Thanks again. I am at present running all the anti malware programs as
recommended by Major Geeks. I will be submitting the reports to them for
analysis. There was no malware detected on my machine, just a few tracking
cookies. I have also run AVG free which detected nothing untoward.
Still MS Update pretty much kills the machine and system restore fails to
restore as well; even to a point deliberately set last night.
As I said before, the processor goes up to 97 - 99% on the update task. This
can last several mins.
Here is a log of last couple of attempts of update. The latest one shows a 2
min gap between 09:50:30 and 09:52:44 at which time the processor was flat
out on the svc task.
2008-08-18 08:57:40:546 1344 31c AU ########### AU: Uninitializing
Automatic Updates ###########
2008-08-18 08:57:41:968 1344 31c Service *********
2008-08-18 08:57:41:968 1344 31c Service ** END ** Service: Service exit
[Exit code = 0x240001]
2008-08-18 08:57:41:968 1344 31c Service *************
2008-08-18 08:59:18:375 1300 5b8 Misc =========== Logging initialized
(build: 7.0.6000.381, tz: +0100) ===========
2008-08-18 08:59:18:437 1300 5b8 Misc = Process:
C:\WINDOWS\System32\svchost.exe
2008-08-18 08:59:18:468 1300 5b8 Misc = Module:
C:\WINDOWS\system32\wuaueng.dll
2008-08-18 08:59:18:375 1300 5b8 Service *************
2008-08-18 08:59:18:468 1300 5b8 Service ** START ** Service: Service startup
2008-08-18 08:59:18:468 1300 5b8 Service *********
2008-08-18 08:59:18:562 1300 5b8 Agent * WU client version 7.0.6000.381
2008-08-18 08:59:18:562 1300 5b8 Agent * Base directory:
C:\WINDOWS\SoftwareDistribution
2008-08-18 08:59:18:562 1300 5b8 Agent * Access type: No proxy
2008-08-18 08:59:18:609 1300 5b8 Agent * Network state: Connected
2008-08-18 09:00:03:906 1300 5b8 Agent *********** Agent: Initializing
Windows Update Agent ***********
2008-08-18 09:00:03:906 1300 5b8 Agent *********** Agent: Initializing
global settings cache ***********
2008-08-18 09:00:03:906 1300 5b8 Agent * WSUS server: <NULL>
2008-08-18 09:00:03:906 1300 5b8 Agent * WSUS status server: <NULL>
2008-08-18 09:00:03:906 1300 5b8 Agent * Target group: (Unassigned
Computers)
2008-08-18 09:00:03:906 1300 5b8 Agent * Windows Update access disabled: No
2008-08-18 09:00:04:921 1300 5b8 DnldMgr Download manager restoring 0
downloads
2008-08-18 09:00:04:968 1300 5b8 AU ########### AU: Initializing Automatic
Updates ###########
2008-08-18 09:00:04:984 1300 5b8 AU # Approval type: Pre-install notify
(User preference)
2008-08-18 09:00:04:984 1300 5b8 AU # Auto-install minor updates: No (User
preference)
2008-08-18 09:00:04:984 1300 5b8 AU AU finished delayed initialization
2008-08-18 09:00:05:546 1300 5b8 Report *********** Report: Initializing
static reporting data ***********
2008-08-18 09:00:05:546 1300 5b8 Report * OS Version = 5.1.2600.3.0.65792
2008-08-18 09:00:05:578 1300 5b8 Report * Computer Brand = K7NF2
2008-08-18 09:00:05:578 1300 5b8 Report * Computer Model = K7NF2-RAID
2008-08-18 09:00:05:578 1300 5b8 Report * Bios Revision = P1.00
2008-08-18 09:00:05:578 1300 5b8 Report * Bios Name = Default System BIOS
2008-08-18 09:00:05:578 1300 5b8 Report * Bios Release Date =
2005-04-01T00:00:00
2008-08-18 09:00:05:578 1300 5b8 Report * Locale ID = 2057
2008-08-18 09:22:46:328 1300 5b8 AU ########### AU: Uninitializing
Automatic Updates ###########
2008-08-18 09:22:48:515 1300 5b8 Service *********
2008-08-18 09:22:48:515 1300 5b8 Service ** END ** Service: Service exit
[Exit code = 0x240001]
2008-08-18 09:22:48:515 1300 5b8 Service *************
2008-08-18 09:27:39:062 1344 1a8 Misc =========== Logging initialized
(build: 7.0.6000.381, tz: +0100) ===========
2008-08-18 09:27:39:421 1344 1a8 Misc = Process:
C:\WINDOWS\System32\svchost.exe
2008-08-18 09:27:39:421 1344 1a8 Misc = Module:
C:\WINDOWS\system32\wuaueng.dll
2008-08-18 09:27:39:062 1344 1a8 Service *************
2008-08-18 09:27:39:421 1344 1a8 Service ** START ** Service: Service startup
2008-08-18 09:27:39:421 1344 1a8 Service *********
2008-08-18 09:27:39:546 1344 1a8 Agent * WU client version 7.0.6000.381
2008-08-18 09:27:39:546 1344 1a8 Agent * Base directory:
C:\WINDOWS\SoftwareDistribution
2008-08-18 09:27:39:546 1344 1a8 Agent * Access type: No proxy
2008-08-18 09:27:39:562 1344 1a8 Agent * Network state: Connected
2008-08-18 09:28:24:765 1344 1a8 Agent *********** Agent: Initializing
Windows Update Agent ***********
2008-08-18 09:28:24:765 1344 1a8 Agent *********** Agent: Initializing
global settings cache ***********
2008-08-18 09:28:24:765 1344 1a8 Agent * WSUS server: <NULL>
2008-08-18 09:28:24:765 1344 1a8 Agent * WSUS status server: <NULL>
2008-08-18 09:28:24:765 1344 1a8 Agent * Target group: (Unassigned
Computers)
2008-08-18 09:28:24:765 1344 1a8 Agent * Windows Update access disabled: No
2008-08-18 09:28:25:515 1344 1a8 DnldMgr Download manager restoring 0
downloads
2008-08-18 09:28:25:546 1344 1a8 AU ########### AU: Initializing Automatic
Updates ###########
2008-08-18 09:28:25:546 1344 1a8 AU # Approval type: Pre-install notify
(User preference)
2008-08-18 09:28:25:546 1344 1a8 AU # Auto-install minor updates: No (User
preference)
2008-08-18 09:28:25:546 1344 1a8 AU AU finished delayed initialization
2008-08-18 09:28:25:953 1344 1a8 Report *********** Report: Initializing
static reporting data ***********
2008-08-18 09:28:25:953 1344 1a8 Report * OS Version = 5.1.2600.3.0.65792
2008-08-18 09:28:25:984 1344 1a8 Report * Computer Brand = K7NF2
2008-08-18 09:28:25:984 1344 1a8 Report * Computer Model = K7NF2-RAID
2008-08-18 09:28:25:984 1344 1a8 Report * Bios Revision = P1.00
2008-08-18 09:28:25:984 1344 1a8 Report * Bios Name = Default System BIOS
2008-08-18 09:28:25:984 1344 1a8 Report * Bios Release Date =
2005-04-01T00:00:00
2008-08-18 09:28:25:984 1344 1a8 Report * Locale ID = 2057
2008-08-18 09:30:03:703 1344 1a8 AU ########### AU: Uninitializing
Automatic Updates ###########
2008-08-18 09:30:03:937 1344 1a8 Service *********
2008-08-18 09:30:03:937 1344 1a8 Service ** END ** Service: Service exit
[Exit code = 0x240001]
2008-08-18 09:30:03:937 1344 1a8 Service *************
2008-08-18 09:34:38:750 1344 10c Misc =========== Logging initialized
(build: 7.0.6000.381, tz: +0100) ===========
2008-08-18 09:34:39:015 1344 10c Misc = Process:
C:\WINDOWS\System32\svchost.exe
2008-08-18 09:34:39:015 1344 10c Misc = Module:
C:\WINDOWS\system32\wuaueng.dll
2008-08-18 09:34:38:750 1344 10c Service *************
2008-08-18 09:34:39:015 1344 10c Service ** START ** Service: Service startup
2008-08-18 09:34:39:015 1344 10c Service *********
2008-08-18 09:34:39:140 1344 10c Agent * WU client version 7.0.6000.381
2008-08-18 09:34:39:140 1344 10c Agent * Base directory:
C:\WINDOWS\SoftwareDistribution
2008-08-18 09:34:39:140 1344 10c Agent * Access type: No proxy
2008-08-18 09:34:39:140 1344 10c Agent * Network state: Connected
2008-08-18 09:35:24:281 1344 10c Agent *********** Agent: Initializing
Windows Update Agent ***********
2008-08-18 09:35:24:281 1344 10c Agent *********** Agent: Initializing
global settings cache ***********
2008-08-18 09:35:24:281 1344 10c Agent * WSUS server: <NULL>
2008-08-18 09:35:24:281 1344 10c Agent * WSUS status server: <NULL>
2008-08-18 09:35:24:281 1344 10c Agent * Target group: (Unassigned
Computers)
2008-08-18 09:35:24:281 1344 10c Agent * Windows Update access disabled: No
2008-08-18 09:35:25:781 1344 10c DnldMgr Download manager restoring 0
downloads
2008-08-18 09:35:25:890 1344 10c AU ########### AU: Initializing Automatic
Updates ###########
2008-08-18 09:35:25:937 1344 10c AU # Approval type: Pre-install notify
(User preference)
2008-08-18 09:35:25:937 1344 10c AU # Auto-install minor updates: No (User
preference)
2008-08-18 09:35:25:968 1344 10c AU AU finished delayed initialization
2008-08-18 09:35:26:593 1344 10c Report *********** Report: Initializing
static reporting data ***********
2008-08-18 09:35:26:593 1344 10c Report * OS Version = 5.1.2600.3.0.65792
2008-08-18 09:35:26:640 1344 10c Report * Computer Brand = K7NF2
2008-08-18 09:35:26:640 1344 10c Report * Computer Model = K7NF2-RAID
2008-08-18 09:35:26:640 1344 10c Report * Bios Revision = P1.00
2008-08-18 09:35:26:640 1344 10c Report * Bios Name = Default System BIOS
2008-08-18 09:35:26:640 1344 10c Report * Bios Release Date =
2005-04-01T00:00:00
2008-08-18 09:35:26:640 1344 10c Report * Locale ID = 2057
2008-08-18 09:50:29:109 1344 10c AU ########### AU: Uninitializing
Automatic Updates ###########
2008-08-18 09:50:30:671 1344 10c Service *********
2008-08-18 09:50:30:671 1344 10c Service ** END ** Service: Service exit
[Exit code = 0x240001]
2008-08-18 09:50:30:671 1344 10c Service *************
2008-08-18 09:52:44:015 1344 6d0 Misc =========== Logging initialized
(build: 7.0.6000.381, tz: +0100) ===========
2008-08-18 09:52:44:265 1344 6d0 Misc = Process:
C:\WINDOWS\System32\svchost.exe
2008-08-18 09:52:44:265 1344 6d0 Misc = Module:
C:\WINDOWS\system32\wuaueng.dll
2008-08-18 09:52:44:015 1344 6d0 Service *************
2008-08-18 09:52:44:281 1344 6d0 Service ** START ** Service: Service startup
2008-08-18 09:52:44:281 1344 6d0 Service *********
2008-08-18 09:52:44:375 1344 6d0 Agent * WU client version 7.0.6000.381
2008-08-18 09:52:44:390 1344 6d0 Agent * Base directory:
C:\WINDOWS\SoftwareDistribution
2008-08-18 09:52:44:390 1344 6d0 Agent * Access type: No proxy
2008-08-18 09:52:44:406 1344 6d0 Agent * Network state: Connected
2008-08-18 09:53:30:000 1344 6d0 Agent *********** Agent: Initializing
Windows Update Agent ***********
2008-08-18 09:53:30:000 1344 6d0 Agent *********** Agent: Initializing
global settings cache ***********
2008-08-18 09:53:30:000 1344 6d0 Agent * WSUS server: <NULL>
2008-08-18 09:53:30:000 1344 6d0 Agent * WSUS status server: <NULL>
2008-08-18 09:53:30:000 1344 6d0 Agent * Target group: (Unassigned
Computers)
2008-08-18 09:53:30:000 1344 6d0 Agent * Windows Update access disabled: No
2008-08-18 09:53:32:062 1344 6d0 DnldMgr Download manager restoring 0
downloads
2008-08-18 09:53:32:390 1344 6d0 AU ########### AU: Initializing Automatic
Updates ###########
2008-08-18 09:53:32:406 1344 6d0 AU # Approval type: Pre-install notify
(User preference)
2008-08-18 09:53:32:406 1344 6d0 AU # Auto-install minor updates: No (User
preference)
2008-08-18 09:53:32:531 1344 6d0 AU AU finished delayed initialization
2008-08-18 09:53:34:296 1344 6d0 Report *********** Report: Initializing
static reporting data ***********
2008-08-18 09:53:34:296 1344 6d0 Report * OS Version = 5.1.2600.3.0.65792
2008-08-18 09:53:35:234 1344 6d0 Report * Computer Brand = K7NF2
2008-08-18 09:53:35:234 1344 6d0 Report * Computer Model = K7NF2-RAID
2008-08-18 09:53:35:296 1344 6d0 Report * Bios Revision = P1.00
2008-08-18 09:53:35:296 1344 6d0 Report * Bios Name = Default System BIOS
2008-08-18 09:53:35:296 1344 6d0 Report * Bios Release Date =
2005-04-01T00:00:00
2008-08-18 09:53:35:296 1344 6d0 Report * Locale ID = 2057
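The 2-minute gap mentioned in the post above can be located mechanically rather than by eye. The following is an added example, not part of the original posts: it parses WindowsUpdate.log entries in the format shown, rejoins the mail-wrapped lines, and lists every silence of 30 seconds or more. The names `parse` and `silent_gaps` and the 30-second threshold are assumptions made for the example; the sample is an excerpt of the log above.

```python
import re
from datetime import datetime

# Entry header: date, time with colon-separated milliseconds, PID, hex TID, component.
ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}):(\d{3})\s+(\d+)\s+([0-9a-f]+)\s+(\S+)\s+(.*)$"
)

def parse(text):
    """Return entries as dicts; wrapped continuation lines are rejoined."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            date, hms, ms, pid, tid, comp, msg = m.groups()
            ts = datetime.strptime(f"{date} {hms}.{ms}", "%Y-%m-%d %H:%M:%S.%f")
            entries.append({"ts": ts, "pid": int(pid), "tid": tid,
                            "component": comp, "msg": msg})
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()  # mail-wrapped tail
    return entries

def silent_gaps(entries, min_seconds=30):
    """Pairs of consecutive entries separated by at least min_seconds."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = (cur["ts"] - prev["ts"]).total_seconds()
        if delta >= min_seconds:
            gaps.append((delta, prev, cur))
    return gaps

# Excerpt copied from the log in the post above, including its wrapped lines.
SAMPLE = """\
2008-08-18 09:50:29:109 1344 10c AU ########### AU: Uninitializing
Automatic Updates ###########
2008-08-18 09:50:30:671 1344 10c Service ** END ** Service: Service exit
[Exit code = 0x240001]
2008-08-18 09:52:44:015 1344 6d0 Misc =========== Logging initialized
(build: 7.0.6000.381, tz: +0100) ===========
2008-08-18 09:52:44:406 1344 6d0 Agent * Network state: Connected
2008-08-18 09:53:30:000 1344 6d0 Agent *********** Agent: Initializing
Windows Update Agent ***********
"""

if __name__ == "__main__":
    for delta, prev, cur in silent_gaps(parse(SAMPLE)):
        print(f"{delta:7.1f}s  {prev['ts']:%H:%M:%S} {prev['component']} -> "
              f"{cur['ts']:%H:%M:%S} {cur['component']}: {cur['msg'][:40]}")
```

Run over the whole log, the same function also reports the roughly 45-second pause before "Initializing Windows Update Agent" that appears in every session.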
:
Repost:
When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use
(in conjunction with some other utilities). HijackThis will NOT fix
anything on its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**
Thanks again. I have now done a few checks and it gets worse. I can now no
longer access Task Manager and cannot restore to an earlier date. I think
it's time I reinstated the Acronis image I made a few months ago before it
all went wrong. OK, so I'll have to reapply SP3 and all the other patches,
but at least I'll feel more confident that I haven't caught anything nasty.
BTW, I am now using my laptop, and my 'dodgy' computer is disconnected from
the net.
Thanks again.
Trev
:
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315
Run a /thorough/ check for hijackware, including posting your hijackthis
log to an appropriate forum.
Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware
When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use
(in conjunction with some other utilities). HijackThis will NOT fix
anything on its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**
If the procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin
http://aumha.net
DTS-L
http://dts-l.net/
TrevorJ wrote:
Thanks again for your input.
Just done all you suggest (but I don't know what you mean by 'Background
Intelligent Transfer'), but svchost still takes up to 99% processor time. A
manual check on Windows update sticks on 'Checking your system for latest
updates' (or something like that). It did not do this the first time I tried
it this morning after switching off ZA and AVG.
I have to end the svchost process to do anything with the computer.
All AV and antiSpyware and ZA off.
Please clarify how to get the log, you seem to have missed the critical bit
about what to paste into the Run dialog. Please repeat.
Trevor
:
Just done The RealTruth's svchost patch, switched off AVGa and ZA, Update
site responds OK without a 98% cpu usage. There were no updates, so I will
try again later, and see if the comp locks up on a restart.
I will close the loop here once I think I have fixed the prob.
Thanks again for the pointers
:
Thanks for your answer. I'm using AVG free and ZoneAlarm pro (Have tried
switching ZA off to no avail). I'll try the other suggestions later today
when I have time. PS my Vista Lappie does not have this problem.
Thanks for now, will report back later
:
This issue should *not* be occurring after the application of SP3 and
had been addressed in prior KB articles.
What is the installed antivirus\security software and is a 3rd party
firewall being used ?
Is/are they configured to scan this location ? -
WINDOWS\SoftwareDistribution\DataStore
If it/they are, then please exclude that location from any real-time
monitoring or scanning.
Then do a manual visit to Windows Update with the AU service set to
Automatic and the Background Intelligent Transfer service set to Manual.
What happened when you did that ?
Next, go to Start > Run > type in or copy&paste the below into the Open:
line and then click OK or press Enter.
The WindowsUpdate.log will open.
Scroll all the way to the bottom for the most recent entries.
Copy and paste the last 50 or so lines into your reply, Trevor.
MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
TrevorJ wrote:
I have XP SP3 installed and when (I think it's) Windows update accesses
the internet just after startup, the rest of the computer almost comes
to a standstill. If I start Task manager > Processes one of the several
svchost.exe is taking 98-99% CPU time for about anything up to 4 mins
after startup. I have 'Download updates and let me choose..' set.
If I select 'Turn off Automatic Updates' my computer starts normally.
This has developed lately, but I cannot definitely associate it with
the installation of SP3.
System is Athlon 3200, 1GB ram big HD and a 6Meg broadband connection.
Any suggestions would be more than welcome.