svchost.exe:876 question

ncSkeet

I've been having a problem lately when I first access the internet. I
have to wait approximately 2 minutes before doing anything on the
internet while "svchost.exe" (Generic Host process for Win32 Services)
runs. My computer works OK, although slowly, while this is going on; I
just have to wait to do anything online. I have "Process Explorer"
installed on my system (Windows XP HE SP2, 376 mb RAM, 2.40 GHz Intel
Celeron CPU, Compaq Presario) and it's showing the svchost:876 file
using 97% of CPU, then after a couple of minutes this svchost backs down
to a normal level, at which time I can begin surfing the net normally.
If I come off the internet but do not shut my computer down, the whole
delay process starts again when I next access the internet. I use AVG as
my av program, and ZoneAlarm as a firewall. I do not use the built-in XP
firewall. I have Ad-Aware, Spybot S&D, A², Microsoft Antispyware, and CW
Shredder installed, all updated daily, none of which detect any
spy/ad/malware at all. I've tried shutting ZoneAlarm down briefly while
I access the internet just to see if that was causing the problem, but
it makes no difference whether or not ZA is active. Also, if I kill that
particular svchost.exe process, my computer appears to operate as
normal. I can even exit the internet and then reconnect without the delay.

What is svchost.exe:876, and is it necessary? I Googled
"svchost.exe:876", and found nothing particularly helpful or alarming.

Thanks...ncSkeet
 
Jon Erlandson

ncSkeet

Jon said:
Enter "Tasklist /FI 876" in the command prompt to see more about the process
(my guess is a virus.)

I tried this, and this is what I got:

"'Tasklist' is not recognized as a Internal or External command,
operable program or batch file."

I also went to the Microsoft site URL below and tried the same thing,
except without the "876" part and got the same "not recognized" response.
A description of Svchost.exe in Windows XP
http://support.microsoft.com/?kbid=314056

Use HijackThis to troubleshoot and help in removal.

Here's the "HiJackThis" logfile:

Logfile of HijackThis v1.99.0
Scan saved at 4:40:48 PM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Capio Utility Manager\CapioUtilityMgr.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Thunderbird-Tray v0.4\TBTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Process Explorer\procexp.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\Stay Live 2000\StayLive.exe
C:\Program Files\Microsoft Word 2000\Office\WINWORD.EXE
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Capio Utility Manager\Programs\C_Cmdr.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://srch-qus8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: iFinger plugin / Browser helper object -
{A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [WinPatrol] "c:\PROGRA~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download
Manager\fdm.exe -autorun
O4 - Global Startup: Capio Utilities.lnk = C:\Program Files\Capio
Utility Manager\CapioUtilityMgr.exe
O4 - Global Startup: Rainlendar.lnk = C:\Program
Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: TBTray.exe.lnk = C:\Program Files\Thunderbird-Tray
v0.4\TBTray.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Acronym Finder lookup... -
http://www.acronymfinder.com/iesearch/
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &WordWeb... -
res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Ad Hunter - C:\Program
Files\MyIE2\config/blacklist.htm
O8 - Extra context menu item: Download all by Free Download Manager -
file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager -
file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager
- file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager
- file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Encarta &Definition -
http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window -
C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} -
C:\WINDOWS\System32\SHDOCVW.DLL
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite -
{B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program
Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
Utility Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl
Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{2213C829-EE23-4242-A1E0-4A9C3DD5E3DB}:
NameServer = 166.82.1.3 166.82.1.8
O17 -
HKLM\System\CS2\Services\Tcpip\..\{2213C829-EE23-4242-A1E0-4A9C3DD5E3DB}:
NameServer = 166.82.1.3 166.82.1.8
O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} -
C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} -
C:\WINDOWS\System32\mshtml.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software -
C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

See anything funny?

Thanks...ncSkeet
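
A triage check for the "Running processes" section of a HijackThis log like the one above, added here as an example (not part of the original thread or of HijackThis): it flags a core Windows image name running from an unexpected folder, and names that closely resemble one. The C:\WINDOWS install path, the list of image names, the similarity cutoff and the last two sample entries are assumptions constructed for illustration.

```python
import difflib
import ntpath

# Assumption: Windows lives in C:\WINDOWS, as in the log posted above.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "svchost.exe": SYSTEM32, "lsass.exe": SYSTEM32, "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32, "smss.exe": SYSTEM32, "spoolsv.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

# Constructed sample in HijackThis v1.99.0 layout. The last two process
# entries are invented for illustration; they are not in the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Process Explorer\procexp.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scvhost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
"""

def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break  # a blank line ends the section
            paths.append(line)
    return paths

def triage(paths, cutoff=0.85):
    """Return (path, reason) for entries that deserve a closer look."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in EXPECTED_DIR:
            if folder != EXPECTED_DIR[name]:
                findings.append((path, "system image name in unexpected folder"))
        elif difflib.get_close_matches(name, list(EXPECTED_DIR), 1, cutoff):
            findings.append((path, "name resembles a system image"))
    return findings
```

Several svchost.exe entries under System32 are normal, since each instance hosts a different group of services; the check only concerns where the image lives and what it is called, not how many copies run.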
 
Jon Erlandson

You can download tasklist here http://windowsxp.mvps.org/svchost.htm .
Your log looks ok though you don't want to double up on your anti-virus or
firewall (you might disable ZoneAlarm just to see if it makes a difference.)


