Svchost.exe -k netsvcs

winxp

16 replies to this topic

#1 JadeFalcon

JadeFalcon

    Neowinian

  • Joined: 09-April 12

Posted 09 April 2012 - 23:22

Hello people, I have come here looking for help with a small problem that has been bugging me for a few days now... every so often (random times) something has been reading something from my drive..... I have used Process Monitor to try and track it down and it seems to be something with SVCHOST.EXE.. have looked into it further and it seems that it is PID 1076, which is svchost.exe -k netsvcs.. this does not worry me as I have checked it out and it is a system file and not some sneaky trojan :)

PID 1076 is currently managing the following services:

svchost.exe 1076 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
EventSystem, helpsvc, LanmanServer,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, ShellHWDetection,
TapiSrv, Themes, W32Time, winmgmt

What is worrying me, though, is that it's reading some rather odd files such as c:\boot.ini

I have uploaded a CSV file to this link: http://homepage.ntlw...er4/Logfile.CSV

System is virus/trojan/malware/spyware/rootkit free ... have also checked network traffic with a deep packet scanner and nothing is going in or out that shouldn't be..

Any help to point me in the right direction would be appreciated :D

Thanks in advance


#2 JJ_

JJ_

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 31-July 05

Posted 09 April 2012 - 23:41

You're right, svchost.exe is a legit process, but malware can inject itself into the process. Can you go into Process Explorer, then 'View' -> 'Select Columns'. Then expand the PID 1076 svchost.exe and make sure the path column shows the complete pathnames of the attached processes, and take a SS of this for us to see.

Also run HijackThis and attach a log file: http://downloads.sou.../HijackThis.exe

#3 joker999

joker999

    GorillaZ

  • Joined: 23-October 03

Posted 09 April 2012 - 23:51

Try opening a command prompt, then running the following command:
tasklist /svc /fi "imagename eq svchost.exe"


That will tell you what services are being controlled by the service host. You can find out the process ID of the one causing the problem from the Task Manager, and that will help you narrow things down.
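A small parser for the output of the tasklist /svc command above, added here as an example (it is not code from the thread): it handles the wrapped service column shown in the first post, answers "which PID hosts service X", and lists any svchost.exe instance that hosts no service at all, which is the cheapest first check before worrying about injection. The sample output is constructed; only the PID 1076 row is the one quoted in the thread.

```python
import re

# Constructed sample of `tasklist /svc /fi "imagename eq svchost.exe"` output in
# the Windows XP layout; only the PID 1076 row is the one quoted in the thread.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    876 DcomLaunch, TermService
svchost.exe                   1076 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, LanmanServer,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, ShellHWDetection,
                                   TapiSrv, Themes, W32Time, winmgmt
svchost.exe                   1124 Dnscache
svchost.exe                   1360 N/A
"""
# image name (may contain spaces), PID, then the services column
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")


def _split_services(field):
    """'A, B,' -> ['A', 'B']; tasklist prints N/A when a process hosts nothing."""
    return [n.strip() for n in field.split(",") if n.strip() not in ("", "N/A")]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; indented lines continue the previous row."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last_pid is not None:
            procs[last_pid][1].extend(_split_services(line))  # wrapped group
            continue
        m = ROW.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1), _split_services(m.group(3)))
    return procs


def host_of(procs, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    want = service.lower()
    return next((pid for pid, (_, svcs) in procs.items()
                 if want in (s.lower() for s in svcs)), None)


def svchost_without_services(procs):
    """svchost.exe PIDs hosting no service: not proof of anything, but the first to inspect."""
    return sorted(pid for pid, (img, svcs) in procs.items()
                  if img.lower() == "svchost.exe" and not svcs)
```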



#4 OP JadeFalcon

JadeFalcon

    Neowinian

  • Joined: 09-April 12

Posted 10 April 2012 - 00:35

JJ: all the info you require is in that CSV file; open it in Excel.

Here is a HijackThis log for you.. trust me, this will probably be the most clean system you will ever see :p

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:29:57, on 10/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\FireFox Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1301844339515
O17 - HKLM\System\CCS\Services\Tcpip\..\{5038D304-587F-46FF-B261-B7D2A18BFB23}: NameServer = 194.168.4.100,194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Creative Dolby Digital Live Pack Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\DDLLicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5413 bytes

Joker999: did you even read my post? ... I already gave a list of services running under the suspected SVCHOST.EXE process.

#5 OP JadeFalcon

JadeFalcon

    Neowinian

  • Joined: 09-April 12

Posted 10 April 2012 - 00:38

If it were not for certain tasks like PunkBuster / wcescomm / rapimgr (wcess and rap are for my HTC TyTN II) loading, my total processes would be 24... take off crappy ATI's CCC / DAEMON Tools Lite and it would be 22 processes :p even less without the antivirus :p

#6 joker999

joker999

    GorillaZ

  • Joined: 23-October 03

Posted 10 April 2012 - 00:52

Yes, I read your post, but wasn't sure if it was the same thing as you found. But yeah. :)

/me half sleep

#7 xendrome

xendrome

    In God We Trust; All Others We Monitor

  • Tech Issues Solved: 13
  • Joined: 05-December 01
  • OS: Windows 8.1 Pro x64

Posted 10 April 2012 - 00:55

It could be the search indexer or Reliability Monitor running their Task Scheduler jobs. Google how to disable them.

#8 JJ_

JJ_

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 31-July 05

Posted 10 April 2012 - 01:15

The HJT log run through http://www.hijackthis.de looks OK. Don't know why you have your network adapter set up with your ISP's DNS servers, because your router should already have these set.

Other than that, what sort of memory/CPU usage is this svchost.exe process using?

#9 xdot.tk

xdot.tk

  • Joined: 29-May 09

Posted 10 April 2012 - 01:27

It's normal. I just checked it on my system.


#10 JJ_

JJ_

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 31-July 05

Posted 10 April 2012 - 01:36

As xendrome suggested, disable useless services & scheduled tasks. Defragging & disabling/clearing prefetch will also speed up things.

#11 xdot.tk

xdot.tk

  • Joined: 29-May 09

Posted 10 April 2012 - 01:39

Not :rolleyes:

#12 JJ_

JJ_

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 31-July 05

Posted 10 April 2012 - 01:42

Not you silly :rolleyes:



#13 xdot.tk

xdot.tk

  • Joined: 29-May 09

Posted 10 April 2012 - 01:45

I know it wasn't directed at me.

Clearing prefetch?

#14 JJ_

JJ_

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 31-July 05

Posted 10 April 2012 - 02:02

%systemroot%\prefetch

Ctrl+A then delete

#15 xdot.tk

xdot.tk

  • Joined: 29-May 09

Posted 10 April 2012 - 02:50

I understand what you are suggesting, I'm saying there is no performance benefit from doing so. Quite the opposite actually (however negligible).