svchost.exe hogging my CPU
in [Anti-Virus]
|
Prev: Free AV from AOL
Next: Run virus check from floppy
From: Duane Arnold "Do forget about on 28 Aug 2006 22:52 David H. Lipman wrote: > From: "-Nisko-" <rmo555(a)cox.net> > > | I used Process Explorer - and svchost is only in the system32 folder. BTW, > | what does %windir% mean? In other words, how do I interpret something > | inside % marks? Thanks..... > | > > > Text inside the %% are names of environmental variables. > > For example; > %windir% > will point to c:\windows or c:\winnt (or other location) as the base Win32 folder > depending upon thye OS and what was chosen > > %tmp% and %TEMP% > Point to the TEMPorary folder > > Open a Command Prompt and type; set and then hist the enter key. > You will see a list of commonly displayed environmental variables. > > They can be used within a Command Prompt, at; Start --> Run , within BAT and CMD files, > within LNK files, etc. > > The important concept is that SVCHOST.EXE was the legitimate OS version and thus it in > itself is not malware and if SVCHOST.EXE is bringing the CPU utilization up aroun 99% then > one of the services it is serving up has a problem. > > Using ProcessExplorer you will see what each running version of SVCHOST.EXE is serving up. > You know, I have mentioned Process Explorer to numerous posters in various NG(s). It's only been twice in all that time that someone took PE and was able to spot something. Those two were skilled professionals that could tack down the culprit. One was a Web admin that used PE to find malware, that everything she used couldn't find it. The other one was a person who used PE to track down something MS had done to send svchost.exe out of control. Now, I am going back to watching Amreican Chopper. Paul Sr. and Jr. are in another heated argument and are ready to kill each other on who has control of the shop. ;-) Duane :)
From: Duane Arnold "Do forget about on 28 Aug 2006 23:00 Vanguard wrote: > "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message > news:wCNIg.2662$xQ1.1119(a)newsread3.news.pas.earthlink.net... > >> Vanguard wrote: >> >>> "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message >>> news:wILIg.14914$xp2.9285(a)newsread1.news.pas.earthlink.net... >>> >>> For Process Explorer and other system tools, tis probably best to go >>> to http://www.sysinternals.com to get them directly from SysInternals >>> instead of some 3rd party site. >> >> > <snip> > >> Besides, MS brought out sysinternals so I don't know how long >> systintranls is going to be around. > > > Oh oh. Better download all the SysInternal tools before Microsoft > vaporizes them. Microsoft bought WinInternals who sponsors SysInternals > so, yeah, the SysInternals stuff could just disappear since Microsoft > only needs to comply with existing contracts with paying *customers* of > WinInternals. It was something about MS putting one or two guys that developed the tools on MS's payroll. I am sure they are getting paid very well with nice benefits and other things in the pot. They would have been fools not to take the offer. You know the old saying. $$$$ talk and BS walks. ;-) Duane :)
From: -Nisko- on 29 Aug 2006 10:10 Hi and thanks. However, which is the site you are referring to? "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message news:wCNIg.2662$xQ1.1119(a)newsread3.news.pas.earthlink.net... > Vanguard wrote: >> "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message >> news:wILIg.14914$xp2.9285(a)newsread1.news.pas.earthlink.net... >> >>> -Nisko- wrote: >>> >>>> For the past week or so, one instance of svchost has been hogging 70% >>>> to 90% of my CPU. I have tried many ways to find the culprit to no >>>> avail. Once in a while, when I boot, it doesn't happen - but, most of >>>> the time, it does happen. The result is that my PC becomes extremely >>>> sluggish - so slow that it's unusable. I use McAfee anti-virus and a >>>> variety of spyware finders - and the Microsoft Windows Malicious >>>> Software Removal Tool. None of these has found anything unusual going >>>> on. All my signatures are up to date. Can anyone help me rid my PC of >>>> this issue? Thanks....... >>> >>> >>> You can use Process Explorer and look at the SVchost.exe and see what's >>> running with it, a hidden process. Svchost.exe is the host process, >>> whether that by malware or a legit process. You can use PE to see what >>> processes SVChost.exe is hosting. >>> >>> http://www.vernalex.com/guides/malware/tools.shtml >>> >>> If svchost.exe is not running out of the Winnt/system32 directory, then >>> it's a Trojan. >>> >>> Go to the area about