100% PROCESSER UTILISATION
18 years 9 months ago #12916
by DaLight
Replied by DaLight on topic Re: 100% PROCESSER UTILISATION
... hence the recommendation to run HijackThis! and Autoruns, which don't just run scans but enumerate the processes running on your PC for use in further analysis. Isn't this the proper approach to tackling an issue, instead of just running scans on a machine and not really knowing what one is trying to accomplish?
18 years 9 months ago #12921
by Kn1ght
Replied by Kn1ght on topic probably problem DLL files
HijackThis is the winner in this case; you probably have some rogue DLL files happening. Post the HijackThis file on here so we can view it.
Thanks
18 years 9 months ago #12927
by jhun
Replied by jhun on topic Re: 100% PROCESSER UTILISATION
Hi,
Just my 2 cents.
Each time I encounter some weird things happening on my box that neither my AV nor my anti-spyware program detects, I usually take a manual approach, as I believe that a compromised box would already have a compromised AV and anti-spyware.
The first thing I would check is the Task Manager, checking all running processes and noting each one that is suspicious and should not be running. Secondly, I would check the registry for startup programs, and also msconfig for any processes that would be initiated during startup, and disable those. Third, I would try to narrow down the problem by finding the processes that are running within my system and searching for their names and what they do using good old Google. When I see that they are malicious apps, I delete them. Then I usually do a reboot and check again whether it is already functioning the way it is supposed to. If not, I redo the things mentioned above, after which I slave the hard drive in a working, non-compromised machine with AV scanners and anti-spyware programs to take a look. Usually something shows up in this type of scan. After this, check again whether that solved the problem. If the problem is still there, I usually do a reformat, since the box has obviously been compromised and nothing is more secure than starting out with a fresh new box.
PS
You said that the process svchost.exe takes up all of the resources, which is quite hard to narrow down since, as dead-neurons pointed out, it involves some other processes underlying within it. DaLight's suggestion is excellent.
Also, might I suggest you run netstat on your machine from the command prompt with both the -a and -b switches. This would show you what processes are involved in svchost.exe.
[code:1]
C:\> netstat -a -b
[/code:1]
18 years 9 months ago #12966
by gainil
Replied by gainil on topic Re: 100% PROCESSER UTILISATION
Hi Guys!!
Thank you all for your replies.
I just logged on to see if there was any reply to my post and was more than happy to see so many replies to it.
Till now I was running AV scans, spyware scans and checking startup entries in the registry, but could not find anything and nothing happened. Today I was surprised to see no cmd.exe instances, but the svchost.exe was still taking 100% of resources. I downloaded Handle: www.sysinternals.com/Utilities/Handle.html
It gives me output of over 100 lines; some lines which referred to svchost.exe are here:
[code:1]
svchost.exe pid: 432 NT AUTHORITY\SYSTEM
   18: File          C:\WINNT\system32
  1CC: Section       \BaseNamedObjects\RotHintTable
  1D0: File          \Dfs
  26C: Section       \BaseNamedObjects\__R_0000000001df_SMem__
svchost.exe pid: 620 NT AUTHORITY\SYSTEM
   18: File          C:\WINNT\system32
  120: Section       \BaseNamedObjects\__R_0000000001df_SMem__
  17C: Section       \BaseNamedObjects\SENS Information Cache
svchost.exe pid: 1628 NT AUTHORITY\SYSTEM
   18: File          C:\WINNT\system32
  168: Section       \BaseNamedObjects\__R_0000000001df_SMem__
  1EC: File          C:\WINNT\system32\sens.dll
[/code:1]
I am not able to figure out anything from this.
Later I downloaded Process Explorer from the same site, www.sysinternals.com/Utilities/ProcessExplorer.html , and from its GUI I killed the one svchost.exe process which was taking 95%-99% CPU. Till now my server is fine, even after restarting, and no complaints from clients.
If anyone can figure out the output given by Handle, that would be nice.
I am happy that the problem is solved but worried that it will repeat again.
For the time being I will refer to the points mentioned by you guys, hoping that I catch the culprit process.
Thankyou Everyone for your kind Help
Nilesh
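Added example, not code from the thread or from any of the posters: jhun's netstat step and Nilesh's question about what a given svchost.exe PID is actually doing both come down to the same join. `tasklist /svc` lists the services each svchost.exe hosts, and `netstat -ano` (the `-o` switch adds the owning PID to the listing jhun suggests) shows which PID owns each socket. The script below parses both listings and reports, per service host, the hosted services, its endpoints, and any ESTABLISHED sessions to addresses outside loopback/RFC 1918 space, which is the first thing to explain when one svchost is pinned at 100% CPU. The two listings are constructed samples in the format the tools print, not output from Nilesh's server; the PIDs are reused from the thread only for illustration, and 203.0.113.7 is a documentation address standing in for an arbitrary Internet host.

```python
import ipaddress
import re

# Constructed sample in the shape `tasklist /svc` prints (not from the poster's
# server). Long service lists wrap onto indented continuation lines.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    432 RpcSs
svchost.exe                    620 EventSystem, SENS, Schedule
svchost.exe                   1628 Browser, Dnscache, lanmanserver,
                                   Netman, RemoteRegistry
cmd.exe                       2044 N/A
"""

# Constructed sample in the shape `netstat -ano` prints. 203.0.113.7 is a
# documentation address used as a placeholder for some Internet host.
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       432
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1053      203.0.113.7:6667       ESTABLISHED     1628
  TCP    192.168.1.10:1054      203.0.113.7:6667       ESTABLISHED     1628
  UDP    0.0.0.0:123            *:*                                    620
"""

TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")
NET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# Address ranges treated as "not remote": loopback, unspecified, RFC 1918.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
               "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def parse_tasklist_svc(text):
    """Return {pid: {"image": name, "services": [svc, ...]}}.
    Indented continuation lines (no PID) are appended to the previous entry."""
    procs, last = {}, None
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m and not line.startswith(" "):
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3)
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[pid] = {"image": image, "services": names}
            last = pid
        elif last is not None and line.startswith(" ") and line.strip():
            procs[last]["services"] += [s.strip() for s in line.split(",") if s.strip()]
    return procs


def parse_netstat_ano(text):
    """Return a list of (proto, local, foreign, state, pid); UDP rows have no state."""
    conns = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append((proto, local, foreign, state, int(pid)))
    return conns


def is_remote(endpoint):
    """True if 'host:port' names an address outside LOCAL_NETS ('*' is not remote)."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def service_hosts(procs, conns, image="svchost.exe"):
    """Per service-host PID: the services it hosts and the endpoints it owns."""
    report = {}
    for pid, info in procs.items():
        if info["image"].lower() == image:
            report[pid] = {"services": info["services"],
                           "endpoints": [(p, l, f, s) for p, l, f, s, o in conns if o == pid]}
    return report


def flag_outbound(report):
    """PIDs of service hosts holding ESTABLISHED sessions to remote addresses."""
    return sorted(pid for pid, r in report.items()
                  if any(s == "ESTABLISHED" and is_remote(f) for _, _, f, s in r["endpoints"]))


def who_hosts(procs, service):
    """PIDs whose service list includes `service` (case-insensitive)."""
    return sorted(pid for pid, info in procs.items()
                  if service.lower() in (s.lower() for s in info["services"]))


if __name__ == "__main__":
    procs = parse_tasklist_svc(TASKLIST_SVC)
    report = service_hosts(procs, parse_netstat_ano(NETSTAT_ANO))
    for pid, r in sorted(report.items()):
        print(f"svchost.exe pid {pid}: {', '.join(r['services']) or '-'}")
        for proto, local, foreign, state in r["endpoints"]:
            print(f"    {proto:<4} {local:<22} {foreign:<22} {state or ''}")
    print("service hosts with remote ESTABLISHED sessions:", flag_outbound(report))
    print("SENS is hosted by PID(s):", who_hosts(procs, "SENS"))
```

On a live box the two inputs are simply `tasklist /svc > tasks.txt` and `netstat -ano > net.txt`; `netstat -b` additionally names the executable (and, in brackets, the components that created each endpoint) but needs an elevated prompt, and a service host with a session to an arbitrary Internet host is worth pulling the DLL list for in Process Explorer before killing it, since killing the process destroys the evidence.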
18 years 9 months ago #12967
by DaLight
Replied by DaLight on topic Re: 100% PROCESSER UTILISATION
Can you post the logs from HijackThis! and Autoruns?