
svchost.exe hogging cpu


15 replies to this topic

#1 oldmanbill

Posted 14 September 2015 - 10:52 AM

Hi,

CPU being hogged by svchost.exe roughly 50%.

Process Explorer shows sub tasks: tasking.exe and googleupdate.exe

When I scroll over either of those, PE shows "error opening process".

If I try to suspend either task I get "access denied".

Mini Tool Box txt attached.


Edited by hamluis, 14 September 2015 - 01:18 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Aura

Malware Response Team

Posted 14 September 2015 - 02:41 PM

Hi oldmanbill :)

My name is Aura and I'll be assisting you with your issue. I don't see your MiniToolBox log attached; can you run it again by following the instructions below, please?

MiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator;
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 oldmanbill (Topic Starter)

Posted 15 September 2015 - 01:51 PM

Thanks Aura for responding.

I ran MTB again and am pasting the report.

Please let me know if you get it.

Thanks. Bill

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by admin (administrator) on 15-09-2015 at 14:35:09
Running from "C:\Users\admin\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: OptiPlex GX620 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================



========================= IP Configuration: ================================

802.11n USB Wireless LAN Card = Wireless Network Connection (Connected)
Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global defaultcurhoplimit=128 icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : admin-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Wireless LAN adapter Wireless Network Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : 802.11n USB Wireless LAN Card
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7000:ae6c:e7e8:2f3a%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.30(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, September 15, 2015 7:24:32 AM
   Lease Expires . . . . . . . . . . : Wednesday, September 16, 2015 1:24:32 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 318824524
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-0D-05-24-00-13-72-A7-2E-11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-13-72-A7-2E-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:c669:f440:389f:2fac:3f57:fee1(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::389f:2fac:3f57:fee1%18(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Reusable ISATAP Interface {422D0C9A-0966-4693-A878-EEECFC73737C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{908DB226-6C64-4F2B-A9AB-565ABB0E97C3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{41FE381F-6E5E-4B41-9509-FAE2DD11DDA6}:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Default Gateway . . . . . . . . . : 
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.lan:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.30%37(Preferred) 
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{4B3BB338-C9B5-4DA3-BAA1-B15343719E46}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  minglehotspot.lan
Address:  192.168.1.1

Name:    google.com.lan
Addresses:  198.105.244.64
	  198.105.254.64


Pinging google.com [198.70.249.242] with 32 bytes of data:
Reply from 198.70.249.242: bytes=32 time=92ms TTL=54
Reply from 198.70.249.242: bytes=32 time=109ms TTL=54

Ping statistics for 198.70.249.242:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 92ms, Maximum = 109ms, Average = 100ms
Server:  minglehotspot.lan
Address:  192.168.1.1

Name:    yahoo.com.lan
Addresses:  198.105.254.64
	  198.105.244.64


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=110ms TTL=44
Reply from 98.138.253.109: bytes=32 time=125ms TTL=44

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 110ms, Maximum = 125ms, Average = 117ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 15...00 e0 4c 81 80 8b ......Microsoft Virtual WiFi Miniport Adapter #2
 14...00 e0 4c 81 80 8b ......Microsoft Virtual WiFi Miniport Adapter
 13...00 e0 4c 81 80 8a ......802.11n USB Wireless LAN Card
 11...00 13 72 a7 2e 11 ......Broadcom NetXtreme 57xx Gigabit Controller
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 36...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 37...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 38...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.30     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.30    281
     192.168.1.30  255.255.255.255         On-link      192.168.1.30    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.30    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.30    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.30    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 18     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 18     58 2001::/32                On-link
 18    306 2001:0:c669:f440:389f:2fac:3f57:fee1/128
                                    On-link
 13    281 fe80::/64                On-link
 18    306 fe80::/64                On-link
 37    281 fe80::5efe:192.168.1.30/128
                                    On-link
 18    306 fe80::389f:2fac:3f57:fee1/128
                                    On-link
 13    281 fe80::7000:ae6c:e7e8:2f3a/128
                                    On-link
  1    306 ff00::/8                 On-link
 18    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/14/2015 10:54:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:39:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:37:50 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 484

Start Time: 01d0eefa78be62d7

Termination Time: 31

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 10:34:35 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1984

Start Time: 01d0eefa6fd39b30

Termination Time: 7

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 09:28:13 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: f48

Start Time: 01d0eef1187f1b00

Termination Time: 16

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id: 612ba1c5-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 09:28:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17937, time stamp: 0x55a7f8da
Faulting module name: IMM32.DLL, version: 6.1.7601.17514, time stamp: 0x4ce7ba53
Exception code: 0xc0000005
Fault offset: 0x000117c4
Faulting process id: 0x1178
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (09/14/2015 07:42:06 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1814

Start Time: 01d0eee1eec9dfe6

Termination Time: 36

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 07:38:53 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1a88

Start Time: 01d0eee137534962

Termination Time: 48

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 07:26:56 AM) (Source: Windows Backup) (User: )
Description: The backup did not complete because of an error writing to the backup location E:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (09/13/2015 08:41:34 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (09/15/2015 01:57:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (09/15/2015 01:40:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (09/14/2015 04:51:07 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:51:07 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:50:57 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:50:57 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:49:19 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:49:19 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/13/2015 07:57:27 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (09/13/2015 07:57:27 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.


Microsoft Office Sessions:
=========================
Error: (09/14/2015 10:54:28 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:39:23 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:37:50 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.1793748401d0eefa78be62d731C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 10:34:35 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.17937198401d0eefa6fd39b307C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 09:28:13 AM) (Source: Application Hang)(User: )
Description: iexplore.exe11.0.9600.17937f4801d0eef1187f1b0016C:\Program Files\Internet Explorer\iexplore.exe612ba1c5-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 09:28:07 AM) (Source: Application Error)(User: )
Description: IEXPLORE.EXE11.0.9600.1793755a7f8daIMM32.DLL6.1.7601.175144ce7ba53c0000005000117c4117801d0eef130cd680cC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\IMM32.DLL6f35ffa2-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 07:42:06 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.17937181401d0eee1eec9dfe636C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 07:38:53 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.179371a8801d0eee13753496248C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 07:26:56 AM) (Source: Windows Backup)(User: )
Description: E:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (09/13/2015 08:41:34 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


=========================== Installed Programs ============================

Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Amazon Kindle (HKCU\...\Amazon Kindle) (Version:  - Amazon)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bible Library (Uninstall) (HKLM-x32\...\BibleLibrary) (Version: 7 - Ellis Enterprises, Inc.)
Bing Bar (HKLM-x32\...\{3611CA6C-5FCA-4900-A329-6A118123CCFC}) (Version: 7.1.355.0 - Microsoft Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.06 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Doxillion Document Converter (HKLM-x32\...\Doxillion) (Version: 2.31 - NCH Software)
EaseUS Partition Master 10.2 Trial Edition (HKLM-x32\...\EaseUS Partition Master Trial Edition_is1) (Version:  - EaseUS)
EasyWorship 2009 (HKLM-x32\...\{A92509EA-B526-4869-B8B3-A39E20DBBE7A}_is1) (Version: 2009.01.09 - Softouch Development, Inc.)
Express Zip (HKLM-x32\...\ExpressZip) (Version: 2.28 - NCH Software)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\{D486950F-500E-358B-9CC4-16104753329E}) (Version: 65.205.49289 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.15 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP Deskjet 2510 series Basic Device Software (HKLM\...\{293CC68A-32BA-4BA4-84BD-0DCF6583566F}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2510 series Help (HKLM-x32\...\{234DADAD-3C3C-4FB1-90A4-0AF015D56E18}) (Version: 27.0.0 - Hewlett Packard)
HP Deskjet 2510 series Setup Guide (HKLM-x32\...\{216C7F38-4BBC-4E9A-8392-C9FA21B54386}) (Version: 27.0.0 - Hewlett Packard)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
KeyText v3 (HKLM-x32\...\KeyText_is1) (Version:  - MJMSoft Design)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.0.4035.0328 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.140.239 - Google, Inc.)
Prism Video File Converter (HKLM-x32\...\Prism) (Version: 2.45 - NCH Software)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.13.0 - Ralink)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.45.0 - SAMSUNG Electronics Co., Ltd.)
Sierra Wireless USB MUX Driver Package (HKLM-x32\...\{5600094C-5EA0-4BE8-9ECE-4C9B726AC9D9}) (Version: 0.60.9 - Sierra Wireless)
SparkChess 8.2.0 (HKLM-x32\...\{4A481391-9E7B-4360-8D08-3E48F8CFBC43}_is1) (Version: 8.2.0 - Media Division srl)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Stellar Phoenix Password Recovery (HKLM-x32\...\Stellar Phoenix Password Recovery_is1) (Version: 1.5.0.0 - Stellar Information Systems Ltd.)
TaxACT 2012 - 1040 Edition (HKLM-x32\...\TaxACT 2012 - 1040 Edition) (Version:  - 2nd Story Software, Inc.)
TaxACT 2012 Kentucky (HKLM-x32\...\TaxACT 2012 Kentucky) (Version:  - 2nd Story Software, Inc.)
TaxACT 2013 - 1040 Edition (HKLM-x32\...\TaxACT 2013 - 1040 Edition) (Version:  - TaxACT, Inc.)
TaxACT 2013 Kentucky (HKLM-x32\...\TaxACT 2013 Kentucky) (Version:  - TaxACT, Inc.)
TaxACT 2014 - 1040 Edition (HKLM-x32\...\TaxACT 2014 - 1040 Edition) (Version: 1.00 - TaxACT, Inc.)
TaxACT 2014 Kentucky (HKLM-x32\...\TaxACT 2014 Kentucky) (Version: 1.01 - TaxACT, Inc.)
thinkorswim (HKLM\...\9968-4488-2169-7623) (Version: desktop - thinkorswim, Inc)
TrueCrypt (HKLM-x32\...\TrueCrypt) (Version: 7.0a - TrueCrypt Foundation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Webroot SecureAnywhere (HKLM-x32\...\WRUNINST) (Version: 9.0.2.21 - Webroot)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WordWeb (HKLM-x32\...\WordWeb) (Version: 7 - WordWeb Software)
YTD Video Downloader 4.9.1 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.9.1 - GreenTree Applications SRL)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 53%
Total physical RAM: 3574.14 MB
Available physical RAM: 1676.29 MB
Total Virtual: 7146.48 MB
Available Virtual: 4964.61 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.41 GB) (Free:10.68 GB) NTFS

========================= Users: ========================================

User accounts for \\ADMIN-PC

admin                    Administrator            Guest                    


**** End of log ****


#4 Aura

Malware Response Team

Posted 15 September 2015 - 01:57 PM

I can see that you're running a 64-bit version of Windows with 3.5GB of RAM. Usually, you want to have at least 4GB of RAM to run 64-bit versions of Windows 7 and above.

I also see that you are using Google Chrome 32-bit, which most likely takes up A LOT of your RAM. Google Chrome uses a lot of RAM by default, but it's worse when you run the 32-bit version on a 64-bit version of Windows. The reason is that 32-bit programs on a 64-bit version of Windows don't run natively; they are emulated and therefore require additional resources (RAM and CPU) to run. One way to counter that would be to uninstall Google Chrome 32-bit and install the 64-bit version of it. It should help. The 64-bit version of Google Chrome can be found at the link below, under Download Chrome for another platform, by selecting Windows 10/8/7 64-bit.

https://www.google.com/chrome/browser/desktop/

The googleupdate.exe that runs under svchost.exe (from what you said) should therefore also be running in 64-bit and take less RAM. Extensions can also take a lot of RAM in Google Chrome. If you are using Adblock or Adblock Plus, for instance, you could switch to uBlock Origin, which is more efficient and takes far fewer resources.

You can also uninstall the following programs:
  • Bing Bar;
  • Java 8 Update 45 - Outdated;

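To tie a busy svchost.exe instance to the service behind it, which is what the first post is trying to do with Process Explorer, here is an added PowerShell example; it is not from the thread, from Aura's instructions, or from MiniToolBox. It assumes an elevated prompt and the PowerShell 2.0 that ships with Windows 7 (hence Get-WmiObject rather than Get-CimInstance); the function name Get-SvchostReport and the 5-second sample interval are my own choices.

```powershell
# Added example, not part of the thread. Samples the CPU time of every svchost.exe
# instance twice, then maps each instance to the service group it was started
# with (-k <group>), the services running inside it, and any child processes, so a
# high-CPU instance (like the thread's PID 392) can be tied to a named service.
# Uses Get-WmiObject so it runs on the PowerShell 2.0 that ships with Windows 7.
# Run from an elevated prompt: without elevation, CommandLine and ExecutablePath
# of SYSTEM processes come back empty, the same symptom as Process Explorer's
# "error opening process" / "access denied" in the first post.

function Get-SvchostReport {
    param([int]$SampleSeconds = 5)   # assumed default: interval over which CPU % is measured

    $cores = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors

    # First sample: cumulative CPU time (kernel + user, in 100-ns units) per svchost PID
    $first = @{}
    foreach ($p in (Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
        $first[[int]$p.ProcessId] = $p.KernelModeTime + $p.UserModeTime
    }
    Start-Sleep -Seconds $SampleSeconds

    # Second sample, plus the full process and service tables for the mapping
    $procs    = Get-WmiObject Win32_Process
    $services = Get-WmiObject Win32_Service

    foreach ($p in ($procs | Where-Object { $_.Name -eq 'svchost.exe' })) {
        $id   = [int]$p.ProcessId
        $now  = $p.KernelModeTime + $p.UserModeTime
        # An instance started after the first sample has no baseline; count it as 0%
        $prev = if ($first.ContainsKey($id)) { $first[$id] } else { $now }
        # Share of the whole machine's CPU over the interval, in percent
        $pct  = [math]::Round((($now - $prev) / 1e7) / $SampleSeconds / $cores * 100, 1)

        # "-k <group>" on the command line names the service group this instance hosts
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(not readable)' }

        # Services whose ProcessId is this svchost instance
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                  ForEach-Object { $_.Name }

        # Child processes, with image path and Authenticode signature status: the check
        # to apply to names like googleupdate.exe or tasking.exe that show up as "sub tasks"
        $children = $procs | Where-Object { $_.ParentProcessId -eq $p.ProcessId } | ForEach-Object {
            $sig = 'no path (access denied?)'
            if ($_.ExecutablePath) {
                try {
                    $sig = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction Stop).Status
                } catch {
                    $sig = 'signature check failed'
                }
            }
            "$($_.Name) [PID $($_.ProcessId)] $($_.ExecutablePath) signature=$sig"
        }

        New-Object PSObject -Property @{
            PID      = $id
            CpuPct   = $pct
            Group    = $group
            Services = ($hosted -join ', ')
            Children = ($children -join '; ')
        }
    }
}

# Busiest instance first
Get-SvchostReport | Sort-Object CpuPct -Descending |
    Select-Object PID, CpuPct, Group, Services, Children | Format-List
```

Services that share one instance cannot be separated by CPU this way; to isolate a suspect, move it into its own process with `sc config <ServiceName> type= own` (note the space after `type=`), restart it, and sample again.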


#5 oldmanbill (Topic Starter)

Posted 15 September 2015 - 03:26 PM

Thanks Aura.

I have a bad memory socket, so that limits the memory option.

I uninstalled Chrome, uninstalled Bing Bar, uninstalled Java 8 Update 45, rebooted, and started I/E; shortly after that, svchost PID 392 was eating 50% CPU. MTB report follows:

 

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by admin (administrator) on 15-09-2015 at 16:17:25
Running from "C:\Users\admin\Downloads"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: OptiPlex GX620 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

 

========================= IP Configuration: ================================

802.11n USB Wireless LAN Card = Wireless Network Connection (Connected)
Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global defaultcurhoplimit=128 icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : admin-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Wireless LAN adapter Wireless Network Connection 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #2
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : 802.11n USB Wireless LAN Card
   Physical Address. . . . . . . . . : 00-E0-4C-81-80-8A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7000:ae6c:e7e8:2f3a%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.30(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, September 15, 2015 4:12:20 PM
   Lease Expires . . . . . . . . . . : Wednesday, September 16, 2015 4:12:23 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 318824524
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-0D-05-24-00-13-72-A7-2E-11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-13-72-A7-2E-11
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:c669:fe40:30ae:3b8a:3f57:fee1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::30ae:3b8a:3f57:fee1%18(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Reusable ISATAP Interface {422D0C9A-0966-4693-A878-EEECFC73737C}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.lan:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.30%20(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{4B3BB338-C9B5-4DA3-BAA1-B15343719E46}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  minglehotspot.lan
Address:  192.168.1.1

Name:    google.com.lan
Addresses:  2620:118:7002::1064
   2620:118:7008::1064
   198.105.244.64
   198.105.254.64

Pinging google.com [198.70.249.231] with 32 bytes of data:
Reply from 198.70.249.231: bytes=32 time=74ms TTL=54
Reply from 198.70.249.231: bytes=32 time=63ms TTL=54

Ping statistics for 198.70.249.231:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 63ms, Maximum = 74ms, Average = 68ms
Server:  minglehotspot.lan
Address:  192.168.1.1

Name:    yahoo.com.lan
Addresses:  2620:118:7008::1064
   2620:118:7002::1064
   198.105.244.64
   198.105.254.64

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=145ms TTL=41
Reply from 98.139.183.24: bytes=32 time=160ms TTL=41

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 145ms, Maximum = 160ms, Average = 152ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 15...00 e0 4c 81 80 8b ......Microsoft Virtual WiFi Miniport Adapter #2
 14...00 e0 4c 81 80 8b ......Microsoft Virtual WiFi Miniport Adapter
 13...00 e0 4c 81 80 8a ......802.11n USB Wireless LAN Card
 11...00 13 72 a7 2e 11 ......Broadcom NetXtreme 57xx Gigabit Controller
  1...........................Software Loopback Interface 1
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.30     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.30    281
     192.168.1.30  255.255.255.255         On-link      192.168.1.30    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.30    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.30    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.30    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 18     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 18     58 2001::/32                On-link
 18    306 2001:0:c669:fe40:30ae:3b8a:3f57:fee1/128
                                    On-link
 13    281 fe80::/64                On-link
 18    306 fe80::/64                On-link
 20    281 fe80::5efe:192.168.1.30/128
                                    On-link
 18    306 fe80::30ae:3b8a:3f57:fee1/128
                                    On-link
 13    281 fe80::7000:ae6c:e7e8:2f3a/128
                                    On-link
  1    306 ff00::/8                 On-link
 18    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/15/2015 04:12:41 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/15/2015 02:37:59 PM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 3ac

Start Time: 01d0efdd42bf3dcc

Termination Time: 3270

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 10:54:28 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:39:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:37:50 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 484

Start Time: 01d0eefa78be62d7

Termination Time: 31

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 10:34:35 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1984

Start Time: 01d0eefa6fd39b30

Termination Time: 7

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 09:28:13 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: f48

Start Time: 01d0eef1187f1b00

Termination Time: 16

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id: 612ba1c5-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 09:28:07 AM) (Source: Application Error) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17937, time stamp: 0x55a7f8da
Faulting module name: IMM32.DLL, version: 6.1.7601.17514, time stamp: 0x4ce7ba53
Exception code: 0xc0000005
Fault offset: 0x000117c4
Faulting process id: 0x1178
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (09/14/2015 07:42:06 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1814

Start Time: 01d0eee1eec9dfe6

Termination Time: 36

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (09/14/2015 07:38:53 AM) (Source: Application Hang) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17937 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1a88

Start Time: 01d0eee137534962

Termination Time: 48

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

System errors:
=============
Error: (09/15/2015 01:57:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (09/15/2015 01:40:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (09/14/2015 04:51:07 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:51:07 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:50:57 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:50:57 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:49:19 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/14/2015 04:49:19 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/13/2015 07:57:27 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (09/13/2015 07:57:27 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Microsoft Office Sessions:
=========================
Error: (09/15/2015 04:12:41 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/15/2015 02:37:59 PM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.179373ac01d0efdd42bf3dcc3270C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 10:54:28 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:39:23 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2015 10:37:50 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.1793748401d0eefa78be62d731C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 10:34:35 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.17937198401d0eefa6fd39b307C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 09:28:13 AM) (Source: Application Hang)(User: )
Description: iexplore.exe11.0.9600.17937f4801d0eef1187f1b0016C:\Program Files\Internet Explorer\iexplore.exe612ba1c5-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 09:28:07 AM) (Source: Application Error)(User: )
Description: IEXPLORE.EXE11.0.9600.1793755a7f8daIMM32.DLL6.1.7601.175144ce7ba53c0000005000117c4117801d0eef130cd680cC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\IMM32.DLL6f35ffa2-5ae4-11e5-b245-001372a72e11

Error: (09/14/2015 07:42:06 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.17937181401d0eee1eec9dfe636C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (09/14/2015 07:38:53 AM) (Source: Application Hang)(User: )
Description: IEXPLORE.EXE11.0.9600.179371a8801d0eee13753496248C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

=========================== Installed Programs ============================

Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Amazon Kindle (HKCU\...\Amazon Kindle) (Version:  - Amazon)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bible Library (Uninstall) (HKLM-x32\...\BibleLibrary) (Version: 7 - Ellis Enterprises, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.06 - Piriform)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Doxillion Document Converter (HKLM-x32\...\Doxillion) (Version: 2.31 - NCH Software)
EaseUS Partition Master 10.2 Trial Edition (HKLM-x32\...\EaseUS Partition Master Trial Edition_is1) (Version:  - EaseUS)
EasyWorship 2009 (HKLM-x32\...\{A92509EA-B526-4869-B8B3-A39E20DBBE7A}_is1) (Version: 2009.01.09 - Softouch Development, Inc.)
Express Zip (HKLM-x32\...\ExpressZip) (Version: 2.28 - NCH Software)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP Deskjet 2510 series Basic Device Software (HKLM\...\{293CC68A-32BA-4BA4-84BD-0DCF6583566F}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2510 series Help (HKLM-x32\...\{234DADAD-3C3C-4FB1-90A4-0AF015D56E18}) (Version: 27.0.0 - Hewlett Packard)
HP Deskjet 2510 series Setup Guide (HKLM-x32\...\{216C7F38-4BBC-4E9A-8392-C9FA21B54386}) (Version: 27.0.0 - Hewlett Packard)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
KeyText v3 (HKLM-x32\...\KeyText_is1) (Version:  - MJMSoft Design)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.0.4035.0328 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.140.239 - Google, Inc.)
Prism Video File Converter (HKLM-x32\...\Prism) (Version: 2.45 - NCH Software)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.13.0 - Ralink)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.45.0 - SAMSUNG Electronics Co., Ltd.)
Sierra Wireless USB MUX Driver Package (HKLM-x32\...\{5600094C-5EA0-4BE8-9ECE-4C9B726AC9D9}) (Version: 0.60.9 - Sierra Wireless)
SparkChess 8.2.0 (HKLM-x32\...\{4A481391-9E7B-4360-8D08-3E48F8CFBC43}_is1) (Version: 8.2.0 - Media Division srl)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Stellar Phoenix Password Recovery (HKLM-x32\...\Stellar Phoenix Password Recovery_is1) (Version: 1.5.0.0 - Stellar Information Systems Ltd.)
TaxACT 2012 - 1040 Edition (HKLM-x32\...\TaxACT 2012 - 1040 Edition) (Version:  - 2nd Story Software, Inc.)
TaxACT 2012 Kentucky (HKLM-x32\...\TaxACT 2012 Kentucky) (Version:  - 2nd Story Software, Inc.)
TaxACT 2013 - 1040 Edition (HKLM-x32\...\TaxACT 2013 - 1040 Edition) (Version:  - TaxACT, Inc.)
TaxACT 2013 Kentucky (HKLM-x32\...\TaxACT 2013 Kentucky) (Version:  - TaxACT, Inc.)
TaxACT 2014 - 1040 Edition (HKLM-x32\...\TaxACT 2014 - 1040 Edition) (Version: 1.00 - TaxACT, Inc.)
TaxACT 2014 Kentucky (HKLM-x32\...\TaxACT 2014 Kentucky) (Version: 1.01 - TaxACT, Inc.)
thinkorswim (HKLM\...\9968-4488-2169-7623) (Version: desktop - thinkorswim, Inc)
TrueCrypt (HKLM-x32\...\TrueCrypt) (Version: 7.0a - TrueCrypt Foundation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Webroot SecureAnywhere (HKLM-x32\...\WRUNINST) (Version: 9.0.2.21 - Webroot)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WordWeb (HKLM-x32\...\WordWeb) (Version: 7 - WordWeb Software)
YTD Video Downloader 4.9.1 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.9.1 - GreenTree Applications SRL)

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 49%
Total physical RAM: 3574.14 MB
Available physical RAM: 1793.39 MB
Total Virtual: 7146.48 MB
Available Virtual: 5665.36 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.41 GB) (Free:12.26 GB) NTFS

========================= Users: ========================================

User accounts for \\ADMIN-PC

admin                    Administrator            Guest                   

**** End of log ****



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:29 AM

Posted 15 September 2015 - 05:44 PM

You uninstalled Google Chrome, but it seems that the Google Update Helper is still installed and most likely still running. Follow the instructions below please.

Registry - Export Uninstall Keys
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the following commands, one after the other. You'll know you're ready to input the next command when a new line with a blinking cursor appears under the preceding one:
    Note: You can copy and paste these commands instead of typing them. To copy a command inside the command prompt, move your mouse over the blinking cursor, right-click and select Paste. You must have copied the command prior to that (via Ctrl + C or left-click and Copy).
    • reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s > "%userprofile%\Desktop\hklm_uninstall32.txt"
  • Once you're done running the commands, a file will have appeared on your desktop:
    • hklm_uninstall32.txt
  • Create a new folder on your Desktop and move the file inside it. Once done, archive (.zip) the folder (right-click on it, select Send to... and select Compressed archive (.zip));
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
Also, if you right-click on the svchost.exe process in the Task Manager and select Go to service(s), which ones are highlighted?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
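For readers who prefer to inspect the same registry data without exporting it to a text file, the following PowerShell script is an added example (it is not part of the thread and not a BleepingComputer or MiniToolBox tool). It enumerates the same Uninstall keys that the reg query step above reads, for the 64-bit view, the 32-bit Wow6432Node view and the per-user HKCU view, and filters them by publisher; the filter pattern, the output file name and the assumption of Windows 7 or later with PowerShell 3.0 or later in an elevated prompt are the author's choices here, not something the post specifies.

```powershell
# Added example, not part of the thread: list the program entries under the same
# Uninstall keys that the reg query step exports, covering the 64-bit view,
# the 32-bit (Wow6432Node) view and the per-user view, then filter them.
# Assumes Windows 7 or later, PowerShell 3.0 or later, and an elevated prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    param([string[]]$Keys = $uninstallKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($subkey in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $subkey.PSPath
            # Entries without a DisplayName are not shown by Programs and Features.
            if (-not $p.DisplayName) { continue }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Publisher       = $p.Publisher
                Version         = $p.DisplayVersion
                # SystemComponent=1 is what MiniToolBox reports as "Hidden".
                Hidden          = ($p.SystemComponent -eq 1)
                UninstallString = $p.UninstallString
                Key             = $subkey.Name
            }
        }
    }
}

# Show the Google entries, including a hidden Google Update Helper that can
# stay behind after Chrome is removed.
Get-UninstallEntry |
    Where-Object { $_.Publisher -like '*Google*' -or $_.DisplayName -like '*Google*' } |
    Format-Table DisplayName, Version, Hidden, UninstallString -AutoSize

# Save the full list to the Desktop, the same place the reg query step writes to.
Get-UninstallEntry | Sort-Object DisplayName |
    Format-List | Out-File -FilePath "$env:USERPROFILE\Desktop\uninstall_entries.txt"
```

The Hidden column reproduces MiniToolBox's "Hidden" marker, so an entry such as the Google Update Helper in the log above shows up as Hidden = True even though Programs and Features does not list it.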


#7 oldmanbill

oldmanbill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 16 September 2015 - 07:05 AM

New folder.zip (file://ADMIN-PC/Users/admin/OneDrive/New%20folder.zip)
 



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:29 AM

Posted 16 September 2015 - 07:10 AM

This is a local path, I cannot download the file like this. You need to go on the OneDrive website and give me the download URL for that file :)

http://metadataconsulting.blogspot.ca/2014/05/how-to-get-direct-download-link-from.html



#9 oldmanbill

oldmanbill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 16 September 2015 - 07:53 AM

<iframe src="https://onedrive.live.com/embed?cid=373E0204FF78F9B8&resid=373E0204FF78F9B8%21142&authkey=AJJAl_9Kot_RoLM" width="98" height="120" frameborder="0" scrolling="no"></iframe>

#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:29 AM

Posted 16 September 2015 - 08:00 AM

Thank you :) Do you use Picasa (by Google)?

Also, if you right-click on the svchost.exe process (the one that has the highest RAM usage) in the Task Manager and select Go to service(s), which ones are highlighted?

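The "Go to service(s)" check above can also be scripted, which helps when the spike is short-lived. The following PowerShell script is an added example, not part of the thread: for every svchost.exe instance it shows CPU time, the services it hosts (the same ones Task Manager highlights), and, for each hosted service, the ServiceDll path from the registry, flagging any DLL that does not live under the Windows directory. The flag is a prompt for a closer look, not a verdict, since some legitimate third-party services also load DLLs from elsewhere. It assumes Windows 7 or later with PowerShell 3.0 or later, run from an elevated prompt (otherwise CPU figures for processes you cannot open come back empty).

```powershell
# Added example, not part of the thread: for every svchost.exe instance, show the
# CPU time used, the services it hosts (what Task Manager's "Go to service(s)"
# highlights) and, for each hosted service, the DLL it loads according to the
# registry, flagging any DLL that does not live under the Windows directory.
# Assumes Windows 7 or later, PowerShell 3.0 or later, and an elevated prompt.

function Get-SvchostServiceMap {
    # Win32_Service carries ProcessId, which ties a service to its host process.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }

    foreach ($proc in (Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id })

        $suspectDlls = foreach ($svc in $hosted) {
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            # A hosted service normally loads a DLL under %SystemRoot%; anything else
            # deserves a closer look (it may still be legitimate third-party software).
            if ($dll -and ($dll -notlike "$env:SystemRoot\*")) { "$($svc.Name)=$dll" }
        }

        [pscustomobject]@{
            PID                  = $proc.Id
            # CPU is $null when the process cannot be opened (run elevated to avoid that).
            CPUSeconds           = if ($proc.CPU) { [math]::Round($proc.CPU, 1) } else { 0 }
            WorkingSetMB         = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Services             = ($hosted.Name -join ', ')
            DllOutsideSystemRoot = ($suspectDlls -join '; ')
        }
    }
}

# Busiest svchost first; the Services column names what to look at next,
# e.g. wuauserv (Windows Update) or WinDefend (Windows Defender).
Get-SvchostServiceMap | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize
```

Running it during a spike and again afterwards makes the responsible service obvious from the CPUSeconds delta, which is how a pending Windows Update (wuauserv) or a Windows Defender scan (WinDefend) shows up without guessing.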


#11 oldmanbill

oldmanbill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 16 September 2015 - 08:11 AM

Yes, I do use Picasa.
System is working ok right now. When svchost hogs the cpu again, I will check the active services and update.
Thanks!

#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:29 AM

Posted 16 September 2015 - 08:15 AM

Alright so we'll leave the Google Updater program since it handles Picasa as well :) And no problem bill! A tip, I have past experiences where svchost.exe hogging the CPU usage was because there were Windows Updates pending to be installed or currently installing. So if it happens again, you can also go in your Windows Update panel and click on Check for updates in the left pane, then install the Windows Updates that are found, if there are any.



#13 oldmanbill

oldmanbill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 17 September 2015 - 06:54 AM

Thanks again Aura, I did have a dozen outstanding updates. I ran them.
This morning, after starting I/E, svchost hogged again for 10 minutes. This time the service that was doing it was windefend. Is it malware?

#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:29 AM

Posted 17 September 2015 - 07:11 AM

Alright :) Windows Defender, open it and check if it wants to update its database or scan your system for malware. If it would make you safer, I can walk you through basic malware scans to make sure that you're not infected.



#15 oldmanbill

oldmanbill
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:29 AM

Posted 17 September 2015 - 07:41 AM

Thanks. I see that it is a spyware service from msft.
I ran MBAM and Spybot. System is clean.
Maybe my problem was the outstanding updates.
I'll update if I have any more problems.
Thanks for your help.



