Re: long system freeze
- From: "Gerry" <gerry@xxxxxxxxxx>
- Date: Sun, 4 Jan 2009 17:58:07 -0000
C:\WINDOWS\system32 is the copy in use
C:\WINDOWS\ServicePackFiles\i386 is a spare copy of the copy in use.
C:\WINDOWS\$NtServicePackUninstall$ is the file to be restored if you
decide to uninstall the current copy.
None are fake/malicious unless one came as a result of malware
activity. You should not attempt to remove unless you have specific
grounds for knowing that one is an impostor. This seems unlikely.
The problem could still be malware for the reasons I have indicated in
another post. The problem in my opinion is not svchost.exe. It could be
something that is using svchost.exe. This is why if you see excessive
CPU usage involving svchost.exe it is important to identify the Command
Line because you can then identify the Service causing the usage.
Six copies of svchost.exe running in Task Manager / Process Explorer is
normal. In Process Explorer you will see that each has a different
Command Line, i.e. start up item. Thus one is
C:\WINDOWS\system32\svchost -k DcomLaunch. On my computer this handles
the services DCOM Process Server Launcher and Terminal Services. Another
has the Command Line C:\WINDOWS\System32\svchost.exe -k netsvcs, which
covers a number of services including Automatic updates.
I am not sure what Daave has in mind but the above should help you
understand a little more about the role of svchost.exe. It is an
intermediary or enabler.
--
Hope this helps.
Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
lesiofamily wrote:
ok, in search I have found 3 svchost.exe with locations as follows:
C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\system32
does it mean that first 2 are fake/malicious?
if it is malware -
how do I remove them ? - just go to the folder and delete them?
how do I protect my PC in the future ?
I already have NIS (AV, firewall etc)
next interesting thing:
in my task manager I see 6 (six) svchost.exe :))
3 from system
2 from network service
1 from local service
they are all using 0% CPU and peak mem usage below 6000K
except for one from system which had 181000K and is using currently
26788K ???
I will reboot my PC now to give you feedback if it still takes time to
reboot
"lesiofamily" <blm333@xxxxxxx> wrote in message
news:e33xQbibJHA.4412@xxxxxxxxxxxxxxxxxxxxxxx
using process explorer
I can see few svchost but they use 0% CPU
the highest is system idle process with 99-100% CPU usage
command line is blank, description blank, company name blank
I checked my other PC
system idle process takes approx 86-97% CPU - for me it looks high
but it is 10% less than my first PC
any comments?
Are we talking about a sporadic problem? That is, perhaps you were
not experiencing the "long system freeze" during the above
timeframe? Does your problem present itself during bootup usually?
If it is sporadic, Process Explorer will give you useful
information, but you need to be looking at it *during* the grinding
of the gears (not afterward). And since in another post you
indicated that one of your instances of svchost was through the roof
memory-wise, the Bleeping Computer tutorial should be helpful.
There have been reports of svchost.exe run amok after a particular
security update was applied. How up-to-date are you with your Windows
Updates? What Service Pack level are you at? Can you recall when you
started experiencing this particular problem as well as anything
significant that occurred at around that time?
Finally, I don't recall whether or not you confidently ruled out
malware. Sometimes an instance of svchost.exe running *is*
malicious. Svchost.exe is a valid file *if* it is in the correct
location, which should be: C:\WINDOWS\system32
If you have another svchost.exe in another location, it's surely
malware. Search your entire C: drive for svchost.exe. In "More
advanced options," be sure to check "Search system folders" and
"Search subfolders." Again, if you see another instance of svchost.exe
where it doesn't belong, you have a malware infection!
Last idea: You stated you had NIS 2008. Norton is well-known for
producing the kind of behavior you are describing. Configure a clean
boot (which means, among other things, you will be temporarily
disabling NIS 2008) and see if your problem goes away. For more info:
http://support.microsoft.com/kb/310353
If your problem does go away, you should be able to use the process
of elimination to determine the cause. It wouldn't surprise me if
it's Norton.
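
The check described in the message above (each running svchost.exe matched to its Command Line and the services it hosts), as an added example that is not part of the original thread. It assumes a current Windows system with PowerShell 3.0 or later and an elevated prompt; the `Verdict` wording and variable names are illustrative.

```powershell
# Added example: list every running svchost.exe with its image path,
# command line and hosted services, and flag unexpected image locations.
# Assumption: run elevated, otherwise ExecutablePath/CommandLine may be empty.

$sysRoot = $env:SystemRoot

# Locations a running svchost.exe is expected to load from:
# System32, plus SysWOW64 for 32-bit service hosts on 64-bit Windows.
$expected = @(
    (Join-Path $sysRoot 'System32\svchost.exe'),
    (Join-Path $sysRoot 'SysWOW64\svchost.exe')
)

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.ProcessId -ne 0) {
        $key = [string]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $svc.Name
    }
}

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath

    # -contains compares strings case-insensitively, so C:\WINDOWS\system32
    # and C:\Windows\System32 are treated as the same location.
    $verdict = if (-not $path) {
        'path unreadable (run elevated)'
    } elseif ($expected -contains $path) {
        'expected location'
    } else {
        'REVIEW: unexpected location'
    }

    [pscustomobject]@{
        PID         = $_.ProcessId
        WorkingSetK = [math]::Round($_.WorkingSetSize / 1KB)
        Verdict     = $verdict
        Services    = ($servicesByPid[[string]$_.ProcessId] -join ', ')
        CommandLine = $_.CommandLine
    }
} | Sort-Object WorkingSetK -Descending | Format-List
```

The check applies to the image a running process was started from; copies of the file sitting in the service pack folders are not running and are not flagged.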