What should svchost tasklist look like?

Guest

I am having some problems on Windows start up including the svchost process
locking the cpu with nearly 100% usage.

I explored the svchost info sections and found that the following was the
tasklist that my svchost performed:

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     636 N/A
csrss.exe                    724 N/A
winlogon.exe                 752 N/A
services.exe                 800 Eventlog, PlugPlay
lsass.exe                    812 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe                 956 Ati HotKey Poller
svchost.exe                  972 DcomLaunch, TermService
svchost.exe                 1044 RpcSs
svchost.exe                 1100 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, Themes, TrkWks, W32Time, winmgmt,
                                 wscsvc, wuauserv, WZCSVC
svchost.exe                 1208 Dnscache
svchost.exe                 1276 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1476 Spooler
ati2evxx.exe                1504 N/A
explorer.exe                1600 N/A
iexplore.exe                1800 N/A
FrameworkService.exe        1824 McAfeeFramework
Mcshield.exe                1900 McShield
naPrdMgr.exe                1916 N/A
VsTskMgr.exe                2016 McTaskManager
mdm.exe                      272 MDM
StarWindService.exe          360 StarWindService
svchost.exe                  372 stisvc
Tablet.exe                   424 TabletService
wdfmgr.exe                   548 UMWdf
vsmon.exe                    596 vsmon
atiptaxx.exe                1128 N/A
zlclient.exe                1216 N/A
ctfmon.exe                  1416 N/A
wmiprvse.exe                2356 N/A
alg.exe                     2856 ALG
wuauclt.exe                 3084 N/A
iexplore.exe                3316 N/A
wuauclt.exe                 3432 N/A
cmd.exe                     4044 N/A
tasklist.exe                4060 N/A
wmiprvse.exe                 172 N/A

NOTE svchost is executed 5 times and the list is very big compared with the
sample presented in the info section.

Is this a pretty usual tasklist or has something got out of hand, and how do
I correct it?
 
David H. Lipman

From: "WMMuser" <[email protected]>

| I am having some problems on Windows start up including the svchost process
| locking the cpu with nearly 100% usage.
|
| I explored the svchost info sections and found that the following was the
| tasklist that my svchost performed:
|
| Image Name                   PID Services
| ========================= ====== =============================================
| System Idle Process            0 N/A
| System                         4 N/A
| smss.exe                     636 N/A
| csrss.exe                    724 N/A
| winlogon.exe                 752 N/A
| services.exe                 800 Eventlog, PlugPlay
| lsass.exe                    812 PolicyAgent, ProtectedStorage, SamSs
| ati2evxx.exe                 956 Ati HotKey Poller
| svchost.exe                  972 DcomLaunch, TermService
| svchost.exe                 1044 RpcSs
| svchost.exe                 1100 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
|                                  ERSvc, EventSystem,
|                                  FastUserSwitchingCompatibility, helpsvc,
|                                  lanmanserver, lanmanworkstation, Netman,
|                                  Nla, RasMan, Schedule, seclogon, SENS,
|                                  SharedAccess, ShellHWDetection, srservice,
|                                  TapiSrv, Themes, TrkWks, W32Time, winmgmt,
|                                  wscsvc, wuauserv, WZCSVC
| svchost.exe                 1208 Dnscache
| svchost.exe                 1276 LmHosts, RemoteRegistry, SSDPSRV, WebClient
| spoolsv.exe                 1476 Spooler
| ati2evxx.exe                1504 N/A
| explorer.exe                1600 N/A
| iexplore.exe                1800 N/A
| FrameworkService.exe        1824 McAfeeFramework
| Mcshield.exe                1900 McShield
| naPrdMgr.exe                1916 N/A
| VsTskMgr.exe                2016 McTaskManager
| mdm.exe                      272 MDM
| StarWindService.exe          360 StarWindService
| svchost.exe                  372 stisvc
| Tablet.exe                   424 TabletService
| wdfmgr.exe                   548 UMWdf
| vsmon.exe                    596 vsmon
| atiptaxx.exe                1128 N/A
| zlclient.exe                1216 N/A
| ctfmon.exe                  1416 N/A
| wmiprvse.exe                2356 N/A
| alg.exe                     2856 ALG
| wuauclt.exe                 3084 N/A
| iexplore.exe                3316 N/A
| wuauclt.exe                 3432 N/A
| cmd.exe                     4044 N/A
| tasklist.exe                4060 N/A
| wmiprvse.exe                 172 N/A
|
| NOTE svchost is executed 5 times and the list is very big compared with the
| sample presented in the info section.
|
| Is this a pretty usual tasklist or has something got out of hand, and how do
| I correct it?

wscsvc may be related to a RootKit type Trojan or a couple of other types of Trojans.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
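
Added example, not part of either post: the listing in this thread has the layout of `tasklist /svc` output, where a long service list wraps onto continuation lines. This Python sketch parses that layout so the PID of a busy svchost.exe can be mapped to the services it hosts; the sample text is a constructed, trimmed copy of the listing and all function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the listing posted in this thread.
SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
services.exe                 800 Eventlog, PlugPlay
svchost.exe                  972 DcomLaunch, TermService
svchost.exe                 1100 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 wscsvc, wuauserv, WZCSVC
svchost.exe                 1208 Dnscache
explorer.exe                1600 N/A
"""

# A process row is: image name (may contain spaces), a numeric PID, services.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

def _split(text):
    """Split a comma-separated service list, dropping blanks and 'N/A'."""
    return [s.strip() for s in text.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return one dict per process; wrapped lines extend the previous row."""
    rows = []
    for line in text.splitlines():
        line = re.sub(r"^\|\s?", "", line)  # tolerate '| ' reply quoting
        bare = line.strip()
        if not bare or bare.startswith("Image Name") or set(bare) <= {"=", " "}:
            continue  # blank line, header or separator
        m = ROW.match(line)
        if m:
            rows.append({"image": m["image"], "pid": int(m["pid"]),
                         "services": _split(m["services"])})
        elif rows:
            rows[-1]["services"].extend(_split(bare))  # continuation line
    return rows

def svchost_groups(rows):
    """Map each svchost.exe PID to the list of services it hosts."""
    return {r["pid"]: r["services"] for r in rows
            if r["image"].lower() == "svchost.exe"}

def find_host(rows, service):
    """Return (image, pid) of the process hosting a service, or None."""
    for r in rows:
        if service.lower() in (s.lower() for s in r["services"]):
            return r["image"], r["pid"]
    return None

if __name__ == "__main__":
    for pid, services in svchost_groups(parse_tasklist_svc(SAMPLE)).items():
        print(pid, len(services), ", ".join(services))
```

Matching the PID that Task Manager shows at high CPU against this map narrows the problem to one group of services instead of "svchost" as a whole.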
 
