Windows 7 suspicious svchost.exe

Audience: Fellow techs, power users


A couple weeks ago, while performing computer repair service in Snohomish, the system I was troubleshooting was responding rather slowly. When I fired up Process Explorer from Sysinternals I found that a svchost.exe process was consuming up to 50% of the CPU’s resources. In Windows, svchost.exe is simply a host process for Windows services. Should you bring up Task Manager (Ctrl+Shift+Esc) you will find many svchost.exe entries listed, but no detailed information as to which services are running within each process (please also note the description column):

svchost.exe in Windows Task Manager

With process explorer you can get much more detailed information about all processes running on your system. In this case, by simply mousing over a svchost.exe process you will see which services it is hosting:

svchost.exe in Process Explorer


This can be particularly helpful when trying to find a service that is hogging resources. On the particular system I was working on, however, something was amiss. Firstly, the description said “winrscmde” instead of Host Process For Windows Services, and secondly, mousing over the entry simply listed “svchost.exe.” Clearly, this process could not be hosting itself. At this point I suspected an imposter. By right-clicking any process in Process Explorer you can launch a properties dialog to learn more about the process. The first tab of this window is “Image.” In this tab you can find, among other items, the file path. Svchost.exe should look like this:

Valid svchost.exe location

The location for svchost.exe should be: C:\Windows\system32\svchost.exe. Again, the afflicted system had an inconsistency here, as the location was C:\Windows\svchost.exe. I navigated to this location and attempted to delete the file, but found that it was locked. Fortunately, Process Explorer has a way to deal with this as well. Two of the other right-click menu items are “Kill Process” and “Suspend.”

Kill Process or Suspend

The thing about malware (which, at this point, it should be clear is what I was dealing with) is that if you kill one part of it, another component might re-launch it. So, by clicking “Suspend” I was able to delete the fake svchost.exe file. I then followed up with an off-line virus scan to remove all traces of infection.
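The three tells in this post (wrong image path, wrong description, and a "host process" that hosts nothing) are easy to check in bulk. The script below is an added example, not from the original post: it applies those checks to a process listing, using a constructed ProcessRecord type as a stand-in for what Process Explorer or tasklist /svc shows, with the expected path and description taken from the post.

```python
"""Triage svchost.exe entries on the post's three indicators: image path,
description, and whether the process actually hosts services. Records are constructed."""
from dataclasses import dataclass, field

EXPECTED_PATH = r"C:\Windows\system32\svchost.exe"        # per the post
EXPECTED_DESCRIPTION = "Host Process for Windows Services"

@dataclass
class ProcessRecord:
    pid: int
    name: str
    path: str
    description: str
    services: list = field(default_factory=list)  # hosted services, if any

def _norm_path(p):
    return p.replace("/", "\\").lower()  # Windows paths: case-insensitive, either slash

def check_svchost(proc):
    """Return the indicators this entry trips; an empty list means it looks genuine."""
    if proc.name.lower() != "svchost.exe":
        return []  # other processes are out of scope for this check
    findings = []
    if _norm_path(proc.path) != _norm_path(EXPECTED_PATH):
        findings.append(f"image path {proc.path} (expected {EXPECTED_PATH})")
    if proc.description.strip().lower() != EXPECTED_DESCRIPTION.lower():
        findings.append(f"description {proc.description!r}")
    # A genuine host lists services; the impostor's tooltip showed only itself.
    if not [s for s in proc.services if s.lower() != "svchost.exe"]:
        findings.append("hosts no services")
    return findings

def triage(records):
    """Map pid -> findings for every svchost.exe entry that trips an indicator."""
    return {p.pid: f for p in records if (f := check_svchost(p))}

# Constructed listing: two genuine entries (differing path case) and one impostor.
SAMPLE = [
    ProcessRecord(804, "svchost.exe", r"C:\Windows\system32\svchost.exe",
                  "Host Process for Windows Services", ["RpcSs", "RpcEptMapper"]),
    ProcessRecord(1044, "svchost.exe", r"C:\WINDOWS\System32\svchost.exe",
                  "Host Process for Windows Services", ["Dhcp", "EventLog"]),
    ProcessRecord(2312, "svchost.exe", r"C:\Windows\svchost.exe",
                  "winrscmde", ["svchost.exe"]),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(f"PID {pid}: " + "; ".join(findings))
```

Only PID 2312 is reported, with all three indicators; a process with the right path but the wrong description would still be flagged, which is the point of checking more than one tell.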


In conclusion, Process Explorer is a great tool for troubleshooting malware and bugs. If you haven’t tried it yet, or the other Sysinternals tools, head on over to http://technet.microsoft.com/en-us/sysinternals/default and check them out.


-Nomad 

be safe out there


Windows Cannot Find HELPCTR.EXE

Audience: Fellow Techs, Power Users
HELPCTR.EXE ERROR

Recently, I received a call for computer repair in Marysville. The client was getting an error in Windows XP that Windows cannot find HELPCTR.exe. Upon further discussion with the client, I found out that he had recently uninstalled a trial of AVG 2012 anti-virus. A little searching with Google showed that the problem was most likely caused by a missing registry key. Since I was providing tech support over the phone I didn’t want to have the client running regedit.exe himself, so I did a little more searching for easy solutions (yes, I could have started a remote session at this point). My diligence paid off when I found this:

This page contains a registry file to correct the observed error. After verifying the file I directed the client to the fix. He ran it, and upon seeing that the Help and Support link now worked, declared me a genius. (Truth be told I ride on the shoulders of giants.) Special thanks to the author of http://windowsxp.mvps.org/startmenuhelp.htm for his great resource.

Now, in regard to AVG 2012, I cannot say for certain that it caused the problem, but it would not be the first time I have seen an uninstalled program break registry links.

Stay safe out there,
~Nomad~

Free Norton Anti-virus from Comcast

target audience: home users

Lately, I have had an increase in clients complaining about slow computers. Oddly enough, these most recent customers have all had one program in common. Sure, there were some useless toolbars and unnecessary start-up items, but the biggest culprit lately has been the Norton Security Suite that Comcast is offering its subscribers for free. Now, before you go bashing a certain product’s name, or uninstalling your anti-virus altogether, I’d like to remind you that running a quality anti-virus program is very important.

photo used under creative commons from: http://www.flickr.com/photos/baldiri/4343864282

Slooooooow

It is, however, also very important to qualify the customer. What Comcast is offering is a full security suite (a group of many programs wrapped together), which can be a real burden on older computer systems. This is why you should contact your friendly, local computer technician to get a solution that is right for you. (If that’s not an option, check out Kaspersky AV (not the whole suite) and Super Anti-Spyware.)

Want a second opinion? Read this blog:

http://www.callthatgirl.biz/comcast-users-should-avoid-installing-nortonsymantec/
