Svchost.exe cpu 100%, logs attached

Status
Not open for further replies.
For some few months I've been wrestling with svchost.exe intermittently using up 90+ percent of the CPU and slowing things to a crawl. It does this for a minute after every restart, and then throughout the day, every 5 or 10 or 15 minutes or so it does it again, usually for about a minute each time. I haven't been able to associate it with anything.

I've got four or five svchost processes running at any time, and the one showing the problem is associated with Windows network services. It has over a dozen different network related threads (RAS, DHCP, Fax, etc., etc.) associated with it.

Nothing I've tried has helped, and I've reached a point of frustration where I could really use some outside help. Most recently I updated all my hardware drivers, with no benefit. So now I've gone through all the steps in the "8 Steps" message in this forum. The logs are attached.

The Cisco VPN is for a client. The problem predated that installation, but I'm perfectly willing to nuke it if someone wants me to for troubleshooting. Likewise, the LogMeIn installation is for supporting my mother and sister on occasion. The problem predated that, but I'm willing to nuke it, too.

I noticed in the logs a few Trojan files found in unused areas (not in active programs). Those were old files from way before the problem. I have, of course, cleaned them up.

Thank you.
--David
 
The Mbam log shows "No action taken." That means you didn't check for removal. You will need to run Malwarebytes again (after you have disabled TeaTimer) and be sure this is done: make sure that everything is checked, and click Remove Selected.

Have SAS remove the Tracking Cookies, then
Reset Firefox Cookies:
Open Firefox> Tools> Privacy> Cookies> UNCHECK 'allow third party Cookies.'

You also might want to consider getting the following add-ons:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/
(get all 3 lists)

For the Av scan: did you quarantine then delete these?
"8 viruses and/or unwanted programs were found"

This Real Time process needs to be temporarily disabled while doing the scans:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
How to disable Spybot's TeaTimer
* Run Spybot and click Mode in the top menu
* Select Advanced Mode.
* Then expand the Tools selection in the left pane by clicking on it.
* Now in the left pane Resident.
* Now in the right window pane, uncheck TeaTimer. Keep the Resident "SDHelper" option checked.
* Now quit Spybot and REBOOT your PC.

Please disable Eraser while cleaning:
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide

Did you set these Restrictions?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
The bottom line on the processes is that you have too many on startup! Do this for me:
Boot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything except processes for Avira> Apply> OK>

Start> Run> services.msc> change the Startup Type on each of these Services to Manual:
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\TABC Systems\TABC VPN Client\cvpnd.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\GEARSEC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - c:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

Remove O24 Desktop from HijackThis:
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)

The following is the only removal that has worked:
Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close.
Reboot into Normal Mode***
***Note: you will get a nag message when you reboot that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

Do you notice a difference?

Now run Malwarebytes and HijackThis again, with Teatimer turned off and attach new logs.
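A PowerShell equivalent of the two steps above (mapping each svchost.exe instance to the services it hosts, then setting the listed services to Manual start), added here as an example and not part of the thread. It assumes an elevated session and uses the short service names taken from the O23 lines; the Pml Driver HPZ12 entry is included because the thread later reports it refusing the change.

```powershell
# Added example (not from the thread): identify which services each svchost.exe
# hosts, then set the thread's list of third-party services to Manual start,
# reporting any "Access is denied" failure instead of stopping.
# Assumes an elevated Windows PowerShell session. Get-WmiObject is used so the
# script also runs on the XP-era PowerShell 2.0.

# 1. Which services live in which svchost.exe? (what `tasklist /svc` shows)
$svchostPids = (Get-Process -Name svchost).Id
Get-WmiObject Win32_Service |
    Where-Object { $svchostPids -contains $_.ProcessId } |
    Group-Object ProcessId |
    ForEach-Object {
        # CPU seconds consumed so far; the busy "network services" instance
        # stands out here, and its member services are listed beside it
        $cpu = (Get-Process -Id ([int]$_.Name)).CPU
        "PID {0,6}  CPU(s) {1,8:N1}  services: {2}" -f $_.Name, $cpu, ($_.Group.Name -join ', ')
    }

# 2. Set the listed services to Manual (demand) start. Short service names
#    are the ones in parentheses in the HijackThis O23 lines.
$toManual = @('CarboniteService', 'CCALib8', 'CVPND', 'GEARSecurity', 'gusvc',
              'IDriverT', 'Imapi Helper', 'InCDsrv', 'iPod Service', 'LMIMaint',
              'LogMeIn', 'LVCOMSer', 'LVPrcSrv', 'Pml Driver HPZ12', 'SbieSvc',
              'WebDriveService')

foreach ($name in $toManual) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "{0,-20} not installed, skipped" -f $name; continue }
    try {
        Set-Service -Name $name -StartupType Manual -ErrorAction Stop
        "{0,-20} -> Manual (was {1})" -f $name, $svc.StartType
    } catch {
        # A service whose own ACL denies write access fails here with
        # "Access is denied" (Error 5), as Pml Driver HPZ12 did in the thread.
        "{0,-20} FAILED: {1}" -f $name, $_.Exception.Message
    }
}
```

Run step 1 again after the reboot to confirm the busy svchost instance has calmed down and that the changed services no longer appear in any running instance.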
 
Recommendations complete. Improvement evident

Thanks so much, Bobbye. The generosity and expertise shown at this site is incredible to see. I followed all the steps you outlined, encountering only two difficulties.
1) Unable to switch PML Driver to Manual, even when in Safe mode. Error message given below.
2) Unable to fix O24 Desktop item reported by HijackThis. No "Web" tab found under Customize Desktop.

I report on all the steps below. But first the result: no trouble observed thus far! Excellent.

I had taken a previous step that also helped with this. Searching TechSpot for svchost I found a referral to BlackViper (details below). Following recommendations there I switched many startup services to Manual, same as you suggested.

svchost troubleshooting notes 2008-12-27

I DID remove the tracking cookies reported by MalwareBytes, after getting the report. New logs for all scans attached.

Firefox:
Unchecked "Allow third party cookies".
Enabled AdBlock Plus. (I see I already had this installed, but it was disabled. Revisiting the site and reading the FAQ disabused me of the notion that it was blocking desired content. Will keep enabled with the three lists.)
Exported and removed custom filters.
Deleted all filters and subscribed to EasyList, EasyElement, and EasyPrivacy.

Carbonite: Disabled from its control panel.

Internet Explorer restrictions: These sound like options I set in SpybotSD.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Services.msc - changed to manual.
Ones marked "new" I newly changed. Others I previously changed after visiting BlackViper.

www.blackviper.com/WinXP/servicecfg.htm
Black Viper's Windows XP x86 (32-bit) Service Pack 3 Service Configurations using the "SAFE" column.

Carbonite - new
Canon Camera Access Library 8
Cisco Systems
GEARSecurity - new
Google Updater Service
InstallDriver Table Manager
Imapi Helper
InCD - new
iPod Service
LogMeIn
LogMeIn Maintenance Service
LVCOMSER - new
Process Monitor

Pml Driver HPZ12 - Access Denied! Get this error message:
Unable to open service Pml Driver HPZ12 for writing on Local Computer.
Error 5: Access is denied.
Unable to change even when booted to Safe Mode!?

Sandboxie Service
WebDrive Service - new

SpybotSD:
Checked for updates: None found.
Disabled Spybot TeaTimer.
Kept SD Resident enabled.

Eraser: Disabled.

SUPERAntiSpyware:
Custom scan: log attached. No trouble found.
Memory
Registry
Startup items
Cookies
Directories: C:\Windows; C:\Documents and Settings

AV scan: Yes, first quarantined, then deleted 8 items found.

Remove O24 Desktop from HijackThis: No "Web" tab found under Customize Desktop, only "General", and all boxes there are unchecked.
 
I found answers to the hpzipm12 service problem here:
forums.techguy.org/all-other-software/519535-solved-hp-pml-driver.html
 
Wrapping up

This has been educational and highly productive. Thank you, Bobbye! I've bookmarked TechSpot, and I won't be a stranger in the future.

The missing "Web" tab under Customize Desktop was resolved by Googling those terms. Turned out to be a registry setting under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
After making that change I get no more O24 items.

I think I had set NoDesktopCustomize ages ago as a security measure.

The bleepingcomputer download domain gets a 404 not found error, so no OTCleanup download. But that's no problem. I manually cleaned up the SUPERAntispyware dll, and copied the new tools into my admin tools folder.

Made a final restart check. Made a new restore point. Cleaned up old one. I'm good to go.

Process Explorer shows system running clean and quiet now. Many more CPU cycles returned to productive availability. I can now get some more utility out of this old but good workhorse.

Once again, thank you, Bobbye.
--David
 