
svchost process (Windowsautoupdate) running at 100% permanently


  • This topic is locked
4 replies to this topic

#1 zimmer46

zimmer46

  • Members
  • 166 posts

Posted 30 October 2013 - 08:35 AM

Background. It's an old laptop used by a relative for basic internet browsing and Facebook, keeping in touch with family. It was experiencing very slow browsing when moving page to page or trying to open menus etc. I looked at it and spotted that the CPU was running constantly at 100% and the cooling fan was working overtime. Identified that it was an svchost process and after a bit of Googling narrowed it down to the Windowsautoupdate process. If I stop the process the CPU returns to normal and the laptop works well. As a workaround I have been disabling the automatic update process. However, I posted on the forums to check if there was anything else going on and also to try to find a solution.

 

I have been referred here following help from Broni on the "Am I infected" section of the forum. The previous thread showing all steps worked through can be found here:

 

http://www.bleepingcomputer.com/forums/t/511712/very-slow-browser-and-security-certificate-errors/

 

DDS log and attached files below.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by User at 12:13:57 on 2013-10-30
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.542 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{606DAE6E-B549-4731-9025-9187F86A52CE} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxsrvc.dll
LSA: Authentication Packages =  msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\g5ue6l3q.default\
FF - ExtSQL: 2013-09-20 14:48; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-09-23 18:04; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2013-09-25 15:41:07 105176 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-09-23 18:33:58 920064 ----a-w- c:\windows\system32\wininet.dll
2013-09-23 18:33:57 43520 ------w- c:\windows\system32\licmgr10.dll
2013-09-23 18:33:57 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-23 18:33:56 18944 ----a-w- c:\windows\system32\corpol.dll
2013-09-23 18:06:48 385024 ------w- c:\windows\system32\html.iec
2013-09-18 08:15:00 65184 ----a-w- c:\windows\apppatch\MATSShim.DLL
2013-08-29 01:31:44 1878656 ----a-w- c:\windows\system32\win32k.sys
2013-08-09 01:56:45 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-09 00:55:08 144128 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-08-09 00:55:06 5376 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-08-05 13:30:32 1289728 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 12:26:20.09 ===============
 

 

 



#2 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts

Posted 30 October 2013 - 12:52 PM

I think I may have stumbled on the solution. I found the following info and applied a hotfix to IE8 and restarted the WindowsAutoUpdate process and so far it seems to be OK. I have pasted the info below if it helps, but Mods feel free to remove this if it's not appropriate.

===========================

"This issue comes about because Windows Update is heavily reliant on components of Internet Explorer. If these components are not up-to-date, later versions of Windows Update Agent (that's the engine that scans for and manages updates) may fail or exhibit very poor performance.



For folks that are doing a fresh install of Windows XP, the problem will always reveal itself when you try to do your first Windows Update. By initiating an update via the Windows Update website or enabling automatic updates, Windows will first upgrade Windows Update Agent. You cannot prevent this from happening. After that, Windows Update will fail or perform poorly thanks to the dated components of Internet Explorer 6.



For folks that have an existing Windows XP installation, this problem may still pop up if you have not been regularly updating your Internet Explorer installation.



It is NOT necessary to install a new version of Internet Explorer to resolve this issue. What is actually required is to install the latest cumulative security update for whatever version of Internet Explorer you have installed. This will be IE6, IE7, or IE8 (if you're doing a fresh install of Windows XP it will naturally be IE6). This will upgrade the various components of your Internet Explorer installation. Thereafter Windows Update will perform as it should.



The latest updates are dated October 2013 (as of writing this). Download and install the update that corresponds with your currently installed version of Internet Explorer:



IE6: WindowsXP-KB2879017-x86-ENU.exe
http://www.microsoft...s.aspx?id=40612



IE7: IE7-WindowsXP-KB2879017-x86-ENU.exe
http://www.microsoft...s.aspx?id=40519



IE8: IE8-WindowsXP-KB2879017-x86-ENU.exe
http://www.microsoft...s.aspx?id=40390"

Edited by zimmer46, 30 October 2013 - 12:54 PM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 November 2013 - 09:24 AM

Hi,

Having reviewed your topic with Broni, it seems that this problem has been solved.

Can I close this topic?

#4 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts

Posted 03 November 2013 - 11:14 AM

Sorry I should have posted a note on here too. Yes, please close the topic. If I encounter any problems I will start a new thread.

Thanks again.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 November 2013 - 02:33 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



