k9boy
Hi,
I booted up my Win2k SP4 machine yesterday. It has run fairly solidly for
the last few months (years?). But this time, it froze. So I rebooted.
Then I powered up my WinXP SP2 machine. Oddly, it froze during the
login. I rebooted this as well. At this point, I'm thoroughly curious.
I managed to get into my XP machine when it restarted, but about a
minute later, it was extremely sluggish. I checked my task manager and
svchost.exe (SYSTEM process) was at close to 100%. When I got into my
Win2k machine, I noticed svchost.exe (SYSTEM process) there was also
eating up large amounts of CPU. It was also eating up memory in 80MB
range.
When it happened again today, I opened up TCPView.exe (from
SysInternals... excellent application). From a fresh boot/login (no
manually started apps yet), I saw the rogue svchost.exe making HTTP and
HTTPS connections to assorted web addresses, such as:
C:\Windows\System32\svchost.exe -k netsvcs
user104.osisoft.com:http
user102.osisoft.com:http
65.222.92.103:http
207.46.253.157:https
And:
C:\WINNT\system32\svchost.exe -k wugroup
62.55.192.126:https
user111.osisoft.com
After a few minutes (15 minutes, perhaps) all this activity stops
and svchost.exe behaves again. Here is a TCPView session:
Process          Proto  Local Address        Remote Address  State
alg.exe:240      TCP    polar:1048           polar:0         LISTENING
svchost.exe:804  TCP    polar:epmap          polar:0         LISTENING
svchost.exe:868  UDP    polar:ntp            *:*
svchost.exe:868  UDP    polar:1038           *:*
svchost.exe:868  UDP    polar:1039           *:*
svchost.exe:868  UDP    polar:ntp            *:*
svchost.exe:868  UDP    polar:1053           *:*
svchost.exe:868  UDP    polar:1054           *:*
svchost.exe:868  UDP    polar:1055           *:*
svchost.exe:868  UDP    polar:1061           *:*
svchost.exe:868  UDP    polar:1062           *:*
svchost.exe:868  UDP    polar:1063           *:*
svchost.exe:868  UDP    polar:1064           *:*
svchost.exe:868  UDP    polar:1066           *:*
svchost.exe:868  UDP    polar:1067           *:*
svchost.exe:868  UDP    polar:1068           *:*
svchost.exe:868  UDP    polar:1071           *:*
svchost.exe:868  UDP    polar:1072           *:*
svchost.exe:912  UDP    polar:1025           *:*
svchost.exe:912  UDP    polar:1030           *:*
svchost.exe:912  UDP    polar:1034           *:*
svchost.exe:960  UDP    polar:1900           *:*
svchost.exe:960  UDP    polar:1900           *:*
System:4         TCP    polar:microsoft-ds   polar:0         LISTENING
System:4         TCP    polar:netbios-ssn    polar:0         LISTENING
System:4         UDP    polar:microsoft-ds   *:*
System:4         UDP    polar:netbios-ns     *:*
System:4         UDP    polar:netbios-dgm    *:*
Here is a snippet from my tasklist:
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       456 N/A
csrss.exe                      516 N/A
winlogon.exe                   540 N/A
services.exe                   584 Eventlog, PlugPlay
lsass.exe                      596 ProtectedStorage, SamSs
svchost.exe                    748 DcomLaunch, TermService
svchost.exe                    804 RpcSs
svchost.exe                    868 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem,
                                   FastUserSwitchingCompatibility, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman,
                                   Nla, Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, Themes, TrkWks, W32Time,
                                   winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                    912 Dnscache
svchost.exe                    960 LmHosts, RemoteRegistry, SSDPSRV, WebClient
vsmon.exe                      996 vsmon
spoolsv.exe                   1316 Spooler
DefWatch.exe                  1492 DefWatch
Rtvscan.exe                   1552 Norton AntiVirus Server
wdfmgr.exe                    1604 UMWdf
I'm not sure what's going on. I'm more than willing to reformat my
machines, but if this is normal, then there wouldn't be much point.
I've also updated and run Symantec AV, Adaware and Spybot with no
improvement.
Well, if anyone can help, I'd greatly appreciate it.
Tom
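The correlation Tom is doing by hand above (which svchost.exe instance holds the HTTP/HTTPS connections, and which services that instance hosts) as an added example in Python; this is not code from the original post. It parses `tasklist /svc` and `netstat -ano` output, joins the two on PID, and flags svchost instances with established connections to port 80 or 443. It also includes a check on the binary's path, since a file named svchost.exe outside System32 shows the same name in Task Manager. The samples are constructed: PIDs, service names and remote addresses are taken from the post, the service list for PID 868 is abbreviated, and the local address 192.168.1.10 and the netstat layout are assumptions (the post's data came from TCPView, which shows the same process-to-endpoint mapping).

```python
"""Join `tasklist /svc` with `netstat -ano` on PID so each svchost.exe instance
is reported with the services it hosts and the remote endpoints it talks to.
Added example; not code from the original post."""
import re
from collections import namedtuple

# Constructed sample of `tasklist /svc` output, modelled on the PIDs and service
# groups in the post (abbreviated, not a verbatim copy of the listing).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   584 Eventlog, PlugPlay
svchost.exe                    804 RpcSs
svchost.exe                    868 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   wuauserv, WZCSVC
svchost.exe                    912 Dnscache
svchost.exe                    960 LmHosts, RemoteRegistry, SSDPSRV, WebClient
"""

# Constructed sample of `netstat -ano` output. Remote addresses are the ones
# in the post; the local address 192.168.1.10 is an assumption.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    192.168.1.10:1062      65.222.92.103:80       ESTABLISHED     868
  TCP    192.168.1.10:1063      207.46.253.157:443     ESTABLISHED     868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:123            *:*                                    868
  UDP    0.0.0.0:1900           *:*                                    960
  UDP    127.0.0.1:1025         *:*                                    912
"""

Proc = namedtuple("Proc", "image pid services")
Conn = namedtuple("Conn", "proto local remote state pid")
TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")
WEB_PORTS = {80, 443}

def split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: Proc}. tasklist wraps long service lists onto indented
    continuation lines; those are folded back onto the row above."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace():
            if current is not None:
                procs[current].services.extend(split_services(line))
            continue
        m = TASKLIST_ROW.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = Proc(m.group(1).strip(), current, split_services(m.group(3)))
    return procs

def parse_netstat_ano(text):
    """Return a list of Conn. UDP rows carry no State column, so they split
    into four fields instead of five."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 5:
            proto, local, remote, state, pid = parts
        else:
            (proto, local, remote, pid), state = parts[:4], ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns

def remote_port(endpoint):
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def pids_hosting(procs, service):
    """All PIDs whose service list contains `service` (case-insensitive)."""
    return sorted(p.pid for p in procs.values()
                  if service.lower() in (s.lower() for s in p.services))

def web_talkers(procs, conns, image="svchost.exe"):
    """{pid: (services, [remote endpoints])} for each instance of `image` that
    holds an ESTABLISHED TCP connection to port 80 or 443."""
    hits = {}
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED" or remote_port(c.remote) not in WEB_PORTS:
            continue
        proc = procs.get(c.pid)
        if proc is not None and proc.image.lower() == image:
            hits.setdefault(c.pid, (proc.services, []))[1].append(c.remote)
    return hits

def is_expected_svchost_path(path, system_root=r"C:\WINDOWS"):
    """True only for the real binary location (System32 under the given system
    root; Win2k uses C:\\WINNT). A same-named copy dropped elsewhere shows as
    svchost.exe in Task Manager but fails this check."""
    expected = (system_root + r"\system32\svchost.exe").lower()
    return path.replace("/", "\\").lower() == expected

if __name__ == "__main__":
    procs = parse_tasklist_svc(TASKLIST_SAMPLE)
    conns = parse_netstat_ano(NETSTAT_SAMPLE)
    for pid, (services, remotes) in sorted(web_talkers(procs, conns).items()):
        print(f"svchost.exe PID {pid} -> {', '.join(remotes)}")
        print("   hosts:", ", ".join(services))
    print("wuauserv lives in PID(s):", pids_hosting(procs, "wuauserv"))
```

On a live machine the two inputs come from `tasklist /svc` and `netstat -ano` run at the moment the CPU spike is happening; the point of joining them is that the answer "PID 868 is the one talking HTTP, and it hosts wuauserv and BITS along with twenty other services" is a very different finding from "PID 1880, hosting no registered service, is the one talking HTTP".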