Posted: 9/9/2005 9:16:23 AM EDT
I have run AVG anti-virus, and it removed 3 downloaders.
The system is Windows XP, 128 megs of RAM, and it is staying at 100% CPU usage. 23 processes running, none of them look suspicious. I have googled most of them and did not find anything out of the ordinary. TRG |
|
Look at the Task Manager, click the CPU column until the process with the most utilization is listed on top, and tell me what it is.
|
|
SVCHost.exe, about 14,000 k usage TRG |
|
|
128mb ram is the first problem; add another stick. 128 is the minimum req amount. Get a good spyware sweeper like ad-aware and run it after updating it. |
|
|
Adaware and Spybot have both been run on it. TRG |
||
|
well without knowing much about that windows file, i would say try to run a scandisk and a defrag as well...but you do need more ram anyway.
|
|
Cool. 1. Note the process ID (PID) in Task Manager. 2. From a command prompt, type 'tasklist /svc'. 3. Paste the services that match up with the svchost.exe instance whose PID matches the one you noted in step 1. |
|
|
Well, I agree that more ram would be helpful, but this is CPU usage that is being eaten up. I have a desktop station next to it that has identical processing and memory, and it is running fine...? TRG |
|
|
This could be caused by spyware or other programs that are loading up and taking control of your CPU. What version of windows are you using?
EDIT: XP....I saw that above... Try clicking on Start -> Run and type in MSCONFIG. This is a utility that will show you what programs are being run at startup. I usually disable the software that I don't recognize and restart and see if that will help you. |
|
Oops! I forgot to add something to my previous post. To see the process ID column in Task Manager, you'll need to click View->Select Columns... and check "PID".
|
|
Will do. Thanks for taking the time to help out. Will paste the list in a few minutes. TRG |
||
|
Update:
Just on a hunch, I installed a new version of Adaware. 38 objects found so far. This computer had been sent out for 'cleaning' several months ago. It was 'supposed' to be free of spyware. After Adaware finishes, I will get the SVChost list. TRG |
|
BTW - I also forget that not everybody runs XP Pro. Tasklist.exe isn't available in XP home, but it can be downloaded if need be.
Also: If you find copying and pasting from a cmd prompt to be a pain in the ass, you could always type something like: tasklist /svc > C:\TheRedGoat.txt and post the contents of the text file you just created in the root of drive C. |
|
Will Do. The processor is so overloaded that I am having trouble opening the start menu to get to the cmd window. Ugh. TRG PS. I should mention that I hate computers. |
|
|
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     788 N/A
CSRSS.EXE                    836 N/A
winlogon.exe                 860 N/A
SERVICES.EXE                 904 Eventlog, PlugPlay
lsass.exe                    916 ProtectedStorage, SamSs, NtLmSsp
SVCHOST.EXE                 1088 RpcSs
SVCHOST.EXE                 1104 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 Iprip, Irmon, lanmanserver,
                                 lanmanworkstation, Messenger, Netman, Nla,
                                 RasMan, seclogon, SENS, ShellHWDetection,
                                 TapiSrv, TermService, Themes, TrkWks,
                                 uploadmgr, W32Time, winmgmt, WmdmPmSp,
                                 wuauserv, WZCSVC
SVCHOST.EXE                 1264 Dnscache
SVCHOST.EXE                 1276 LmHosts, RemoteRegistry, WebClient
LexBceS.exe                 1784 LexBceS
Lexpps.exe                  1844 N/A
SPOOLSV.EXE                 1852 Spooler
ati2evxx.exe                 816 Ati HotKey Poller
avgamsvr.exe                1396 Avg7Alrt
avgupsvc.exe                1708 Avg7UpdSvc
SAgent2.exe                 1740 EPSONStatusAgent2
inetinfo.exe                 308 IISADMIN
MSDTC.EXE                    532 MSDTC
explorer.exe                2904 N/A
SynTPLpr.exe                3444 N/A
SynTPEnh.exe                3404 N/A
DadApp.exe                  3412 N/A
avgcc.exe                   3924 N/A
avgemc.exe                  1720 N/A
TeaTimer.exe                2280 N/A
taskmgr.exe                 3544 N/A
CMD.EXE                     3852 N/A
TASKLIST.EXE                1180 N/A
wmiprvse.exe                3676 N/A
|
Which instance of svchost is the one that's hogging your processor? I need the PID (from Task Manager) of the problem instance of svchost.exe
|
|
I rebooted into Safe Mode, because the system is almost unusable in regular mode.
I compared the Safe Mode version of the tasklist /svc. I have found a few files that are the same in SVCHost, and the system is fine right now... so, it must be one of the others causing the issue. The following are the files running in SVC when the system is bogged down: AudioSrv, ERSvc, EventSystem, FastUserSwitchingCompatibility, Iprip, Irmon, Nla, RasMan, seclogon, SENS, ShellHWDetection, Tapisrv, themes, Trkwks, Wmdmpmsp, wuauserv. How can I disable these, and prevent them from loading? Or load them manually and see which is the issue? TRG |
|
Iprip is a virus entry.
Editing the registry and removing its damage. TRG |
|
Bingo!
Processor usage just dropped to 10%. Here are the instructions I followed after identifying the virus entry. securityresponse.symantec.com/avcenter/venc/data/backdoor.ripgof.html Had to edit the entries from Safe Mode. Could NOT have done it without your help SubNetMask. I really appreciate your tips on listing the SVCHOST information. TRG |
|
Well, the computer is still not completely fixed. The start menu will not work. Not all apps are loading that need to at startup. I've got to keep working on it to make it 100% again, but... Using the dump of the tasklist, and comparing it to the Safe Mode dump was VERY helpful. With the dump I could google the items that I needed to focus upon, and it narrowed down my search. Running SUPER fast in Safe Mode was the biggest clue that it had to be software, and the 99% usage of the SVCHOST file pointed out the area affected. TRG |
|
|
|
I'll give them all a try. I am still NOT able to use my start menu. I get an hourglass cursor when I point to it. Suggestions? regsvr32 /i shell32.dll did not help. TRG |
|
|
get your windows xp cd and put it in the drive.
(if you can't go to start then run) then using windows explorer open to c:\windows\system32\ double click the cmd icon. it will be a black icon with a c:\ picture. you'll have the command prompt then type sfc /scannow otherwise click start then run type sfc /scannow and it will scan for altered files. i doubt it will fix the problem but it's worth a try. you will either have to go back to a previous restore point or do a fresh install |
|
I am running the sfc /scannow right now. FWIW, you can use Windows Task Manager's menus... File --> Run to get a run dialog box. That is about the only thing that works on the machine at present. LOL TRG |
|
|
Looks like I am dead in the water without a Windows XP Service Pack 1 CD, right now.
TRG |
|
thanks I forgot about that one. I usually remember you can do that when i am working in safe mode with command prompt only. good luck |
||
|
You're welcome. BTW - I lost my internet access until about 10 minutes ago (wireless provider) What I wanted to write earlier, was that one of the services controlled by svchost (PID 1104) was the culprit, but that it's difficult to pin down which one it is. There is no way to see how much processor time each is taking individually. Your technique of booting in safe mode and comparing the differences was a very good idea. Hell, I didn't even think of that. I was going to start googling each one of those services and seeing if any didn't belong. |
|
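The normal-boot versus Safe Mode comparison described in the posts above, as an added example that is not from any poster in this thread: it parses two `tasklist /svc` dumps (including wrapped service lists) and reports which svchost-hosted services appear only in the normal boot. The two dumps are constructed, abridged samples, and the function names are hypothetical.

```python
import re

# Constructed, abridged dumps in `tasklist /svc` layout (not the poster's files).
NORMAL = """\
Image Name                   PID Services
========================= ====== =============================================
SVCHOST.EXE                 1088 RpcSs
SVCHOST.EXE                 1104 AudioSrv, Browser, CryptSvc, Dhcp, Iprip,
                                 Netman, Themes, wuauserv
SPOOLSV.EXE                 1852 Spooler
"""
SAFE_MODE = """\
Image Name                   PID Services
========================= ====== =============================================
SVCHOST.EXE                  912 RpcSs
SVCHOST.EXE                  940 Browser, CryptSvc, Dhcp, Netman
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")  # image name, PID, services

def parse_svc(dump):
    """Map (image name lower-cased, PID) -> set of lower-cased service names."""
    table, key = {}, None
    for line in dump.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():        # wrapped service list continues the previous row
            if key is None:
                continue
            services = line
        else:
            m = ROW.match(line)
            if not m:
                key = None
                continue
            key = (m.group(1).lower(), int(m.group(2)))
            table[key] = set()
            services = m.group(3)
        table[key].update(s.strip().lower() for s in services.split(",")
                          if s.strip() and s.strip() != "N/A")
    return table

def hosted(table, image="svchost.exe"):
    """Union over all instances of one image; PIDs change between boots."""
    return {s for (img, _), svcs in table.items() if img == image for s in svcs}

def only_in_normal(normal, safe, image="svchost.exe"):
    """Services hosted by `image` in the normal boot but absent in Safe Mode."""
    return sorted(hosted(parse_svc(normal), image) - hosted(parse_svc(safe), image))

def pids_hosting(dump, service):
    """PIDs of the processes that host the named service."""
    return sorted(pid for (_, pid), svcs in parse_svc(dump).items() if service.lower() in svcs)
```

The difference is only a shortlist: each name on it still has to be checked against what should be installed on the machine, as was done by searching for each entry in this thread.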
|
No problem on you not getting back to me right away. Just the steps, and advice given by you and others was enough to get me pointed in the right direction. The Text file with each of the items from SVCHOST helped tremendously. Did not know that I could break down the svchost list. TRG |
||
|
On a similar vein, what would cause a system's clock speed to slow down? When I first boot my laptop and left click on My Computer it says it's running at 1.8; after an hour or so it says it's running at 540. Does it mean there is something wrong with the chip?
|
|