svchost.exe mystery...


CerebralAssassin
04-06-09, 11:41
hi guys,

the svchost.exe continually hogs up 30% of my CPU usage :hea: ... and I have a freakin quad core processor for god's sake :hea: .... Is this normal?? I tried to end the freakin task but Windows didn't let me... Is this process even necessary, or will ending the task result in an unstable system? :confused:

EscondeR
04-06-09, 11:54
1. Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the report.

2. Download Conficker Killer (http://www.tombraiderhub.com/faq/download/esc/kk.exe), disconnect your LAN cable and run the utility.

3. Go to www.kaspersky.com and run Online Scanner.

CerebralAssassin
04-06-09, 12:12
Copy the following text and paste it to your report AS IS!!!

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"Provides computer protection against viruses, dangerous software, hacker attacks, internet fraud and spam."
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AVP
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
Enabled: [V]


Program:
"Used by the LightScribe software components to support 3rd party disc labeling applications using the LightScribe COM Application Programming Interface (LSCAPI). This service needs to run for LightScribe direct disc labeling to work."
Publisher:
"(Not verified) Hewlett-Packard Company"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
LightScribeService
Program path & name:
"c:\program files\common files\lightscribe\lssrvc.exe"
Enabled: [V]


Program:
"Nero BackItUp Scheduler 3 is responsible to control all jobs created using Nero BackItUp 3. These jobs can create backups of selected files/folders/partitions or complete hard disk to hard disk, network drive, disc or FTP."
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Nero BackItUp Scheduler 3
Program path & name:
"c:\program files\nero\nero8\nero backitup\nbservice.exe"
Enabled: [V]


Program:
"PLFlash DeviceIoControl Service"
Publisher:
"(Not verified) Prolific Technology Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PLFlash DeviceIoControl Service
Program path & name:
"c:\windows\system32\ioctlsvc.exe"
Enabled: [V]


Program:
"Enables network access to local burners via iSCSI protocol."
Publisher:
"(Not verified) Rocket Division Software"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
StarWindServiceAE
Program path & name:
"c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe"
Enabled: [V]


Program:
"IP in IP Tunnel Driver"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
IpInIp
Program path & name:
File not found: system32\DRIVERS\ipinip.sys"
Enabled: [V]


Program:
"Kaspersky Unified Driver"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
kl1
Program path & name:
"c:\windows\system32\drivers\kl1.sys"
Enabled: [V]


Program:
"Kaspersky Lab Pnp Device Filter"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
KLFLTDEV
Program path & name:
"c:\windows\system32\drivers\klfltdev.sys"
Enabled: [V]


Program:
"IPX Traffic Filter Driver"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NwlnkFlt
Program path & name:
File not found: system32\DRIVERS\nwlnkflt.sys"
Enabled: [V]


Program:
"IPX Traffic Forwarder Driver"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NwlnkFwd
Program path & name:
File not found: system32\DRIVERS\nwlnkfwd.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
"Logon Visualizer"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
klogon
Program path & name:
"c:\windows\system32\klogon.dll"
Enabled: [V]


Program:
"Προφύλαξη οθόνης για τις φωτογραφίες του Windows Live"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKCU\Control Panel\Desktop\Scrnsave.exe
Entry name:
C:\Windows\WLXPGSS.SCR
Program path & name:
"c:\windows\wlxpgss.scr"
Enabled: [V]


Program:
"Mozilla 2 Virtual Keyboard"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd.dll
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\mzvkbd.dll"
Enabled: [V]


Program:
"Mozilla 3 Virtual Keyboard"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\mzvkbd3.dll"
Enabled: [V]


Program:
"kldialhk"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
C:\PROGRA~1\KASPER~1\KASPER~2\adialhk.dll
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\adialhk.dll"
Enabled: [V]


Program:
"Kaspersky OE plugin loader"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
C:\PROGRA~1\KASPER~1\KASPER~2\kloehk.dll
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\kloehk.dll"
Enabled: [V]


Program:
"Adobe Acrobat SpeedLauncher"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Adobe Reader Speed Launcher
Program path & name:
"c:\program files\adobe\reader 9.0\reader\reader_sl.exe"
Enabled: [V]


Program:
"Nero BackItUp"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NBKeyScan
Program path & name:
"c:\program files\nero\nero8\nero backitup\nbkeyscan.exe"
Enabled: [V]


Program:
"Virtual DAEMON Manager"
Publisher:
"(Verified) DAEMON Tools Code Signing Services"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
DAEMON Tools
Program path & name:
"c:\program files\daemon tools\daemon.exe"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre6\bin\jusched.exe"
Enabled: [V]


Program:
"Kaspersky Anti-Virus"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
AVP
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) Hewlett-Packard Company"
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
LightScribe Control Panel
Program path & name:
"c:\program files\common files\lightscribe\lsrunonce.exe"
Enabled: [V]


Program:
"RegistrationReminder MFC Application"
Publisher:
N/A
Entry path:
C:\Users\Jacob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Entry name:
Registration Chessmaster® Grandmaster Edition.LNK
Program path & name:
c:\program files\ubisoft\chessmaster grandmaster edition\register\registrationreminder.exe"
Enabled: [V]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Link Helper
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
Enabled: [V]


Program:
"IE Virtual Keyboard"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
IEVkbdBHO Class
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Not verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Java(tm) Plug-In 2 SSV Helper
Program path & name:
"c:\program files\java\jre6\bin\jp2ssv.dll"
Enabled: [V]


Program:
"Cover Designer"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroCoverEd Live Icons
Program path & name:
"c:\program files\nero\nero8\nero coverdesigner\coveredextension.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalIconHandler
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalPropSheetHandler
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"Shell Extension for jetAudio"
Publisher:
"(Not verified) COWON America"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
jetAudio
Program path & name:
"c:\program files\jetaudio\jetflext.dll"
Enabled: [V]


Program:
"Script Monitor Internet Explorer plugin"
Publisher:
"(Verified) Kaspersky Lab"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Web traffic protection statistics
Program path & name:
"c:\program files\kaspersky lab\kaspersky internet security 2009\scieplgn.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
NeroDigitalColumnHandler Class
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
"DeviceVM Url Search Hook"
Publisher:
"(Verified) DeviceVM Inc."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
dvmurl.dll
Program path & name:
"c:\windows\system32\dvmurl.dll"
Enabled: [V]



2) Which LAN cable? You mean the Ethernet cable? :confused:

3) They said it won't run because I already have Kaspersky Internet Security 8.0 :p
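The ARDiag report above classifies every autostart entry by its publisher signature ("(Verified)", "(Not verified)", "File not found"), which is what makes such a listing useful for spotting an unwanted startup item among the legitimate ones. The PowerShell below is an added example, not ARDiag's code and not anything posted in the thread: it walks the Run/RunOnce keys and the installed services, resolves each command line to its image file, and checks the file's Authenticode signature so the reader can produce the same classification on their own machine. It assumes Windows PowerShell 3 or later run from an elevated prompt; the key list, the "vital" classification strings and all function names are this example's own.

```powershell
# Added example, not ARDiag and not posted in the thread. Assumes Windows
# PowerShell 3+ and an elevated prompt. All names below are the example's own.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-ImagePath {
    # Reduce a registry command line such as
    #   "c:\program files\foo\foo.exe" /silent   or   c:\windows\bar.exe -x
    # to the executable's path. Returns $null for an empty value.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: take the longest prefix that names an existing
    # file, so "c:\program files\x\x.exe /a" resolves to the .exe, not to "c:\program".
    $parts = $cl -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-SignatureState {
    # Classify a file the way the report does: Verified / Not verified / File not found.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ State = 'File not found'; Signer = 'N/A' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        # Signed, and the certificate chains to a root this machine trusts.
        return [pscustomobject]@{ State = 'Verified'; Signer = $sig.SignerCertificate.Subject }
    }
    # NotSigned, HashMismatch (file changed after signing), NotTrusted, ...
    return [pscustomobject]@{ State = "Not verified ($($sig.Status))"; Signer = 'N/A' }
}

function Get-AutostartReport {
    # Run/RunOnce values for the machine and the current user
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $path  = Resolve-ImagePath ($item.GetValue($name))
            $state = Get-SignatureState $path
            [pscustomobject]@{
                EntryPath = $key
                EntryName = $name
                Image     = $path
                Signature = $state.State
                Signer    = $state.Signer
            }
        }
    }
    # Services (the HKLM\System\CurrentControlSet\Services entries that are not drivers)
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path  = Resolve-ImagePath $svc.PathName
        $state = Get-SignatureState $path
        [pscustomobject]@{
            EntryPath = 'HKLM\System\CurrentControlSet\Services'
            EntryName = $svc.Name
            Image     = $path
            Signature = $state.State
            Signer    = $state.Signer
        }
    }
}

# Unsigned or missing images sort first: those are the rows worth a second look.
Get-AutostartReport |
    Sort-Object @{ Expression = { $_.Signature -eq 'Verified' } }, EntryPath |
    Format-Table EntryPath, EntryName, Signature, Image -AutoSize
```

A "Verified" row means only that the file was signed and the certificate chains to a trusted root on this machine, the same meaning the report attaches to the word; an unsigned or "File not found" row is not proof of anything bad (several legitimate vendors in the report above are "(Not verified)"), it is the place to start checking. Sysinternals Autoruns covers many more locations (drivers, Winlogon, AppInit_DLLs, shell extensions) than this script does.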

Punaxe
04-06-09, 12:37
At point 2 he meant: physically disconnect from the Internet. That means either pulling out the cable or using the hardware switch for your wireless device (or both, I guess).

EscondeR
04-06-09, 12:44
@ 2: Yup.

@ 3: Is it regularly updated?

Update Windows Installer to the latest version if you have Automatic Updates active.

Actually your system seems to be OK (virus-wise). How long does it consume 30% CPU time usually?

http://support.microsoft.com/kb/932494
http://support.microsoft.com/kb/927891

CerebralAssassin
04-06-09, 13:25
here's #2!!:p

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/kk.jpg


@ 3: Is it regularly updated?

Yup, it updates by itself!! :p

Update Windows Installer to the latest version if you have Automatic Updates active.

Actually your system seems to be OK (virus-wise). How long does it consume 30% CPU time usually?

http://support.microsoft.com/kb/932494
http://support.microsoft.com/kb/927891

I looked for Windows Installer on my PC but I don't have it!! :confused: Isn't that solution for XP? I have Vista. :confused:

Yes, it's always at 30%, even when I'm not doing anything. :confused:

EscondeR
05-06-09, 05:07
At least we know now it's not the Conficker worm :)


1. Open Task Manager by right-clicking the taskbar and then clicking Task Manager.

2. Click the Processes tab.

3. Click Show processes from all users. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

4. Right-click an instance of svchost.exe, and then click Go to Service(s). The services associated with the process are highlighted on the Services tab.

5. Make a list of all services run with all instances of svchost.exe and post it here.

CerebralAssassin
05-06-09, 14:27
http://i145.photobucket.com/albums/r206/CerebralAssassin1983/ca.jpg

^ The ones highlighted are the problematic ones... or do you want all the services? :confused:

EscondeR
06-06-09, 08:16
I need all of them. And it'll be even better if you use Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) to form the list (screenshot) :)

CerebralAssassin
07-06-09, 14:46
http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer1.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer2.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer3.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer4.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer5.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer6.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer7.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer8.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer9.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer10.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer11.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer12.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer13.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer14.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer15.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer16.jpg

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/processexplorer17.jpg

EscondeR
08-06-09, 05:22
I tried to end the freakin task but Windows didn't let me... Is this process even necessary, or will ending the task result in an unstable system? :confused:
Unfortunately this instance of svchost.exe is hosting DCOM Server Launcher Process, a vital process for Vista. Therefore, instead of shutting down svchost.exe itself, download and run Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx), look for the Mobsync.exe entry and completely disable it, then reboot.
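EscondeR's Task Manager steps earlier in the thread (Processes tab, Show processes from all users, Go to Service(s)) map one svchost.exe instance at a time to the services it hosts, and his post above explains why the instance hosting the DCOM launcher cannot simply be ended. The PowerShell below is an added example that is not from the thread: it builds that process-to-services map for every svchost.exe instance at once, samples each instance's share of total CPU over a few seconds (so a steady 30% on a quad core shows up against the right PID), and flags instances that host services Windows cannot run without. The list of vital services and the function names are this example's own assumptions; it assumes an elevated Windows PowerShell 3+ prompt so that all users' processes can be opened.

```powershell
# Added example, not posted in the thread. Assumes an elevated Windows PowerShell 3+
# prompt. The "vital" list is this example's assumption, built on the thread's point
# that the instance hosting DCOM Server Process Launcher (DcomLaunch) must not be ended.
$vitalServices = @('DcomLaunch', 'RpcSs', 'RpcEptMapper', 'PlugPlay')

function Get-ServicesByPid {
    # Hashtable: process id -> names of the services running inside that process.
    # Equivalent to Task Manager's "Go to Service(s)" for every process at once.
    $map = @{}
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $id = [int]$svc.ProcessId
        if (-not $map.ContainsKey($id)) { $map[$id] = @() }
        $map[$id] += $svc.Name
    }
    return $map
}

function Measure-SvchostCpu {
    # Sample CPU time twice and turn the delta into percent of the whole machine,
    # which is the figure Task Manager shows (30% of four cores = 1.2 cores busy).
    param([int]$Seconds = 5)
    $cores  = [Environment]::ProcessorCount
    $byPid  = Get-ServicesByPid
    $before = @{}
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $before[$p.Id] = $p.CPU
    }
    Start-Sleep -Seconds $Seconds
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # CPU is $null when the process could not be opened (not elevated); skip those,
        # and skip instances that started during the sample window.
        if (-not $before.ContainsKey($p.Id)) { continue }
        if ($null -eq $p.CPU -or $null -eq $before[$p.Id]) { continue }
        $hosted = @()
        if ($byPid.ContainsKey([int]$p.Id)) { $hosted = $byPid[[int]$p.Id] }
        $percent = 100 * ($p.CPU - $before[$p.Id]) / ($Seconds * $cores)
        [pscustomobject]@{
            PID        = $p.Id
            CpuPercent = [math]::Round($percent, 1)
            Vital      = @($hosted | Where-Object { $vitalServices -contains $_ }).Count -gt 0
            Services   = $hosted -join ', '
        }
    }
}

# Highest CPU share first. An instance with Vital = True is the one Windows will not
# let you end; the remedy is to disable the individual offending service or component
# (in this thread, Mobsync via Sync Center or Autoruns), never the svchost.exe host.
Measure-SvchostCpu -Seconds 5 | Sort-Object CpuPercent -Descending | Format-Table -AutoSize
```

Run it a couple of times: a component that wakes periodically shows a different percentage in each sample, while a permanently busy one (the 30% in this thread) stays constant. Once the PID is known, the Services column tells you which service group to investigate in Process Explorer or Autoruns rather than which process to kill.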

CerebralAssassin
08-06-09, 10:54
I can't find it with the program you gave me; this is all I found :confused:

http://i145.photobucket.com/albums/r206/CerebralAssassin1983/mobsync.jpg

EscondeR
08-06-09, 10:57
Go to Control Panel > Sync Center and disable synchronization there.

CerebralAssassin
08-06-09, 11:07
http://i145.photobucket.com/albums/r206/CerebralAssassin1983/synccenter.jpg

It's empty :confused::confused:

EscondeR
08-06-09, 11:20
Do you have any mobile phone synchronization/Bluetooth software installed? Uninstall it.

CerebralAssassin
08-06-09, 11:52
nope :(