Wifes system - Strange - Not sure if malware, 50-60% CPU when idle

[DaveLembke]

My wife complained that her computer was running slow yesterday, and I saw that at idle the dual-core CPU showed that it was running around 50-60% on both cores.

I went to task manager and looked at Processes and sorted the CPU column so that the most active processes show at the top, but there was only 3 processes that showed like 05%, 03%, and 02% and rest of them 00%. And that adds up to just 10%, so what is going on to make the CPU run both of its cores at 50-60% and making the system slightly slower than normal.

Hard Drive Activity LED was only showing an occasional flicker.

Microsoft Security Essentials I ran a Full Scan as well as Malwarebytes ran a full scan and they both came up clean.

* I am about to wipe the hard drive and install a clean Windows 7 build to it since its been running for almost 2 years without rebuild and programs have been installed and removed through this time and its probably time to clean it up... but what really gets me is why the CPU a Core 2 Duo E6600 2.4Ghz is running at 50-60% when it use to idle between 10-20%

Her system also takes automatic microsoft updates and runs 24/7 most of the time because she is too lazy to shut it down and turn it back on like I do to my system. She thinks that the system started running slower since Tuesday. *Tuesday also just happens to be Patch Tuesday for this month. So not sure if its related or not. I am just stumped as to how a process or processes can hide and use CPU and cant find the culrpit in Task Manager to target the problem directly. Also I am not sure if I am dealing with a malware or something else, so I figured I'd ask here for suggestions to find the processes that are making the CPU busy. Is there a better tool than task manager for windows to see all processes including what I believe is a hidden process that is running causing the CPU activity?
Here are her system specs:

Core 2 Duo E6600 (2.4Ghz)
2GB DDR2 667Mhz
160GB IDE HDD ( OS + Software + Personal Data )
40 GB SSD SATA II ( Games Only )
Windows 7 Home Premium 32-bit

**If I rebuild her system I am going to make the SSD the boot drive with Windows 7 on it and I have an 80GB SATA II drive that I can upgrade her away from the slower IDE HDD that is limited to ATA100. Also at some point I should probably upgrade her to 3GB RAM although when she games she still has 25% free memory at the 2GB ( @500MB free RAM ).

[SuperDave]

Restarting the computer is sometimes the best thing you can do the computer. Is it slow in Safe Mode.

[BC_Programmer]

I went to task manager and looked at Processes and sorted the CPU column so that the most active processes show at the top, but there was only 3 processes that showed like 05%, 03%, and 02% and rest of them 00%. And that adds up to just 10%, so what is going on to make the CPU run both of its cores at 50-60%

Run task Manager as administrator by clicking the "Show Processes from All Users" button.

[DaveLembke]

Thanks for responses, also forgot about the fact that my wife is a user and not an admin of her system and so BC's suggestion to check the show process from all users I forgot about.

Oddly the issue was gone when I went to check on her computer last night. It was back to 6 to 15% CPU usage on both cores. She thanked me for fixing the problem and I didnt do anything to fix it, it fixed itself and yet it wasnt powered down or rebooted since the odd behavior the other night. But if I see the problem again, I will remember this time to check on show for all users since she is just a user and I did not give her admin rights to keep the computer from getting installed with junk like she did in the past with coupon programs etc that have spyware etc with them. For her to install anything, or anything wanting to install, it pops up requiring admin password and she doesnt know that password yet so odds of her getting infected are slim unless there is some sort of exploit that can infect a computer with just user privileges.

I guess we can close this ticket for assistance as for the problem is gone for now. *Also maybe I will set up a scheduled task to reboot her computer at 4am etc every day so that it can be refreshed on a daily basis.

[DaveLembke]

Problem came back and I found the process that is wasting CPU at 50-60%. Its Spoolsv.exe that is wasting the CPU. When I showed process for all users it showed that the SYSTEM had this service running at 50 to 60%.

Did a search on Google and came up with this hit that looks like an exact match even down to the Core 2 Duo CPU that this other guy had.

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/spoolsvexe-process-is-running-all-the-time-and/8268f671-51b8-42a3-9ce8-708e9686052d

Going to try this fix and see what happens:

Hey

Yeah Spoolsv.exe is a service that Uses a lot of cache even when its not required.

Here is a fix for that :->

   1 - Go to Start, Settings and click Control Panel
   2 - In the Control Panel window, first double-click on Administrative Tools and then on Services.
   3 - In the right pane of the Services window locate and right-click on Print Spooler and then select Stop.
   4 - After you have stopped this process, leave the Service window open. Now open My Computer and navigate to the following folder.
    c:\windows\system32\spool\PRINTERS - in Windows Vista, XP, 98/95/ME
    or
    c:\winnt\system32\spool\PRINTERS - in Windows NT\2000
   5 - Delete all the files in the Printers folder. After deleting the files in this folder, go back to Services window, right-click on Print Spooler, and then select start to re-enable the service.

Here is what the initial user posted for a problem:

spoolsv.exe process is running all the time and wasting 50% CPU's power (one of two cores).
I've found that spoolsv.exe is accorded to printing. When this process is killed or service "Printing cache/buffor" is stopped, printing is impossible. I tried to switch automatic initialization to manual (in services.msc), but this process doesn't start even I ask any application to print.
spoolsv.exe takes all power of one core from mu CPU (core 2 duo). I've got Windows 7 Professional x86 Polish. I attached some screenshoots that could be helpful. Sorry for my poor english.

* Only difference between this persons post and my wifes system is that they claimed only a single core of the 2 cores running at 50%, and they are running Windows 7 Pro x86 with polish language set and my wife is running Windows 7 Home Premium 32-bit ( x86 ) English US language set. Also oddly this issue was reported back in 2009, so strange that she all of a sudden got hit with it now, but it looks like a problem is in the printer folder at this location that causes this behavior a corruption etc. Hopefully this is the solution. Time will tell.

[DaveLembke]

Attached screenshot of what I found at C:\windows\system32\spool\printers  ..... wasnt expecting to find shockwave files in there... very odd. Also even though I told spoolsv.exe to stop in task manager including all process trees related to it, it mysteriously started itself back up locking these shockwave files from deletion because they were in use. With the window open to their location i once again told task manager to kill the spoolsv.exe process and all related tree processes and then quickly went to this location and deleted the files successfully.

Going to monitor the systems behavior today and ask for help if it mysteriously kicks back on again and starts eating 50% CPU again. Right now after 5 minutes it hasnt started back up yet like before.

Did an additional search and came up with this:

http://support.microsoft.com/kb/264662

SYMPTOMS
After all print jobs are completed, you have several SPL, SHD, and TMP files left over in the C:\Winnt\System32\Spool\Printers directory.

WORKAROUND
You can safely delete leftover files that have an .spl, .shd, or .tmp extension from the C:\Winnt\System32\Spool\Printers directory. These files should have been automatically deleted when the print job was printed.

Malwarebytes and MSSE are still happy reporting system clean





[recovering disk space, attachment deleted by admin]