
Is something wrong with my svchost?


10 replies to this topic

#1 Razeblaze

Razeblaze

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:34 PM

Posted 30 August 2009 - 01:46 AM

Ok, I have a 64-bit version of Windows Vista and everything was running great, until recently, my computer has started to get really slow and it takes a while to load anything from the moment I turn on my computer to when I turn it off. So I looked at my Task manager processor and one of my twelve svchosts is over 200,000K and I don't think that is right, I looked around and I tried to turn off automatic updates and it didn't work, so I don't know what to do now. I think that it may be a virus but I am not exactly positive.
Thanks.

Edited by Razeblaze, 30 August 2009 - 01:48 AM.




#2 Razeblaze


Posted 30 August 2009 - 08:40 PM

Bump? Sorry if this is bad but I kinda have this problem and it won't go away and I don't know what to do. I ran my antivirus and during the time the svchost went back to a normal number and the scan said nothing was wrong, but afterwards it went right back up into the 200,000Ks. Sorry if what I am doing is wrong, but I would really appreciate some help. Thanks

#3 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:34 PM

Posted 30 August 2009 - 09:12 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#4 Razeblaze


Posted 30 August 2009 - 10:33 PM

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 6.0.6001 Service Pack 1

8/30/2009 8:19:02 PM
mbam-log-2009-08-30 (20-19-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 233608
Time elapsed: 40 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


When I restarted my computer, I checked my processes and the svchost is still taking 120,00K. I don't know if that is supposed to be right.

#5 Computer Pro


Posted 01 September 2009 - 05:39 PM

Before the problem started happening, did you make any software or hardware changes to your computer?
Computer Pro

#6 Razeblaze


Posted 01 September 2009 - 11:35 PM

Not that I can remember, but is svchost running that high normal?

#7 Computer Pro


Posted 02 September 2009 - 06:40 PM

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Computer Pro

#8 Razeblaze


Posted 02 September 2009 - 07:19 PM

Process PID CPU Description Company Name
System Idle Process 0 94.64
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 1.03
smss.exe 424
csrss.exe 492
wininit.exe 548
services.exe 604
svchost.exe 780
WmiPrvSE.exe 3648
svchost.exe 908
cmdagent.exe 976
svchost.exe 200
svchost.exe 264
atiesrxx.exe 440
atieclxx.exe 1380
svchost.exe 480
audiodg.exe 1080
svchost.exe 704 0.51
dwm.exe 2696 0.51 Desktop Window Manager Microsoft Corporation
svchost.exe 952
taskeng.exe 2420
taskeng.exe 2680 Task Scheduler Engine Microsoft Corporation
svchost.exe 1108
SLsvc.exe 1128
svchost.exe 1156
spoolsv.exe 1656
sched.exe 1680
svchost.exe 1696
avguard.exe 1936
AppleMobileDeviceService.exe 1980
mDNSResponder.exe 1996
svchost.exe 300
RalinkRegistryWriter.exe 1840
svchost.exe 2060
svchost.exe 2096
SearchIndexer.exe 2124
iPodService.exe 3780
wmpnetwk.exe 4012
TrustedInstaller.exe 2672
lsass.exe 616
lsm.exe 624
csrss.exe 568 0.51
winlogon.exe 804
explorer.exe 2768 Windows Explorer Microsoft Corporation
MSASCui.exe 3056 Windows Defender User Interface Microsoft Corporation
cfp.exe 3064 COMODO Internet Security COMODO
RaUI.exe 684 Edimax Wireless Utility Edimax Technology Co., Ltd.
wmpnscfg.exe 3972 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
chrome.exe 3692 Google Chrome Google Inc.
chrome.exe 4024 0.51 Google Chrome Google Inc.
chrome.exe 3748 Google Chrome Google Inc.
chrome.exe 3968 0.51 Google Chrome Google Inc.
chrome.exe 1780 Google Chrome Google Inc.
chrome.exe 2448 Google Chrome Google Inc.
chrome.exe 1904 Google Chrome Google Inc.
procexp.exe 3096 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
procexp64.exe 3252 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
avgnt.exe 460 Antivirus System Tray Tool Avira GmbH
MOM.exe 2596 Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
CCC.exe 3624 Catalyst Control Centre: Host application ATI Technologies Inc.
iTunesHelper.exe 1388 iTunesHelper Module Apple Inc.
jusched.exe 3156 Java™ Platform SE binary Sun Microsystems, Inc.
digsby-app.exe 2624 0.51 Digsby IM dotSyntax, LLC
aspell.exe 3328
ielowutil.exe 2548 Internet Explorer Microsoft Corporation
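
For the question this thread keeps returning to (which of several svchost.exe instances is the large one, and whether it is a genuine service host), here is an added example that is not part of any post above: a PowerShell inventory of every svchost.exe with its working set, hosted services, image path and parent. The 100 MB threshold is an arbitrary assumption for illustration; the script needs PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt.

```powershell
# Added example (not from the thread): inventory every svchost.exe instance.
# Assumption: $ThresholdMB is an arbitrary cut-off chosen for illustration.
$ThresholdMB = 100

# Expected image path. A 32-bit service host under SysWOW64 can also be
# legitimate on 64-bit Windows, so treat PathOK = False as "look closer".
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map PID -> services hosted in that process (what "tasklist /svc" shows).
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object ProcessId -AsHashTable -AsString

# services.exe is the normal parent of every svchost.exe.
$servicesExe = (Get-CimInstance Win32_Process -Filter "Name='services.exe'").ProcessId

Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    # WorkingSetSize is in bytes; Task Manager's column may show a
    # different memory counter, so the numbers need not match exactly.
    $wsMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
    $svc  = $servicesByPid["$($_.ProcessId)"]
    [pscustomobject]@{
        PID          = $_.ProcessId
        WorkingSetMB = $wsMB
        Services     = if ($svc) { ($svc.Name | Sort-Object) -join ',' } else { '(none)' }
        # ExecutablePath is empty when the caller lacks rights to query it,
        # which also yields False here; run elevated before drawing conclusions.
        PathOK       = ($_.ExecutablePath -eq $expected)
        ParentOK     = ($_.ParentProcessId -eq $servicesExe)
        Large        = ($wsMB -ge $ThresholdMB)
    }
} | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
```

PathOK and ParentOK only confirm that the host process itself is the genuine svchost.exe; the Services column is what tells you which hosted service to look at for the memory use.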

#9 Computer Pro


Posted 02 September 2009 - 08:19 PM

Ok, let's try SAS.

Please run ATF and SAS:
Credits to Boopme

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note 2: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#10 Razeblaze


Posted 05 September 2009 - 09:41 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/05/2009 at 06:59 PM

Application Version : 4.27.1002

Core Rules Database Version : 4086
Trace Rules Database Version: 2026

Scan type : Complete Scan
Total Scan Time : 01:01:24

Memory items scanned : 136
Memory threats detected : 0
Registry items scanned : 6083
Registry threats detected : 0
File items scanned : 158989
File threats detected : 9

Adware.Tracking Cookie
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@ads.bleepingcomputer[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@apmebf[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@atdmt[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@casalemedia[2].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@collective-media[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@doubleclick[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@msnportal.112.2o7[1].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@revenue[2].txt
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\Low\taylor@revsci[2].txt

Wow it really worked, it got rid of the svchost that was over 100,000K. Thanks!

#11 Computer Pro


Posted 07 September 2009 - 05:23 PM

Hmm, I guess something just clicked to make it work, haha : ). Well glad I could help!
Computer Pro



