TechSpot

Clean scans after Antivirus Pro 2009, now what?

By Husky44
Nov 19, 2008
  1. Follow on from Sunday's posts below: I performed the 8 steps successfully. I just ran MBAM and SAS again. Scans came up clean (See attached). Now to my 2 remaining questions:

    1) I still have an svchost.exe file running that's consuming all available CPU capacity (99% in Task Manager). How do I stop this?

    2) When I go to shut down using the "Turn Off" button (Windows XP Home Edition), I have a small shield like the Windows Security Manager logo on the upper right corner of the button along with a statement that says "Click Turn Off to install important updates and turn off your computer". Is this legit? Antivirus Pro 2009 counterfeited the Security Manager logo, so I'm a little leery of using this.

    Is there anything I need to do to correct these two (possibly related, since they occurred after my infestation) problems? Is there anything else I should run?

    Thanks for all the help! This has been a great site to find!

    Greg
     

    Attached Files:

  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Good job!

    Yes, that is a legit process for Windows to ask for a shutdown to install some updates. It will not install them if you reboot. So do it!

    Now for the svchost: the following will show what each svchost is running and from where (perhaps a rogue running from the wrong location).

    Drag the mouse and copy everything inside the box below (notice the slider).
    Code:
    @echo off
    REM Go to the root of the current drive so that attrib /s walks the whole drive
    cd\
    REM List every svchost.exe on the drive with its attributes (one outside system32 would be suspect)
    attrib svchost.exe /s >"%USERPROFILE%"\Desktop\Tasklist.txt
    REM Append every running process together with the services it hosts
    %SystemRoot%\system32\cmd.exe /c %windir%\system32\tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
    REM Close the cmd window the lines were pasted into (the second exit is a harmless repeat)
    exit
    exit
    Then open a CMD prompt and paste directly onto the black screen; it should close the CMD prompt.

    Now there is a new icon on the desktop Tasklist.txt. Post back contents of both!

    Mike
     
  3. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28


    Mike: Thanks for the response. Ran the Windows updates. Also ran the command prompt script you provided above. You said "Post back contents of both". I've attached the text file produced, but not sure what else you were expecting?

    Thanks,
    Greg
     

    Attached Files:

  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Is the high CPU hog still present??

    Do the copy-paste again, as it did not run correctly; my mistake!

    Code:
    @echo off
    REM Go to the root of the current drive so that attrib /s walks the whole drive
    cd\
    REM List every svchost.exe on the drive with its attributes
    attrib svchost.exe /s >"%USERPROFILE%"\Desktop\Tasklist.txt
    REM Append every running process together with the services it hosts (tasklist.exe found via PATH)
    tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
    REM Close the cmd window the lines were pasted into (the second exit is a harmless repeat)
    exit
    exit
    Then resend!

    Mike
     
  5. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    Not sure when you said "my mistake", if you wanted me to run the new script or the old one.

    I couldn't attach the 2 task lists. It kept saying I'd already attached them, no matter what I named them. Here are the contents, pasted in:

    The first one was with the original script:
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
    C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    A C:\WINDOWS\system32\svchost.exe


    The second one is with the new script:

    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
    C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    A C:\WINDOWS\system32\svchost.exe


    Hog is present; when I ran the script prior to the first reply, I forgot to restart my machine first, so I'd already killed it in task manager before I ran the script.

    Thanks again.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    For some reason it is having a problem running the line below. Paste it to the cmd prompt and let me know the results.

    Code:
    REM Append every running process and the services it hosts, then close the window
    tasklist.exe /svc >>"%USERPROFILE%"\Desktop\Tasklist.txt
    exit
    
    Mike

    Edit: You have XP Home, and Tasklist comes only with XP Pro. But it works just fine in Home.

    Go here download it http://www.computerhope.com/download/winxp/tasklist.exe

    Once downloaded, move it to the Windows folder.
    Then run the paste operation again.

    svchost can run multiple processes under cover. This will show us what.

    Actually, run it with the hog running. Kill the hog and run it again, and we can see the before and after.

    Mike
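    Added example, not code from the thread or from either poster: a small Python parser for the text the batch script produces (`attrib svchost.exe /s` followed by `tasklist /svc`). It groups the services each svchost.exe hosts by PID, so the PID that Task Manager shows at 99% can be matched to its service list, and it flags any svchost.exe sitting outside system32 and the two service-pack backup folders (the only places Greg's attrib output showed one). The sample text below is constructed in the style of XP's tasklist output, not captured from the poster's machine, and one extra attrib line (a copy under C:\WINDOWS\Temp) is made up to show what a misplaced copy looks like. The expected directories assume C:\WINDOWS is the Windows folder, as in the poster's output.

```python
"""Parse the Tasklist.txt the forum script writes: `attrib svchost.exe /s`
output followed by `tasklist /svc` output.

Added example; not code from the thread. All sample text is constructed.
"""
import re
from collections import OrderedDict

# Constructed sample of `attrib svchost.exe /s`: the three lines the poster saw,
# plus one made-up line showing what a copy in the wrong place would look like.
SAMPLE_ATTRIB = r"""
          C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
          C:\WINDOWS\ServicePackFiles\i386\svchost.exe
A         C:\WINDOWS\system32\svchost.exe
A    H    C:\WINDOWS\Temp\svchost.exe
"""

# Constructed, abridged sample of XP `tasklist /svc` output. PIDs and groupings
# are made up; long service lists wrap onto indented continuation lines.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   664 Eventlog, PlugPlay
lsass.exe                      676 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    840 DcomLaunch, TermService
svchost.exe                    924 RpcSs
svchost.exe                   1016 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, helpsvc, lanmanserver,
                                   Schedule, SENS, Themes, winmgmt, wuauserv
svchost.exe                   1100 Dnscache
svchost.exe                   1144 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                   1992 N/A
cmd.exe                       2716 N/A
"""

# Where a svchost.exe is expected on XP (assumes C:\WINDOWS as the Windows
# folder): the live copy in system32 plus the service-pack backup/cache copies.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\$ntservicepackuninstall$",
    r"c:\windows\servicepackfiles\i386",
}

_PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")        # drive-letter path at end of line
_ROW_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image, PID, service list


def parse_attrib(text):
    """Return the file paths from `attrib <file> /s` output, dropping the flags."""
    paths = []
    for line in text.splitlines():
        m = _PATH_RE.search(line)
        if m:
            paths.append(m.group(1).strip())
    return paths


def unexpected_svchost_copies(attrib_text, expected_dirs=EXPECTED_DIRS):
    """Paths of svchost.exe files outside the expected directories."""
    hits = []
    for path in parse_attrib(attrib_text):
        directory = path.rsplit("\\", 1)[0].lower()
        if directory not in expected_dirs:
            hits.append(path)
    return hits


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` into an ordered dict {pid: (image, [services])}.
    Indented lines without a PID continue the previous process's service list."""
    procs = OrderedDict()
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = _ROW_RE.match(line)
        if m:
            image, last_pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            procs[last_pid] = (image, [])
        elif last_pid is None:
            continue            # stray text before the first process row
        else:
            svcs = line         # continuation of the previous row
        procs[last_pid][1].extend(
            s.strip() for s in svcs.split(",") if s.strip() and s.strip() != "N/A")
    return procs


def svchost_hosting(procs):
    """{pid: [services]} for every svchost.exe process in the listing."""
    return {pid: svcs for pid, (image, svcs) in procs.items()
            if image.lower() == "svchost.exe"}


def services_for_pid(procs, pid):
    """Services hosted by the PID read off Task Manager, or None if it is absent."""
    entry = procs.get(pid)
    return None if entry is None else entry[1]


if __name__ == "__main__":
    for p in unexpected_svchost_copies(SAMPLE_ATTRIB):
        print("svchost.exe outside its expected location:", p)
    procs = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, svcs in svchost_hosting(procs).items():
        # A svchost.exe that hosts no service at all is worth a closer look.
        print(f"svchost.exe PID {pid}: {', '.join(svcs) or '(hosts no service)'}")
    image, _ = procs[2716]      # the PID the poster killed turned out to be cmd.exe
    print(f"PID 2716 is {image}")
```

    Run it against a real Tasklist.txt by reading the file and passing the attrib and tasklist halves to the two parsers; the PID column Task Manager shows (View > Select Columns) is the key into the returned dict, which is how a 99% svchost.exe is narrowed down to the handful of services it hosts.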
     
  7. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    That made a difference!

    Files attached. The one I thought would be the hog wasn't. Thanks for all your help!
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, the process you killed, PID (Process ID) #2716, was a cmd prompt, likely running in the background. Did you kill a svchost or a cmd?

    Go back into taskmgr, click View, then Select Columns. Then make sure the boxes beginning at PID and the next 5 are checked. This will allow you to see the PID and more info. Note: PIDs can change after a reboot, but will stay the same unless the process is stopped and restarted.

    OK I need to take a deep look at your startups.

    So do the below:

    http://www.tombraiderhub.com/download/ardiag.exe
    When run, give it a couple of minutes; it will produce a text file. Post the contents back here.

    Mike
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This may assist in dealing with what you are seeing. Looking over your Tasklist, identifying the processes:

    And a note on using the msconfig utility:

    A note on changing the Startup Type for a Service:

    Norton processes: there are processes running from three different versions of Norton:

    All related to HP Digital Imaging. None need to be on Startup:

    Relating to Java:

    How to turn off Machine Debug Manager in Office XP:

    11. ZuneBusEnum: Zune Bus Enumerator, aids in wireless sync > service can be set to Manual startup.
    12. BCMSMMSG.exe: BCM voice modem driver. Required for dial-up if you have one of these modems.

    The following are all related to CyberPatrol Internet Security Software:
    17. cpkbinst.exe: Comodo Firewall
    18. CTSysVol.exe: Creative Volume Manager > only needed when using Creative.
    19. ctfmon.exe > Office
    20. GoogleToolbarNotifier.exe > updates. Should be disabled and removed from the Registry.
    21. msmsgs.exe: Messenger
    22. wcescomm.exe: ActiveSync for use with Windows CE based palm PC
    23. rapimgr.exe: Microsoft ActiveSync Module > noted for excessive use of resources.
    24. iPodService.exe: This service is used by iTunes for using your iPod. If you do not use iTunes you can disable this service. It does not need to start on boot.
    25. iexplore.exe: Internet Explorer
    26. wmiprvse.exe: Windows Management Instrumentation Provider Service.
    28. cmd.exe: Command Prompt. Has its uses but should only be listed when being used.
    29. tasklist.exe: the extra program you're running to learn what these processes are.

    This is only meant to be a guide for you. All of the processes ARE legitimate, but many of the processes listed here do NOT need to start on boot. They can be UNCHECKED on Startup and/or their Service can be reset to Manual.

    NOTE: As noticed, I have not dealt with those processes showing as svchost.exe.
     