Process Explorer and learn how to use it to look at >>> running processes. It may not even be malware that's causing the problem >>> too and you can see all processes running with a host process such as an >>> (exe). >>> >>> Duane :) >> >> >> >> For Process Explorer and other system tools, tis probably best to go to >> http://www.sysinternals.com to get them directly from SysInternals >> instead of some 3rd party site. > > For the most part I would agree, but for a novice with such software, one > doesn't know how to use it and sysinternals doesn't explain it at all. > This site shows very well how to use the solution, which I have gotten > tired of showing the how to use it. So, I'll continue to use this site. > Besides, MS brought out sysinternals so I don't know how long systintranls > is going to be around. > > Duane :)
From: -Nisko- on 29 Aug 2006 10:13 I don't know what you mean by default mode - or missing the startup icons. Please explain. I'm learning something from your help. Thanks....... "thecreator" <thecreator(a)comcast.net> wrote in message news:aMydnUWK-uMvAW7ZnZ2dnUVZ_sGdnZ2d(a)comcast.com... If you are using Windows XP in default mode, where XP hides the Startup Icons, this will restore the missing icons. -- thecreator "-Nisko-" <rmo555(a)cox.net> wrote in message news:XlMIg.3513$Zm1.1560(a)dukeread02... > Also, by changing the settings as you suggest, what does that do? What > should I look out for? > > > "thecreator" <thecreator(a)comcast.net> wrote in message > news:RuednWHyuMp_Gm7ZnZ2dnUVZ_tidnZ2d(a)comcast.com... > Hi Nisko, > > Plug and Play Set to Manual > SSDP Discovery Service Set to Manual > Universal Plug and Play Device Host Set to Automatic > > Go into Services and changes the above Services. Reboot. > > > -- > thecreator > > > "-Nisko-" <rmo555(a)cox.net> wrote in message > news:LZKIg.3499$Zm1.1472(a)dukeread02... >> For the past week or so, one instance of svchost has been hogging 70% to >> 90% >> of my CPU. I have tried many ways to find the culprit to no avail. Once >> in >> a while, when I boot, it doesn't happen - but, most of the time, it does >> happen. The result is that my PC becomes extremely sluggish - so slow >> that >> it's unusable. I use McAfee anti-virus and a variety of spyware >> finders - >> and the Microsoft Windows Malicious Software Removal Tool. None of these >> has found anything unusual going on. All my signatures are up to date. >> Can >> anyone help me rid my PC of this issue? Thanks....... >> >> > >
From: -Nisko- on 29 Aug 2006 10:15
I'm using PE and have found that svchost.exe is only in my system32 folder. Also, all the processes associated with the out of control svchost are legitimate. "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message news:AZNIg.11420$Qf.7770(a)newsread2.news.pas.earthlink.net... > David H. Lipman wrote: >> From: "-Nisko-" <rmo555(a)cox.net> >> >> | I used Process Explorer - and svchost is only in the system32 folder. >> BTW, >> | what does %windir% mean? In other words, how do I interpret something >> | inside % marks? Thanks..... >> | >> >> >> Text inside the %% are names of environmental variables. >> >> For example; >> %windir% >> will point to c:\windows or c:\winnt (or other location) as the base >> Win32 folder >> depending upon thye OS and what was chosen >> >> %tmp% and %TEMP% >> Point to the TEMPorary folder >> >> Open a Command Prompt and type; set and then hist the enter key. >> You will see a list of commonly displayed environmental variables. >> >> They can be used within a Command Prompt, at; Start --> Run , within BAT >> and CMD files, >> within LNK files, etc. >> >> The important concept is that SVCHOST.EXE was the legitimate OS version >> and thus it in >> itself is not malware and if SVCHOST.EXE is bringing the CPU utilization >> up aroun 99% then >> one of the services it is serving up has a problem. >> >> Using ProcessExplorer you will see what each running version of >> SVCHOST.EXE is serving up. >> > > You know, I have mentioned Process Explorer to numerous posters in various > NG(s). It's only been twice in all that time that someone took PE and was > able to spot something. Those two were skilled professionals that could > tack down the culprit. One was a Web admin that used PE to find malware, > that everything she used couldn't find it. The other one was a person who > used PE to track down something MS had done to send svchost.exe out of > control. > > Now, I am going back to watching Amreican Chopper. Paul Sr. and Jr. are in > another heated argument and are ready to kill each other on who has > control of the shop. ;-) > > Duane :) |