svchost.exe

Posted: 26 Aug 2006, 18:05
by toast
Hey, all.
Sometimes when I'm randomly flocking the internet, my computer freezes up. I pull up my task manager and it's "svchost.exe". It's using 99%, and the mem usage is about 99,000K (I'm estimating but I know it gets really up there)....
When I kill it, everything goes haywire and bounces back to normal.
My question is - why does it use so many resources? What is causing it?

~thanks~ Toast

Posted: 27 Aug 2006, 03:23
by bad_brain
hm, impossible to say without more information....please run hijack this and post the log here, you can get it here:
http://www.merijn.org/downloads.html

:wink:

don't touch that dial!

Posted: 27 Aug 2006, 12:05
by DNR
:roll: svchost.exe has been a popular question by neos checking their processes. Do not mess with it. As long as the file is located in C:\Windows\System32 it is a part of the Windows OS. It is a generic host processor for services to run. You can have several svchost.exe running, each controlling a service. If svchost.exe or scvhost.exe (note misspelling) is located in a directory other than C:\Windows\System32 then it is likely a trojan using a common Windows process name to hide.

DNR

Hijackthis log.

Posted: 27 Aug 2006, 14:30
by toast
Logfile of HijackThis v1.99.1
Scan saved at 4:25:25 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\PROGRA~1\navnt\DefWatch.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\PROGRA~1\navnt\Rtvscan.exe
C:\PROGRA~1\navnt\SavRoam.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\navnt\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\navnt\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: KODAK Software Updater.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 2570863916
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2570851760
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\navnt\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iTunes\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\navnt\Rtvscan.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\navnt\SavRoam.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



~~~thanks~~toast
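The location check DNR describes earlier in the thread, applied to the "Running processes" section of a HijackThis log, as an added example that is not part of the thread. The sample log is constructed, the C:\WINDOWS install path is assumed from the log posted above, and the 0.85 similarity threshold for catching misspellings such as scvhost.exe is an assumption.

```python
import ntpath
from difflib import SequenceMatcher

EXPECTED_DIR = r"c:\windows\system32"  # assumption: Windows is installed in C:\WINDOWS
HOST_NAME = "svchost.exe"
LOOKALIKE_RATIO = 0.85                 # assumption: similarity cut-off for misspelled names
# Constructed sample in HijackThis log format (not the log posted in the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scvhost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\svch0st.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths

def check_svchost(paths):
    """Flag svchost.exe outside System32 and lookalike names in any directory."""
    findings = []
    for path in paths:
        # ntpath parses Windows paths on any OS; compare case-insensitively.
        directory, name = ntpath.split(ntpath.normpath(path).lower())
        if name == HOST_NAME:
            if directory != EXPECTED_DIR:
                findings.append((path, "svchost.exe outside System32"))
        elif SequenceMatcher(None, name, HOST_NAME).ratio() >= LOOKALIKE_RATIO:
            findings.append((path, "lookalike of svchost.exe"))
    return findings

if __name__ == "__main__":
    for path, reason in check_svchost(running_processes(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

A clean result here only covers name and location; it does not verify that the file in System32 is the genuine binary or say which hosted service is using the CPU.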

Posted: 28 Aug 2006, 07:24
by DNR
Don't get too focused on svchost.exe (if in the C:\Windows\System32 directory), your computer crash could be entirely unrelated.

You have the HP Pavilion laptop, it looks like you recently purchased it (by looking at the results of hijackthis). The Pavilion series is pretty good, a decent price range for a worthy chipset. If you have recently purchased this computer and it has not been working right since day one, it is likely damaged by shipping and handling. If the computer was working fine, but started acting up after you downloaded software, or even installed software via disk, or deleted any files, then it is likely software related. Back up all your porn and reinstall.

I have the AMD chipset sempron 2800+ Compaq Presario M2000, with almost the same software setup as you. The only time I have had crashes was trying to surf in IE (7.0 beta) and start AIM at the same time.
If it is a new computer you can at first try a reinstall with the recovery disk, or return it to the place you bought it (15 day return policy or else free checkup/repair). If you have to send it out for repair, save yourself some time and call HP yourself, they will send you a mailing kit, a box and padding to ship it back to them. I got mine back in a week (not this box). The best option is to exchange it for another brand new in the box.

DNR

Posted: 28 Aug 2006, 13:14
by toast
Lol, thanks!

~toast

Posted: 28 Aug 2006, 13:48
by bad_brain
I agree with DNR, there seems to be no real malware on the system, but A LOT of unnecessary entries, to make it short: your box is a mess... :lol:
either XP is running for a long time already or you test a lot of programs....so it's time for a new install imo, will be much less time consuming than looking for the cause of the problem...and your system will be much faster afterwards too.... :wink:

p.s. when done you can post the new log and I'll tell you what services you should disable, there are plenty of apps on your system which connect to the net in the background....like the real player *yuk* ...you really should use media player classic instead, it can be found in the downloads here..simply search for Realplayer Alternative, it's free from spyware and plays almost any media file... :wink:

Posted: 28 Aug 2006, 13:59
by toast
Alright...
Thanks to you too!

I'll get back to you later...

:)
~toast

Posted: 04 Sep 2006, 10:44
by toast
Okay, I repaired it (the OS), not reinstalled it.
And it looks/feels the same as before. Cept now I got a whole new error message.
I ran Hijack again and it looks the same as before.... (eh?)

Would you still like me to post the 2nd log?

~T

Posted: 04 Sep 2006, 12:37
by bad_brain
a repair install is worth nothing because only the system files are replaced, all settings and the rest of the files (malware or not) stay on the system....so nothing has changed.
for example: let's say systemfile XXX is not working because some registry settings done by a game you've installed are messed up. now a repair install will only replace file XXX but the registry settings still stay corrupted and XXX will still not work.
backup all files you need to DVDs or an extra HDD and do a new install (a real one)....it's the only way to get a fresh and clean system... :wink:

Posted: 04 Sep 2006, 14:52
by toast
Alright.
I'll be back.

Eh, I hate computers. I give up programming.

T

Posted: 04 Sep 2006, 15:04
by Gogeta70
Heh, we all know how that feels...

Posted: 04 Sep 2006, 15:18
by toast
So if and when I reinstall, my programs will be lost, correct? Like my firewall, anti-everything and so forth, will have to be replaced correct?

Arg.

Posted: 04 Sep 2006, 15:22
by bad_brain
1 dollar for every time I have said this and I would be a rich man.... :lol:
I have to install XP twice a year (if nothing unusual happens), you'll have fun again when you notice how fast your system is after the new install....don't worry, that's normal... :wink:

Posted: 04 Sep 2006, 15:36
by toast
After all the shit this baby has gone thru, I doubt it.

Oh, well.