- Posts: 1302
- Thank you received: 0
100% PROCESSER UTILISATION
18 years 9 months ago #12927
by jhun
Replied by jhun on topic Re: 100% PROCESSER UTILISATION
hi,
just mu 2cents,
each time i encounter some weird things happening on my box and that neither my AV or my anti-spyware program detects nothing i usually give it a manual approach, as i believe that a compromised box would have already a compromised AV and anti-spyware.
the first thing i would check is the task manager. checking all running processes and noting each one that is suspicious and should not be running. secondly, i would check the registry for startup programs and also msconfig for any processes that would be initiated during startup and disable those. third, i would try and narrow down the problem by finding the processes that are running within my system and searching their names and what they do using old google. when i see that they are malicious apps i delete them. then i usually do a reboot, and check again if it is already functioning the way it is suppose to. if not, then redo the things mentioned above after which have the harddrive slave in a working and non-compromised machine with AV scanners and anti-spyware programs to have and take a look. usually something shows up in this type of scans. then after this, check again if that solved the problem. if the problem is still there i usually do a reformat.
since the box is obviously been compromised and nothing is more secure than starting out with a fresh new box.
PS
you said that the process svchost.exe takes up all of the resources which is quite hard to narrow down since as dead-neurons pointed out it involves some other processes underlying within it. dalight's suggestion is excellent.
also might i suggest you run netstat on your machine using command prompt with both -a and -b switches. this would show you what are the processes involve in svchost.exe.
[code:1]
C:\netstat -a -b
[/code:1]
just mu 2cents,
each time i encounter some weird things happening on my box and that neither my AV or my anti-spyware program detects nothing i usually give it a manual approach, as i believe that a compromised box would have already a compromised AV and anti-spyware.
the first thing i would check is the task manager. checking all running processes and noting each one that is suspicious and should not be running. secondly, i would check the registry for startup programs and also msconfig for any processes that would be initiated during startup and disable those. third, i would try and narrow down the problem by finding the processes that are running within my system and searching their names and what they do using old google. when i see that they are malicious apps i delete them. then i usually do a reboot, and check again if it is already functioning the way it is suppose to. if not, then redo the things mentioned above after which have the harddrive slave in a working and non-compromised machine with AV scanners and anti-spyware programs to have and take a look. usually something shows up in this type of scans. then after this, check again if that solved the problem. if the problem is still there i usually do a reformat.
since the box is obviously been compromised and nothing is more secure than starting out with a fresh new box.PS
you said that the process svchost.exe takes up all of the resources which is quite hard to narrow down since as dead-neurons pointed out it involves some other processes underlying within it. dalight's suggestion is excellent.
also might i suggest you run netstat on your machine using command prompt with both -a and -b switches. this would show you what are the processes involve in svchost.exe.
[code:1]
C:\netstat -a -b
[/code:1]
18 years 9 months ago #12966
by gainil
Replied by gainil on topic Re: 100% PROCESSER UTILISATION
Hi Guys!!
Thankyou all for your replies.
I just logged on to c if there s any reply for my post and was more than happy to c so many replies for it.
Till now I was running AV Scans, Spyware Scans, Startup entries in the registery but coud not find anything and nothing happend, today i was surprised to c no cmd.exe instances but the svchost.exe was still taking 100% resources. I downloaded Handle :- www.sysinternals.com/Utilities/Handle.html
it gives me output of over 100 lines some lines which referred to svchost.exe r here:
svchost.exe pid: 432 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
1CC: Section \BaseNamedObjects\RotHintTable
1D0: File \Dfs
26C: Section \BaseNamedObjects\__R_0000000001df_SMem__
svchost.exe pid: 620 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
120: Section \BaseNamedObjects\__R_0000000001df_SMem__
17C: Section \BaseNamedObjects\SENS Information Cache
svchost.exe pid: 1628 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
168: Section \BaseNamedObjects\__R_0000000001df_SMem__
1EC: File C:\WINNT\system32\sens.dll
I am not able to figure out anything from this.
Later i downloaded ProcessExplorer from the same site www.sysinternals.com/Utilities/ProcessExplorer.html , from its GUI i killed one of the svchost.exe process which was taking 95%-99% CPU. Till now my Server is fine even after restarting and no complaints from clients.
if any one can figure out the output given by handle that wuld be nice.
I am happy that the problem is solved but worried that it would repeat agin.
for the time being i will refer to points mentioned by you guys hoping that i catch the culprit process
Thankyou Everyone for your kind Help
Nilesh
Thankyou all for your replies.
I just logged on to c if there s any reply for my post and was more than happy to c so many replies for it.
Till now I was running AV Scans, Spyware Scans, Startup entries in the registery but coud not find anything and nothing happend, today i was surprised to c no cmd.exe instances but the svchost.exe was still taking 100% resources. I downloaded Handle :- www.sysinternals.com/Utilities/Handle.html
it gives me output of over 100 lines some lines which referred to svchost.exe r here:
svchost.exe pid: 432 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
1CC: Section \BaseNamedObjects\RotHintTable
1D0: File \Dfs
26C: Section \BaseNamedObjects\__R_0000000001df_SMem__
svchost.exe pid: 620 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
120: Section \BaseNamedObjects\__R_0000000001df_SMem__
17C: Section \BaseNamedObjects\SENS Information Cache
svchost.exe pid: 1628 NT AUTHORITY\SYSTEM
18: File C:\WINNT\system32
168: Section \BaseNamedObjects\__R_0000000001df_SMem__
1EC: File C:\WINNT\system32\sens.dll
I am not able to figure out anything from this.
Later i downloaded ProcessExplorer from the same site www.sysinternals.com/Utilities/ProcessExplorer.html , from its GUI i killed one of the svchost.exe process which was taking 95%-99% CPU. Till now my Server is fine even after restarting and no complaints from clients.
if any one can figure out the output given by handle that wuld be nice.
I am happy that the problem is solved but worried that it would repeat agin.
for the time being i will refer to points mentioned by you guys hoping that i catch the culprit process
Thankyou Everyone for your kind Help
Nilesh
Time to create page: 0.147 seconds