svchost-wbemcore-kernal32 CPU maxed -1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mjgator8104, Jul 29, 2008.

  1. mjgator8104

    mjgator8104 Private E-2

    I've read endless Internet posts to help with this problem. svchost ties up processor and Process Explorer indicates that wbemcore mainly and sometimes kernel32 are most of the problem. I've tried ideas to turn off windows update, firewall, virus protect (McAfee) and running Spybot and Adaware. I'm sure I've also tried other things I've forgotten. I then found this site and followed the Read & Run Me First instructions, so here are my posts from the various operations directed.

    The problem is less consistent now, since it only maxes CPU every 30 seconds or so, like it is on a cycle. At the moment, strangely, I have a pretty consistent usage of about 38% with no spikes which is different, but still seems pretty high, although I have a number of windows open at the moment. Anyway, here are my posts in this and a follow-up thread, since the instructions indicate I can only attach 3 per post. Also, we noticed the computer slowing down around a month or so ago. We are running XP with SP-2.

    Thanks for any help anyone can provide.
     


  2. mjgator8104

    mjgator8104 Private E-2

    svchost-wbemcore-kernal32 CPU maxed -2

    Here's the last file from the instructions.

    Again, thanks.

    If needed I can provide more info on my system, but I assume it is contained in the various logs.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not expecting that your problems are related to malware; however I need to see a log from MGtools that uses the version of the program given in the READ & RUN ME. I'm not sure where you got your copy from but it was not from here. At least not recently. You are 7 months out of date. So please download the correct version and use it to get a new MGlogs.zip file to attach.

    Also run this: "Running GMER to detect rootkits", and attach the requested log.

    Did you or someone else attempt to put Vista files on this PC? I see things ComboFix removed that may be from Vista.
     
  4. mjgator8104

    mjgator8104 Private E-2

    Sorry about the old file. I had trouble accessing one of them and got a copy from the Internet. I think it may have been before I registered for the site so I couldn't get to it. I'll take care of it tonight when I get home from work and re-post the log.

    No, I have never tried Vista. This is a Windows XP machine only with no other operating systems installed. The newest major MS product I have is MS-Office 2002 that I bought with my company's discount agreement.

    I'll get that post up this evening.

    Thanks for the help.
     
  5. mjgator8104

    mjgator8104 Private E-2

    OK, I downloaded the current version of MGtools and ran it. The log is attached.

    I also ran Gmer and attached that log.

    Again thanks and also thanks for the welcome. I'm glad to have found this site and expect to spend plenty more time checking things out.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected, you do not have any malware issues. I am going to give you a couple things to do that are just general cleanup and cleanup from running the READ & RUN ME. Your next steps may require you to be posting in the Software Forum to work your problem if you cannot figure out what it is from the suggestions I give.

    If you did not purchase PC PitStop Optimize (which it looks like you did not), then uninstall it now.
    Also uninstall SUPERAntiSpyware since we are finished with it.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Notes: The space between the combo-fix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    Now here is what I suggest that you do in an attempt to possibly find the cause of your problem. Check the below link from Microsoft out:

    http://support.microsoft.com/kb/838884

    If you need help with this, I suggest that you post in the Software Forum.



    After doing the above and after you get your problem resolved, you should work thru the below link.

    How to Protect yourself from malware!
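
Added example, not part of the original post or of MGtools/HijackThis: a small Python parser for the HijackThis line format quoted in the post above. It flags entries that carry the `(no file)` / `(file missing)` marker (four of the five selected lines) and shows that the R3 and O3 lines point at the same CLSID. The sixth sample entry and all function names are made up for illustration.

```python
import re

# Constructed sample: the five HijackThis lines quoted in the post above,
# plus one made-up healthy BHO entry for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
"""

SECTIONS = {"R3": "URL search hook", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart entry",
            "O18": "extra protocol handler"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Marker HijackThis prints when the entry names no file or the file is not on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse_hjt(text):
    """Split a HijackThis log into entries with section, CLSID and orphan flag."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, process list
        clsid = CLSID_RE.search(m.group("body"))
        entries.append({
            "code": m.group("code"),
            "kind": SECTIONS.get(m.group("code"), "other"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": bool(ORPHAN_RE.search(m.group("body"))),
        })
    return entries

def shared_clsids(entries):
    """CLSIDs registered under more than one section (same component)."""
    seen = {}
    for e in entries:
        if e["clsid"]:
            seen.setdefault(e["clsid"], set()).add(e["code"])
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        print(e["code"], e["kind"], e["clsid"], "ORPHAN" if e["orphan"] else "")
```
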
     
  7. mjgator8104

    mjgator8104 Private E-2

    Ok, it took a while but I've gone through everything and some more. Unfortunately, no improvement. Here's the status of changes.

    I did purchase PC Pitstop Optimize a while back, but my license key doesn't work anymore since it appears they've changed to an annual subscription program.

    I uninstalled SuperAntiSpyware.

    I completed the MGTools scan, checked the noted boxes, and fixed them.

    I copied and ran the registry changes and I did get a success message.

    I completed items 1, 2, 3, 5, and 6 in the next list and skipped # 4 since I'm not running Vista.

    I had already obtained and installed the hotfix before posting on this board, but I did try installing it again. Of course I was already running SP2 which was supposed to supersede the hotfix anyway.

    I went ahead and updated to SP3 since it had not automatically installed on my computer yet.

    Finally today, I used msconfig to do a large number of selective startups to narrow down the specific service that seems to cause the problem. I confirmed that it is the Windows Management Instrumentation (WMI) service so that when I disable that service the problem goes away. This seems to confirm the memory leak issue reported in the MS-knowledge base article, but unfortunately, none of the potential solutions in that article (hotfix, SP2, SP3) have worked for me.

    From other posts I've read on the web, it seems that some other program is using or polling the WMI service every 30 to 35 seconds when it is active, but I can't seem to figure out which one it is. If I could, I might be able to uninstall that program, or obtain an update from the manufacturer if available.

    At this point, I have no other ideas on what to look into. If you have any further suggestions, that would be great. I appreciate all the help so far. Since this appears to not be Malware and is some type of conflict between softwares, should I carry my question to another forum?

    Again, thanks.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I suggest that you post in the Software Forum and you could reference this thread for them to look at.
     
