#31
SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)
Quaoar's advice is the only way for you to determine whether something being run at startup is the cause of your problem. You need to follow that advice no matter how long it takes.

Rocky

"Philip Herlihy" wrote in message ...

"Quaoar" wrote in message ...

What is being run at startup as indicated in msconfig/startup tab? Can you track the source of this problem by selectively unchecking the startups one at a time?

Q

I've gazed at the startup list but I haven't tried selectively unchecking them. Part of the problem is that the thing can take an hour to boot, it's so slow! It'll take me several days. I'll ponder whether I can face it...

--
####################
## PH, London
####################
#32
Well, that was a lot quicker than I expected. I disabled "Terminal Services" and it booted (otherwise) normally. But I've already run the System File Checker, and nothing was found to be amiss. Why would TS go bonkers?

--
####################
## PH, London
####################

"Rocket J. Squirrel" wrote in message ...

Quaoar's advice is the only way for you to determine whether something being run at startup is the cause of your problem. You need to follow that advice no matter how long it takes.

Rocky
#34
Philip Herlihy wrote:

Thanks, Carey. I'm very grateful for the suggestion, but it didn't work. The machine has XP Home with SP1 (I should have specified this) and the patch is apparently pre-SP1 (an error-message said it could only be applied if no SPs were already there). I'm becoming increasingly resigned to a re-format and install, but my relatively untechnical friend will lose heaps of settings, passwords and so on. :-(

Install the following patch:

Windows XP Patch: Remote Assistance
http://www.microsoft.com/downloads/d...A-9A33857ECEBA

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/\

--------------------------------------------------------------------- ----- -----------------

"Philip Herlihy" wrote in message: ...

(Thanks for looking!)

I have a friend's machine (running XP Home, fully patched) which is unusably slow. I can see that LSASS.exe together with one instance of SVCHOST.exe are effectively using all CPU resources.

I've run updated versions of:
# Norton Antivirus
# McAfee Stinger
# Panda Online scan
# Trend Micro Online scan
# Adaware
# Spybot
.. and although a few nasties were removed, the problem remains.

I've downloaded the (excellent) Process Explorer from Sysinternals.com. I've found that if I suspend that one SVCHOST instance, the LSASS process goes quiet. Looking inside the SVCHOST I can see that the thread TERMSRV.dll appears to be accounting for the activity, and if I selectively kill that thread, the machine goes back to normal.

I've studied the registry keys:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
.. but my untutored eye can't spot anything wrong.

A typical stack trace of the TERMSRV thread is:

ntdll.dll+0x8090304
RPCRT4.dll!I_RpcTransGetThreadEvent+0x9d7
RPCRT4.dll!I_RpcTransGetThreadEvent+0x147b
RPCRT4.dll!NdrContextHandleInitialize+0x82e
RPCRT4.dll!I_RpcTransGetThreadEvent+0x5d0
RPCRT4.dll!I_RpcTransGetThreadEvent+0x557
RPCRT4.dll!I_RpcTransGetThreadEvent+0x3bc
RPCRT4.dll!I_RpcTransGetThreadEvent+0x2f6
RPCRT4.dll!I_RpcTransGetThreadEvent+0x26f
RPCRT4.dll!I_RpcSendReceive+0x1f
ADVAPI32.dll!LsaRetrievePrivateData+0xdf
termsrv.dll+0x201d9
termsrv.dll+0x20428
termsrv.dll+0xd1fc
kernel32.dll!RegisterWaitForInputIdle+0x43

I thought I was a smart geezer, but this one has me beaten. Next step is a format and reinstall, unless someone has an idea.

--
####################
## PH, London
####################

What is being run at startup as indicated in msconfig/startup tab? Can you track the source of this problem by selectively unchecking the startups one at a time?

Q
#35
"Quaoar" wrote in message ...

What is being run at startup as indicated in msconfig/startup tab? Can you track the source of this problem by selectively unchecking the startups one at a time?

Q

I've gazed at the startup list but I haven't tried selectively unchecking them. Part of the problem is that the thing can take an hour to boot, it's so slow! It'll take me several days. I'll ponder whether I can face it...

--
####################
## PH, London
####################
#38
On Wed, 14 Apr 2004 18:46:38 +0100, "Philip Herlihy"

Thanks, Carey. I'm very grateful for the suggestion, but it didn't work. The machine has XP Home with SP1 (I should have specified this) and the patch is apparently pre-SP1 (an error-message said it could only be applied if no SPs were already there).

Two things come to mind:

1) There are new (April 2004) patches involving LSASS and DCOM

Seek and apply these - in case what is happening is an exploit of the newly-announced holes involving these things.

2) Malware use of SVCHost

Malware can either use the "real" SVCHost to shell themselves (so that firewalls set to allow the "real" SVCHost allows the malware too) or can drop their own "SVCHost" files that are running.

CoolWebSearch is a common, frequently-updated commercial malware that exploits a wide range of holes and attack methods, often including SVCHost. There's a web site and utility dedicated to killing CWS; Google for it (merjin) and check it out - they document the variations and evolve the killer tool to manage the latest ones.

As usual, I'd start with a formal virus check to exclude traditional malware, then drill down to commercial malware through Windows using AdAware, Spybot, and the dedicated CWS killer.

-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
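
The two cases described in the post above (a dropped look-alike "SVCHost" file, and something hosted inside the genuine svchost.exe), as an added Python example that is not part of the original thread. It runs offline over a constructed process snapshot and constructed copies of the two registry areas named earlier in the thread; the default `C:\WINDOWS` system root and the `HelperSvc` service are assumptions made for illustration.

```python
import ntpath
from difflib import SequenceMatcher

SYSTEM32 = r"c:\windows\system32"   # assumption: default %SystemRoot%
GENUINE = ntpath.join(SYSTEM32, "svchost.exe")
# Constructed snapshot: (pid, image path, command line).
PROCESSES = [
    (820,  r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
    (1044, r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k LocalService"),
    (1312, r"C:\WINDOWS\svchost.exe",          "svchost.exe"),
    (1490, r"C:\WINDOWS\system32\scvhost.exe", "scvhost.exe"),
]
# Constructed registry data: SvcHost group -> services, and each service's ServiceDll.
SVCHOST_GROUPS = {"netsvcs": ["Schedule", "HelperSvc"], "localservice": ["Alerter"]}
SERVICE_DLLS = {
    "Schedule":  r"%SystemRoot%\system32\schedsvc.dll",
    "Alerter":   r"%SystemRoot%\system32\alrsvc.dll",
    "HelperSvc": r"C:\Documents and Settings\user\Local Settings\Temp\hlp.dll",  # made up
}

def norm(path):
    """Lower-case a Windows path and expand %SystemRoot% so paths compare."""
    return ntpath.normpath(path.lower().replace("%systemroot%", r"c:\windows"))

def check_image(path):
    """Return 'genuine', 'wrong-path', 'lookalike' (near-miss name) or None."""
    p = norm(path)
    name = ntpath.basename(p)
    if name == "svchost.exe":
        return "genuine" if p == GENUINE else "wrong-path"
    return "lookalike" if SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8 else None

def hosted_dll_findings(cmdline):
    """For 'svchost.exe -k <group>', list (service, dll) with a DLL outside System32."""
    parts = cmdline.lower().split()
    if "-k" not in parts[:-1]:
        return []
    group = parts[parts.index("-k") + 1]
    dlls = [(svc, norm(SERVICE_DLLS.get(svc, ""))) for svc in SVCHOST_GROUPS.get(group, [])]
    return [(svc, dll) for svc, dll in dlls if ntpath.dirname(dll) != SYSTEM32]

def triage(processes):
    """Return {pid: [finding, ...]} for processes that need a closer look."""
    findings = {}
    for pid, path, cmdline in processes:
        verdict = check_image(path)
        if verdict in ("wrong-path", "lookalike"):
            findings[pid] = [f"{verdict}: {path}"]
        elif verdict == "genuine" and (bad := hosted_dll_findings(cmdline)):
            findings[pid] = [f"ServiceDll outside System32: {s} -> {d}" for s, d in bad]
    return findings

if __name__ == "__main__":
    print(triage(PROCESSES))
```

A path that matches the genuine location only narrows the search; the file at that path and the DLLs it loads still need checking by other means.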
#39
Interesting sig ("Running Windows-based av..."). Could you explain why you feel that way?

Rocky

"cquirke (MVP Win9x)" wrote in message ...

On Wed, 14 Apr 2004 18:46:38 +0100, "Philip Herlihy"

Thanks, Carey. I'm very grateful for the suggestion, but it didn't work. The machine has XP Home with SP1 (I should have specified this) and the patch is apparently pre-SP1 (an error-message said it could only be applied if no SPs were already there).

Two things come to mind:

snip