svchost.exe with PID 1368

Dear friends, I hope you will able to help me in fighting versus svchost.exe. As my pc has gone slowly and slowly, I started to keep the task manager window always open. So I noticed there an svchost particularly heavy was always present, using constantly 50% of the processor resources. More: other svchost are present, of course, but they start, work, and quit. So I have looked for a free softwer that could tell me more about the activity of "that" svchost task; I founded the software"Svchost viewer", that told me that my enemy has the PID 1368, that is responsible of many activities including exchanges on the web.
What I think it is useful for you, is that when I cancel that svchost: 1. the sound card and the speakers are disabled, and I can not eneble it more as long as I will restart pc; 2. on the bottom-right bar of activities, appears the "IT" icon, which tells that the "italian keybord" is used. 3. No other things seem to happen: the processor returns to be completely in my possess, internet works normally, and so on. Another thing I noticed is that when I start the pc, and the Task manager windows, there is always a WINWORD task in execution, that I really could not understand, and many times appears a dialog-panel that tells me that "the "Normal model has been modified", and asks me if I want to save the modified version. I answer not.
--
Now the question is:
Do you think (as I do) that there is someone who uses my pc as soon as I start it?
Or this mis-working can be caused by wrongs MS updating?
My Anti-virus could not catch anything, and the malware softwer either.
--
I will be grateful for any answer, advice and so on.
Forgie me for my poor english, I am a bit out of practice.
Bye,
Sir Oliver

 

http://filehippo.com/download_process_explorer/history/

first download process explorer , I would try an earlier version , I use version 16.4

when you use PE and right click on an example process it will show exactly what service is using that svchost,

winword.exe is on if you have an office doc open, click yes next time and see if the message goes for good, if you have problems with office then you can go to add/remove in the control panel, scroll down to office , select, and choose to repair by hitting the change button.

http://www.watchingthenet.com/how-to-identify-what-programs-started-svchostexe-in-windows.html

read through above on how to use tasklist in command prompt and PE to identify what the PID 1398 pertains to which program. Then you can uninstall the program, reboot, and then reinstall the program.

 

Thank you, Beth, for your quick reply.
I have just downloaded the latest release of process explorer, and had a glance to how it works.
Tomorrow in the morning (now it's time to sleep ), I will start the pc and surely I'll find my enemy stealing resources.
For the moment, I just want to tell you that I use very rarely Winword, and when I find svchost working with pid 1368, I have NOT any winword session open, and NOTa .doc file (on my willness, at least). Furtherly, I have already tried to remove the whole office suite, including Winword, and re-install it. But I have not had any result: when I restarted the pc, 1368 starts right again to steal 50% of my processor.
--
Well. Tomorrow I'll post the result of my attempt.
Bye, and thanks again

 

okay will check back but is 1368 the pid for word?? it might be some other program and the latest version of process explorer is not for xp but vista and up so that is why I suggested an earlier version to use with xp, I use version 16.4

 

Here I am, Beth.
For the 1st thing, I downloaded the PE version you suggested.
But I have not moved any step forward. The only thing I can say is that Winword tasks and svchost with 1368 pid seem to be different troubles.
Infact, to day I have the 1368 pid svchost with its 50% of cpu taken just after the boot, but nowinword tasks. This is not my usualo situation, but I just refer what happens.
About 1368 pid svchost, I have read the list of the programs and ruotines that it usually care of, but I could not find any indication (perhaps I am not able in this) any information about which of those was in execution powered by that svchost, in that moment.
Can you tell me something more, please ?
And: do you think all this thing can be caused by viruses, imalwares and so on, or that it could be a consequence of some microsoft updating, or something like that ?
I'm very interested in your own opinion.
Unfortunately, as there is no more microsoft support for XP, I cannot ask for their help.
Bye, and thank you again for every information.
Sir Oliver

 

process explorer will list exactly what is under each svchost when you right click on it

and please my name is not Beth,

 

reply #2, just hover over the svchost after highlighting and then it will list what service is using that particular svchost.

 

Hello, Elisabeth,
(and forgive me: I didn't want to hurt you calling you with a short-name). Sorry.
I do not manage to do what you asked me. Infact, when I rigth-click on the line of pid-1368-svchost, the panel showed give me the possibility of choose one of theese: Set affinity; Set priority; Kill process; Kill process tree; Restart; Suspend; Debug; Create dump; Check virus total; Properties; Search online.
The list of the tasks under svchost is automatically shown when the mouse passes on the line, but there is not any way to do nothing, as you can not click on none of the lines shown. Furtherly, I supposed that it is just the list of the activities that 1368 can govern, as there is not any information about which of those is in execution at that moment. In any way, I could not cancel none of those. I can just cancel the whole pid-1368-svchost. I can not understand what happens after canceling it, as I do not loose all the processes it seems to govern, according to the list (on ithe contrary, it seems I do not loose anything else but sound-card use and something about keybord, that is switched on "IT" - I suppose it stands for "Italy"). Surely, I can fully use my processor, after killing 1368.T
hanks in advance for any other suggestios.
Friendly,
Sir Oliver

 

did you see my second reply??

when you right click you will see properties, choose , and within that dialog box you will see many tabs that give a lot of information, please check these to see if you can get it to be more clear info on the program, and also it would also be good to uninstall and reinstall your sound card and check your keyboard settings, as these seem to be the only items affected.

