Sign in to follow this  
Followers 0

winxp Svchost.exe -k netsvcs

17 posts in this topic

Posted

hello people, i have come here looking for help with a small problem that has been bugging me for a few days now... every so often (random times) something has been reading something from my drive..... i have used process monitor to try and track it down and it seems to be something with SVCHOST.EXE.. have looked into it further and it seems that it is PID 1076 which is svchost.exe -k netsvcs.. this does not worry me as i have checked it out and it is a system file and not some sneaky trojan :)

PID 1076 is currently managing the following services

svchost.exe 1076 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,

EventSystem, helpsvc, LanmanServer,

lanmanworkstation, Netman, Nla, RasMan,

Schedule, seclogon, SENS, ShellHWDetection,

TapiSrv, Themes, W32Time, winmgmt

what is worrying me though is its reading some rather odd files such as c:\boot.ini

i have uploaded a CSV file to this http://homepage.ntlw...er4/Logfile.CSV

system is virus/trojan/malware/spyware/rootkit free ... have also checked network traffic with a deep packet scanner and nothing is going in or out that should'nt be..

any help to point me in the right direction would be appreciated :D

Thanks in advance

Share this post


Link to post
Share on other sites

Posted

You're right svchost.exe is a legit process but malware can inject itself into the process. Can you go into process explorer, then 'View' -> 'Select Columns'. Then expand the PID 1076 svchost.exe and make sure the patch colum shows the complete pathnames of the attached processes and take a SS of this for us to see.

Also run HijackThis and attach a log file: http://downloads.sou.../HijackThis.exe

Share this post


Link to post
Share on other sites

Posted

try opening a command prompt then running the following command:

tasklist /svc /fi "imagename eq svchost.exe"

That will tell you what services are being controlled by the service host. You can find out the process id of the one causing the problem from the task manager and that will help you narrow things down.

Share this post


Link to post
Share on other sites

Posted

JJ: all the info you require is in that CSV file open it in excel

here is a hijackthis log for you.. trust me this will probably the most clean system you will ever see :p

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 01:29:57, on 10/04/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\AVAST Software\Avast\avastUI.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\DAEMON Tools Lite\DTLite.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

F:\FireFox Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301844339515

O17 - HKLM\System\CCS\Services\Tcpip\..\{5038D304-587F-46FF-B261-B7D2A18BFB23}: NameServer = 194.168.4.100,194.168.8.100

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe

O23 - Service: Creative Dolby Digital Live Pack Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\DDLLicensing.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--

End of file - 5413 bytes

Joker999: did you even read my post ? ... i already gave a list of services running under the suspected SVCHOST.EXE process

Share this post


Link to post
Share on other sites

Posted

if it were not for certain tasks like punkbuster / wcesscom / rapimgr (wcess and rap are for my htc tytn II) loading my total processes would be 24... take off crappy ati's CCC / daemon tools lite and it would be 22 processes :p even less without the antivirus :p

Share this post


Link to post
Share on other sites

Posted

Yes i read your post, but wasnt sure if same thing as you found that. But yeah. :)

/me half sleep

Share this post


Link to post
Share on other sites

Posted

It could be the search indexer, or reliability monitor running their task scheduler jobs. Google on how to disable.

Share this post


Link to post
Share on other sites

Posted

The HJT log run through http://www.hijackthis.de looks ok, don't know why you have your network adapter set up with your ISP DNS servers because your router should already have these set.

Other than that what sort of memory/cpu usage is this svchost.exe process using?

Share this post


Link to post
Share on other sites

Posted

It's normal. I just checked it on my system.

ProcessMonitorsvchost.png

Share this post


Link to post
Share on other sites

Posted

As xendrome suggested, disable useless services & scheduled tasks. Defragging & disabling/clearing prefetch will also speed up things.

Share this post


Link to post
Share on other sites

Posted

Not :rolleyes:

Share this post


Link to post
Share on other sites

Posted

Not you silly :rolleyes:

Share this post


Link to post
Share on other sites

Posted

I know it wasn't directed at me.

Clearing prefetch?

Share this post


Link to post
Share on other sites

Posted

%systemroot%\prefetch

Ctrl+A then delete

Share this post


Link to post
Share on other sites

Posted

I understand what you are suggesting, I'm saying there is no performance benefit from doing so. Quite the opposite actually (however negligible).

Share this post


Link to post
Share on other sites

Posted

Perhaps 'speed up things' wasn't quite the word to use but in context to the original post, the OP was bugged about background usage of their drive. It depends on each individual scenario and prefetch has both its ups and downs but disabling it is not as detrimental on the running of Windows as you make it sound :)

Share this post


Link to post
Share on other sites

Posted

talking about the prefetch folder, i had just visited another post on here regarding that last night, because i had noticed that layout.ini was 500K in size and referencing things that shouldnt be there lol like E:\documents and settings... which has never been on E: drive .. i had a backup on there but as soon as my OS was reinstalled last year all i did was copy the contents from there to C: and then it was removed when windows was working correctly... so deleted entire contents of prefetch including the layout.ini and rebuilt it. now svchost is still doing file operations but its making nowhere near as much noise, before the only way to describe it was that it it sounded like like the drive had errors and was reading bad sectors. which is better than it was.

so i shall see how things go... svchost is not using up any CPU time at all according to task manager.. which is a lie as it will be using some.. just not enough to show up

services have always been trimmed down on here as i like a lean operating system, even upnp and ssdp are switched off :)

as per the forced dns, i have manually assigned IP address and not one dolled out by the routers dhcp as i have this pc an HTPC and 2 mobiles that hook into the router and i like to know where my machines are, especially for the HTPC for xfering files around the network.

also i must say thanks to all the people who replied, sorry if i came across as snappy at first but after trying to ask the same things on "The Tech Guys" forum, read this http://forums.techguy.org/windows-xp/1047834-svchost-k-netsvcs-drive-thrashing.html and you will understand why :)

i've just watched those guys give me a ban for telling somebody that doesnt ever rememeber setting a password for his xp's windows admin account, to try ultimate bood cd's NT password tool, just gave him basic links to trying to boot with a linux live cd and now its ended up with him formatting his drive and losing everything he had.

i also got into an arguement with the mods about telling somebody to download an iso of windows xp as he never had an original, i never gave him links

all i said was use google lol, told him he needs to format and reinstall... how can he do that if he has no install cd :p they just seem that every answer to every problem involves hijack this and a format :D

plz again sorry if i came across as snappy but thanks for decent replies they are greatly appreciated and seems like you atleast have knowledgeable people around here :D

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.