那些遇到过的问题

SvcHost 占用了 100% 的 CPU。它似乎是 DcomLaunch 或 TermService - 病毒?

Cor*_*ton 5 virus cpu-usage svchost windows-xp

所以我的SvcHost突然占用了我的 CPU 的 100%,我想弄清楚哪个服务对此负责。有什么方法可以区分在单个 SvcHost 中运行的多个服务生成的负载吗?

我运行了病毒扫描,结果很干净,我的工具又旧又过时,所以什么也没找到。

我尝试单步执行这些服务,一个一个地停止它们,但我找不到罪魁祸首(请注意,某些服务也会自动重新启动,我不想禁用它们)。

更新:我昨晚使用了Process Explorer,但在违规的 SvcHost 中有很多服务,其中一些服务无法停止。今天,我再次检查了 Heavyd 的建议并很幸运,因为今天只有两个服务在有问题的 SvcHost 中。

DcomLaunch - DCOM 服务器进程启动器

TermService - 终端服务

两者都不可阻挡。我是最新的 Windows 更新。尽管昨晚没有任何结果,但仍要运行另一次病毒扫描来检查它。也许是时候重新开始了(这个安装是从 2004 年的某个时候开始的)。

更新:绝对是病毒。在上次重新启动后,CPU 使用率下降了,但我在启动时收到了一些奇怪的“安装了安全软件”的消息,奇怪的名称正在运行的进程(例如,555573478785.exe),以及HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run昨晚没有添加的可疑密钥。

Symantec AntiVirus Corporate 8.1.0.825 提出了一些警告,但似乎并没有捕捉到所有内容:-(

Malwarebytes 的反恶意软件结果:

Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 12:12:58 PM
mbam-log-2010-02-19 (12-12-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290960
Time elapsed: 1 hour(s), 23 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbabjtm.dll  -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\55533526 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\~TM17.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TM466.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Local Settings\Temporary Internet Files\Content.IE5\2WE7TOVW\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.
Run Code Online (Sandbox Code Playgroud)

第二次扫描结果:

Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 1:54:07 PM
mbam-log-2010-02-19 (13-54-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290753
Time elapsed: 1 hour(s), 18 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129104.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129105.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
Run Code Online (Sandbox Code Playgroud)

更新:经过几次扫描后,我的 PC 似乎不再有病毒。

谢谢大家!

hea*_*vyd 7

我建议抓住Microsoft/SysInternals Process Explorer。使用进程浏览器,您可以打开特定的 svchost 进程并查看正在从该进程运行哪些服务。然后,您可以使用流程详细信息中的“服务”选项卡来停止个别服务以找到罪魁祸首。

Pet*_*sen 7

只要多个服务在单个 svchost.exe 中运行,您就无法区分负载。但是有一种简单而安全的方法可以将它们拆分到单独的 svchost.exe 中:

SC Config Servicename Type= own
Run Code Online (Sandbox Code Playgroud)

在命令行窗口中执行此操作或将其放入 BAT/CMD 脚本中。使其工作的要求是:

  • SC执行命令时的管理权限。
  • 重新启动计算机。之前不会生效。
  • “=”后的空格。

可以通过以下方式恢复原始状态:

SC Config Servicename Type= share
Run Code Online (Sandbox Code Playgroud)

示例:使Windows Management Instrumentation在单独的 SVCHOST.EXE 中运行:

SC Config winmgmt Type= own
Run Code Online (Sandbox Code Playgroud)

我在 Windows XP 系统上使用了以下序列。它可以直接粘贴到命令行窗口中。

rem  1. "Automatic Updates"
SC Config wuauserv Type= own

rem  2. "COM+ Event System"
SC Config EventSystem Type= own

rem  3. "Computer Browser"
SC Config Browser Type= own

rem  4. "Cryptographic Services"
SC Config CryptSvc Type= own

rem  5. "Distributed Link Tracking"
SC Config TrkWks Type= own

rem  6. "Help and Support"
SC Config helpsvc Type= own

rem  7. "Logical Disk Manager"
SC Config dmserver Type= own

rem  8. "Network Connections"
SC Config Netman Type= own

rem  9. "Network Location Awareness"
SC Config NLA Type= own

rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own

rem 11. "Secondary Logon"
SC Config seclogon Type= own

rem 12. "Server"
SC Config lanmanserver Type= own

rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own

rem 14. "System Event Notification"
SC Config SENS Type= own

rem 15. "System Restore Service"
SC Config srservice Type= own

rem 16. "Task Scheduler"
SC Config Schedule Type= own

rem 17. "Telephony"
SC Config TapiSrv Type= own

rem 18. "Terminal Services"
SC Config TermService Type= own

rem 19. "Themes"
SC Config Themes Type= own

rem 20. "Windows Audio"
SC Config AudioSrv Type= own

rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own

rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own

rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own

rem 24. "Workstation"
SC Config lanmanworkstation Type= own

rem End.
Run Code Online (Sandbox Code Playgroud)

归档时间:

查看次数:

23769 次

最近记录:

12 年,1 月 前
相关归档
我可以长时间以 100% 的使用率运行我的 CPU 吗? 61
在 RDP 之前检查用户是否在远程计算机上处​​于活动状态的方法 33
How can I uninstall a keyboard that Microsoft Keyboard Layout Creator created? 14
如何在 Windows 中更新/刷新/重置我的 DNS 记录? 9
虚拟机的假 USB 连接? 8
Windows XP 中内存地址到物理模块的映射 5
Windows Vista 的轻量级非侵入式病毒/恶意软件保护? 1
双显示器Windows XP,显示器“识别错误” 0
如何停止每个批处理文件作为名为 cmd.exe 的进程打开,如任务管理器中所示 -2
我们可以在磁盘中存储无限数据吗 -6
难疑归档
在 Visual Studio Code 中选择列 346
如何从 Linux 命令行获取有关图像(图片)的信息? 294
如何在 Linux 下将 .ppk 密钥转换为 OpenSSH 密钥? 226
如何让 Notepad++ 将文件类型与语言相关联? 166
我的键盘没有“媒体”键;我可以在没有它们的情况下控制媒体吗? 152
我可以禁用“Alt+Shift”快捷方式来更改 Windows 8.1(或 Windows 10)中的语言吗? 138
更改 ConEmu 的默认启动目录 117
主机名和域名的区别 107
如何将 Python 添加到 Windows PATH? 105
如何禁用 Google One Tap 注册提示? 103