com/downloads/details.aspx?familyid=7A81B0CD-A0B9-497E-8A89-404327772E5A&displaylang=en
It seems that the problem is gone now.
Best regards,
Askool
system
May 27, 2007, 11:57am
10
So there really is a reason for all those Microsoft updates ;D
Thanks for following up. Very helpful to know this.