Svchost.exe cpu 100%, logs attached

By davidqxo
Dec 26, 2008
Topic Status:
Not open for further replies.
  1. For some few months I've been wrestling with svchost.exe intermittently using up 90+ percent of the CPU and slowing things to a crawl. It does this for a minute after every restart, and then throughout the day, every 5 or 10 or 15 minutes or so it does it again, usually for about a minute each time. I haven't been able to associate it with anything.

    I've got four or five svchost processes running at any time, and the one showing the problem is associated with Windows network services. It has over a dozen different network related threads (RAS, DMCP, Fax, etc., etc.) associated with it.

    Nothing I've tried has helped, and I've reached a point of frustration where I could really use some outside help. Most recently I updated all my hardware drivers, with no benefit. So now I've gone through all the steps in the "8 Steps" message in this forum. The logs are attached.

    The Cisco VPN is for a client. The problem predated that installation, but I'm perfectly willing to nuke it if someone wants me to for troubleshooting. Likewise, the LogMeIn installation is for supporting my mother and sister on occasion. The problem predated that, but I'm willing to nuke it, too.

    I noticed in the logs a few Trojan files found in unused areas (not in active programs). Those were old files from way before the problem. I have, of course, cleaned them up.

    Thank you.
    --David
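
    One way to see which services share each svchost.exe process, so the busy PID can be matched to service names. This is an added example, not part of the original post; it assumes a Windows system with PowerShell 3.0 or later and an elevated prompt, neither of which the thread mentions.

    ```powershell
    # Group running services by the svchost.exe process that hosts them, so a
    # busy PID seen in Task Manager or Process Explorer maps to service names.
    $hosted = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' }

    $report = foreach ($group in ($hosted | Group-Object -Property ProcessId)) {
        # CPU time may be unavailable for protected processes without elevation.
        $proc = Get-Process -Id $group.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = [int]$group.Name
            CpuSec    = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
            Threads   = if ($proc) { $proc.Threads.Count } else { $null }
            # Service name with its startup type (Auto, Manual, Disabled).
            Services  = ($group.Group | Sort-Object Name |
                ForEach-Object { '{0} ({1})' -f $_.Name, $_.StartMode }) -join ', '
        }
    }

    # Highest accumulated CPU time first; that instance is the one to inspect.
    $report | Sort-Object CpuSec -Descending | Format-List
    ```

    On systems without PowerShell, `tasklist /svc /fi "imagename eq svchost.exe"` gives the same PID-to-service mapping without the CPU figures.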
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The Mbam log shows " No action taken." That means you didn't check for removal. You will need to run Malwarebytes again (after you have disabled Teatimer) and be sure this is done: * Make sure that everything is checked, and click Remove Selected.

    Have SAS remove the Tracking Cookies, then
    Reset Firefox Cookies:
    Open Firefox> Tools> Privacy> Cookies> UNCHECK 'allow third party Cookies.'

    You also might want to consider getting the following add-ons:
    AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
    Easy List: http://easylist.adblockplus.org/
    (get all 3 lists)

    For the Av scan: did you quarantine then delete these?
    "8 viruses and/or unwanted programs were found"

    This Real Time process needs to be temporarily disabled while doing the scans:
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    How to disable Spybot's TeaTimer
    Please disable Eraser while cleaning:
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide

    Did you set these Restrictions?
    The bottom line on the processes is that you have too many on startup! Do this for me:
    Boot into Safe Mode:
    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything except processes for Avira> Apply> OK>

    Start> Run> services.msc> change the Startup Type on each of these Services to Manual:
    Remove 024 Desktop from HijackThis:
    Reboot into Normal Mode***
    ***Note: you will get a nag message when you reboot that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    Do you notice a difference?

    Now run Malwarebytes and HijackThis again, with Teatimer turned off and attach new logs.
  3. davidqxo

    davidqxo Newcomer, in training Topic Starter

    Recommendations complete. Improvement evident

    Thanks so much, Bobbye. The generosity and expertise shown at this site is incredible to see. I followed all the steps you outlined, encountering only two difficulties.
    1) Unable to switch PML Driver to Manual, even when in Safe mode. Error message given below.
    2) Unable to fix 024 Desktop item reported by HijackThis. No "Web" tab found under Customize Desktop.

    I report on all the steps below. But first the result: no trouble observed thus far! Excellent.

    I had taken a previous step that also helped with this. Searching TechSpot for svchost I found a referral to BlackViper (details below). Following recommendations there I switched many startup services to Manual, same as you suggested.

    svchost troubleshooting notes 2008-12-27

    I DID remove the tracking cookies reported by MalwareBytes, after getting the report. New logs for all scans attached.

    Firefox:
    Unchecked "Allow third party cookies".
    Enabled AdBlock Plus. (I see I already had this installed, but it was disabled. Revisiting the site and reading the FAQ disabused me of the notion that it was blocking desired content. Will keep enabled with the three lists.)
    Exported and removed custom filters.
    Deleted all filters and subscribed to EasyList, EasyElement, and EasyPrivacy.

    Carbonite: Disabled from its control panel.

    Internet Explorer restrictions: These sound like options I set in SpybotSD.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Services.msc - changed to manual.
    Ones marked "new" I newly changed. Others I previously changed after visiting BlackViper.

    www . blackviper . com/WinXP/servicecfg.htm
    Black Viper's Windows XP x86 (32-bit) Service Pack 3 Service Configurations using the "SAFE" column.

    Carbonite - new
    Canon Camera Access Library 8
    Cisco Systems
    GEARSecurity - new
    Google Updater Service
    InstallDriver Table Manager
    Imapi Helper
    InCD - new
    iPod Service
    LogMeIn
    LogMeIn Maintenance Service
    LVCOMSER - new
    Process Monitor

    Pml Driver HPZ12 - Access Denied! Get this error message:
    Unable to open service Pml Driver HPZ12 for writing on Local Computer.
    Error 5: Access is denied.
    Unable to change even when booted to Safe Mode!?

    Sandboxie Service
    WebDrive Service - new

    SpybotSD:
    Checked for updates: None found.
    Disabled Spybot TeaTimer.
    Kept SD Resident enabled.

    Eraser: Disabled.

    SUPERAntiSpyware:
    Custom scan: log attached. No trouble found.
    Memory
    Registry
    Startup items
    Cookies
    Directories: C:\Windows; C:\Documents and Settings

    AV scan: Yes, first quarantined, then deleted 8 items found.

    Remove 024 Desktop from HijackThis: No "Web" tab found under Customize Desktop, only "General", and all boxes there are unchecked.
  4. davidqxo

    davidqxo Newcomer, in training Topic Starter

    I found answers to the hpzipm12 service problem here:
    forums.techguy.org/all-other-software/519535-solved-hp-pml-driver.html
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Nice job! So you found and did this: Very good!
    But let's check this again:
    When you click on Customize Desktop, a new screen opens. The new screen has 2 tabs> General and Web. Choose the Web tab, then follow to remove all Sites except your home page and uncheck 'lock desktop items'> Apply> OK.

    Re Firefox: I think you'll be pleased with the 2 add-ons. I've had them for over 4 years and haven't thought I was missing anything with an exception> on a few occasions, when I've had a blank page load, I've gone into AdBlock Plus Options (through Tools) and temporarily disabled the add-on. I found this in cases when the site wants to reload a page right after the initial page-AdBlock will stop that. But the good it does is abundant!

    Mbam and SAS are clean. I see this entry in HijackThis:
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    But identified it as a legitimate entry related to Adobe Products so it can stay.

    This entry tells me you still have an outdated Java program:
    O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
    So let's do this:
    Update Java:
    But you are running clean and lean! Has your original problem with high CPU usage by the svchost.exe processes been resolved with resetting the Services? There is still some room for resetting if needed.

    If system is now running well, we can remove the cleaning tools:
    Clear your existing System Restore points and establish a new clean restore point:
    It has been a pleasure working with you! If you need more help or still have problems, please let me know.
  6. davidqxo

    davidqxo Newcomer, in training Topic Starter

    Wrapping up

    This has been educational and highly productive. Thank you, Bobbye! I've bookmarked TechSpot, and I won't be a stranger in the future.

    The fix to no "Web" tab under Customize Desktop was resolved by Googling those terms. Turned out to be a registry setting under:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
    After making that change I get no more 024 items.

    I think I had set NoDesktopCustomize ages ago as a security measure.

    The bleepingcomputer download domain gets a 404 not found error, so no OTCleanup download. But that's no problem. I manually cleaned up the SUPERAntispyware dll, and copied the new tools into my admin tools folder.

    Made a final restart check. Made a new restore point. Cleaned up old one. I'm good to go.

    Process Explorer shows system running clean and quiet now. Many more CPU cycles returned to productive availability. I can now get some more utility out of this old but good workhorse.

    Once again, thank you, Bobbye.
    --David
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    David, my fault for not updating the OTCleanIT download. I thought I had. Put the following in the address bar and the download will come up:
    http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    You've done a good job. It is refreshing to work with someone who knows his way around the system and can handle some things on his own! I did mention those Policy Restrictions early on and am glad you were able to backtrack and find the 024 demon.

    Let us know if we can be of more help.