Thread: strange lag after connection + svchost hog(Resolved)

  1. #1
    Join Date
    Aug 2007
    Posts
    13

    strange lag after connection + svchost hog(Resolved)

    So lately, when I start up my computer, a svchost process is eating up a whole lot of memory, as are my antivirus/malware programs.

    When I initially connect to the internet, my svchost mem usage goes up, to as much as 90K+, and after a few seconds, my computer freezes up on me. I can move the mouse around, minimize windows, but cannot open anything on the desktop, and all open windows (including the task manager) are not responding. After waiting about 30 seconds, the problem is gone and everything continues/loads back up normally.

    I'm wondering what the cause of this might possibly be? SAV, Ad-Aware '07, Spybot S&D, AVG Anti-Rootkit are all coming up clean, as did housecall. But this strange lag is bothering me.

    -Might I just have too much running on my system at once?
    -Possibly a particularly malicious virus that's been very good at hiding itself?
    -Some program trying to update itself constantly, or has been hijacked?

    Also tried running netstat -- had 30 connections at one point, 50 at another, right now it's about 10. This is with Pidgin and Firefox running btw, all other programs running in the background are antivirus/firewall/etc.

    So all, what's the prognosis?

  2. #2
    Join Date
    Aug 2006
    Posts
    2,763

    RE: strange lag after connection...

    Moved to Spyware Central; Please review the stickies in this section, you may want to post a hijackthis log to get things started.

    Here's a link to the sticky http://forum.networktechs.com/showthread.php?t=49

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Give us an HJT log and let's see if something shows there. We also need a whole lot more information on the computer...operating system, RAM installed, antivirus program, firewall...how do you connect to the internet...Give us the full rundown please along with the HJT log.
    Judy

  4. #4
    Join Date
    Aug 2007
    Posts
    13
    Sorry, didn't want to bump down others here if it wasn't a spyware-related problem.

    OS: Win XP SP2
    RAM: 512 MB (DDR2 SDRAM)
    Antivirus: Symantec Antivirus
    Firewall: ZoneAlarm (currently 15-day trial of security suite, but will be downgraded to basic firewall soon)
    Internet: Wireless Network Connection

    HJT Log below, if you need any more information please let me know. And thanks for such a quick response!

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:26:18 PM, on 8/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Creative\Mixer\CTSVolFE.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Anthony\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1178502588500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184742241031
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8306 bytes

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am going through your HiJackThis log but wanted to post this immediately. Part of your problem is you are running two anti-virus programs; this is an absolute No-No. Rule is only ONE anti-virus program and ONE firewall on a computer. The Zone Alarm Security Suite contains an anti-virus program and you are already running Norton. This Zone Alarm version also contains an anti-spyware portion and the firewall of course. Since it is really the firewall you want I recommend that you immediately uninstall, COMPLETELY, the Zone Alarm Security Suite and then do a file search on the computer by going to Start, Search, Files and Folders and look for everything Zone Alarm. Delete whatever you find. THEN reboot the computer and if you wish to use the Zone Alarm firewall download and install the Zone Alarm Free Firewall.
    Now you will have to scroll clear to the bottom of the page and click on the "I want only the basic Zone Alarm protection" button.

    Another thing you need to do is disable the SpyBot TeaTimer portion of that program. It can cause problems on some computers AND if we do find some malware it can make it very difficult to remove. So disable TeaTimer like this:
    To close Tea timer and to disable it from starting with Windows when you restart, open Spybot S & D, open the Tools menu on the right pane and click on Resident and uncheck Resident "Tea timer" (Protection of over-all system settings) active. Exit the program. Restart the Computer.

    Another thing running all the time in the background is AdAware Service. This is a new feature of the AdAware 2007 Free. Frankly, I don't like it as it does consume some resources. The supposedly easiest way to stop this is to set the process to manual by running services.msc. BUT then you will find that Adaware will restart the service anyway. Honestly I would consider uninstalling AdAware 2007 and going back to AdAwareSE.
    I would then only use AdAwareSE and Spybot for weekly scanning and not use their background items. DO use the Immunize feature of SpyBot however, it does make a difference.
    I will go through your HJT log and see what else may be causing your resource usage to be so high.
    Judy

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, have gone through your HJT log, I really don't see anything that looks like malware or spyware. You obviously do a good job in trying to protect your computer and that is certainly a plus and as you can see it seems to be working.

    We really believe here that "less is more" when it comes to security programs. Use too many and it can slow your surfing, use too much of your resources and, at times, actually lessen your security because having too many security programs running all the time can actually cause them to end up fighting each other and let something through that you don't want on the computer. PhilliePhan has what we feel is the best set up to keep your computer running smoothly and safely in his thread here so read through it. You will see you are doing pretty much what he recommends. I would suggest, in addition to my recommendations in my post above, that you also add SpywareBlaster.
    As you will see it is on his list of "must haves". It is an excellent free program and really offers super protection.

    Now to control those Auto-Starting programs I recommend using another little, FREE program, Mike Lin's StartUpControl Panel.
    Download and install it and from then on you will find it located in your Control Panel with a small computer icon labeled StartUp.
    Open the program and just remove the checkmarks from the programs that you do not want to auto start. Then reboot the computer and those items you disabled with the program will not start unless you start them manually.

    Here is a list of programs auto-starting from your HJT log that you can turn off using Mike Lin's program, now these are all your choice, if you wish to have them continue to start automatically that is fine but none of these are required to run the computer OR run that particular program, all can be started manually if needed;

    ehTray>>>Enables the user to access Windows Messenger from within Windows Media Center Edition
    igfxtray>>>Part of Intel's Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Quick access to the control panel via a System Tray icon. EASILY Available via Start -> Settings -> Control Panel
    SigmatelSysTrayApp>>>Related to Sigmatel_Audio_sound_card. This program is not required to start automatically as you can run it when you need to
    DMXLauncher>>>Part of Dell's Media Experience, a multimedia suite which offers the user functionality to organise and play music and digital video files
    Dell QuickSet>>>Dell taskbar icon allowing you to quickly change settings
    CTSVolFE.exe>>>Related to Volume_Control from Creative Technology Ltd. Note: Located in C:\Program Files\Creative\Mixer\
    ISUSPM Startup>>>InstallShield Update Service related; Automatically searches for and performs any updates to the software. Not required.
    ISUSScheduler>>>InstallShield Update Service Scheduler; automatically searches for and performs any updates to the software so you’re always working with the most current version. Not required.
    ******************
    (These five programs below all are used to ease the input of Asian characters in MS Office, IE, Outlook and Word. If you use these often then I would leave them. If you DON'T use them often then I would disable them from auto-start.)
    IMJPMIG8.1
    IMEKRMIG6.1
    MSPY2002
    PHIME2002ASync
    PHIME2002A

    ******************
    SunJavaUpdateSched>>>Checks with Sun's Java updates site to see if newer Java versions are available. Visit http://java.sun.com or just run the Java Plug-In Control Panel. You can do this manually, and obviously this is NOT doing its job because there has been a java update recently and you are one update behind.
    iTunesHelper>>>Installed with Apple's iTunes for Windows. Uses ~3-4MB of memory. Now if disabled it WILL put itself back into auto start when you use it, so you will have to be sure to remove from auto start after using with Mike Lin's program or it will start with your next reboot.

    I also suggest you read How to configure Windows Services in XP, posted by our own Turcoloco. Turning off a lot of unnecessary things that run automatically in XP can also really speed things up.

    Try these suggestions and see how things go. If you feel things have improved OR are still having problems please check back here and we will see what else we can do to speed things up a bit.
    Judy
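
Added example (not part of the original posts or of HijackThis itself): the review Judy describes above, expressed in Python, pulling the O4 autostart and O23 service entries out of a HijackThis log and listing the ones to verify first. The sample lines are constructed from entries of the kind shown in the log in post #4; the function names and the three flag labels are this example's own assumptions, and a flag is a prompt to check the file, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 format (a subset, not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN_KEY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+) - (?P<path>[A-Za-z]:\\.+)$")

def parse_hjt(text):
    """Group HijackThis entries by section code (R0, O2, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # process paths and headers have no "Xn - " prefix and are skipped
            sections[m.group("code")].append(m.group("body"))
    return sections

def autostarts(sections):
    """Return (location, name, command) for every O4 autostart entry."""
    out = []
    for body in sections.get("O4", []):
        m = RUN_KEY.match(body)
        if m:
            out.append((f"{m['hive']}\\{m['key']}", m["name"], m["cmd"]))
        else:  # startup-folder shortcut: "Global Startup: X.lnk = target"
            loc, _, rest = body.partition(": ")
            name, _, target = rest.partition(" = ")
            out.append((loc, name, target))
    return out

def review_items(sections):
    """Entries worth verifying by hand before deciding to keep or disable them."""
    flags = []
    for _loc, name, cmd in autostarts(sections):
        if cmd == "?":  # the log shows no target for the shortcut
            flags.append(("unresolved-target", name))
        elif not re.match(r'^"?[A-Za-z]:\\', cmd):  # no full path: search-path dependent
            flags.append(("relative-path", name))
    for body in sections.get("O23", []):
        m = SERVICE.match(body)
        if m and m["owner"].lower() == "unknown owner":
            flags.append(("unknown-owner-service", m["name"]))
    return flags

if __name__ == "__main__":
    secs = parse_hjt(SAMPLE_LOG)
    for loc, name, cmd in autostarts(secs):
        print(f"{loc:15} {name:25} {cmd}")
    for kind, name in review_items(secs):
        print("REVIEW", kind, name)
```
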

  7. #7
    Join Date
    Aug 2007
    Posts
    13
    Thanks so much Judy! I followed your instructions re: ZoneAlarm and Spybot's Tea Timer, and the computer no longer freezes up after connecting to the internet! Have been considering switching back to AAW SE for some time, but recently heard that Lavasoft is going to stop offering support for it sometime soon. Have you heard anything about this?

    Also downloaded SpywareBlaster and Startup Control Panel (disabling quite a few of those listed), as well as updating Java. Thanks

    Would you recommend that I add any other anti-spyware or other programs from PhilliePhan's list?

  8. #8
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78

    adaware SE

    I am in the process of reinstalling SE myself. I had the files or system corrupt itself and no longer connect to the download server. In my case I uninstalled all the components. As for the no longer offering updates, I have not seen anything myself to this note. Keep up with Judy and all will run smoothly.

  9. #9
    Join Date
    Aug 2007
    Posts
    13
    Huh, strange. It's been difficult to find sources to verify my claim, and all I was able to find was this, from 2005 no less!

    http://discussions.virtualdr.com/arc.../t-187484.html

    Can anyone shed some light on this?

    Pheonix, mind letting us know if you're still receiving updates for AAW SE Personal?

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote: Originally Posted by helpt3hn00b
    Thanks so much Judy! I followed your instructions re: ZoneAlarm and Spybot's Tea Timer, and the computer no longer freezes up after connecting to the internet! Have been considering switching back to AAW SE for some time, but recently heard that Lavasoft is going to stop offering support for it sometime soon. Have you heard anything about this?

    Also downloaded SpywareBlaster and Startup Control Panel (disabling quite a few of those listed), as well as updating Java. Thanks

    Would you recommend that I add any other anti-spyware or other programs from PhilliePhan's list?
    So pleased all worked out so well.
    I myself still use AdAwareSE Free version and am able to receive updates without trouble. By stopping support I believe they mean they will not offer support...i.e. if you are having problems with it but for now at least I am certainly able to update the program with new definitions. They also still have support questions and answers for AdAwareSE Free on their website here.
    I would imagine that sooner or later the newer version will be required but as of yet it is not. I will personally stay with AdAwareSE until they no longer offer definition updates for it, for now they do.
    As far as additional anti-spyware programs from PP's list I also use AVG Anti-Spyware version 7.5 for scanning, not background protection and I also use the ATF-Cleaner. Other than that I myself don't use anything else other than those already noted. I also keep my browser cache set at no higher than 10 to 50mb. I also use Firefox as my default browser, it is more secure, I only use Internet Explorer for Windows updates, which I do manually not automatically.
    Be sure to take a look at ~TL's link on configuring services in Windows XP. There are lots of great tips there for speeding up XP.
    Just watch where you surf, use pop up blockers, don't open mail from somebody you don't know and you should continue to have good luck.
    Judy
