svchost.exe running high cpu

  1. #1
    soundsev3n (Full Member)

    I've started using an old Dell that was laying around and have a problem with the task SVCHOST.exe (Local Service) constantly running the cpu at least 45-50%.

    Why would this run so high?

    Running XP Home Edition Version 2002
    (computer has seen sporadic use over the last 5 years and currently cannot connect to the internet)


  2. #2
    jephree
    SVCHOST is a marker for a generic service.

    As long as it is not listed as SYSTEM there should be no harm in ending it.

    If you want to identify it go through your open programs and see what isn't working.

    If it is automatically starting you can experiment with the disable function in CCleaner:

    CCleaner - Home

    Tools > Startup

  3. #3
    soundsev3n (Full Member)

    Originally posted by jephree:
    > SVCHOST is a marker for a generic service.
    >
    > As long as it is not listed as SYSTEM there should be no harm in ending it.
    >
    > If you want to identify it go through your open programs and see what isn't working.

    -When I ended svchost.exe (Local Service)... the task "system" in the task manager went nuts. (jumped to 45-65% and would not go down)
    -I restarted in safe mode.

    Originally posted by jephree:
    > If it is automatically starting you can experiment with the disable function in CCleaner:
    >
    > CCleaner - Home
    >
    > Tools > Startup

    -In normal running mode the only start-up process listed was ctfmon.exe.
    -However, in safe mode it listed msmsgs.exe. I removed it from the startup list. Since I was already using CCleaner I scanned and cleaned the computer.
    -I restarted in regular running mode
    -CPU now running 99% free in normal running mode.
    -Unexpected but satisfying nonetheless.

    I'm now in the process of stripping all unnecessary software and files from the computer. Can anyone assist me with this by viewing logs from HijackThis or other software? Should I start a different thread in a different area?

  4. #4
    jephree
    As long as you are not battling a critical infection then go ahead and post a HijackThis log here.

    Just BTW CTFMON is about all Windows needs to start.

    MSMSGS is Windows Messenger, which I always recommend turning off unless you are an active user of it.

  5. #5
    soundsev3n (Full Member)
    I'm not sure of a critical infection... let me know if I need to visit the malware/etc section.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:38:43 AM, on 2/1/2009
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://microsoft.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall....eInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
    O16 - DPF: {A28DAC07-0D34-4A90-A0E6-CEE27208C86D} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 3982 bytes

  6. #6
    jephree
    If you want a security analysis then repost your log in the HijackThis section.

    To me it looks pretty clean but you still have Windows Messenger as well as Narrator running at startup.

    Narrator is an accessibility tool for speech commands.

    You can check Start > Run... > msconfig > Startup and see if that will end these from starting.

    Messenger has two options within it. One is to open the messenger and Preferences and remove auto start and remove run in background.

    There is also a setting in Outlook Express > Tools: start messenger with windows.

    As to the narrator I am not familiar. Look under start > All Programs > Accessories > Accessibility > Narrator
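
Added example, not part of any post in this thread: a small Python triage of the HijackThis log format shown in post #5. It decodes the O4 autorun lines that post #6 discusses and lists entries worth a second look; the function names and the choice of what to flag are assumptions made for this illustration.

```python
import re

# Constructed sample: seven lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet5_20.dll' missing
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
AUTORUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
                     r"(?: \(User '(?P<user>[^']*)'\))?$")

def parse_entries(log):
    """Return (section, detail) pairs; header and process-list lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def autoruns(log):
    """Decode registry O4 lines into key, value name, command and owning account."""
    out = []
    for section, detail in parse_entries(log):
        m = AUTORUN.match(detail) if section == "O4" else None
        if m:  # O4 lines without a [name] part (Startup folder items) are skipped
            out.append(m.groupdict())
    return out

def review_list(log):
    """Entries to check by hand: dangling references, broken LSP, unattributed services."""
    flagged = []
    for section, detail in parse_entries(log):
        if detail.endswith("(file missing)"):
            flagged.append((section, "target file missing", detail))
        elif section == "O10":
            flagged.append((section, "Winsock LSP entry broken", detail))
        elif section == "O23" and " - Unknown owner - " in detail:
            flagged.append((section, "service reported as 'Unknown owner'", detail))
    return flagged

if __name__ == "__main__":
    for a in autoruns(SAMPLE_LOG):
        print(f"{a['user'] or 'current user'}: {a['name']} -> {a['cmd']}")
    for section, reason, _ in review_list(SAMPLE_LOG):
        print(section, reason)
```
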