
Author Topic: svchost.exe slowing everything down, high CPU usage  (Read 9679 times)


Mr.Hopeless

    Topic Starter


    Rookie

    svchost.exe slowing everything down, high CPU usage
    « on: March 13, 2012, 04:56:02 PM »
    Hi.

    My computer has been slowing to a grind the last few days.  The Task Manager is showing that one of the svchost.exe items is using up a very considerable portion of the CPU.  I am able to End the Process, but then it starts up again within a few minutes.  The other odd thing that has been happening is that a few times when I opened Firefox, I get a message saying that Firefox is not my default web browser and would I like to make it my default (even though it already should have been the default).   I have run a virus check with AVG, which has come up empty, and I have also tried rkill and ComboFix to see if they could find anything, which they haven't.  (I have also tried whacking the side of my monitor, which also has not worked... ;))  At the moment, the computer is running fine, but I don't know what triggers the problem.  I am not sure what to do next to check for the source of the problem.  Any ideas?

    geek hoodlum



      Apprentice
    Re: svchost.exe slowing everything down, high CPU usage
    « Reply #1 on: March 14, 2012, 02:44:52 AM »
    Hi, I found this link that may help you: How to Fix svchost.exe using 100% CPU / Memory Leak

    But before you do that, can you run a virus scan again? This time, use Malwarebytes or SUPERAntiSpyware.

    Mr.Hopeless

      Topic Starter


      Rookie

      Re: svchost.exe slowing everything down, high CPU usage
      « Reply #2 on: March 14, 2012, 07:30:52 PM »
      Malwarebytes didn't turn anything up.

      Quote
      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 912031407

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.13

      3/14/2012 9:25:35 PM
      mbam-log-2012-03-14 (21-25-30).txt

      Scan type: Full scan (C:\|)
      Objects scanned: 290193
      Time elapsed: 59 minute(s), 49 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      Looking at the link, it looks a bit old.  Are you sure that's the way to go?

      Linux711



        Mentor

      Re: svchost.exe slowing everything down, high CPU usage
      « Reply #3 on: March 14, 2012, 10:19:06 PM »
      If this did not solve your problem, here is what I would do. Download http://technet.microsoft.com/en-us/sysinternals/bb896653

      Open up the program and hover your mouse cursor over the svchost that shows the CPU usage. A little pop-up message will appear under your mouse. It will list the services that are running under that process. List those services here and I might be able to tell you the problem.

      "Genius is persistence, not brain power." - Me

      "Insomnia is just a byproduct of, "It can't be done"" - LaVolpe
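The PID-to-service mapping that the Process Explorer tooltip shows can also be read from the built-in `tasklist /svc /fo csv` command. The following is an added example, not part of the original post: it parses that CSV output and reports which services sit behind the busy svchost.exe PID. The sample listing is constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not taken from the thread).
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"winlogon.exe","640","N/A"
"lsass.exe","696","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","1064","DcomLaunch,TermService"
"svchost.exe","1132","RpcSs"
"svchost.exe","1228","AudioSrv,BITS,Browser,CryptSvc,Dhcp,wuauserv"
"svchost.exe","1340","Dnscache"
"firefox.exe","3120","N/A"
'''


def services_by_svchost(tasklist_csv):
    """Map each svchost.exe PID to the list of services it hosts."""
    hosted = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        names = [s.strip() for s in row["Services"].split(",")]
        # tasklist prints "N/A" when a process hosts no services.
        hosted[int(row["PID"])] = [s for s in names if s and s != "N/A"]
    return hosted


def report(tasklist_csv, busy_pid):
    """Describe the services behind the PID that Task Manager shows as busy."""
    hosted = services_by_svchost(tasklist_csv)
    if busy_pid not in hosted:
        return "PID %d is not a svchost.exe instance in this listing" % busy_pid
    services = hosted[busy_pid]
    if not services:
        return "svchost.exe PID %d hosts no services" % busy_pid
    return "svchost.exe PID %d hosts %d service(s): %s" % (
        busy_pid, len(services), ", ".join(services))


if __name__ == "__main__":
    # On the affected machine, save the real output first:
    #   tasklist /svc /fo csv > tasklist.csv
    # then pass the file contents and the busy PID from Task Manager.
    print(report(SAMPLE_TASKLIST_CSV, 1228))
```

When the busy instance hosts several services, as PID 1228 does in the sample, the listing only narrows the search to that group; it does not say which one of them is consuming the CPU.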

      Mr.Hopeless

        Topic Starter


        Rookie

        Re: svchost.exe slowing everything down, high CPU usage
        « Reply #4 on: March 16, 2012, 11:39:37 AM »
        Here is the Process Explorer list before the svchost.exe starts going nuts (note that I'm running a GoToMeeting webinar and Firefox at this time):

        http://imageshack.us/photo/my-images/600/processexplorercapture1.jpg/

        And here's what happens after the problem kicks in (I've ended the webinar but Firefox is still running):

        http://imageshack.us/photo/my-images/545/processexplorercapture2.jpg/


        Mr.Hopeless

          Topic Starter


          Rookie

          Re: svchost.exe slowing everything down, high CPU usage
          « Reply #5 on: March 18, 2012, 09:42:04 AM »
          For what it's worth, here's the latest ComboFix log:

          Quote
          ComboFix 12-03-10.02 - Brett 03/18/2012  11:28:50.15.2 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.522 [GMT -4:00]
          Running from: c:\documents and settings\Brett\My Documents\Downloads\ComboFix.exe
          AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
           * Created a new restore point
          .
          - REDUCED FUNCTIONALITY MODE -
          .
          .
          (((((((((((((((((((((((((   Files Created from 2012-02-18 to 2012-03-18  )))))))))))))))))))))))))))))))
          .
          .
          2012-03-16 16:34 . 2012-03-16 16:34   0   ----a-w-   c:\documents and settings\Brett\g2mdlhlpx.exe
          2012-03-15 00:23 . 2012-03-15 00:23   --------   d-----w-   c:\documents and settings\Brett\Application Data\Malwarebytes
          2012-03-15 00:23 . 2012-03-15 00:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2012-03-15 00:23 . 2010-12-20 22:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2012-03-15 00:23 . 2012-03-15 01:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2012-03-15 00:23 . 2010-12-20 22:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2012-03-11 18:05 . 2012-03-11 18:05   4734   ----a-w-   c:\windows\system32\PerfStringBackup.TMP
          2012-03-11 18:00 . 2012-03-11 18:00   --------   d-----w-   c:\windows\system32\wbem\Repository
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2012-03-01 01:03 . 2011-05-19 17:07   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
          2012-01-12 16:53 . 2004-08-04 10:00   1859968   ----a-w-   c:\windows\system32\win32k.sys
          2012-01-11 19:06 . 2012-02-17 13:17   3072   ------w-   c:\windows\system32\iacenc.dll
          2012-01-09 00:08 . 2012-01-09 00:08   107888   ----a-w-   c:\windows\system32\CmdLineExt.dll
          2011-03-10 15:47 . 2011-04-03 19:48   238960   ----a-w-   c:\program files\UpdateMgr.exe
          2011-03-10 15:47 . 2011-04-03 19:48   152064   ----a-w-   c:\program files\Unwise32.exe
          2011-03-10 15:47 . 2011-04-03 19:48   285096   ----a-w-   c:\program files\Unta10.exe
          2011-03-10 15:47 . 2011-04-03 19:48   1455616   ----a-w-   c:\program files\HTMLCapture.dll
          2011-03-10 15:47 . 2011-04-03 19:48   1802752   ----a-w-   c:\program files\PDFText.dll
          2011-03-10 15:47 . 2011-04-03 19:48   1404928   ----a-w-   c:\program files\Dynapdf.dll
          2011-03-10 15:47 . 2011-04-03 19:48   126976   ----a-w-   c:\program files\Taxpdf.dll
          2011-03-10 15:47 . 2011-04-03 19:48   9016688   ----a-w-   c:\program files\TaxACT10.exe
          2011-03-10 15:47 . 2011-04-03 19:48   1200128   ----a-w-   c:\program files\1040_Fedprint.dll
          2011-03-10 15:47 . 2011-04-03 19:48   16580608   ----a-w-   c:\program files\1040_FedCalc.dll
          2011-03-02 18:21 . 2011-04-03 20:12   4866048   ----a-w-   c:\program files\1040_NYcalc.dll
          2011-03-02 18:21 . 2011-04-03 20:12   270248   ----a-w-   c:\program files\UnStTax.exe
          2011-03-02 18:21 . 2011-04-03 20:12   152064   ----a-w-   c:\program files\Unstate.exe
          2004-07-06 19:38 . 2011-04-03 19:48   20208   ----a-w-   c:\program files\sssocra.fon
          2012-02-17 20:13 . 2011-05-02 02:50   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
          .
          .
          (((((((((((((((((((((((((((((   SnapShot_2012-03-11_18.27.11   )))))))))))))))))))))))))))))))))))))))))
          .
          + 2012-03-18 15:17 . 2012-03-18 15:17   16384              c:\windows\temp\Perflib_Perfdata_314.dat
          + 2011-04-13 03:38 . 2012-03-11 18:47   373840              c:\windows\system32\Restore\rstrlog.dat
          + 2010-11-25 01:36 . 2012-03-15 04:22   54215544              c:\windows\system32\MRT.exe
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
          "P17Helper"="P17.dll" [2004-06-10 60928]
          "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
          "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
          "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
          "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-14 339968]
          "AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
          "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
          "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
          "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
          .
          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
          BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001
          "FirewallOverride"=dword:00000001
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)
          "DisableNotifications"= 1 (0x1)
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
          "c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
          "c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
          .
          R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
          R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
          R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 4:48 AM 248656]
          R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/9/2010 11:20 PM 297168]
          R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]
          R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
          R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
          R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
          R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
          S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [8/2/2010 5:19 PM 14336]
          S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [8/2/2010 5:19 PM 20864]
          S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [8/2/2010 5:19 PM 19968]
          S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [8/2/2010 5:19 PM 24960]
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2012-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
          .
          2012-03-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1417001333-602609370-682003330-1003.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
          .
          2012-03-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1417001333-602609370-682003330-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
          .
          2012-03-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1417001333-602609370-682003330-1003.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
          .
          2012-02-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1417001333-602609370-682003330-1004.job
          - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.yahoo.com/
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          TCP: DhcpNameServer = 192.168.1.1
          FF - ProfilePath - c:\documents and settings\Brett\Application Data\Mozilla\Firefox\Profiles\vs37yj2j.default\
          FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
          FF - prefs.js: network.proxy.http - 127.0.0.1
          FF - prefs.js: network.proxy.http_port - 59495
          FF - prefs.js: network.proxy.type - 4
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2012-03-18 11:34
          Windows 5.1.2600 Service Pack 3 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
          Windows 5.1.2600 Disk: Maxtor_6Y080M0 rev.YAR51HW0 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
          .
          device: opened successfully
          user: MBR read successfully
          error: Read  A device attached to the system is not functioning.
          kernel: MBR read successfully
          detected disk devices:
          detected hooks:
          \Driver\atapi DriverStartIo -> 0x86BA82C6
          user & kernel MBR OK
          .
          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------
          .
          - - - - - - - > 'winlogon.exe'(832)
          c:\windows\system32\WININET.dll
          .
          - - - - - - - > 'lsass.exe'(904)
          c:\windows\system32\WININET.dll
          .
          - - - - - - - > 'explorer.exe'(3604)
          c:\windows\system32\WININET.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          Completion time: 2012-03-18  11:39:59
          ComboFix-quarantined-files.txt  2012-03-18 15:39
          ComboFix2.txt  2012-03-11 19:29
          ComboFix3.txt  2012-03-11 18:32
          ComboFix4.txt  2012-03-11 17:32
          ComboFix5.txt  2012-03-18 15:27
          .
          Pre-Run: 31,789,019,136 bytes free
          Post-Run: 32,429,740,032 bytes free
          .
          - - End Of File - - CC7711F7838F94F986F20CCC8929507E

          Mr.Hopeless

            Topic Starter


            Rookie

            Re: svchost.exe slowing everything down, high CPU usage
            « Reply #6 on: March 18, 2012, 11:40:42 AM »
            I just had an AVG Alert pop up that might help shed light on what's going on:

            Quote
            Threat was blocked!

            File name: 91.200.176.29/google.php?gmpid65c4e41c0122683
            Threat name: Exploit Blackhole Exploit Kit (type 2143)