Svchost.exe -k netsvcs



Hello people, I have come here looking for help with a small problem that has been bugging me for a few days now... every so often (random times) something has been reading something from my drive..... I have used Process Monitor to try and track it down and it seems to be something with SVCHOST.EXE.. have looked into it further and it seems that it is PID 1076, which is svchost.exe -k netsvcs.. this does not worry me as I have checked it out and it is a system file and not some sneaky trojan :)

PID 1076 is currently managing the following services:

svchost.exe 1076 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                 EventSystem, helpsvc, LanmanServer,
                 lanmanworkstation, Netman, Nla, RasMan,
                 Schedule, seclogon, SENS, ShellHWDetection,
                 TapiSrv, Themes, W32Time, winmgmt

What is worrying me though is that it's reading some rather odd files such as c:\boot.ini

I have uploaded a CSV file to this http://homepage.ntlw...er4/Logfile.CSV

System is virus/trojan/malware/spyware/rootkit free... have also checked network traffic with a deep packet scanner and nothing is going in or out that shouldn't be..

Any help to point me in the right direction would be appreciated :D

Thanks in advance


You're right, svchost.exe is a legit process, but malware can inject itself into the process. Can you go into Process Explorer, then 'View' -> 'Select Columns'. Then expand the PID 1076 svchost.exe and make sure the path column shows the complete pathnames of the attached processes and take a SS of this for us to see.

Also run HijackThis and attach a log file: http://downloads.sou.../HijackThis.exe


Try opening a command prompt, then running the following command:

tasklist /svc /fi "imagename eq svchost.exe"

That will tell you what services are being controlled by the service host. You can find out the process ID of the one causing the problem from Task Manager, and that will help you narrow things down.

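As an added example (not code from this thread), the following Python script combines the two views the replies describe: it parses `tasklist /svc` output, including the wrapped continuation lines tasklist prints for long service lists, and a Process Monitor CSV export, then reports which svchost service group (PID) touched which paths and how often. Both inputs are constructed samples, not the poster's Logfile.CSV.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of `tasklist /svc /fi "imagename eq svchost.exe"` output;
# the wrapped service list for PID 1076 mirrors how tasklist continues long lists.
TASKLIST_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    876 DcomLaunch, TermService
svchost.exe                   1076 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   EventSystem, helpsvc, Schedule
svchost.exe                   1204 Dnscache
"""
# Constructed Process Monitor CSV export (a few rows, not the poster's Logfile.CSV).
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result"
"01:29:57.001","svchost.exe","1076","ReadFile","C:\\boot.ini","SUCCESS"
"01:29:57.002","svchost.exe","1076","ReadFile","C:\\boot.ini","SUCCESS"
"01:29:57.010","svchost.exe","1076","QueryOpen","C:\\WINDOWS\\Prefetch\\Layout.ini","SUCCESS"
"01:29:57.020","svchost.exe","1204","ReadFile","C:\\WINDOWS\\system32\\drivers\\etc\\hosts","SUCCESS"
"01:29:57.030","explorer.exe","1500","ReadFile","C:\\Documents and Settings\\user\\a.txt","SUCCESS"
"""

def parse_tasklist_svc(text):
    """Map each PID to its service names, joining tasklist's wrapped continuation lines."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", line)
        if m:
            pid = int(m.group(2))
            services[pid] = [s.strip() for s in m.group(3).split(",") if s.strip()]
        elif pid is not None and line.startswith(" "):  # continuation of previous row
            services[pid] += [s.strip() for s in line.split(",") if s.strip()]
    return services

def file_ops_by_pid(csv_text, image="svchost.exe"):
    """Count Process Monitor file operations per PID of `image`, keyed by path."""
    ops = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == image:
            ops.setdefault(int(row["PID"]), Counter())[row["Path"]] += 1
    return ops

def attribute_activity(tasklist_text, csv_text):
    """Join both views: which service group (PID) touched which paths, most frequent first."""
    services = parse_tasklist_svc(tasklist_text)
    return {pid: {"services": services.get(pid, []), "paths": paths.most_common()}
            for pid, paths in file_ops_by_pid(csv_text).items()}
```

Run `attribute_activity` over a real export saved from Process Monitor and the saved output of the tasklist command to see which service group is behind the noisy reads before deciding which service to investigate.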

JJ: all the info you require is in that CSV file, open it in Excel.

Here is a HijackThis log for you.. trust me, this will probably be the cleanest system you will ever see :p

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:29:57, on 10/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
F:\FireFox Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301844339515
O17 - HKLM\System\CCS\Services\Tcpip\..\{5038D304-587F-46FF-B261-B7D2A18BFB23}: NameServer = 194.168.4.100,194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Creative Dolby Digital Live Pack Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\DDLLicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 5413 bytes

Joker999: did you even read my post?... I already gave a list of services running under the suspected SVCHOST.EXE process.


If it were not for certain tasks like punkbuster / wcesscom / rapimgr (wcess and rap are for my HTC TyTN II) loading, my total processes would be 24... take off crappy ATI's CCC / DAEMON Tools Lite and it would be 22 processes :p even less without the antivirus :p


Perhaps 'speed up things' wasn't quite the phrase to use, but in the context of the original post, the OP was bugged about background usage of their drive. It depends on each individual scenario, and prefetch has both its ups and downs, but disabling it is not as detrimental to the running of Windows as you make it sound :)


Talking about the prefetch folder, I had just visited another post on here regarding that last night, because I had noticed that layout.ini was 500K in size and referencing things that shouldn't be there lol, like E:\documents and settings... which has never been on the E: drive.. I had a backup on there, but as soon as my OS was reinstalled last year all I did was copy the contents from there to C:, and then it was removed when Windows was working correctly... so I deleted the entire contents of prefetch including the layout.ini and rebuilt it. Now svchost is still doing file operations, but it's making nowhere near as much noise; before, the only way to describe it was that it sounded like the drive had errors and was reading bad sectors. Which is better than it was.

So I shall see how things go... svchost is not using up any CPU time at all according to Task Manager.. which is a lie as it will be using some.. just not enough to show up.

Services have always been trimmed down on here as I like a lean operating system, even UPnP and SSDP are switched off :)

As for the forced DNS, I have a manually assigned IP address and not one doled out by the router's DHCP, as I have this PC, an HTPC and 2 mobiles that hook into the router and I like to know where my machines are, especially for the HTPC for xfering files around the network.

Also I must say thanks to all the people who replied, sorry if I came across as snappy at first, but after trying to ask the same things on "The Tech Guys" forum, read this http://forums.techguy.org/windows-xp/1047834-svchost-k-netsvcs-drive-thrashing.html and you will understand why :)

I've just watched those guys give me a ban for telling somebody that doesn't ever remember setting a password for his XP Windows admin account to try Ultimate Boot CD's NT password tool; I just gave him basic links to trying to boot with a Linux live CD, and now it's ended up with him formatting his drive and losing everything he had.

I also got into an argument with the mods about telling somebody to download an ISO of Windows XP as he never had an original; I never gave him links.

All I said was use Google lol, told him he needs to format and reinstall... how can he do that if he has no install CD :p They just seem to think that every answer to every problem involves HijackThis and a format :D

Plz again, sorry if I came across as snappy, but thanks for the decent replies, they are greatly appreciated and it seems like you at least have knowledgeable people around here :D