Have any errors come up in event viewer??
start/control panel/administrative tools/event viewer

 

Hallo, Elisabeth.

To start, I have a news:
The svchost that steals 50% of my processor time, which at least for the last weeks, before I started this thread, has always been associated with PID 1368, now appears associated with PID 1380 or 1376.
I do not know if it means something, and – in case – what it means
I just refer it.

Besides, after after right clicking on the line of the svchost, and choosen “properties”, I have read the panels shown; I do not know what are the meanings of the various things written in the columns. I can just say that the number of TID is always different, but the programs listed in the column “threads” start with wuaweng.dll and mtkmlpa.exe.

To finish, even if the PID is different, the services listed in the apposit panel are always the same: Audio Servica, Browser, Crypt Services, Client DHCP and so on (more than 50. The one that sounds a little like wuaweng is “wauser” = automatic windows updating .

In the panel “Remote addresses” are listed two UDPs: the firs is denominated “localhost:ntp”, the second “MSI-9621470e81.lan:ntp” (which sound as my pc, because it is an MSI one.

On the panel Disc and network there are not reading or writig from/on the hard disk.

When I cancel the svchost, even if thePID number hs changed, the results are the same I told you before: sound card disabled and “IT” on the activities bottom bar.

Thank you for any other indication/suggestion.

Sir Oliver

P.S.: I did not catch if there is, on this forum, the possibility of attach any screen-shot. Till now, it seems there is only the possibility of link some URL, but not of attach files of pictures. Can you tell me more about it?

Thank you very much

 

Ntkrnlpa.exe is an integral part of windows core, from my researching have also seemed as if the drive could be going bad

have you done a drive check with either chkdsk with the /r parameter or with the disc check program from you drive's manufacturer? you need to do these things

========================

look next to the post reply button down on the right

 

Hallo Elizabeth.
I am not so skilled as you are about basic software and xp. I can only note that, until I cancel "that" svchost, even if it steals 48-50% of my processor, the sound card works regularly. So I can not think the driver is going bad (if you refer to the sound card driver).
Now i'll run the drive check.
I'll write a new post as soon as I have the result, I hope very fast.
Sir Oliver

 

I was referring to the hard drive, for the disc check and also if the sound card works fine otherwise than no I do not think the driver is bad, it is just used in that particular svchost. For example there is one that goes to 100% cpu on my pc when I use auto updates and if I cancel that process, then I lose my firewall and have to restart the pc.

 

Here I am.
It has lasted a lot of time....
No disk troubles or damages have deen detected by chkdsk, neither "/f" nor "/r".
--
An aspect that is caming out in theese last days is that, 8 out of 10 times I have booted the pc, an "avira" antivirus warning appears to tell me that "C:\System volume information\.....\A9303509.dll containing the model of TR/Trash.gen has been disabled and put in isolation". After I quit this warning, starts a "Luke filewalker" (I suppoe an extra check by the "Avira" suite), and I can't use the pc for the next 10 minutes!.
This do not happens always, everytime, but just 7-8 times out of 10.
--
As regards to the sound car driver, could you tell me what else I can do and how ? I'm pleased about things I learnt talking with you, but the only thing I can do now with "that" svchost is to cancel it. I can't tell how to cancel just the part that refers to the sound card driver.

Thank you for every other tip.
To the next.

Sir Oliver

 

I must post a "P.S." just two hours after.
Now, the "Avira" antivirus warnings appear also during the time I use pc, not just after booting it. The number of -dll is different, increasing, but the avoided-attempt is always the same I told in the previous post (TR/Trash.Gen).
I wander (and ask you, if you can recognize it) what or who is trying to run that model and that .dll, what it means, ecc.
Now, I will cancel "that" svchost, and watch if the "Avira" warnings occurs also with "that" svchost, or not. I hpe this can help us to understaend if the two troubles are linked.
Bye, and thank you for your patience.
Sir Oliver

 

does your antivirus Avira still support xp??

Go to start/ right click on My Computer/ choose properties/ under the system restore tab, click the box that says turn off system restore, (this will erase all system restore points) find where avira has it's quarantine and delete all that is in there, then reboot the pc

if you wish you can turn the system restore back on

how much free space do you have?

run your defragmenter, it will probably take awhile depending on the percentage of fragmentation.

go to start/run/ type in msconfig/ under the startup tab what do you have that comes on with the PC?

please answer all questions and tell my what happens when you perform the above steps.

