TechSpot

100% CPU usage..svchost.exe & regscan.exe HJT log

By bakwas
Aug 30, 2006
Topic Status:
Not open for further replies.
  1. Hello everyone,

    The CPU usage in the task manager is at 100% and my PC is extremely slow.

    In the task manager svchost.exe and regscan.exe are at the top when I sort by CPU usage.

    When I use Process Explorer, the svchost that's taking up 100% CPU has wuauclt.exe attached to it.

    Prior to this I used to see a process wnword.exe in the process list. I think I managed to get rid of it by deleting it.

    I ran HijackThis and I am attaching the results.

    Thanks in advance

    HijackThis Log
  2. fastco

    fastco TS Rookie Posts: 1,511

    Hi, your computer is infected with a nasty program, regscan.exe
    Please download Ewido Anti-spyware and save that file to your desktop.
    This is a 30 day trial of the program http://www.ewido.net/en/download/

    1. Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    2. Once the setup is complete you will need to run Ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
    * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-select "Only if threats were found"

    Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    1. IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process. Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    2. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    3. Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
    4. If you have any infections you will be prompted, then select "Apply all actions".
    5. Next select the "Reports" icon at the top.
    6. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    7. Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results.

    Please post a fresh HJT log when complete!!
  3. bakwas

    bakwas TS Rookie Topic Starter

    Cannot Start Ewido.Exe in safe mode

    Thanks for the reply...

    I installed ewido.exe as per the instructions detailed by fastco. The installation was fine.
    Now when I run Windows in safe mode, as the mouse does not work, I selected the ewido.exe icon on the desktop using the cursor keys.
    When I hit enter nothing happens.

    Any pointers are highly appreciated.

    Thanks in advance
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Please post a fresh HJT log from normal mode, if you can.

    Regards Howard :wave: :wave:
  5. bakwas

    bakwas TS Rookie Topic Starter

    HJT log in the normal mode

    I have attached the new HJT log in normal mode.
    There was an ewido.err file in the ewido directory, which had access_violation,
    and the version is 4.0.

    Thanks
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    It appears you're not running any antivirus or firewall software. This is a huge security risk.

    I suggest you download and install the free AVG antivirus programme from HERE. You should also download and install either the free Zonealarm or the free Kerio firewall programmes from HERE and HERE. Make sure you run the AVG updates.

    Download the Pocket killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    regscan.exe
    http.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe

    O4 - HKCU\..\Run: [Regscan] G:\WINNT\system32\regscan.exe

    O20 - AppInit_DLLs: scanregw.dll

    O20 - Winlogon Notify: NavLogon - G:\WINNT\System32\NavLogon.dll

    Click on the fix checked button.

    Close HJT.

    Run a full system scan with AVG and delete whatever it finds.

    Locate and delete the following bold files and/or directories(if there).

    G:\WINNT\system32\regscan.exe
    c:\Program Files\Internet Explorer\shttps\http.exe


    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    This is the filepath you need to enter into Killbox.

    G:\winnt\system32\scanregw.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of bakwas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
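Added example, not part of the thread and not any poster's instructions: a read-only PowerShell audit of the four persistence locations that Howard's HJT fix list above refers to (the HKLM and HKCU Run keys for the O4 lines, AppInit_DLLs and Winlogon Notify for the O20 lines). It lists every entry in those locations and flags any that reference the file names the thread calls out, so you can see what HJT would show before touching anything. It assumes a Windows machine on which PowerShell is available (the PC in this thread boots from G:\WINNT and may predate PowerShell); the indicator list and the Test-Indicator helper are constructed for this example.

```powershell
# Added example (not from the thread): enumerate the persistence locations that
# appear in the HJT log above and flag entries that reference the names the
# thread identified. Reads the registry only; it removes nothing.

# File names named in the thread as indicators (drive letters vary per machine).
$Indicators = @('regscan.exe', 'http.exe', 'scanregw.dll', 'NavLogon.dll')

# Persistence locations, labelled with the HJT section that lists them.
$RunKeys = @(
    @{ Section = 'O4 HKLM Run'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Section = 'O4 HKCU Run'; Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
)
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$NotifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Provider metadata that Get-ItemProperty attaches to every result; not registry values.
$ProviderMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Hypothetical helper: case-insensitive substring match against the indicator list.
function Test-Indicator {
    param([string]$Value)
    foreach ($name in $Indicators) {
        if ($Value -and $Value.ToLower().Contains($name.ToLower())) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# O4 entries: every value under the two Run keys.
foreach ($key in $RunKeys) {
    if (Test-Path $key.Path) {
        $props = Get-ItemProperty -Path $key.Path
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderMeta -contains $p.Name) { continue }
            $findings.Add([pscustomobject]@{
                Section = $key.Section
                Name    = $p.Name
                Value   = [string]$p.Value
                Flagged = Test-Indicator ([string]$p.Value)
            })
        }
    }
}

# O20 AppInit_DLLs: a space- or comma-separated list of DLLs loaded into every
# process that loads user32.dll, which is why HJT lists it as a persistence point.
if (Test-Path $AppInitKey) {
    $appInit = (Get-ItemProperty -Path $AppInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $findings.Add([pscustomobject]@{
                Section = 'O20 AppInit_DLLs'
                Name    = 'AppInit_DLLs'
                Value   = $dll
                Flagged = Test-Indicator $dll
            })
        }
    }
}

# O20 Winlogon Notify: one subkey per package; its DllName value names the DLL
# that winlogon.exe loads at logon.
if (Test-Path $NotifyKey) {
    foreach ($sub in Get-ChildItem -Path $NotifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DllName
        $findings.Add([pscustomobject]@{
            Section = 'O20 Winlogon Notify'
            Name    = $sub.PSChildName
            Value   = [string]$dll
            Flagged = Test-Indicator ([string]$dll)
        })
    }
}

# Report: flagged entries first, then everything else for manual review.
$findings |
    Sort-Object -Property @{ Expression = 'Flagged'; Descending = $true }, Section |
    Format-Table -AutoSize Section, Name, Value, Flagged
```

Run it from an elevated prompt so the HKLM keys are readable. A Flagged entry only means the value contains one of the names listed in this thread; everything else is printed too, because unfamiliar Run or Notify entries are exactly what a fresh HJT log would ask you to look at, and a clean audit (no flagged rows) is the state Howard's "your HJT log is now clean" reply describes.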
  7. bakwas

    bakwas TS Rookie Topic Starter

    Thanks Howard.

    The steps really helped and my PC's performance is so much better now.

    Attached is the new HJT log

    Shobha
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Well done, your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of bakwas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. bakwas

    bakwas TS Rookie Topic Starter

    A second pc is infected with adware..

    My second PC has ad pop-ups. I just can't do anything.
    I went into safe mode and ran adware6.0. It found 130 critical objects and I had it quarantine them, but that didn't fix anything.

    I have attached the HJT log. I could run hijackthis.exe in safe mode only.
    Any advice is highly appreciated.

    Thanks in advance..
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your second pc is absolutely infested with viruses/worms/spyware etc.

    I suggest you reformat and reinstall from scratch.

    Regards Howard :)

    This thread is for the use of bakwas only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. Packrat1947

    Packrat1947 TS Rookie

    Windows update

    Hello,
    Lots of people have the same problem. The "wuauclt.exe " is the Windows updater. You probably have it set for "notify". Turn off updates and see if that fixes the problem. It did on my customer's old box. I used Process Explorer to pinpoint the problem.

    BTW, Microsoft bought out Sysinternals. Everyone should head that way and download all of Mark's programs for their archives. MS said they will leave his site as is - but who knows?

    Also, there is another fix about changing the Remote Procedure Call settings in Services. This seems to work too.

    Packrat1947