Why do I have 13 svchosts.exe running

Status
Not open for further replies.

Akai

My computer isn't running as fast as it used to. My computer is custom built and this thing is a beast: quad core processor, 8GB RAM, etc etc. This should not be slow for running Windows Vista x64bit. I've wiped it out once, but yet I'm wondering why I have 13 "svchosts.exe" running in my task manager and how I have 20% CPU usage when I'm running AIM and a browser. I would normally have 1 or 2%.

Just trying to figure out why this thing is slowing down. Picture below.

http://img411.imageshack.us/img411/4503/svhostpicih6.jpg
 
Funny you should ask... was just discussing.. look here

/************* EDIT *******************/
Suggest you have a look with Process Explorer as well.. and run HijackThis and see if spoolsv.exe is listed (out of curiosity now)
 
I ran a HJT log (latest version) and I did find spoolsv.exe in it (just a find search).

Here's my log, maybe someone can look at it and see what's up.
 

Attachments

  • hijackthis.log
    7.8 KB · Views: 7
Hi

I'm not one of the malware removal experts here and will let someone else provide a "definitive" opinion on your HJT log... (tho I can tell you run a 64 bit machine, which is why HJT reports so many "missing" files, and not to be alarmed by that alone)

but based on recent malware found in a scenario similar to yours, I would like to get a bit more info

Could you
  • Start a command prompt (Start->Run, cmd. tho may need a little more due to UAC in Vista), but I would like you to get to a command prompt and enter and post the results of tasklist /svc /fi "imagename eq svchost.exe"
  • Suggest you try installing Process Explorer as it will give more detail for analysis
  • Exactly which version of Vista are you running?
  • As a quick test just to see if your symptoms happen to point to the similar problem found, you can try disabling the Print Spooler Service then reboot. (You won't be able to print anything when it's disabled, but see how your machine runs then.) Here's a link that should help show how.

I gotta run a short while but will look back on you when I return (see how you're doing and if anyone has joined the thread).
 
Image Name PID Services
========================= ======== ============================================
svchost.exe 812 DcomLaunch, PlugPlay
svchost.exe 924 RpcSs
svchost.exe 992 WinDefend
svchost.exe 320 AudioSrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe 308 AudioEndpointBuilder, EMDMgmt, IPBusEnum,
Netman, PcaSvc, SysMain,
TabletInputService, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum, wudfsvc
svchost.exe 484 AeLookupSvc, BITS, Browser, CertPropSvc,
gpsvc, IKEEXT, iphlpsvc, LanmanServer,
MMCSS, ProfSvc, RasMan, Schedule, seclogon,
SENS, SessionEnv, ShellHWDetection, Themes,
UxTuneUp, Winmgmt, wuauserv
svchost.exe 1096 EventSystem, fdPHost, FDResPub,
LanmanWorkstation, Mcx2Svc, netprofm, nsi,
SSDPSRV, SstpSvc, upnphost, W32Time,
WebClient
svchost.exe 1252 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
TermService
svchost.exe 1608 BFE, DPS, MpsSvc
svchost.exe 2616 PolicyAgent
svchost.exe 2780 stisvc
svchost.exe 2812 WerSvc

That is what I got when I ran the command you gave me. I'm running Windows Vista Home Premium 64bit. And I can disable the printer spool after you or someone looks at what I posted above and see if it's needed.

Thanks for your help so far!
 
well..

1. nothing jumps out at me from your HJT (tho you should look at it to confirm what's listed as "your trusted zones")
2. no indication that spooler should be the issue either
3. Is normal to have many svchosts (is one reason malware sometimes hides in them). Windows will run one or more services in a single svchost. You can see which services in which svchost from the tasklist output. But no indication here either of bogus services in your svchosts, that I can see.
4. See if you can get another opinion on your HJT (can be slower around here on weekends)
5. And in the meantime, note that if you click the CPU column header in Task Manager you can order processes numerically so you put the process taking most CPU at the top of the list. Why don't you keep an eye on it while the system is running, and in particular when running slow, to see if any process in particular shows a high CPU pattern. (Note: Ignore System Idle Process. A big number there is good. It just helps add things up to 100%)
 
Okay I followed all the steps and here are the logs.
 

I did not see any threats in your HJT log. SVCHOST.EXE is used to run .dll files, that are associated with various programs or services.

Suggest that you go along with LookinAround's suggestion about running Process Explorer to determine what is using SVCHOST. My guess is that these are legitimate processes, therefore nothing to worry about.
 
You have an extraordinary number of Services running and they aren't configured correctly. Many of them display as 'svchost.exe' when running. Please go through Parts 1,2, and 3 of the Vista Services Guide here: http://www.tweakvista.com/articles/38662/vista-service-guide-part-1/

Make a list of the Services to reset to one of the three Start-up types, but don't do it yet.

The following entries should be removed and each Service reconfigured correctly according to the information for each. Remember, many Services can be set to Manual so that they only start when needed. Only a few need to be on Automatic, and some can be Disabled. Be sure to check the Dependency tab when re-setting the Service startups.

Reopen HijackThis and scan. CHECK the following:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O13 - Gopher Prefix:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - Unknown owner - C:\Windows\System32\TuneUpDefragService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.
Start> Run> type in 'msconfig' without the quotes> Enter> Selective Startup> Startup menu> UNCHECK ALL processes EXCEPT the antivirus & firewall> Apply> OK.

Remove all of these sites from the Trusted Zone- your use of the wild card * gives too much permission to these domains:
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O15 - Trusted Zone: .shoutcast.com
O15 - Trusted Zone: .winamp.com

Start> Run> type in services.msc> look for each of the Services that we removed. Right click on the Service> Properties> Reconfigure them according to the information of their use. You do not need to Start the Service. Those needed will start when you boot.

Reboot into Normal Mode. You will get a nag message that you can close after checking 'don't show this message again'. You must stay in Selective Startup.

Download and install the current Java> v6u7:
http://java.com/en/download/manual.jsp

Rescan with HijackThis and attach the log.

A NOTE per a previous reply: The Print Spooler Service needs to be set to Automatic. Make sure the RPC Service is also started.
 
Okay I did these:

1.) Went through that guide and disabled:
Certificate Propagation
Desktop Window Manager Session Manager
Function Discovery Provider Host
Messenger Sharing Folders USN Journal Reader service
ReadyBoost
Tablet PC Input Service
Windows Defender
Windows Error Reporting Service
Windows Firewall

2.) Removed/Fixed those HJT entries.

3.) Rebooted into safe mode

4.) Went into msconfig> Startup and disabled all except firewall and anti-virus

5.) Removed those sites from trusted site.

6.) Rebooted into normal mode

7.) Installed Java

Here is my HJT log. I still have all those svchost.exe running and ridiculous CPU usage.
 
Don't change anything till you get a new HJT opinion, but in parallel you can monitor your CPU usage (good to do anytime)

  • Install Process Explorer
  • Click Options and set Hide when Minimized, Allow Only One Instance, Confirm Kill, CPU History in Tray Icon
  • Whenever PE is open, you can click the CPU column header to see processes sorted by CPU usage. When usage is high, check the top of the list, OR
  • Minimize PE. Note the red and green waves through its system tray icon
    • Green indicates total CPU usage
    • Red indicates the process using the most CPU time
    Hover the cursor over the icon to get the info
Whenever total CPU usage seems high, check which process(es) are using up most of it.

Also.. install Autoruns and then run autoruns.exe. Notice its status in the lower left corner of the window
  • Hit the ESC key (upper left on your keyboard) to stop scanning
  • Click Options and check Verify Code Signatures. Other options should be unchecked
  • Click File->Refresh to start scanning
  • Wait until the status in the lower left says Done. Then click File->Save As, save to a text file and attach it back here
 
Okay, believe it or not, HiJackThis should only be run if you suspect you have been 'hijacked' by
malware. Re: Missing Files? Look in your Windows\System32 folder. Do you see the 'missing files' there? If you do, they are not missing.
Lack of permissions on the system folder is the most likely explanation. As the user account would be denied access to the system folder, the HJT tool cannot confirm that the file mentioned by the run entries exists, so therefore lists it as missing.

Reopen HijackThis and scan. Put a CHECK by these processes:
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Regarding this:
(WindowsWelcomeCenter is not necessary for startup. It is usually run infrequently and can be started manually if needed. It shows the Welcome Center every time you boot into Windows Vista.)
These are still showing in the Trusted Zone. Suggest they be moved out:
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw

Regarding the number of svchost.exe processes. I have 11 running, but I don't have any with a memory consumption of the one you have with 133,365K. That is one to be concerned about. The others are within normal limits. See if turning off the Welcome Center stops this one. If it does not, go into the Task Manager> View> set Columns> check the PID column. Give me the PID for THIS svchost.exe only.
 
Okay, so I looked at HJT and found all the "(file missing)" entries, and checked my System32 folder, and they were all there. I only didn't find one. Here they all are:

dfsr.exe
alg.exe
lsass.exe
msdtc.exe
nvvsvc.exe
locator.exe
SLsvc.exe
snmptrap.exe
spoolsv.exe
TuneDefragService.exe
UI0Detect.exe
vds.exe
Vssvc.exe

WmiApSrv.exe was the only one I couldn't find in the folder. But if all those above showed up missing, but are in the folder, then why does it say file missing in HJT?

I fixed those two entries you told me to do, so I'm assuming that turned off Windows Welcome Center? If not, then not sure how to do it. I tried removing those three links from my trusted sites, but every time I do it, I go back and check and they are still there.

The PID number for the svchost.exe is: 284
It's still showing 139k usage.

Oh and LookAround, I'm going to install that program and I'll post the log.
 
i'll reply to this as i've asked this question before to a friend ,,,,
he answered me saying - svchost.exe stands for service host, this executable runs when u use many files.dll in ur operating system, as long as u are using many xxx.dll this svchost.exe gets bigger and bigger, by default it opens in several sessions, that's why u see this svchost.exe is opened in many sessions in ur task manager ...

but if u r not using any media files or not dealing with .dll yet (like if u just opened ur PC and u see this svchost.exe has many sessions already ...) - u may think there r other programs dealing with ur dlls and making this svchost.exe bigger ?

yes - u may have some trojans or viruses using ur resources, that's why u have this svchost making nasty sizes and it may prevent u from dealing with ur programs - like a "not enough memory to run program" message, and if u tried to remove it from the task manager processes, u may not be able to run media files or u may find a tough time dealing with ur PC drivers - u won't be able to start a game u are sure was running before - ...

now , what u have to do ?
is a full scan for these viruses and search for the nasty trojans that affect ur PC and steal ur PC resources ...

that's just for u to understand what's going on, no more :) - so, have a nice day :))
 
Hi etchhh :wave:. Thanks for joining in the thread and offering some info.

Yes, svchost even when not-malware infected and behaving well can still look suspicious or at least confusing to many users.

But it really is not so related to your media files as it is related to "Windows Services". Windows services are special "helper" type programs that run in the background while your programs run.

And there are many, many different types of Windows services that can handle error reporting, many help in network communication or Plug-and-Play and device discovery, and many more. And since there are sooooo many, they have been divided into functional groups so services in the same group have some similarities among them. The group of services are combined to allow them to all run within a single process. And that single process is svchost.

An svchost may have one service in it. It may have 10. Is just the Windows programmer's decision. But given the nature of svchost - a single process name which occurs multiple times and each contains a different number of things - it's quite a popular target for malware.

But luckily there are very good tools available to help us recognize
  • if it's innocent
  • if it's being used to hide malware
  • if it has no malware... and is just behaving badly on its own!

And then get it all fixed!
 
excellent ^^

really excellent reply LookinAround :), u made it easy even for me to understand how Windows Services work :))

thanks again u really helped me :)
 
Two points to clarify:

Control Panel> Administrative Tools> Services> do a right click> Properties on each Service> look in the 'path to executable' box and you will see those that will show as svchost.exe. This will give you an idea of how many display that way.

When you try to identify a process, most sites will tell you where that process "should be" and go on to tell you that malware will sometimes disguise the file as a legitimate entry. Checking the location can verify the file. And because so many svchost run, that is a 'favorite' disguise for malware.
 
Excellent point.

And knowing things about a process and the physical source of its run-time image is very important. So let me briefly show just a few features of a great tool that quickly puts a wealth of info in front of you, all available from the tool.

  • Install Process Explorer
  • Click Options and set Hide when Minimized, Allow Only One Instance, Confirm Kill, CPU History in Tray Icon
Now we can do a little, uh, Process Exploring!
  • When it's open, hitting the Process Name column header sorts it alpha A-Z, click again and it sorts alpha Z-A, and the 3rd time is the "hierarchical" view.. gives some idea of who called who and when
  • Also note the little + and - boxes to the left of the process name. + means it's compacted. Hit it to expand it. Hit all +'s to expand everything
  • Now, alpha sort and hover the cursor over any svchost.exe process you see and you get a small pop up telling you the services inside.
  • Now right click on svchost, select Properties
Now note the various tabs in Properties
  • Image Tab
    • Version info
    • Path: the physical source loaded from disk
    • Command line.. this is the command used to start it up and the parameters (also good to know when catching malware)
    • Parent: also important for catching some malware. This is the process which STARTED svchost. If the parent doesn't look right.. is a bad sign
  • Performance Tab
    Will only say you can see quite a bit of detail on how CPU, memory and IO are used for this process
  • Services - an even better view of services within the process
  • TCP/IP - lets you know if the process has any TCP/IP communications open
One more thing for now. In the main Process Explorer display click View->Show Lower Pane then View->Lower Pane View->DLLs. Now when you click svchost.exe you see all the DLLs the process is using. Also can be helpful in catching malware

OK. enough typing for now. if u feel like it, play around with Process Explorer. Is way cool tool.
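The checks this post and the one before it describe (image path under System32, parent process, the -k service group on the command line, and which services live inside each host) can be scripted instead of clicked through one process at a time. The script below is an added example, not code posted by anyone in this thread; it uses the WMI classes Win32_Process and Win32_Service and assumes an elevated PowerShell session so that every process's path and command line are readable.

```powershell
# Added example: inventory every svchost.exe and flag the ones that fail the
# checks discussed in the thread. Uses WMI rather than Get-Process so it also
# runs on Vista-era PowerShell. Assumes an elevated session.

$system32 = Join-Path $env:SystemRoot 'System32'

# Map PID -> names of the services hosted in it (same data as: tasklist /svc)
$svcByPid = @{}
Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    if (-not $svcByPid.ContainsKey($_.ProcessId)) { $svcByPid[$_.ProcessId] = @() }
    $svcByPid[$_.ProcessId] += $_.Name
}

$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$report = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $flags = @()

    # 1. Path check: a genuine svchost.exe is loaded from %SystemRoot%\System32.
    #    ExecutablePath is $null when the caller lacks rights to that process,
    #    which is the same reason HijackThis reports "(file missing)".
    if (-not $p.ExecutablePath) {
        $flags += 'path unreadable (run elevated)'
    } elseif ((Split-Path $p.ExecutablePath -Parent) -ine $system32) {
        $flags += "unexpected path: $($p.ExecutablePath)"
    }

    # 2. Parent check: legitimate instances are started by services.exe.
    $parent = $byPid[$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ine 'services.exe') { $flags += "parent is $parentName" }

    # 3. Command-line check: real instances carry "-k <ServiceGroup>",
    #    e.g. "-k LocalSystemNetworkRestricted" as shown in the thread.
    $group = ''
    if ($p.CommandLine -match '-k\s+(\S+)') { $group = $matches[1] }
    else { $flags += 'no -k group on command line' }

    # 4. A host with no registered service inside it deserves a closer look.
    $services = $svcByPid[$p.ProcessId]
    if (-not $services) { $flags += 'hosts no registered service' }

    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        WorkingSetK = [int]($p.WorkingSetSize / 1KB)
        Group       = $group
        Services    = ($services -join ', ')
        Flags       = ($flags -join '; ')
    }
}

# Largest working set first, mirroring the "sort Task Manager by column" advice.
$report | Sort-Object WorkingSetK -Descending |
    Format-Table PID, WorkingSetK, Group, Services, Flags -AutoSize -Wrap
```

An empty Flags column for every row means each svchost.exe passed all four checks; a large working set on a host whose services are all listed and expected (as with the SysMain/Superfetch group later in this thread) is not by itself a sign of infection.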
 
Sorry for the very delayed response.

So I downloaded and installed Process Explorer, and I checked the svchost.exe that is using the most usage (139k) and here's what it showed:


IMAGE
Path: C:\Windows\System32\svchost.exe

Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted



SERVICES
AudioEndpointBuilder - Windows Audio Endpoint Builder (C:\Windows\System32\Audiosrv.dll)
IPBusEnum - PnP-X IP Bus Enumerator (C:\Windows\system32\ipbusenum.dll)
Netman - Network connections (C:\Windows\System32\netman.dll)
PcaSvc - Program Compatibility Assistant Service (C:\Windows\System32\pcasvc.dll)
SysMain - Superfetch (C:\Windows\system32\sysmain.dll)
TrkWks - Distributed Link Tracking Client (C:\Windows\System32\trkwks.dll)
UxSms - Desktop Window manager Session Manager (C:\Windows\System32\uxsms.dll)
WdiSystemHost - Diagnostic System Host (C:\Windows\system32\wdi.dll)
WPDBusEnum - Portable Device Enumerator Service (C:\Windows\system32\wpdbusenum.dll)
wudfsvc - Windows Driver Foundation - User-mode Driver Framework (C:\Windows\System32\WUDFSvc.dll)
 
Okay, I read it. Did the command.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Akai>tasklist /svc /FI "PID eq 292"

Image Name PID Services
========================= ======== ============================================
svchost.exe 292 AudioEndpointBuilder, IPBusEnum, Netman,
PcaSvc, SysMain, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum, wudfsvc

C:\Users\Akai>
 