
Solved: Svchost.exe high memory usage

Discussion in 'Windows XP' started by cosmokramer, Apr 16, 2008.

  1. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    I have recently become annoyed at the high memory usage of the svchost.exe process. I have 8 of these services running at the moment. I haven't had reason to complain until recently, when they seem to be using more memory than necessary. I might just be overreacting here, but perhaps someone can verify it for me. I have included a HijackThis log at the bottom.
    My system is running Windows XP SP2, Asus K8VSE Deluxe, Athlon 64 3200, 1.75 GB RAM, updated via drivers and Windows updates (except one that just came in and I haven't done yet).
    These just seem like too much memory for these. I have checked at Black Viper and didn't really see a lot of things I could turn off. I could be wrong though.


    svchost.exe Username: system mem usage: 33,240 k
    - DCOM server process launcher
    - terminal services

    svchost.exe Username: network service mem usage: 28,828 k
    - remote procedure call

    svchost.exe Username: system mem usage: 74,020 k
    - 18 services registered to this process.

    svchost.exe Username: network service mem usage: 25,776 k
    - dns client

    svchost.exe Username: local service mem usage: 36,832 k
    - alerter
    - tcp/ip netbios helper
    - ssdp discovery service
    - universal plug and play device host
    - webclient

    svchost.exe Username: system mem usage: 30,988 k
    - windows image acquisition

    svchost.exe Username: system mem usage: 50,436 k
    - automatic updates

    svchost.exe Username: system mem usage: 27,060 k
    - http ssl


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:20:57 AM, on 4/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
    G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
    F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    f:\program files\common files\mcafee\mna\mcnasvc.exe
    f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    F:\WINDOWS\system32\svchost.exe
    F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    F:\WINDOWS\system32\wbem\wmiapsrv.exe
    F:\WINDOWS\system32\svchost.exe
    F:\Program Files\Canon\CAL\CALMAIN.exe
    F:\WINDOWS\System32\svchost.exe
    F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    F:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\wuauclt.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\RealVNC\VNC4.2\winvnc4.exe
    G:\Program Files\FlashGet\flashget.exe
    F:\WINDOWS\system32\taskmgr.exe
    Q:\ProcessExplorerNt\procexp.exe
    Q:\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [OutpostMonitor] G:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKCU\..\Run: [AlcoholAutomount] "G:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - G:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126128245015
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "G:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: g:\progra~1\agnitum\outpos~1\wl_hook.dll
    O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
    O23 - Service: McAfee Application Installer Cleanup (0136681207900384) (0136681207900384mcinstcleanup) - McAfee, Inc. - F:\WINDOWS\TEMP\013668~1.EXE
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - G:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
    O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
    O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - F:\PROGRA~1\WinTV\HCWTVS~1.EXE
    O23 - Service: HDDlife HDD Access service - BinarySense, Ltd. - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - G:\Program Files\RealVNC\VNC4.2\winvnc4.exe

    --
    End of file - 11340 bytes
     
  2. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Still getting this problem. Any suggestions?
     
  3. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Last bump before I give up.
     
  4. raybro

    raybro

    Joined:
    Apr 26, 2003
    Messages:
    5,822
    NEVER GIVE UP!!! :D Take a look at this thread started by yours truly. Not exactly the same problem, but you may find the thread helpful. Particularly, the link provided for Process Explorer. The little utility provided some insight to the question I had.

    BTW... The memory usage you show does seem somewhat excessive. I looked at mine again and still have 7 incidents of svchost running. Memory usage is nowhere near what yours is. Most are in the range of 2K to 4K with one at 24K. Of course, that's not a very compelling argument and only a sample of one.

    Raybro
     
  5. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Thanks for the reply raybro. I have process explorer and used it to figure out what services were running and verified they were all valid services running under svchost.exe. To add to this, a reboot and check of the svchosts shows they are running at "normal" memory usage immediately after login. So something must be occurring to make them use more memory.
     
  6. raybro

    raybro

    Joined:
    Apr 26, 2003
    Messages:
    5,822
    I'm no expert on system files, but if you get no further constructive input on this thread, I suggest you go to the M$ Knowledge Base and run a search there regarding svchost.exe and see what you can find that may apply to your situation.

    Good Luck... Raybro
     
  7. jasaiyajin

    jasaiyajin

    Joined:
    Mar 31, 2008
    Messages:
    230
    Could the problem be McAfee related? Try running your system after removing software one by one and looking at the memory consumption.

    In Process Explorer, there's a physical memory section and a virtual memory section that pertains to each running process. Could you list an example for us of virtual and physical memory consumption for a single running svchost with its services?
     
  8. oshwyn5

    oshwyn5

    Joined:
    May 23, 2007
    Messages:
    730
    Okay, let's start with a simple explanation of SVCHOST, what it does and why you have so many. Just as a DLL (dynamic link library) is a program (not an application) which does a specific task as part of a larger application but can be run all by itself by the application rundll32.exe (or dllhost.exe), a service is a component of a larger application which cannot run itself, but it can be run by the Windows service host svchost.exe even if the application in question (the one which installed and created this service) is not running.
    In Windows XP the registry is built from scratch each time your computer boots from several files called hives. The exact number varies depending on your configuration, but generally speaking there are at least five, one for each section in the registry. Now each time during the construction of the registry when any services are loaded, if their supporting application is not running, an instance of svchost.exe is launched to host them. Each instance of svchost.exe can host many different services.

    So, having eight instances of svchost.exe running is not unusual or bad.
    As you have found out, you can see that they are running, to some extent what launched them (the system account, network account, your user account...) and how much CPU usage they have in Task Manager.
    Process Explorer and CodeStuff Starter both allow you to get more information as to the specific services running under each svchost entry, although this information is often of little use and overwhelming to the average user. Nonetheless, it is worth installing one of these to have a closer look.

    If you go to Start / Run and type services.msc and hit Enter, you can see many of the services which are installed and their status. Do not mess around in here unless told to do so. There are guides like Black Viper's to aid in tweaking these, but the default settings are adequate.
    http://www.blackviper.com/WinXP/servicecfg.htm

    Now as to what causes high CPU usage by svchost.exe.
    In my experience, the most common cause on a properly maintained machine is a problem with an automatic updater. Windows Update and most antivirus or internet security suites run their updaters as services.
    Often if there is a problem, the automatic updater service just keeps running full throttle. The simple solution in most cases is to disable automatic updates for Windows (Control Panel / Security Center / Manage settings for / Automatic Updates => turn off) and your antivirus / internet security suite (inside the application itself).
    If this solves it, the next step is to manually go to the Windows Update site for Windows updates and get all the critical updates one at a time. I also recommend checking the custom / recommended software updates to see if anything like the .NET Framework, which may be required by other applications, is not up to date, as this can cause the problem too.
    Repeat for your antivirus: manually run the antivirus updater and again get updates one at a time. This may require many runs of the updaters, but it will identify if one is out of sequence and jamming the update process (if it fails to download / install, proceed to the next and then come back for that one).
    Once all updates are installed and you have restarted, return the updaters to automatic status and see if the problem is solved.


    The second most common cause of this problem that I encounter is when someone disables an application improperly. They use MSCONFIG and do not realize that they are disabling the startup entry for the application, but not its service entries. The services are loading and searching for another component which is not running, so they keep checking. Proper management of applications is a must in the XP and Vista environment. Sure, many people still disable things with MSCONFIG and have no problems, but this is not safe.
    If you have been using MSCONFIG as a startup manager, please read this.
    http://forums.majorgeeks.com/showthread.php?t=149804
    http://support.microsoft.com/kb/310560


    The third most common cause I see is an improper / incomplete uninstall of an application which leaves behind a service entry after the application is removed.
    I see two of these in your HJT log:
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
    O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)

    You should go to Start / Run and type services.msc
    hit Enter
    Locate Eset HTTP Server
    Double-click it to open its options, click Stop service if it is running, change startup behavior to Disabled.
    Repeat for Eset Service

    Go to start / run and type
    sc delete EhttpSrv
    hit enter
    type
    sc delete ekrn
    hit enter
    (Or you may do this in the command prompt window if you want to- go to start/ run and type cmd and hit enter. Type the sc commands in the black box and hit enter after each)

    Restart your computer and run hijackthis and those two entries should be gone.



    The fourth most likely cause is a virtual drive (like Alcohol 120%) which is running as a service. Sometimes these develop problems over time; sometimes they just are not properly compatible with your hardware configuration. So you may want to try disabling the virtual drive (burn its contents first if there is anything mounted).



    I will leave it to a malware guy to tell you what to do with this.
    O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
    It appears to be a leftover ShellServiceObjectDelayLoad entry which is not on any of the master databases of approved applications. This means it is most likely a leftover from an incomplete cleaning of malware. Did you have one of the SmitFraud infections recently? Anything popping up warnings about your being infected and prompting you to buy a removal product?



    However, this is something you can deal with now:
    F:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    This is a very old version of Java Runtime Environment with over 300 security exploits. Please go to Control Panel => Add/Remove Programs and uninstall all versions of Java and Java Runtime Environment listed. Best to start with the oldest.
    When done, please go to one of these sites and get one of the latest versions, 1.6.0_05 or 1.6.0_06
    http://majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
    http://www.java.com/en/download/index.jsp
    It may also be worth running the Secunia online Software Inspector scanner
    http://secunia.com/software_inspector/
    to see if you have any other software with major security holes.

    Finally
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    Unless you are a web page designer or software author (VBS or Java), there is no need to have this running.
    Please go to Internet Explorer => Tools => Internet Options => Advanced => Browsing
    Check "Disable script debugging Internet Explorer"
    Check "Disable script debugging other"
    Uncheck "notify me of every script error"

    Apply and restart.
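
The leftover-entry check described in the post above (O23 services marked "(file missing)", the O21 entry marked "(no file)"), as an added example that is not part of the original thread. The sample lines are copied from the log posted here; the class and function names are hypothetical, and the code assumes that when HijackThis prints no parenthesised short name the display name is also the service key name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "G:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - G:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
"""

# "<display> (<key>) - <owner> - <drive>:\<path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<head>.+?) - (?P<path>[A-Za-z]:\\.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# The display name may itself contain parentheses and the owner may contain
# " - ", so anchor on the last parenthesised group before the first " - ".
HEAD_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+)$")
# Any other section whose target HijackThis could not find on disk.
LEFTOVER_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<body>.+?) \((?:file missing|no file)\)$"
)


@dataclass
class ServiceEntry:
    display: str
    key_name: str  # name the Service Control Manager knows the service by
    owner: str
    path: str
    file_missing: bool


@dataclass
class Finding:
    section: str
    name: str
    reason: str  # orphaned-service | unknown-owner | dangling-entry
    detail: str


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other kind of line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    h = HEAD_RE.match(m["head"])
    if not h:
        return None
    # Assumption: no "(short)" part means display name == service key name.
    key = h["short"] or h["display"]
    return ServiceEntry(h["display"], key, h["owner"], m["path"],
                        m["missing"] is not None)


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_o23(line)
        if svc:
            if svc.file_missing:
                # Service is still registered but its binary is gone.
                findings.append(Finding("O23", svc.key_name,
                                        "orphaned-service", svc.path))
            elif svc.owner.lower() == "unknown owner":
                # Binary exists but the owner field is empty: verify the file.
                findings.append(Finding("O23", svc.key_name,
                                        "unknown-owner", svc.path))
            continue
        m = LEFTOVER_RE.match(line)
        if m:
            _, sep, rest = m["body"].partition(": ")
            name = (rest if sep else m["body"]).split(" - ", 1)[0]
            findings.append(Finding(m["section"], name,
                                    "dangling-entry", m["body"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:17} {f.name}")
```

The names reported as orphaned-service are the service key names that the `sc delete` step in the post operates on; unknown-owner and dangling-entry results are prompts for manual review, not removal candidates by themselves.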
     
  9. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Great explanation and thanks for the time it took.



    I originally thought the Windows updates were causing this as well. I had an update that wouldn't install for some reason, and still won't. I thought the update was constantly running then and causing it. Disabling it didn't help, as I disabled it a while back. The one that won't install is Security Update for Windows XP (KB944338).



    I thought I had uninstalled this. Dumb mistake on my part! A couple of days ago I went back and looked and uninstalled it. The services are gone now as well.

    Done.


    I don't know what that is either, and it is hard to find information on. I have not had an infection recently at all. No warnings about spyware infections or anything.
    Another I am curious about is this one... O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
    I am not sure what it is.


    Removed and installed updated version.


    Done.
    Here is an updated HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:43:35 PM, on 5/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    f:\program files\common files\mcafee\mna\mcnasvc.exe
    f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    F:\WINDOWS\system32\svchost.exe
    F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    F:\WINDOWS\system32\wbem\wmiapsrv.exe
    F:\Program Files\Canon\CAL\CALMAIN.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    Q:\HiJackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - J:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
    O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [OutpostMonitor] G:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O9 - Extra 'Tools' menuitem: Acronis Pop-up Blocker - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - F:\PROGRA~1\Acronis\PRIVAC~1\POP-UP~1.DLL
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - G:\Program Files\Agnitum\Outpost Security Suite Pro\ie_bar.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - G:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1210471143602
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: g:\progra~1\agnitum\outpos~1\wl_hook.dll
    O21 - SSODL: Notadpol - {46DB9B18-6350-475F-9038-9E0D59B2A077} - (no file)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - G:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - F:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - F:\PROGRA~1\WinTV\HCWTVS~1.EXE
    O23 - Service: HDDlife HDD Access service - Unknown owner - G:\Program Files\BinarySense\HDDlife 3\hldasvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - f:\program files\mcafee.com\agent\mcdetect.exe (file missing)
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - F:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - F:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - G:\Program Files\RealVNC\VNC4.2\winvnc4.exe

    --
    End of file - 10361 bytes
     
  10. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9

    For example:

    svchost.exe - alerter, lmhosts, ssdpsrv, webclient
    Virtual memory:
    Private bytes - 5,180 K
    Virtual size - 42,064 K

    Physical memory:
    Working set - 33,380 K
    WS private - 4,692 K
    WS shareable - 28,688 K
    WS shared - 28,380 K
    Peak working set - 33,920 K
     
  11. jasaiyajin

    jasaiyajin

    Joined:
    Mar 31, 2008
    Messages:
    230
    To confirm, I will need to know how every service is starting. May I have the txt output from your C: drive after running this command:
    WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid

    In the meantime, you can try removing anything McAfee related as a test and running your system. Put it back if you really need it, but it looks like a resource hog to me.

    It may also be beneficial to look into a Security Task Manager http://www.neuber.com/taskmanager/
     
  12. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Caption CommandLine ProcessId
    System Idle Process 0
    System 4
    smss.exe \SystemRoot\System32\smss.exe 928
    csrss.exe F:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 988
    winlogon.exe winlogon.exe 1024
    services.exe F:\WINDOWS\system32\services.exe 1068
    lsass.exe F:\WINDOWS\system32\lsass.exe 1080
    ati2evxx.exe F:\WINDOWS\system32\Ati2evxx.exe 1244
    svchost.exe F:\WINDOWS\system32\svchost -k DcomLaunch 1264
    svchost.exe F:\WINDOWS\system32\svchost -k rpcss 1380
    svchost.exe F:\WINDOWS\System32\svchost.exe -k netsvcs 1492
    svchost.exe F:\WINDOWS\system32\svchost.exe -k NetworkService 1576
    ati2evxx.exe Ati2evxx.exe -Client 1604
    svchost.exe F:\WINDOWS\system32\svchost.exe -k LocalService 1740
    aawservice.exe "G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe" 1768
    spoolsv.exe F:\WINDOWS\system32\spoolsv.exe 1916
    schedul2.exe "F:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe" 2032
    acs.exe 332
    DkService.exe "F:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe" 456
    mcmscsvc.exe F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 752
    McNASvc.exe "f:\program files\common files\mcafee\mna\mcnasvc.exe" 844
    McProxy.exe f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 924
    Mcshield.exe F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 992
    MDM.EXE "F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" 1548
    StarWindServiceAE.exe "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" 1728
    svchost.exe F:\WINDOWS\system32\svchost.exe -k imgsvc 2008
    ULCDRSvr.exe "F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" 2096
    wmiapsrv.exe F:\WINDOWS\system32\wbem\wmiapsrv.exe 2260
    CALMAIN.exe "F:\Program Files\Canon\CAL\CALMAIN.exe" 2368
    svchost.exe F:\WINDOWS\System32\svchost.exe -k HTTPFilter 3224
    mcsysmon.exe F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 432
    mcagent.exe F:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding 3816
    explorer.exe F:\WINDOWS\Explorer.EXE 3680
    op_mon.exe 1328
    jusched.exe "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" 2808
    ctfmon.exe "F:\WINDOWS\system32\ctfmon.exe" 1480
    flashget.exe "G:\Program Files\FlashGet\flashget.exe" 708
    firefox.exe "G:\Program Files\Mozilla Firefox\firefox.exe" 3372
    wmic.exe "F:\WINDOWS\System32\Wbem\WMIC.exe" /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid 3448
    wmiprvse.exe F:\WINDOWS\system32\wbem\wmiprvse.exe 2200
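
The check that the WMIC listing above makes possible, as an added example that is not part of the thread: it maps each svchost.exe PID to its `-k` service group and flags instances that do not run from system32 or that lack a `-k` argument. The function names, the space-collapsed row format and the two constructed rows are assumptions; `F:\WINDOWS` is the system root seen in the posted log.

```python
import re
from collections import defaultdict

# Rows as they look once WMIC's columns are collapsed to single spaces. The first
# seven lines are copied from the list posted above; the last two are constructed.
SAMPLE = r"""
Caption CommandLine ProcessId
System Idle Process 0
svchost.exe F:\WINDOWS\system32\svchost -k DcomLaunch 1264
svchost.exe F:\WINDOWS\system32\svchost -k rpcss 1380
svchost.exe F:\WINDOWS\System32\svchost.exe -k netsvcs 1492
svchost.exe F:\WINDOWS\system32\svchost.exe -k LocalService 1740
acs.exe 332
svchost.exe F:\Temp\svchost.exe 4242
svchost.exe "F:\WINDOWS\system32\svchost.exe" 4300
"""

ROW = re.compile(r"^(?P<caption>System Idle Process|\S+)\s*(?P<cmd>.*?)\s*(?P<pid>\d+)$")

def parse_rows(text):
    """Yield (caption, command_line, pid); the header row has no PID and is skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m["caption"], m["cmd"], int(m["pid"])

def image_path(cmd):
    """First element of a command line: a quoted string or the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""

def audit_svchost(text, system_root=r"F:\WINDOWS"):
    """Return ({service group: [pids]}, [(pid, finding)]) for svchost.exe rows."""
    expected = (system_root + r"\system32\svchost.exe").lower()
    groups, findings = defaultdict(list), []
    for caption, cmd, pid in parse_rows(text):
        if caption.lower() != "svchost.exe":
            continue
        image = image_path(cmd).lower()
        if image and not image.endswith(".exe"):
            image += ".exe"  # the log shows both "svchost" and "svchost.exe"
        if image != expected:
            findings.append((pid, "unexpected image path: " + (image or "(none)")))
        k = re.search(r"(?:^|\s)-k\s+(\S+)", cmd, re.I)
        if k:
            groups[k.group(1)].append(pid)
        else:
            findings.append((pid, "no -k service group"))
    return dict(groups), findings
```

`audit_svchost(SAMPLE)` returns the four groups from the posted log keyed to their PIDs, plus findings for the two constructed rows only. The group-to-PID map is what lets a per-process memory figure from Task Manager be tied back to a specific set of services.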
     
  13. jasaiyajin

    jasaiyajin

    Joined:
    Mar 31, 2008
    Messages:
    230
    Remove everything McAfee, check svchost mem usage, then report your findings here.
     
  14. cosmokramer

    cosmokramer Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    9
    Since I posted my last reply, I have removed McAfee. I have not had the high memory usage on svchost.exe since removing McAfee. Have to say that I never expected it to be McAfee because I have used it for a long time without issue. Makes me wonder if I did something to cause this.
    At any rate, we can mark this solved in my opinion.
    Thanks to all for your help. :)
     

Short URL to this thread: https://techguy.org/704243