From: -Nisko- on 29 Aug 2006 19:43

"Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message news:Yt3Jg.3019$bM.2667(a)newsread4.news.pas.earthlink.net...
> -Nisko- wrote:
>> I'm using PE and have found that svchost.exe is only in my system32
>> folder. Also, all the processes associated with the out of control
>> svchost are legitimate.
>>
>
> That may not be so as malware can be made to look legit. However, you may
> be right too that everything is legit.
>
> You can go to the svchost.exe in question and right-click it and go to
> Properties and look from there. You can look at the information on the
> Thread tab and see what processes within the SVchost.exe is sucking the
> CPU within SVChost.exe. You can also look around on some other tabs as
> well, like the Service tab and see what services the svchost.exe is
> hosting. The service tab told another poster as to what service that made
> svchost.exe spin out of control with high CPU usage.
>
> Duane :)

Please explain the thread tab - and how to use it. I'm not familiar with it yet.
From: -Nisko- on 29 Aug 2006 19:45

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:jI1Jg.3083$N84.2137(a)trnddc08...
> From: "Duane Arnold" <"Do forget about it"@PleaeDo.BET>
>
>
> | You know, I have mentioned Process Explorer to numerous posters in
> | various NG(s). It's only been twice in all that time that someone took
> | PE and was able to spot something. Those two were skilled professionals
> | that could track down the culprit. One was a Web admin that used PE to
> | find malware, that everything she used couldn't find it. The other one
> | was a person who used PE to track down something MS had done to send
> | svchost.exe out of control.
> |
> | Now, I am going back to watching American Chopper. Paul Sr. and Jr. are
> | in another heated argument and are ready to kill each other on who has
> | control of the shop. ;-)
> |
> | Duane :)
>
> I was given a notebook with a nasty non-viral malware infection.
>
> A DLL was hooked into Winlogon Notify and the key was protected by the
> malware. Deleting the key was useless as the DLL was able to recreate itself
> with a new name and the key was altered to the new DLL upon reboot.
>
> ProcessExplorer was able to find the DLL that was running and it allowed me
> to kill that DLL process which then allowed me to delete the Winlogon Notify
> key and to clean up the notebook.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>

It would help me learn a little more about how to use PE if you explained the above process in more detail. Thanks..
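Dave's clean-up relied on first finding the Winlogon Notify DLL that was running, then removing the key. The script below is an added example, not code from anyone in this thread: it is a read-only audit of the Winlogon Notify registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, the key Winlogon consulted on Windows 2000/XP/2003; later Windows versions ignore it, so an empty result there is expected). For each registered package it resolves the DLLName value, checks that the file exists, lives under System32 and carries a valid Authenticode signature, and flags anything that does not. The function name `Get-WinlogonNotifyAudit` and the flag labels are my own choices.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages.
# Read-only; run from an elevated PowerShell so the key and files are readable.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyAudit {
    # Nothing registered (or a Windows version without the key): empty result.
    if (-not (Test-Path -Path $notifyKey)) { return @() }

    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll   = $props.DLLName
        if (-not $dll) { continue }

        # A bare file name (e.g. "crypt32.dll") is loaded from System32;
        # anything else is expected to be an absolute path.
        $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
        $resolved = [Environment]::ExpandEnvironmentVariables($resolved)

        $exists     = Test-Path -LiteralPath $resolved
        $inSystem32 = $resolved.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sigStatus  = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'Missing' }

        # Collect the reasons a reviewer should look closer at this entry.
        $flags = @()
        if (-not $exists)                     { $flags += 'file-missing' }
        if (-not $inSystem32)                 { $flags += 'outside-system32' }
        if ($exists -and $sigStatus -ne 'Valid') { $flags += "signature-$sigStatus" }

        [pscustomobject]@{
            Package = $sub.PSChildName
            DllName = $dll
            Path    = $resolved
            Flags   = ($flags -join ' ')
        }
    }
}

Get-WinlogonNotifyAudit | Format-Table -AutoSize
```

The audit deliberately only reports. As Dave's account shows, deleting the key while the DLL is still loaded is pointless when the module recreates itself under a new name at reboot, so the order that worked for him (identify the loaded DLL in Process Explorer, stop it, then remove the key) is the one to follow; the list above just tells you which entry to look at.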
From: Duane Arnold "Do forget about on 29 Aug 2006 20:47

-Nisko- wrote:
> "Duane Arnold" <"Do forget about it"@PleaeDo.BET> wrote in message
> news:Yt3Jg.3019$bM.2667(a)newsread4.news.pas.earthlink.net...
>
>> -Nisko- wrote:
>>
>>> I'm using PE and have found that svchost.exe is only in my system32
>>> folder. Also, all the processes associated with the out of control
>>> svchost are legitimate.
>>>
>>
>> That may not be so as malware can be made to look legit. However, you may
>> be right too that everything is legit.
>>
>> You can go to the svchost.exe in question and right-click it and go to
>> Properties and look from there. You can look at the information on the
>> Thread tab and see what processes within the SVchost.exe is sucking the
>> CPU within SVChost.exe. You can also look around on some other tabs as
>> well, like the Service tab and see what services the svchost.exe is
>> hosting. The service tab told another poster as to what service that made
>> svchost.exe spin out of control with high CPU usage.
>>
>> Duane :)
>
>
> Please explain the thread tab - and how to use it. I'm not familiar with it
> yet.
>
>

The Thread tab shows how much a program gets of the CPU usage and processing time on the CPU. A program runs on a processing thread, a slice of time for program execution on the CPU. An exe program hosts other programs such as DLL(s). In the case of svchost.exe, it's a multi-threaded hosting application, which means svchost.exe runs on the main thread. However, svchost.exe and other exe programs like Explorer spawn child threads to allow the other programs they are hosting to run on their own thread while they run. An exe program may or may not host other programs such as DLL(s). An exe program may or may not spawn child threads to allow other programs it is hosting to run.

The Thread tab shows what program is getting processing time within svchost.exe, how much CPU usage it's using and how much it's switching between its thread and the thread the host exe is running on. If you see high CPU usage and/or high context switching, that may be a clue as to what is sucking up CPU usage within the host exe. That's about as simple as I can explain it. ;-)

Duane :)
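Duane's explanation covers two things Process Explorer shows for an svchost.exe: which services it hosts (Services tab) and which threads inside it are burning CPU (Threads tab). The script below is an added example, not code from anyone in this thread, that gathers the same facts from the command line on a current Windows system: it maps every running svchost.exe to the services registered against its PID, checks that the image path is the expected %SystemRoot%\System32\svchost.exe (the point -Nisko- was verifying), and lists the busiest threads of the instance with the most CPU time. The function names `Get-SvchostHostMap` and `Get-TopThreads` are my own.

```powershell
# Added example (not from the thread): svchost.exe -> hosted services, with a
# thread breakdown. Run from an elevated PowerShell (5.1 or later) so that the
# image path and thread list of system processes are readable.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostHostMap {
    # Win32_Service carries the PID of the process hosting each service;
    # group by PID so each svchost can be matched to its services.
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $path = $p.Path          # $null when the process cannot be opened
        $key  = [string]$p.Id
        $services = @()
        if ($svcByPid -and $svcByPid.ContainsKey($key)) {
            $services = @($svcByPid[$key] | ForEach-Object { $_.Name })
        }

        # Reasons to look closer: wrong/unreadable image path, or an
        # svchost.exe that hosts no service at all.
        $flags = @()
        if ($null -eq $path)                  { $flags += 'path-unreadable' }
        elseif ($path -ne $expectedPath)      { $flags += 'unexpected-path' }
        if ($services.Count -eq 0)            { $flags += 'no-services' }

        [pscustomobject]@{
            PID      = $p.Id
            CpuSec   = [math]::Round($p.TotalProcessorTime.TotalSeconds, 1)
            Threads  = $p.Threads.Count
            Services = ($services -join ', ')
            Flags    = ($flags -join ' ')
        }
    }
}

function Get-TopThreads {
    param([int]$ProcessId, [int]$Count = 5)
    # Per-thread CPU time, highest first: the command-line view of what the
    # Threads tab shows. (Process Explorer additionally resolves each thread's
    # start address to a module and symbol; .NET only exposes the raw address.)
    (Get-Process -Id $ProcessId).Threads |
        Sort-Object -Property TotalProcessorTime -Descending |
        Select-Object -First $Count Id, ThreadState, StartAddress,
            @{ n = 'CpuSec'; e = { [math]::Round($_.TotalProcessorTime.TotalSeconds, 1) } }
}

$map = Get-SvchostHostMap | Sort-Object -Property CpuSec -Descending
$map | Format-Table -AutoSize

# Drill into the instance that has consumed the most CPU so far.
if ($map) {
    "Top threads in svchost.exe PID $($map[0].PID):"
    Get-TopThreads -ProcessId $map[0].PID | Format-Table -AutoSize
}
```

Read the Flags column first: a second svchost.exe outside System32, or one hosting no service, is the kind of thing Duane warns can be made to look legitimate in a plain process list. The thread listing then narrows a CPU problem to a specific thread, and the Services column tells you which service (or services) that instance is hosting, which is what identified the runaway service for the other poster Duane mentions.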
From: David H. Lipman on 29 Aug 2006 20:53

From: "-Nisko-" <rmo555(a)cox.net>

| I'm trying - but I don't understand either of the misdemeanors you just
| mentioned.
|

That's OK.... That's all peter does understand ! { Just kidding Peter }

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: David H. Lipman on 29 Aug 2006 20:55

From: "-Nisko-" <rmo555(a)cox.net>

| It would help me learn a little more about how to use PE if you explained
| the above process in more detail. Thanks..
|

I can't. That was over a year ago. My ability to explain it would fall short of my ability to demonstrate it.

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm