Memory Resource Hog



LilAznAccommodator
12-18-2006, 11:14 PM
Dear Readers,

This is for my sister's computer and for some reason whenever we boot up there are a few problems...

1. Fan makes weird sound (And I think it is due to the ColdNess as once it is warmed up and you turn off and back on... It doesn't make the sound but if you turn it off when the fan makes the sound and turn it on it will continue to make that noise, it is an Intake Fan)

2. DualBoot there are two Windows to choose from on bootup and I only have 1 HD so I was wondering if I can rid one without having to Format...

3. When I boot up it LAGS and takes either around 5-7 minutes to settle down or to just ctrl+alt+del and delete the svchost.exe that is taking up 99% of the CPU Usage it is perfect.

So if anyone could be so kind as to help me with any of these problems I would appreciate it, thank you in advance.

Snee
12-18-2006, 11:53 PM
1) Don't know about the fan, try dusting it off and make sure it's well attached, maybe?

2) Are there two versions of windows installed, then? What happens when you pick either option?

If one does nothing you can edit it out of the menu for now. System->Advanced->Start-something->edit, but make damned sure you are getting rid of the right one. Be very careful.

Otherwise, if you've got two separate installations, you can get rid of the one that doesn't have the mbr on it without any probs, by deleting or wiping the partition (the other one would be worse), just get rid of the corresponding entry in the bootlist as well (to start with).

3) If you've got XP, start off by trying: start menu->run and type "services.msc", and go through all the processes, use this (http://www.theeldergeek.com/services_guide.htm) as a reference. If that site says a service isn't needed, try setting it to manual first.

Also google any running services you don't recognize, see if there's any unnecessary crap running.

LilAznAccommodator
12-19-2006, 12:45 AM
For the OS Selection they are both the same... And there is only 1 harddrive... So I shall go and try that... As for the Services.msc it is Svchost.exe that causes the lag and there are mult. copies of that ><

Edit: Okay the OS was resolved as they were both the same in the method you told me so that is cleared... Now it is up to #3 and I am unclear.

Snee
12-19-2006, 01:08 AM
Lots of windows' services will pop up as svchost, tho', that's why I want you to start with turning off any unnecessary stuff, if you get lucky it's something you don't need that's messing with you.

But just as before you ought to be careful so as to not turn off anything you need.

LilAznAccommodator
12-19-2006, 04:48 AM
Alrights I shall double check with that.

Edit: Alrights didn't have anything changed haha.. So bleh.. Dunno if a HiJack This log would help.

Snee
12-19-2006, 10:45 AM
Anything changed? :unsure:

Some of the recommended settings aren't the standard ones and since you say the computer runs ok with it turned off, I wonder if it's a necessary service. On the site I gave you, it says what the process name for each service is, so focus on ones called svchost.

Otherwise you could just let it run for a couple of hours, see if it dies down after that or if it comes back after reboot then, I dunno :unsure:


Edit: you can also run msinfo32, check under program environment/running (or maybe active, my os isn't in english), see if it runs from anywhere unusual.

How many svchosts do you have running, btw?

Chewie
12-19-2006, 11:43 AM
svchost is a Windows process that manages a group of services. It can be executed multiple times simultaneously to control several different groups of services.
Seeing multiple instances of svchost in Task Manager is not unusual or considered suspicious.

1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.

This will list the services that each instance of svchost controls.

LilAznAccommodator
12-19-2006, 02:26 PM
There are 6 instances of svchost.exe.
2-Network Service
1- Local System
3- System

And yeah still no change.. trying Chewies check.

Edit: Ehh everything seems to be fine.. and yeah as mentioned before after leaving it alone for like a few minutes it just dies down and goes to normal....

again should I post a HiJack This log?

Snee
12-19-2006, 04:38 PM
What I meant was for you to check which services running as/under svchost, like this one (note the top right corner of the description) (http://www.theeldergeek.com/hid_input_service.htm) were active, if any of them aren't necessary for you, try turning those off, and see whether the problem is still there.

With any luck, it's one of the unnecessary ones that is giving you issues.


And yes, chewy, multiple instances of svchost isn't strange, a huge amount of them is tho' (I seldom see more than four, altho' 6 is ok, I reckon), and to compound the issue, virii have been known to run services masked as svchost.exe (or at least something like "scvhost.exe"), from odd locations.

That's why I wanted him to count them, and check where they were running from

Chewie
12-19-2006, 09:04 PM
> What I meant was for you to check which services running as/under svchost, like this one (note the top right corner of the description) (http://www.theeldergeek.com/hid_input_service.htm) were active, if any of them aren't necessary for you, try turning those off, and see whether the problem is still there.
>
> With any luck, it's one of the unnecessary ones that is giving you issues.
>
> And yes, chewy, multiple instances of svchost isn't strange, a huge amount of them is tho' (I seldom see more than four, altho' 6 is ok, I reckon), and to compound the issue, viruses have been known to run services masked as svchost.exe (or at least something like "scvhost.exe"), from odd locations.
>
> That's why I wanted him to count them, and check where they were running from

I was clarifying the purpose of svchost for LilAA.
The directions I gave will show which services are controlled by which instance of svchost.
Given the process ID (add the column in Task Manager to see it) from the instance of svchost that runs at 100%, one can narrow it down to only those services it controls


> There are 6 instances of svchost.exe.
> 2-Network Service
> 1- Local System
> 3- System
>
> And yeah still no change.. trying Chewies check.
>
> Edit: Ehh everything seems to be fine.. and yeah as mentioned before after leaving it alone for like a few minutes it just dies down and goes to normal....
>
> again should I post a HiJack This log?

Yes, post a log, there may be something one of us has come across before.
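Chewie's tip (run Tasklist /SVC, then match the PID of the busy svchost in Task Manager) comes down to reading a fixed-width table whose service list can wrap onto continuation rows. The parser below is an added example, not part of the original posts; the sample text is constructed in the layout `tasklist /SVC` prints and is not output from the poster's PC.

```python
# Constructed sample in the layout printed by `tasklist /SVC`.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  936 DcomLaunch, TermService
svchost.exe                 1012 RpcSs
svchost.exe                 1104 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 wuauserv, Schedule, Themes
spoolsv.exe                 1500 Spooler
"""

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [services])} from `tasklist /SVC` text."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("==="))
    w_name = len(lines[ruler].split()[0])   # width of the Image Name column
    table, pid = {}, None
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        name, rest = line[:w_name].strip(), line[w_name:].strip()
        if name:                             # a new process row starts here
            pid_text, _, rest = rest.partition(" ")
            pid = int(pid_text)
            table[pid] = (name, [])
        elif pid is None:                    # stray wrapped row before any process
            continue
        # Rows with a blank name column continue the previous service list.
        services = (s.strip() for s in rest.split(","))
        table[pid][1].extend(s for s in services if s and s != "N/A")
    return table

def svchost_groups(table):
    """Only the svchost.exe instances, keyed by PID."""
    return {p: svcs for p, (name, svcs) in table.items()
            if name.lower() == "svchost.exe"}

if __name__ == "__main__":
    hot_pid = 1104   # the PID Task Manager shows pegging the CPU (assumed value)
    print(hot_pid, svchost_groups(parse_tasklist_svc(SAMPLE)).get(hot_pid))
```

The services listed for the busy PID are the short list to check in services.msc, instead of working through every service on the machine.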

4play
12-19-2006, 10:50 PM
> I was clarifying the purpose of svchost for LilAA.
> The directions I gave will show which services are controlled by which instance of svchost.
> Given the process ID (add the column in Task Manager to see it) from the instance of svchost that runs at 100%, one can narrow it down to only those services it controls



that's a pretty useful tip. cheers for that.

LilAznAccommodator
12-19-2006, 10:53 PM
Here is the HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:54:16 PM, on 12/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stacey\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

4play
12-19-2006, 11:15 PM
copy and paste your log file here (http://www.hijackthis.de). it comes up all clean apart from that wallmast program.

what did chewies tip turn up.

Chewie
12-19-2006, 11:22 PM
Please uninstall Spysweeper; you'll notice that logon-time hard drive activity is vastly improved.

> O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Ask clocker for a second opinion.

LilAznAccommodator
12-19-2006, 11:27 PM
Hmm uninstall spysweeper.. wouldn't know what to replace it with as I don't use it actively, as I use only as OnDemand..

@4play: Thanks for that link.

Chewie
12-19-2006, 11:45 PM
I have Kaspersky Internet Security, XoftSpy, Spybot and AdAware on here for malware protection.
XoftSpy and AdAware are purely 'on demand' tools (although very good) while Spybot also has an Immunize feature and background IE protection.

Spysweeper is renowned for its logon resource unfriendliness.

Happy birthday, by the way.

LilAznAccommodator
12-20-2006, 12:15 AM
Haha thank you, and ehhh yeah as sis is on computer at the moment I shall try fixing it later and then report the status update.

Chewie
12-20-2006, 01:31 AM
Ha!
Found it:

clocker on spysweeper (http://filesharingtalk.com/vb3/p-what-programs-can-get-rid-out-these-post1422232/postcount9)

LilAznAccommodator
12-20-2006, 04:57 AM
Hahha well my problem isn't necessarily slow boot-up more or less just the svchost.. and I don't have spysweeper run on startup.. at least it shouldn't..

Chewie
12-20-2006, 04:32 PM
According to your HJT log, it's starting as a service.

Snee
12-20-2006, 04:48 PM
> I was clarifying the purpose of svchost for LilAA.
> The directions I gave will show which services are controlled by which instance of svchost.
> Given the process ID (add the column in Task Manager to see it) from the instance of svchost that runs at 100%, one can narrow it down to only those services it controls.

Yeah, sorry, I thought we were arguing for a sec there, was purty tired.

Good advice, all round.