
Solved Processor being used when computer is near idle

Discussion in 'Malware and Virus Removal Archive' started by HowardF, 2010/05/27.

  1. 2010/05/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
    Click on View > Select Columns.
    In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
    Go File>Save As, and save the report as Procexp.txt.
    Paste the content into your next reply.
     
  2. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    Thanks for looking into it.

    Here's the log:
    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 46.18 0 K 24 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 1.03 308 K 97,668 K
    smss.exe 296 516 K 1,096 K
    csrss.exe 444 2,656 K 4,404 K
    wininit.exe 516 1,684 K 4,468 K
    avgchsva.exe 548 65,436 K 61,976 K
    avgrsa.exe 556 3,896 K 1,656 K
    avgcsrva.exe 792 17,792 K 21,652 K
    services.exe 624 5,464 K 9,084 K
    svchost.exe 772 5,140 K 9,704 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
    LVPrS64H.exe 2700 1,328 K 4,420 K
    WmiPrvSE.exe 4592 5,568 K 10,160 K
    dllhost.exe 1652 2,488 K 6,496 K COM Surrogate Microsoft Corporation C:\WINDOWS\SYSWOW64\DLLHOST.EXE /PROCESSID:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    dllhost.exe 5180 0.68 3,028 K 7,080 K COM Surrogate Microsoft Corporation C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    svchost.exe 920 4,588 K 8,364 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k RPCSS
    atiesrxx.exe 980 1,756 K 4,236 K AMD External Events Service Module AMD C:\Windows\system32\atiesrxx.exe
    atieclxx.exe 1168 2,520 K 6,248 K
    svchost.exe 328 20,720 K 22,280 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    audiodg.exe 5392 17,520 K 16,712 K
    svchost.exe 428 167,980 K 174,360 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    dwm.exe 1772 1.03 45,100 K 55,116 K Desktop Window Manager Microsoft Corporation "C:\Windows\system32\Dwm.exe "
    WUDFHost.exe 3840 2,228 K 6,104 K
    svchost.exe 684 26,124 K 39,064 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k netsvcs
    svchost.exe 1124 10,292 K 16,800 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalService
    svchost.exe 1224 14,980 K 15,904 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkService
    vsmon.exe 1632 22,652 K 25,208 K TrueVector Service Check Point Software Technologies LTD C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service
    spoolsv.exe 1988 8,196 K 14,040 K Spooler SubSystem App Microsoft Corporation C:\Windows\System32\spoolsv.exe
    svchost.exe 2036 9,544 K 12,536 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    taskhost.exe 1504 8,872 K 10,304 K Host Process for Windows Tasks Microsoft Corporation "taskhost.exe "
    AppleMobileDeviceService.exe 2164 1,556 K 4,568 K Apple Mobile Device Service Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "
    avgwdsvc.exe 2196 7,696 K 2,776 K AVG Watchdog Service AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe "
    avgnsa.exe 1768 14,932 K 5,636 K
    mDNSResponder.exe 2296 1,912 K 5,516 K Bonjour Service Apple Inc. "C:\Program Files (x86)\Bonjour\mDNSResponder.exe "
    svchost.exe 2360 24.97 9,832 K 18,232 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    LVPrcSrv.exe 2468 3,324 K 6,316 K Logitech LVPrcSrv Module. Logitech Inc. "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe "
    PnkBstrA.exe 2712 1,220 K 4,020 K C:\Windows\system32\PnkBstrA.exe
    svchost.exe 3748 2,040 K 5,360 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    iPodService.exe 3352 3,520 K 7,620 K iPodService Module (64-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe "
    wmpnetwk.exe 4012 13,840 K 11,464 K Windows Media Player Network Sharing Service Microsoft Corporation "C:\Program Files\Windows Media Player\wmpnetwk.exe "
    FNPLicensingService.exe 4468 1,788 K 4,452 K Activation Licensing Service Macrovision Europe Ltd. "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe "
    SearchIndexer.exe 2232 0.34 75,668 K 132,128 K Microsoft Windows Search Indexer Microsoft Corporation C:\Windows\system32\SearchIndexer.exe /Embedding
    SearchProtocolHost.exe 5236 30,568 K 8,868 K
    SearchFilterHost.exe 5044 3,408 K 7,804 K
    svchost.exe 4240 3,468 K 8,108 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    SteamService.exe 1104 7,968 K 8,508 K Steam Client Service (buildbot_winslave01_steam_rel_client_win32@winslave01) Valve Corporation C:\Program Files (x86)\Common Files\Steam\SteamService.exe /RunAsService
    lsass.exe 636 5,032 K 11,756 K Local Security Authority Process Microsoft Corporation C:\Windows\system32\lsass.exe
    lsm.exe 644 2,920 K 4,368 K
    csrss.exe 540 3,096 K 7,812 K
    winlogon.exe 864 3,128 K 7,160 K
    explorer.exe 1796 42,856 K 75,336 K Windows Explorer Microsoft Corporation C:\Windows\Explorer.EXE
    sidebar.exe 2144 55,796 K 48,876 K Windows Desktop Gadgets Microsoft Corporation "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
    SetPoint.exe 2332 6,960 K 16,664 K Logitech SetPoint Event Manager (UNICODE) Logitech, Inc. "C:\Program Files\Logitech\SetPoint\SetPoint.exe"
    SetPoint32.exe 4060 1,404 K 4,888 K "C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe"
    KHALMNPR.exe 4644 6,892 K 11,244 K Logitech KHAL Main Process Logitech, Inc. KHALMNPR.EXE /API
    Steam.exe 5308 88,084 K 50,884 K Steam Valve Corporation "C:\Program Files (x86)\Steam\Steam.exe" -applaunch 10190
    chrome.exe 3108 55,416 K 73,216 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe"
    chrome.exe 4824 9,968 K 15,456 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe" --type=extension --lang=en-US --force-fieldtest=DnsImpact/_default_enabled_prefetch/GlobalSdch/_global_enable_sdch/IPv6_Probe/_IPv6_probe_done/ --channel=3108.01138C00.1673464187 --ignored=" --type=renderer "
    chrome.exe 1740 21,168 K 30,664 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --force-fieldtest=CacheSize/CacheSizeGroup_2/DnsImpact/_default_enabled_prefetch/GlobalSdch/_global_enable_sdch/IPv6_Probe/_IPv6_probe_done/ --channel=3108.01188A80.2050634794
    chrome.exe 4368 20.87 120,568 K 97,168 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe" --type=plugin --plugin-path= "c:\Program Files (x86)\Microsoft Silverlight\3.0.50106.0\npctrl.dll" --lang=en-US --plugin-data-dir= "C:\Users\Howard\AppData\Local\Google\Chrome\User Data\Default" --channel=3108.0670CA80.2097155974
    chrome.exe 5324 23,324 K 32,684 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --force-fieldtest=CacheSize/CacheSizeGroup_2/DnsImpact/_default_enabled_prefetch/GlobalSdch/_global_enable_sdch/IPv6_Probe/_IPv6_probe_done/ --channel=3108.07563C00.1545851648
    procexp.exe 5244 2,088 K 5,704 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    procexp64.exe 6056 4.79 26,616 K 44,788 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    acrotray.exe 2992 5,508 K 13,236 K AcroTray Adobe Systems Inc. "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe"
    MOM.exe 2796 40,556 K 5,420 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM "
    CCC.exe 4536 62,352 K 6,376 K Catalyst Control Centre: Host application ATI Technologies Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
    VCDDaemon.exe 1032 1,764 K 6,256 K Virtual CloneDrive Daemon Elaborate Bytes AG "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    RazerImperatorTray.exe 2008 4,884 K 9,816 K Razer Imperator Configuration Utility Razer USA Ltd "C:\Program Files (x86)\Razer\Imperator\RazerImperatorTray.exe"
    iTunesHelper.exe 1296 5,916 K 13,524 K iTunesHelper Apple Inc. "D:\iTunes\iTunesHelper.exe"
    Z-5 Speakers.exe 4772 14,260 K 23,608 K
    jusched.exe 4776 1,408 K 4,908 K Java(TM) Update Scheduler Sun Microsystems, Inc. "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    avgtray.exe 2400 5,356 K 5,656 K AVG Tray Monitor AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgtray.exe"
    zlclient.exe 3480 19,396 K 5,408 K ZoneAlarm Client Check Point Software Technologies LTD "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe "
     


  4. 2010/05/29
    broni

    broni Moderator Malware Analyst

    OK...
    We have System Idle Process (CPU not used) at 46.18% (it IS low),
    svchost.exe at 24.97% (abnormally high, but it may be connected to next item)
    chrome.exe Microsoft Silverlight plug-in using 20.87%

    Close Chrome, run Process Explorer one more time and post fresh log.

    However, it's bedtime for me, so I'll check on you tomorrow morning :)
     
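The triage broni does by eye in the reply above (read off the idle share, rank the rest by CPU, note which "-k" group a busy svchost.exe belongs to) can be done over the saved Procexp.txt from the first reply's steps. The script below is an added example, not part of the thread or of Process Explorer itself; the function names are my own, and `$SampleReport` is a constructed excerpt laid out like the posted logs. It needs PowerShell 3 or later.

```powershell
# Added example, not from the thread: parse a Process Explorer text report
# (File > Save As, with the Command Line column enabled) and triage it the way
# the replies in this thread do. $SampleReport is a constructed excerpt laid
# out like the posted logs; function names are assumed, not Sysinternals APIs.
$SampleReport = @'
Process PID CPU Private Bytes Working Set Description Company Name Command Line
System Idle Process 0 66.92 0 K 24 K
Interrupts n/a 0 K 0 K Hardware Interrupts
System 4 308 K 97,676 K
svchost.exe 772 5,140 K 9,692 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe 2360 25.00 9,784 K 18,232 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Z-5 Speakers.exe 4772 14,260 K 23,608 K
chrome.exe 4368 20.87 120,568 K 97,168 K Google Chrome Google Inc. "C:\Users\Howard\AppData\Local\Google\Chrome\Application\chrome.exe" --type=plugin
'@

function ConvertFrom-ProcexpReport {
    param([Parameter(Mandatory)][string]$Text)
    # Fields are space separated. CPU is blank for processes that used none in
    # the sample, so it is optional; Description, Company and Command Line are
    # blank when Process Explorer could not open the process image.
    $pattern = '^(?<name>.+?)\s+(?<procid>\d+|n/a)\s+(?:(?<cpu>\d+\.\d+)\s+)?' +
               '(?<priv>[\d,]+) K\s+(?<ws>[\d,]+) K(?:\s+(?<rest>.*))?$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            # Pull the fields out before the next -match overwrites $Matches.
            $name   = $Matches['name']
            $procId = $Matches['procid']
            $cpu    = if ($Matches['cpu']) { [double]$Matches['cpu'] } else { 0.0 }
            $priv   = [int]($Matches['priv'] -replace ',', '')
            $ws     = [int]($Matches['ws'] -replace ',', '')
            $rest   = if ($Matches['rest']) { $Matches['rest'].Trim() } else { '' }
            # svchost.exe instances carry their service group after -k.
            $group  = if ($rest -match '-k\s+(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Name         = $name
                ProcessId    = $procId
                CPU          = $cpu
                PrivateKB    = $priv
                WorkingSetKB = $ws
                SvchostGroup = $group
                Details      = $rest
            }
        }
    }
}

function Get-ProcexpTriage {
    param([Parameter(Mandatory)][object[]]$Rows, [int]$Top = 5)
    $idleRow   = $Rows | Where-Object { $_.Name -eq 'System Idle Process' } | Select-Object -First 1
    $consumers = $Rows |
        Where-Object { $_.Name -ne 'System Idle Process' -and $_.CPU -gt 0 } |
        Sort-Object CPU -Descending | Select-Object -First $Top
    # Rows with no Description/Company/Command Line: Process Explorer could not
    # read the image (protected or higher-integrity process, e.g. the AV engine
    # in the posted logs). Worth a second look, not a verdict.
    $opaque = $Rows | Where-Object {
        $_.Details -eq '' -and $_.ProcessId -ne 'n/a' -and
        @('System Idle Process', 'System') -notcontains $_.Name
    }
    [pscustomobject]@{
        IdlePercent    = if ($idleRow) { $idleRow.CPU } else { $null }
        TopConsumers   = @($consumers)
        SvchostByGroup = @($Rows | Where-Object { $_.SvchostGroup } | Sort-Object CPU -Descending)
        NoImageInfo    = @($opaque)
    }
}

$rows   = ConvertFrom-ProcexpReport -Text $SampleReport
$triage = Get-ProcexpTriage -Rows $rows
'Idle: {0}%' -f $triage.IdlePercent
$triage.TopConsumers   | Format-Table Name, ProcessId, CPU, SvchostGroup -AutoSize
$triage.SvchostByGroup | Format-Table ProcessId, CPU, SvchostGroup -AutoSize
$triage.NoImageInfo    | Format-Table Name, ProcessId, WorkingSetKB -AutoSize
# Real report: ConvertFrom-ProcexpReport -Text ((Get-Content .\Procexp.txt) -join "`n")
```

On the sample this reports idle at 66.92%, the LocalServiceAndNoImpersonation svchost.exe (PID 2360) and the Silverlight chrome.exe plug-in host as the top consumers, and Z-5 Speakers.exe as the one row with no image information, which is the same reading the thread arrives at. The CPU column is a snapshot over one refresh interval, so take two or three reports a minute apart before trusting a number.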
  5. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    It's bedtime for me as well. Here's the log and thank you again!


    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 66.92 0 K 24 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 308 K 97,676 K
    smss.exe 296 516 K 1,096 K
    csrss.exe 444 2,656 K 4,400 K
    wininit.exe 516 1,684 K 4,468 K
    avgchsva.exe 548 66,324 K 63,896 K
    avgrsa.exe 556 3,896 K 1,724 K
    avgcsrva.exe 792 1.15 17,756 K 22,044 K
    services.exe 624 5,572 K 9,116 K
    svchost.exe 772 5,140 K 9,692 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
    LVPrS64H.exe 2700 1,328 K 4,420 K
    WmiPrvSE.exe 4592 5,568 K 10,160 K
    svchost.exe 920 4,728 K 8,480 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k RPCSS
    atiesrxx.exe 980 1,756 K 4,236 K AMD External Events Service Module AMD C:\Windows\system32\atiesrxx.exe
    atieclxx.exe 1168 2,520 K 6,248 K
    svchost.exe 328 20,860 K 22,332 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    audiodg.exe 5392 16,864 K 16,056 K
    svchost.exe 428 158,380 K 163,044 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    dwm.exe 1772 44,960 K 54,984 K Desktop Window Manager Microsoft Corporation "C:\Windows\system32\Dwm.exe "
    WUDFHost.exe 3840 2,228 K 6,104 K
    svchost.exe 684 26,120 K 39,060 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k netsvcs
    svchost.exe 1124 10,144 K 16,960 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalService
    svchost.exe 1224 15,292 K 16,176 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkService
    vsmon.exe 1632 22,532 K 25,004 K TrueVector Service Check Point Software Technologies LTD C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service
    spoolsv.exe 1988 8,196 K 14,040 K Spooler SubSystem App Microsoft Corporation C:\Windows\System32\spoolsv.exe
    svchost.exe 2036 9,660 K 13,160 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    taskhost.exe 1504 8,872 K 10,304 K Host Process for Windows Tasks Microsoft Corporation "taskhost.exe "
    AppleMobileDeviceService.exe 2164 1,556 K 4,568 K Apple Mobile Device Service Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "
    avgwdsvc.exe 2196 7,704 K 2,872 K AVG Watchdog Service AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe "
    avgnsa.exe 1768 15,580 K 936 K
    mDNSResponder.exe 2296 1,912 K 5,516 K Bonjour Service Apple Inc. "C:\Program Files (x86)\Bonjour\mDNSResponder.exe "
    svchost.exe 2360 25.00 9,784 K 18,232 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    LVPrcSrv.exe 2468 3,324 K 6,320 K Logitech LVPrcSrv Module. Logitech Inc. "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe "
    PnkBstrA.exe 2712 1,220 K 4,020 K C:\Windows\system32\PnkBstrA.exe
    svchost.exe 3748 2,040 K 5,360 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    iPodService.exe 3352 3,520 K 7,620 K iPodService Module (64-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe "
    wmpnetwk.exe 4012 13,828 K 11,452 K Windows Media Player Network Sharing Service Microsoft Corporation "C:\Program Files\Windows Media Player\wmpnetwk.exe "
    FNPLicensingService.exe 4468 1,788 K 4,452 K Activation Licensing Service Macrovision Europe Ltd. "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe "
    SearchIndexer.exe 2232 1.15 78,712 K 134,712 K Microsoft Windows Search Indexer Microsoft Corporation C:\Windows\system32\SearchIndexer.exe /Embedding
    SearchProtocolHost.exe 5236 1.92 30,568 K 8,412 K
    SearchFilterHost.exe 5512 0.77 5,108 K 9,392 K
    svchost.exe 4240 3,520 K 8,124 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    lsass.exe 636 0.77 5,028 K 11,748 K Local Security Authority Process Microsoft Corporation C:\Windows\system32\lsass.exe
    lsm.exe 644 2,920 K 4,372 K
    csrss.exe 540 0.38 3,096 K 6,588 K
    winlogon.exe 864 3,128 K 7,160 K
    explorer.exe 1796 51,696 K 86,964 K Windows Explorer Microsoft Corporation C:\Windows\Explorer.EXE
    sidebar.exe 2144 55,812 K 48,892 K Windows Desktop Gadgets Microsoft Corporation "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
    SetPoint.exe 2332 6,960 K 16,664 K Logitech SetPoint Event Manager (UNICODE) Logitech, Inc. "C:\Program Files\Logitech\SetPoint\SetPoint.exe"
    SetPoint32.exe 4060 1,404 K 4,888 K "C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe"
    KHALMNPR.exe 4644 6,892 K 11,244 K Logitech KHAL Main Process Logitech, Inc. KHALMNPR.EXE /API
    procexp.exe 6084 2,096 K 5,680 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    procexp64.exe 5632 1.92 25,404 K 41,872 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    acrotray.exe 2992 5,508 K 13,236 K AcroTray Adobe Systems Inc. "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe"
    MOM.exe 2796 39,528 K 5,852 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM "
    CCC.exe 4536 62,352 K 7,168 K Catalyst Control Centre: Host application ATI Technologies Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
    VCDDaemon.exe 1032 1,764 K 6,256 K Virtual CloneDrive Daemon Elaborate Bytes AG "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    RazerImperatorTray.exe 2008 4,884 K 9,816 K Razer Imperator Configuration Utility Razer USA Ltd "C:\Program Files (x86)\Razer\Imperator\RazerImperatorTray.exe"
    iTunesHelper.exe 1296 5,916 K 13,524 K iTunesHelper Apple Inc. "D:\iTunes\iTunesHelper.exe"
    Z-5 Speakers.exe 4772 14,260 K 23,608 K
    jusched.exe 4776 1,408 K 4,908 K Java(TM) Update Scheduler Sun Microsystems, Inc. "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    avgtray.exe 2400 5,356 K 5,688 K AVG Tray Monitor AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgtray.exe"
    zlclient.exe 3480 19,396 K 4,732 K ZoneAlarm Client Check Point Software Technologies LTD "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe "
     
  6. 2010/05/29
    broni

    broni Moderator Malware Analyst

    OK, now we're down to one culprit, svchost.exe at 25.00%
    The user in this case is LocalServiceAndNoImpersonation, which I believe is some shell extension (right click).

    Download, and install ShellExView: http://www.nirsoft.net/utils/shexview.html
    Make sure to get 64-bit version.
    Open it. Click on Type column to sort all entries.
    Right click, and Disable all non-Microsoft Context Menu type entries.
    Restart computer, and post fresh PE log.
     
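Two read-only checks that go with the step above, added here as an example and not part of the thread or of ShellExView. The "-k" group name in the log says which service host is busy, not which of the services inside it; `Get-SvchostServices` lists them for a PID. `Get-ContextMenuHandlers` walks the registry keys Explorer reads for context-menu extensions and resolves each to its DLL and code signer, which is the information ShellExView's Context Menu rows present. Both function names are assumed, the PID in the usage line is taken from the posted log, nothing here disables anything, and it needs PowerShell 3 or later run as 64-bit PowerShell on a 64-bit system (the same reason broni asks for the 64-bit ShellExView: you want the handlers 64-bit Explorer actually loads).

```powershell
# Added example, not from the thread (read-only, disables nothing). Function
# names are assumed. Needs PowerShell 3+; on the PowerShell 2 that shipped
# with Windows 7, Get-WmiObject Win32_Service accepts the same -Filter.
function Get-SvchostServices {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Every service hosted by this svchost.exe instance, with its image path.
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-ContextMenuHandlers {
    # Handlers are registered per file class under HKCR; '*' covers every file,
    # 'Directory' and 'Directory\Background' cover folders and the desktop.
    $classes = '*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Drive'
    foreach ($class in $classes) {
        # -LiteralPath throughout: the '*' class name must not act as a wildcard.
        $key = "Registry::HKEY_CLASSES_ROOT\$class\shellex\ContextMenuHandlers"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            # The default value holds the handler CLSID; some keys are named by the CLSID itself.
            $clsid = (Get-ItemProperty -LiteralPath $entry.PSPath).'(default)'
            if (-not $clsid) { $clsid = $entry.PSChildName }
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
            }
            # Who signed the DLL: the quickest way to separate vendor shell
            # extensions from Microsoft's own, and to spot unsigned ones.
            $signer = '(no DLL found)'
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
            [pscustomobject]@{
                Class   = $class
                Handler = $entry.PSChildName
                CLSID   = $clsid
                Dll     = $dll
                Signer  = $signer
            }
        }
    }
}

# PID 2360 is the LocalServiceAndNoImpersonation svchost.exe from the posted log.
Get-SvchostServices -ProcessId 2360 | Format-Table -AutoSize
# The non-Microsoft context-menu handlers, i.e. the candidates the step above disables.
Get-ContextMenuHandlers | Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Format-Table Class, Handler, Dll, Signer -AutoSize
```

Process Explorer shows the first list too (Services tab of the process's properties), but having it as objects lets you save it next to the log and diff it after each change. Shell extensions load into explorer.exe, not into a service host, so if `Get-SvchostServices` names a vendor service in that PID, that is the more direct lead.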
  7. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    All done. I don't know if this helps but my CPU monitor has been showing me that the processing has been cycling through my cores. For example, it would show core 1 at 75-80% for one session, then after a restart, it would be core 2 at those numbers while the rest of the cores stay from 0-25%.

    Here's the new PE log:

    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 74.23 0 K 24 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 312 K 97,804 K
    smss.exe 296 544 K 1,128 K
    csrss.exe 444 2,332 K 4,144 K
    wininit.exe 504 1,712 K 4,464 K
    avgchsva.exe 536 34,488 K 4,856 K
    avgrsa.exe 544 3,868 K 1,328 K
    avgcsrva.exe 768 13,744 K 6,356 K
    services.exe 580 5,712 K 9,264 K
    svchost.exe 916 5,328 K 9,704 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
    LVPrS64H.exe 2852 1,528 K 4,612 K
    COCIManager.exe 4368 2,968 K 7,456 K Camera Control Interface Logitech Inc. "C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe" -Embedding
    WmiPrvSE.exe 4444 3,780 K 8,468 K
    WmiPrvSE.exe 5688 3,008 K 6,352 K
    dllhost.exe 4568 3,088 K 7,032 K COM Surrogate Microsoft Corporation C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    svchost.exe 1152 4,468 K 8,328 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k RPCSS
    atiesrxx.exe 1300 1,808 K 4,352 K AMD External Events Service Module AMD C:\Windows\system32\atiesrxx.exe
    atieclxx.exe 1704 2,524 K 6,076 K
    svchost.exe 1332 20,592 K 21,500 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    audiodg.exe 1472 16,036 K 15,964 K
    svchost.exe 1364 0.38 103,140 K 108,468 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    dwm.exe 1900 35,308 K 54,768 K Desktop Window Manager Microsoft Corporation "C:\Windows\system32\Dwm.exe "
    WUDFHost.exe 5152 2,224 K 6,072 K
    svchost.exe 1404 26,444 K 33,536 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k netsvcs
    taskeng.exe 2448 2,096 K 5,124 K
    svchost.exe 1524 10,172 K 16,728 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalService
    svchost.exe 1604 14,780 K 14,936 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkService
    vsmon.exe 1684 22,264 K 24,208 K TrueVector Service Check Point Software Technologies LTD C:\Windows\SysWOW64\ZoneLabs\vsmon.exe -service
    spoolsv.exe 1572 8,336 K 14,212 K Spooler SubSystem App Microsoft Corporation C:\Windows\System32\spoolsv.exe
    svchost.exe 1484 9,452 K 14,144 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    taskhost.exe 2060 4,208 K 8,340 K Host Process for Windows Tasks Microsoft Corporation "taskhost.exe "
    AppleMobileDeviceService.exe 2296 1,564 K 4,556 K Apple Mobile Device Service Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "
    avgwdsvc.exe 2316 7,284 K 732 K AVG Watchdog Service AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe "
    avgnsa.exe 2692 11,676 K 1,684 K
    mDNSResponder.exe 2244 1,936 K 5,488 K Bonjour Service Apple Inc. "C:\Program Files (x86)\Bonjour\mDNSResponder.exe "
    svchost.exe 2424 25.00 10,100 K 18,664 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    LVPrcSrv.exe 2588 2,604 K 6,192 K Logitech LVPrcSrv Module. Logitech Inc. "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe "
    PnkBstrA.exe 2836 1,272 K 4,072 K C:\Windows\system32\PnkBstrA.exe
    SearchIndexer.exe 3684 38,988 K 14,012 K Microsoft Windows Search Indexer Microsoft Corporation C:\Windows\system32\SearchIndexer.exe /Embedding
    SearchProtocolHost.exe 4296 3,416 K 6,384 K
    SearchFilterHost.exe 4496 2,576 K 5,828 K
    svchost.exe 4776 2,096 K 5,368 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    iPodService.exe 4852 3,252 K 7,256 K iPodService Module (64-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe "
    FNPLicensingService.exe 4680 1,772 K 4,408 K Activation Licensing Service Macrovision Europe Ltd. "C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe "
    wmpnetwk.exe 5004 13,972 K 30,240 K Windows Media Player Network Sharing Service Microsoft Corporation "C:\Program Files\Windows Media Player\wmpnetwk.exe "
    svchost.exe 5180 3,552 K 8,140 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    svchost.exe 5444 1,184 K 2,784 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k WerSvcGroup
    sppsvc.exe 4744 2,836 K 8,408 K Microsoft Software Protection Platform Service Microsoft Corporation C:\Windows\system32\sppsvc.exe
    lsass.exe 596 4,660 K 11,188 K Local Security Authority Process Microsoft Corporation C:\Windows\system32\lsass.exe
    lsm.exe 604 2,920 K 4,440 K
    csrss.exe 528 0.38 2,984 K 6,424 K
    winlogon.exe 724 3,236 K 7,192 K
    explorer.exe 1924 43,164 K 75,356 K Windows Explorer Microsoft Corporation C:\Windows\Explorer.EXE
    sidebar.exe 2572 54,268 K 46,672 K Windows Desktop Gadgets Microsoft Corporation "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
    SetPoint.exe 2764 7,056 K 16,784 K Logitech SetPoint Event Manager (UNICODE) Logitech, Inc. "C:\Program Files\Logitech\SetPoint\SetPoint.exe"
    SetPoint32.exe 1788 1,452 K 4,816 K "C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe"
    KHALMNPR.exe 3400 7,788 K 12,028 K Logitech KHAL Main Process Logitech, Inc. KHALMNPR.EXE /API
    procexp.exe 1752 2,168 K 5,608 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    procexp64.exe 3528 23,812 K 40,952 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    acrotray.exe 3256 5,072 K 12,404 K AcroTray Adobe Systems Inc. "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe"
    VCDDaemon.exe 3272 1,716 K 5,688 K Virtual CloneDrive Daemon Elaborate Bytes AG "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    LWS.exe 3352 12,896 K 16,360 K Camera Software Logitech Inc. "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
    iTunesHelper.exe 3520 6,040 K 13,088 K iTunesHelper Apple Inc. "D:\iTunes\iTunesHelper.exe"
    MOM.exe 3552 39,084 K 5,148 K Catalyst Control Center: Monitoring program Advanced Micro Devices Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM "
    CCC.exe 4596 66,420 K 8,772 K Catalyst Control Centre: Host application ATI Technologies Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe" 0
    Z-5 Speakers.exe 3576 8,788 K 15,120 K
    jusched.exe 3580 1,468 K 4,708 K Java(TM) Update Scheduler Sun Microsystems, Inc. "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    avgtray.exe 3568 5,396 K 4,488 K AVG Tray Monitor AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\AVG9\avgtray.exe"
    zlclient.exe 3560 20,028 K 7,852 K ZoneAlarm Client Check Point Software Technologies LTD "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe "
     
  8. 2010/05/29
    broni

    broni Moderator Malware Analyst

    It's still the same.
    Restart in safe mode and post new PE log from there.
     
  9. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Here it is:

    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 100.00 0 K 24 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 112 K 1,616 K
    smss.exe 260 584 K 1,136 K Windows Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
    csrss.exe 404 1,868 K 3,524 K Client Server Runtime Process Microsoft Corporation %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    wininit.exe 440 1,856 K 4,432 K Windows Start-Up Application Microsoft Corporation wininit.exe
    services.exe 536 4,276 K 6,940 K Services and Controller app Microsoft Corporation C:\Windows\system32\services.exe
    svchost.exe 652 4,480 K 8,756 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
    svchost.exe 728 2,584 K 5,688 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k RPCSS
    svchost.exe 812 5,788 K 8,228 K Host Process for Windows Services Microsoft Corporation C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    svchost.exe 852 5,232 K 10,300 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k netsvcs
    svchost.exe 904 1,916 K 4,632 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    svchost.exe 944 1,596 K 3,888 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k NetworkService
    lsass.exe 544 3,424 K 8,868 K Local Security Authority Process Microsoft Corporation C:\Windows\system32\lsass.exe
    lsm.exe 552 2,640 K 4,168 K Local Session Manager Service Microsoft Corporation C:\Windows\system32\lsm.exe
    csrss.exe 448 2,216 K 4,712 K Client Server Runtime Process Microsoft Corporation %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    winlogon.exe 488 2,160 K 5,224 K Windows Logon Application Microsoft Corporation winlogon.exe
    explorer.exe 744 37,104 K 52,296 K Windows Explorer Microsoft Corporation C:\Windows\Explorer.EXE
    ctfmon.exe 1048 2,020 K 3,484 K CTF Loader Microsoft Corporation ctfmon.exe
    procexp.exe 1448 2,068 K 5,432 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    procexp64.exe 1464 18,764 K 32,064 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe "
     
  10. 2010/05/29
    broni

    broni Moderator Malware Analyst

    OK, in safe mode, it's perfect - 100%

    While in safe mode....

    Go Start>Run (Start Search in Vista), type in:
    msconfig
    Click OK (hit Enter in Vista).

    Click on Startup tab.
    Click Disable all
    IMPORTANT! In case of a laptop, make sure you do NOT disable any keyboard or touchpad entries.

    Click Services tab.
    Put checkmark in Hide all Microsoft services
    Click Disable all.

    Click OK.
    Restart computer in Normal Mode.

    NOTE. If you use a different firewall than Windows firewall, turn Windows firewall on just for this test, since your regular firewall won't be running.
    If you use Windows firewall, you're fine.

    Post new PE log.
     
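Before clicking "Disable all" on both msconfig tabs, it helps to have a record of what those tabs contain, so the clean-boot result can be read against a list and everything can be put back afterwards. The script below is an added example, not part of the thread or of msconfig; the function name is assumed, and it needs PowerShell 3 or later. It only reads and writes CSV files.

```powershell
# Added example, not from the thread (read-only). Function name is assumed.
# Records what msconfig's Startup and Services tabs are about to disable.
function Get-CleanBootInventory {
    # Startup tab: Run keys and Startup folders for all users.
    $startup = Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User
    # Services tab with "Hide all Microsoft services" ticked: msconfig filters
    # on the image's company name; this uses a path heuristic instead (image
    # outside %SystemRoot%), so a few entries may differ from what msconfig shows.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike "*$env:SystemRoot*" } |
        Select-Object Name, DisplayName, StartMode, State, PathName
    [pscustomobject]@{
        Startup            = @($startup)
        NonWindowsServices = @($services)
    }
}

$inventory = Get-CleanBootInventory
# Keep the before-state next to the Process Explorer logs.
$inventory.Startup            | Export-Csv -NoTypeInformation .\startup-before-cleanboot.csv
$inventory.NonWindowsServices | Export-Csv -NoTypeInformation .\services-before-cleanboot.csv
# The auto-start, non-Windows services are the ones the clean boot removes
# from the picture; these are the suspects if the CPU load disappears.
$inventory.NonWindowsServices | Where-Object { $_.StartMode -eq 'Auto' } |
    Format-Table Name, DisplayName, PathName -AutoSize
```

If the idle share comes back up to the high nineties after the clean boot, as it does in the next reply, the cause is in one of the two CSV files; re-enabling the entries in halves rather than one at a time finds it in a few restarts.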
  11. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Here's the new log:

    Process PID CPU Private Bytes Working Set Description Company Name Command Line
    System Idle Process 0 99.62 0 K 24 K
    Interrupts n/a 0 K 0 K Hardware Interrupts
    DPCs n/a 0 K 0 K Deferred Procedure Calls
    System 4 312 K 97,840 K
    smss.exe 296 524 K 1,108 K
    csrss.exe 444 2,068 K 3,644 K
    wininit.exe 516 1,760 K 4,444 K
    avgchsva.exe 548 33,092 K 1,824 K
    avgrsa.exe 556 3,584 K 6,140 K
    avgcsrva.exe 784 13,612 K 80,848 K
    services.exe 624 3,120 K 6,276 K
    svchost.exe 768 2,980 K 5,988 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k DcomLaunch
    svchost.exe 124 3,136 K 6,580 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k RPCSS
    svchost.exe 528 2,460 K 6,452 K Host Process for Windows Services Microsoft Corporation C:\Windows\system32\svchost.exe -k netsvcs
    PnkBstrA.exe 1120 1,204 K 4,112 K C:\Windows\system32\PnkBstrA.exe
    sppsvc.exe 1216 2,928 K 8,880 K Microsoft Software Protection Platform Service Microsoft Corporation C:\Windows\system32\sppsvc.exe
    lsass.exe 636 3,988 K 10,384 K
    lsm.exe 644 2,400 K 3,988 K
    csrss.exe 540 21,572 K 13,988 K
    winlogon.exe 252 2,072 K 5,444 K
    explorer.exe 1264 38,204 K 55,204 K Windows Explorer Microsoft Corporation C:\Windows\Explorer.EXE
    procexp.exe 1152 1,888 K 5,388 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    procexp64.exe 1172 0.38 16,616 K 31,132 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Howard\Downloads\ProcessExplorer\procexp.exe"
    zlclient.exe 1596 11,348 K 16,084 K ZoneAlarm Client Check Point Software Technologies LTD "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"

     
  12. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    Sorry, I've got to head out so I won't be back until later tonight. Thank you very much for your dedication to this problem! Check back later! :)
     
  13. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks very good - System Idle at 99.62%
    Now, you have work to do...hahaha...a lot of time and patience needed :)

    Some non-MS service or startup is causing your issue.
    Now, you need to start re-enabling the services and startups you just disabled, BUT one-by-one, restarting the computer each time and running PE after each restart, until you see a serious drop in System Idle Process from the current 99% or so.
    Basically, you should watch for this line reappearing:
    ...which is not currently present, after you disabled all those items.

    Start with re-enabling services. I have a hint, it may be either AVG, or ZA.
     
  14. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    Haha, actually, when you said to disable the non-MS services from the context menu, I had a feeling it would come back to re-enabling them. Would I be following the same procedure then? Using ShellExView and enabling them one-by-one? I have a feeling that's the case so I'll start and wait for your confirmation.

    The thing with your hint is that I installed those services after it happened, so it could very well be something else. Guess we'll see!
     
  15. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No. The PE log in your reply #26 still shows high CPU usage.
    What helped was my reply #29 (disabling services and startups through "msconfig").
    You have to go back to "msconfig" and start re-enabling services and startups from there.
    One-by-one.
     
  16. 2010/05/29
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    Oh. Ouch. Better get started if I want to sleep tonight, I guess.

    I tried re-enabling each of the non-MS services and startups and none of them caused the system idle percentage to drop under 99%. Am I doing something wrong?

    My process is going to msconfig, choosing one startup, enabling it, restarting, then launching PE as soon as it restarts and checking for idle percentage. Could it be a MS service/startup?
     
    Last edited: 2010/05/29
  17. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Hahaha...
     
  18. 2010/05/30
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    So none of the non-MS services/startup programs have caused it to drop below 99% and I haven't seen an svchost with PID of 2424. Should I start re-enabling a MS service/startup?
     
  19. 2010/05/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is exactly what I wanted you to do. I thought you were on it already...LOL
    One-by-one, restarting the computer each and every time and running PE each time.
     
  20. 2010/05/30
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    This is strange. I went through every MS service and nothing badgered my system idle percentage at all. So I went to my startups and there was only one MS startup, so I enabled it. With only that MS startup enabled, I was able to maintain a system idle of 99%. However, as soon as I re-enabled all my startups, I was back up to the same madness with my cores.

    In the new PE, I'm finding the same svchost as before, using 25% of my CPU. From the looks of it, I went into services.msc and disabled the services that it was affecting -

    - Function Discovery Resource Publication
    - SSDP Discovery
    - UPnP Device Host
    - Windows Connect Now

    But the final service that seems to be stuck is the Windows Font Cache Service. Is there a way to disable this or is this a known bug and can be fixed?
     
  21. 2010/05/30
    HowardF

    HowardF Inactive Thread Starter

    Joined:
    2009/01/02
    Messages:
    76
    Likes Received:
    0
    Okay, I just restarted and the problem seems to be gone. I disabled the Windows Font Cache Service since that seemed to be the one that was hanging my system. I also located an svchost for the services listed above, so those seem to be fine. My system idle is about normal, 98%, so that seems to have done it. Thanks a lot for pointing me in this direction!!
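A quicker way to tie a hot svchost.exe PID to the services it hosts, as an added example that is not part of this thread (assumes PowerShell 3.0 or later on Windows; FontCache is the service name Windows uses for the Windows Font Cache Service that the thread ended up disabling):

```powershell
# Added example (not from the thread): list every svchost.exe instance with its "-k" service
# group, the CPU time it has consumed, and the services currently hosted in that process.
# This replaces much of the reboot-and-check bisection with one lookup. Run from an
# elevated PowerShell prompt; Get-CimInstance needs PowerShell 3.0 or later (assumption).

# One Win32_Process row per svchost.exe, with command line and kernel/user CPU time.
$svchosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

# Every service that has a live process, grouped into a hashtable keyed by its PID (as text).
$svcByPid = Get-CimInstance Win32_Service -Filter "ProcessId != 0" |
    Group-Object -Property ProcessId -AsHashTable -AsString

$rows = foreach ($h in $svchosts) {
    # KernelModeTime and UserModeTime are in 100 ns units; convert to seconds of CPU used.
    $cpuSec = [math]::Round(($h.KernelModeTime + $h.UserModeTime) / 1e7, 1)
    # Pull the service group name out of "svchost.exe -k <group>".
    $group = if ($h.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '?' }
    $names = @()
    if ($svcByPid.ContainsKey([string]$h.ProcessId)) {
        $names = $svcByPid[[string]$h.ProcessId] | ForEach-Object { $_.Name }
    }
    [pscustomobject]@{
        PID      = $h.ProcessId
        Group    = $group
        CPUSec   = $cpuSec
        Services = ($names -join ', ')
    }
}

# The svchost at the top of this table is the one to investigate; its Services column
# is the list that otherwise has to be recovered by enabling items one at a time.
$rows | Sort-Object CPUSec -Descending | Format-Table -AutoSize

# Check a suspect service's state and startup type before changing anything.
Get-CimInstance Win32_Service -Filter "Name = 'FontCache'" |
    Select-Object Name, State, StartMode

# To stop it from starting at boot, as the thread did (elevated prompt required):
# Set-Service -Name FontCache -StartupType Disabled
```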
     
