Vista: high svchost disk usage, sluggishness, strange behavior

Discussion in 'malware problems & news' started by Gullible Jones, Apr 24, 2011.

Thread Status:
Not open for further replies.
  1. Vista: high svchost disk usage, sluggishness, strange behavior (unsolved)

    My grandmother's Vista laptop is extremely sluggish. Internet access is slow (~60 Kbps) even though this is on a cable line, and my Linux netbook is getting good (~300 Kbps) speed on the same network. Also, svchost.exe is using an incredible amount of disk I/O, something like 500 MB in the past few minutes. I disabled indexing and prefetch and that sped the computer up a bit, but the hard drive will not stop grinding. So I'm beginning to suspect infection.

    So far:

    - Kaspersky Rescue Disk detected a couple of apparent false positives, something about finding a mailer trojan in some of the games that HP preinstalled on the computer.

    - Norton Antivirus (she has a subscription for it) found nothing at all, though it did give a warning about svchost's huge I/O use.

    - Rootkit Revealer failed to run (couldn't start the necessary service even as admin), and Gmer caused a BSOD.

    I'm starting to get more than a bit perplexed. There should be a reason for the sluggishness and disk usage by svchost, but nothing seems to give. Am I looking at some kind of trojan or rootkit, or am I chasing phantoms here?
     
    Last edited by a moderator: Apr 24, 2011
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  3. I did that already. As I said, it sped up the machine a little bit, but did not put a dent in the overall disk I/O usage.
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    svchost is used for tons of things, so, no advice until you find out what is actually running and uses svchost. Event Viewer, Process Explorer or whatever...

    (One guess would be .NET "optimization" which runs after some security updates and recompiles tons of crap.)
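
One way to do what the post above suggests, as an added example that is not part of the original thread: sample the I/O counters of every svchost.exe instance twice and list the services each instance hosts, so the busy one can be tied to named services. It uses the standard WMI classes `Win32_Process` and `Win32_Service` from Windows PowerShell; the function name `Get-SvchostIo` and the 30-second window are assumptions made for illustration.

```powershell
# Added example: which svchost.exe instance is doing the I/O, and what does it host?
# Run from an elevated Windows PowerShell prompt.
$intervalSeconds = 30   # assumed sampling window

# Hypothetical helper: PID -> cumulative bytes read + written since process start.
# These counters cover file, network and device I/O, not only disk.
function Get-SvchostIo {
    $snapshot = @{}
    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $snapshot[[int]$_.ProcessId] = [double]$_.ReadTransferCount + [double]$_.WriteTransferCount
    }
    return $snapshot
}

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
Get-WmiObject -Class Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $hostPid = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $_.Name
}

# Two snapshots give a rate instead of a total biased toward long-lived processes.
$before = Get-SvchostIo
Start-Sleep -Seconds $intervalSeconds
$after = Get-SvchostIo

$report = foreach ($hostPid in $after.Keys) {
    # Skip instances that started during the sampling window.
    if (-not $before.ContainsKey($hostPid)) { continue }

    $names = $servicesByPid[$hostPid]
    if ($names) { $serviceList = [string]::Join(', ', $names) }
    else        { $serviceList = '(no running service registered)' }

    $deltaMB = [math]::Round(($after[$hostPid] - $before[$hostPid]) / 1MB, 2)
    $hostPid | Select-Object @{ Name = 'PID';      Expression = { $hostPid } },
                             @{ Name = 'MBInWindow'; Expression = { $deltaMB } },
                             @{ Name = 'Services'; Expression = { $serviceList } }
}

$report | Sort-Object MBInWindow -Descending | Format-Table -AutoSize -Wrap
```

An svchost.exe instance that shows heavy I/O but hosts no registered service is the row worth a closer look in Process Explorer (image path, signer, parent process).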
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Try doing a scan with Dr.Web Cureit in Safe Mode. After that do a scan with SuperAntiSpyware Portable in Safe Mode.
     
  6. Thanks. And weird, there's a lot less disk thrashing in safe mode... I wonder if some third-party thing is acting up.

    Edit: okay, according to Process Explorer TrustedInstaller.exe is eating up rather a lot of disk I/O time. Judging from the rate at which it's reading/writing, I think it may be the culprit.

    Edit 2: Aaaand solved. In a fit of exasperation, I ran PC Decrapifier and removed several hundred megabytes of preinstalled HP garbage, including stuff that was apparently running some background services... Voila, no more thrashing. Incredible, I had no idea that the preinstalled rubbish situation was that bad with HP.

    Edit 3: Oops, not solved. Hard drive started thrashing again after a reboot and hasn't stopped yet.
     
    Last edited by a moderator: Apr 24, 2011
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    By constantly rebooting, you are not exactly improving the situation. Unless you let the task (whatever it is) finish, you will never get rid of this.

    TrustedInstaller.exe is used for checking for new updates, also may be related to searching Problem Reports and Solutions (clear that stuff in actions center) etc.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Gullible Jones

    Hi you could use this :thumb:

    This application requires the .NET 2.0 framework and should work on XP (SP2), Vista and Windows 7!

    I don't have NET & it works just fine on my XP/SP2 :) Don't know why, but it does :D

    Hope you track it down.
     
  9. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Is Windows Defender enabled?
     
  10. Yeah, Windows Defender is enabled. Can that cause thrashing? I didn't want to disable it because I don't know how strong Norton 2011 is against spyware.

    doktornotor: point taken. Though the thrashing lasted longer after boot than is normal for Linux or XP, or what I've seen of Vista for that matter.
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    If you have scheduled scans, then yes...

    (On a side note, I managed to create the same under Linux by scheduling full S.M.A.R.T. diagnostics of disks with smartd and completely forgetting about it. Do not think that Windows does such checks though.)
     
  12. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Just as a test I would try to disable it and reboot. Then after the reboot check and see if the svchost usage is down and if the sluggishness went away. You would not notice the svchost disk usage going down or any sluggishness gone till a reboot.
     