svchost.exe help needed

cody

OK, here is my situation: every time I boot up my computer I
find that one of five svchost.exe processes is using up
nearly all my CPU. This problem starts several minutes
after Windows has been started, or if I try to open up MY
COMPUTER or any other task that looks for my hard drives. I
can shut down the offending process in the Task Manager and
the computer will run fine until I once again try to access
my drive C: or D: or if I surf the internet. I cannot do
things like open up saved files on my computer because when I
do, svchost.exe starts to use up nearly 100 percent of the
processor. I have tried using several spyware programs
that found nothing. I have run Norton, AVG, Trend, and
their online virus scanners to no avail (nothing was
found). I have downloaded and run worm fix tools for the
blast worm, the fxSasser worm, and the FixSbigF worm. I am
running out of things to check. Anyone have any idea how to
fix this problem? Anyone else experiencing the same thing?
Oh, I also downloaded the patches commonly associated with
this problem as well... not sure if I was supposed to
install them in safe mode or not... Oh, and I am running
Windows XP. Please help.
 
cody

Something else I should mention: the program that the
guilty svchost is running is stisvc, not sure if that helps
or not. :) Any info would be sooo welcome.
 
Mandy Shaw

Have you tried HijackThis and msconfig? They list exactly what is loading up
when you start IE and Windows respectively. Can be a bit of an eye-opener. I
found a major infestation through HijackThis when nothing else had spotted
it (and I tried all the same things as you have).
Mandy
 
cody

I have tried HijackThis but the problem is I don't know
what to fix after a scan... The stisvc that is running in
the guilty svchost.exe process is not listed as far as I
can see though... so I did not fix any of the files in
HijackThis... Thanks for the reply though.
 
Mandy Shaw

I've just Googled for "stisvc" and found this, which looks relevant:
http://www.computing.net/security/wwwboard/forum/11640.html
Might be worth a read if you've not seen it.
Alternatively, why don't you post up the output from HijackThis? Hopefully
someone may be able to pinpoint what you should fix.
This doesn't seem to be the greatest forum for getting answers to these
sorts of questions - I posted what I thought was an interesting problem
weeks ago and no-one has got back to me /at all/, rather depressingly.
Expert Exchange seems pretty good and helpful as an alternative, you could
try that.
Mandy
 
Guest

Gee, thanks for the help. I will try posting the HijackThis
results here and at Expert Exchange. This is my log file...
not sure if this is the best way to post it... seems kinda
messy... but if anyone can figure this stuff out that would
be awesome.


Scan saved at 2:50:55 AM, on 28/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\sfmgr\sfmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\WINDOWS\System32\cmd.exe
C:\Documents and Settings\cody\Desktop\HijackThis.exe
C:\Documents and Settings\cody\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\cody\Application Data\Mozilla\Profiles\default\pznyy2yo.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Alias\Alias SketchBook Pro 1.0\AliasSketchSnap.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01e0bf557479a6ddb606/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37954.7944444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
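
Added example, not part of any post in this thread: a HijackThis log pasted through a line-wrapping newsreader gets its entries split across lines, so this sketch rejoins the entries and then lists the ones worth a manual look. The sample log, CLSIDs, addresses and both triage heuristics are constructed for illustration and are assumptions, not HijackThis features.

```python
import re
from urllib.parse import urlparse

# Every HijackThis entry opens with a section code such as "R3 - " or "O16 - ".
ENTRY_START = re.compile(r"^([RFN]\d|O\d{1,2}) - ")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample (placeholder CLSIDs, documentation IP and domain),
# hard-wrapped the way a newsreader wraps a pasted log.
SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe

R3 - URLSearchHook: (no name) -
{00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program
Files\Example\app.exe /startup
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example
Class) -
http://192.0.2.10/example/control.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Other
Class) - http://download.example.com/other.cab
"""

def rejoin(lines):
    """Merge wrapped continuation lines back into whole entries.
    Assumes each wrap fell on a space; header and process lines are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # no section code: continues the previous entry
    return entries

def triage(entries):
    """Return (section, reason) pairs worth a manual look; heuristics, not verdicts."""
    findings = []
    for entry in entries:
        section = entry.split(" - ", 1)[0]
        if entry.endswith("(no file)"):
            findings.append((section, "registered component points at a missing file"))
        if section == "O16":
            host = urlparse(entry.rsplit(" - ", 1)[-1]).hostname or ""
            if IPV4_HOST.match(host):
                findings.append((section, "ActiveX download source is a bare IP address"))
    return findings

if __name__ == "__main__":
    for section, reason in triage(rejoin(SAMPLE.splitlines())):
        print(section, "-", reason)
```
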
 
Wesley Vogel

stisvc - stisvc.exe - Process Information
Process File: stisvc or stisvc.exe
Process Name: Still Image Service
Description: Still Image Service, which handles scanners and digital cameras
and is installed by Windows if a scanner or camera is connected to the
computer. This is the equivalent of STIMON.exe, but for Windows 2000 and XP.
Company: Microsoft Corp.
 
Wesley Vogel

C:\WINDOWS\System32\ctfmon.exe

OFFXP: What Is CTFMON and What Does It Do?
http://support.microsoft.com/default.aspx?scid=kb;en-us;282599

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;823586

HOW TO: Turn Off the Speech Recognition and Handwriting Recognition Features
in Office XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;326526

--
Hope this helps. Let us know.
Wes

 
