?
Solved

svchost.exe cmd window appears spontaneously

Posted on 2006-06-15
9
Medium Priority
?
492 Views
Last Modified: 2013-11-18
My XP machine (fully up to date with patches and service packs etc) has suddenly started - for no reason that I can see - popping up on the monitor a command prompt window headed c:\windows\system 32\ svchost.exe. The window is waiting for command line input and its current directory is C:\windows \system 32, but otherwise it doesn't seem to do anything. This behaviour doesn't happen often - maybe once a day - but it kind of worries me that there is something nasty loose in the machine - can anyone enlighten me as what might be happening.
0
Comment
Question by:SteveHodge
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 59

Expert Comment

by:LeeTutor
ID: 16911670
Follow the advice in this MSKB article to find out more about the processes that are running under svchost.exe:

http://support.microsoft.com/?kbid=314056
A description of Svchost.exe in Windows XP Pro

First, do this:

1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.


Then communicate back the list of processes running under svhost.exe.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 16911686
Just to be safe, I would do a full virus/trojan/spyware scan:  Some free online virus scanners:

http://housecall.antivirus.com 

http://www.pcpitstop.com/antivirus/default.asp 

http://www.pandasoftware.com/activescan/com/activescan_principal.htm 

Also try these free programs to rid your system of spyware, trojans, and other malware:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy

http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.
0
 
LVL 9

Expert Comment

by:AndreDekolta
ID: 16911696
Also, check again that you have all updates....What other software have you installed?  Any .NET stuff?  Programming stuff?

Andre...
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 14

Expert Comment

by:FriarTuk
ID: 16917889
see here for info on svchost
http://windowsxp.mvps.org/svchost.htm

you quoted "c:\windows\system 32\ svchost.exe" - there should not be a space between "system 32", search for all svchost.exe files on your pc, if found anywhere besides system32 or i386 or an $ntservicepack folder - then it is suspect
0
 

Author Comment

by:SteveHodge
ID: 16921390
Thanks experts

FriarTuk - thanks I checked all the svchost.exe files, none of them look wrong
System 32 was a mistype by me
Lee Tutor - ran spybot, adaware and McAfee. Got one trojan, and the usual crop of traclker cookies but nothing else nasty
When I run tasklist (with what ever switch, except the help one) I get "Error: Class not registered". What can i do about this???
AndreDeKolta - I sure I am up todate - everything is on auto-update, and the machine runs almost all the time

Steve
0
 
LVL 14

Expert Comment

by:FriarTuk
ID: 16925993
boot into safe mode & do full virus & spyw scans, scanning all folders & files, including compressed
reboot & check
then boot safe mode command prompt & run "sfc /scannow"
reboot & check
boot from xp cd into recovery console & run Repair option
0
 

Author Comment

by:SteveHodge
ID: 16967395
FriarTuk

"boot into safe mode & do full virus & spyw scans, scanning all folders & files, including compressed
reboot & check"

Did this - all clean, no change to problem, tasklist /sfc still says 'Error -class not registered'

"then boot safe mode command prompt & run "sfc /scannow"
reboot & check"

sfc would not run in safe mode. Ran it in normal mode, all clean. Tasklist still the same

Also ran rootkit revealer - nothing odd execpt some mysterious registry strings containing nulls, deleted them
No change, task list still the same. Otherwise OK

"boot from xp cd into recovery console & run Repair option"

Did this. completed OK, but windows explorer wouldn't run properly anymore (TKU Microsoft). Long, long delays before it did anything at all. But tasklist /svc still did not work when run from task manager - same error message

Restored system from backup, running OK now, but task list still doesn't work.

Complete re-install looks the only option; quite a pain, don't want to do it unless I am sure tasklist will tell me something useful about the original problem and/or the re-install will clear the original problem. (The tasklist issue must be something in the installation because I have a back-up install of XP on this same machine and on that one tasklist runs fine)

What do you think?
0
 
LVL 14

Accepted Solution

by:
FriarTuk earned 800 total points
ID: 16974312
hate to say it, but i agree - if you have an image or bkup that you can restore that works i'd use it

then update everything, including installing new apps, then make a new image/bkup
0
 

Author Comment

by:SteveHodge
ID: 17030192
Did the re-install - aargh!!. There was something nasty loose in the machine, exploiting outlook express. I caught it polling my (in-house linux based) mailserver once a second with addresses taken from outlook exprss, which I only use for some very specialised purposes, so no real harm done.

It has stopped now, the svchost pop up hasn't reoccured, and tasklist now works. Only reformatted the C drive. I hope it is not lurking in one of the other drives, but time I guess will tell

Steve
0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
Introduction Knockoutjs (Knockout) is a JavaScript framework (Model View ViewModel or MVVM framework).   The main ideology behind Knockout is to control from JavaScript how a page looks whilst creating an engaging user experience in the least …
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question