 

Hallo.
I try to answer in the order you asked.
1. does your antivirus Avira still support xp??
Answer: I really do not know, and I do not know who may I ask to, as avira does not give any way to contact.
2. Go to start/ right click on My Computer/ choose properties/ under the system restore tab, click the box that says turn off system restore, (this will erase all system restore points) find where avira has it's quarantine and delete all that is in there, then reboot the pc
Answer: it is impossible for me to do things just as you wrote, as it seems that my version of xp looks rather different from your one. I have not "My Computer" where to right click ecc., I just have something that can be translated as "Computer resources" that can't be right clicked, and in any case does not show any tab with "Properties". No one of the tabs (or, as I say, panels) looks like "system restore". So I could not follow your tip. Sorry about this. Can you tell me another way ?
3. how much free space do you have?
Answer: My hard disk is splitten into two different virtual ones, indicated as "C" and "D" - "C" has a capacity of 78 GB, and 16 GB are still free; "D" has a capacity of 68 BG, and 62GB are free.
4. run your defragmenter,
Answer: I have run defrag. "C" really needed to be defragmented. Now it looks good.
5. go to start/run/ type in msconfig/ under the startup tab what do you have that comes on with the PC?
Answer: I have done it. I have a long list of programs that are started just after boot. Unfortunately, there is not the possibility of copy and past on this message. So I just could tell you some of those names. I gave a glance, but I do not know what look for.
---
The avira warnings go on appearing also after killing "that" svchost, so I should think that they are two different things. In any case, I searched on the web about "Trash.Gen", and I discovered it is a Trojan used to steal personal information of the pc owner. I could understand why, till a little of days ago, I have never received.
It looks like the matter is getting more and more complicated.
I do hope I will not need to format again my pc: is a hard work for me, as I am not so skilled, and I have not the money to pay for tecnicians, as their cost is not less than buy an used pc.
--
Have you enough patience to go on helping me?
I hope so.
Bye.
Stefano

 

P.S.: I have just received an automatic email from Avira's support, that identifies that "Trash.Gen" as dangerous malware, and link it to a file that had been put into quarantine.as "zip/A0303520.exe". Unfortunately, I am not able to know WHEN this happened, and WHAT was this zip file.

 

disable system restore:

start/control panel/ system , this will open up the properties of my computer and the system restore tab is there.
-----------------------
https://www.avira.com/en/support-product-lifecycle

according to the above , avira does not support xp, are you using the paid version or the free version??
-------------------

are you on 64bit or 32bit xp?? home or professional or MCE??
---------------

I would uninstall Avira, using their removal tool:

https://www.avira.com/en/support-download-avira-antivir-removal-tool/

(if it is the free version if not you need to contact the customer support section for help in dealing with a virus)
Then I would in stall the free version of 360 Total Security , and install it offline so that you are not vulnerable to non protection

https://www.360totalsecurity.com/en/

right under the download button is a white line of type saying offline installer, choose this and then disconnect from the internet after download is finished
then uninstall avira
then reboot
install 360
reboot and then run a full scan, rebooting as necessary all before you connect to the internet
--------------

https://www.malwarebytes.com/

I would also download (once you are back online with an active antivirus)
the free version of malwarebytes 3 and run a full scan , this will be lengthy as it will download the database first, and then scan, afterwards you can uninstall it but it is always good to have an extra malware scanner as an on demand scanner.

-----------------

In my msconfig I have 2 items only, my antivirus and ERUNT which I use instead of system restore as it will generate less space used and I have it set up to activate every time I restart to get a new picture of the registry.

------------------

anything in quarantine you do not have to worry about, but since it is a system restore file, that is why I want to have system restore shut down and all points wiped clean. A zip file is a compressed file to save space.

------------------

couple of questions asked above, let me know the answers and let me know about Avira, and the results of the scans

you can take a screenshot of your msconfig list OR do the following:

Start > Programs > Accessories > System Tools > System Information. From there, click on the plus sign next to Software Environment in the left-hand pane. There should be a Startup Programs entry. Click on that, and after a bit your startup programs will list, THEN go to edit, select all, edit, copy, and then open Notepad ( from start, programs, notepad) and then right click inside the text area of notepad and choose paste, this will copy the list to notepad OR you can open a reply box here at this forum and right click in the reply box and choose paste.

as I pointed out in my earlier reply you can copy and paste and also upload a file or an image, look to the right of the Post Reply button for these options.

 

I will start answering to some of your questions.
1. I use Avira free version.
2. This pc is a 32bit one, and the O.S. is a regular XP Pro, SP 3
3. I know what a zip file is, but with just the name "zip", I can't get what zip file ifected my pc (if this is the reason of the TR/Trash.Gen warnings; I do not think this is, in any case, the cause of "svchost PID 1368". But I am not an expert, my opinion worths so little...).
--
So, now i am going to execute all your tips, step by step.
I hope the pc will regularly start again after each one, as I am always worried about this kind of operations.
In any case, before starting, I will copy onmy external hard disk all my files, starting from the works I have recently changed.
So, please, give me a little more time.
Iìll write a new post as soon as I have something new.
For the moment, I want to thank you by the heart, for you kindness, patience and disponibility.
Thank you very much indeed, and...
To the next time.
Bye,
Sir Oliver