svchosts.exe's cpu is 100% :(

Discussion in 'other software & services' started by helen321, Nov 27, 2004.

Thread Status:
Not open for further replies.
  1. helen321

    helen321 Guest

    hello wilders :). every time i boot up my computer it is very, very slow :( . i looked in task manager and svchost.exe was up to 95-100%. i have run AVG and will run spybot, adaware and ewido, as well as a couple of online scanners and maybe standalones.

    to get here i had to kill the process, otherwise i just couldn't get an internet connexion to work, it was just too slow. my friend iceni60 is here for an hour or so, so it would be great if someone could help while he is here :) .

    last time he was here he used either process explorer or faber toys to find the process and was going to go through the modules loaded by svchosts.exe to try and find which .dll was causing the problem, are these the right tools to use? i've already killed the process so i can't check right now.

    the PID for the process is 1096 and the user name is NETWORK SERVICE.

    any help is greatly appreciated :) .

    thanks, iceni and helen.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi iceni and helen,

    The first thing I would do is to see what services are running under the svchost.exe processes. If you have XP Pro, go Start/Run, type cmd, and hit Enter. At the command prompt, type tasklist /svc /fi "imagename eq svchost.exe". If you have XP Home, you can download tasklist.exe here: Tasklist. Just drop it in your *\System32 folder. The output will show you what services are running under each svchost PID, including the one that is causing the problem. From there, you can troubleshoot the services involved by using the services control panel.

    Nick
     


  3. thank you nick. it's great to be able to get your help. to get tasklist to work, we'll have to reboot so the process is running, and i'm getting thrown out now :eek: . i'll be back in a few days, so we'll work it out then. again thanks for helping me the last few days (i hope these <img> tags work) o_O
     
  4. H & I

    H & I Guest

    sorry, but it's xp home we are using. is tasklist a dos program? if so my dos skills are novice level. what is the cmd to run it, if it's in the system32 folder.

    C:\windows\system32\tasklist\svc\fi "imagename eq svchost.exe"
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If you put tasklist.exe in the system32 folder, all you have to do is highlight and copy this:

    tasklist /svc /fi "imagename eq svchost.exe"

    and paste it into the CMD window. Then press Enter.

    Nick
     


  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, nick. i'll try it next time i'm there :cool:
     
  7. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    question: wouldn't you also like to know what is the path of the offending process?
    If it has a path other than default... it could be a worm.
    to do this, you'd need IARSN Taskinfo, or get Advanced Process Terminator (freeware) from www.diamondcs.com.au and find the path of the process from its console.
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks, no13 :) . i'll come back to this thread next time i'm there. i _think_ i did find the path with faber toys. either way i'll use this thread :cool:
     
  9. PeteK

    PeteK Guest

    This has been interesting and I am learning a lot reading all this.

    I did two things that got rid of this on a customer's Windows 2000 workstation. First I searched the disk for all svchost files. There were two svchost files that were 8K in size and one that was 5K in size. I renamed the 5K file, also because it wasn't in the system32 directory, to svchost.exepak. (The pak being my initials.) I don't delete anything until I prove I don't need it.

    That stopped the problem right now and it didn't come back on the reboot.

    Next, I went into the registry and deleted the pointer to the bad svchost file, in this case it was located at c:\winnt\svchosts.exe.

    Customer now has a great performing computer.
     
  10. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    You could also try running an Anti-Trojan, an Anti-Virus and an anti-spyware program, one-by-one, because this is symptomatic of a virus/trojan/spyware...
    Have phun.
    Recommended:
    AV: KAV, McAfee
    AT: ewido, a2
    AS: Lavasoft AdAware, Spybot - Search & Destroy.
    your errant trojan may be too old for NOD to detect, so in spite of NOD being a great AV... I can't recommend it in your case. and as I've never seen TDS in action, I won't say anything about it. A2 or Ewido on demand (free versions) work just fine (catching stuff that NAV doesn't know about)
     
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    is there another place where i can get tasklist? i can't get to the site, i wanted to see if i could trace PIDs to listening ports then try it out on Helen's computer.
    i've got this far - netstat -ano :eek: but i haven't got tasklist on my computer to try anything out :mad:
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi iceni60,

    Here you go: Tasklist.exe.

    Nick
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks Nick :D
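
The checks suggested in this thread (services per svchost PID, the executable's path, lookalike names such as svchosts.exe, and listening ports per PID) combined in one read-only PowerShell script, as an added example that is not from any poster. It assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or later, not the XP and 2000 machines discussed, and it treats only %SystemRoot%\System32 and SysWOW64 as expected locations.

```powershell
# Added example (not from the thread). Read-only triage of svchost-like processes.
# Assumption: PowerShell 3.0+ on Windows 8 / Server 2012 or later
# (Get-CimInstance and Get-NetTCPConnection are not available on XP/2000).

# Assumption: the genuine svchost.exe lives only in these two directories.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Services grouped by hosting PID: the same mapping "tasklist /svc" prints.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Listening TCP ports grouped by owning PID: the PID column of "netstat -ano".
$portsByPid = Get-NetTCPConnection -State Listen |
    Group-Object -Property OwningProcess -AsHashTable -AsString

# Match svchost.exe and lookalike names such as svchosts.exe.
Get-CimInstance Win32_Process -Filter "Name LIKE 'svchost%'" | ForEach-Object {
    $procId = [string]$_.ProcessId
    $path   = $_.ExecutablePath          # can be empty when not run elevated
    $dir    = if ($path) { Split-Path $path -Parent } else { $null }

    # Name and directory comparisons are case-insensitive by default.
    $verdict = if ($_.Name -ne 'svchost.exe') { 'LOOKALIKE NAME' }
               elseif (-not $path) { 'path unavailable (run elevated)' }
               elseif ($expectedDirs -notcontains $dir) { 'UNEXPECTED PATH' }
               else { 'ok' }

    [pscustomobject]@{
        PID         = $_.ProcessId
        Name        = $_.Name
        Path        = $path
        Verdict     = $verdict
        Services    = ($servicesByPid[$procId].Name -join ', ')
        ListenPorts = (($portsByPid[$procId].LocalPort | Sort-Object -Unique) -join ', ')
    }
} | Sort-Object Verdict, PID | Format-Table -AutoSize -Wrap
```

A row with an empty Services column next to a LOOKALIKE NAME or UNEXPECTED PATH verdict is the case no13 and PeteK describe: a process borrowing the svchost name that the Service Control Manager never started.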
     