Rampent Processes

[darkforce898]

Info:
64-Bit Processor
Windows XP 64 Bit Edition


During normal operations of my computer, when I look at the Task Manager, I notice that I have multiple copies of multiple processes running. Some of them are have a *32 after the second process (or both); which I am guessing is the 32 Bit compliant version of that process. But some of them are exactly the same.

Two with *32:
Apache.exe
CLI.exe

Doubled, On With *32:
ctfmon.exe
rundll.exe

Six Occurances:
svchost.exe

The memory usage of these processes ranges from 3,000 K to 50,000 K. I have looked into why my svchost.exe would multiple so many times, but I have been unable to find a solution. It is not located anyplace on my computer other than:
C:\WINDOWS\system32
and
C:\WINDOWS\SysWOW64
so i do not think it is a virus or spyware. I have run avast! and trendmicro and do not get any hits.

On thing i do notice though is that when i go into command promt and type "tasklist /svc" i get "ERROR: An internal error occurred."

I can post a HiJack This log if needed. Any help would be greatly appreciated.

[DynamicTech]

are the processes causing any system instability? I don't see anything here that is suspicious, other than the sysWOW64 dir (i haven't run across it before, but that does not mean it's evil). If all the occurances of svchost.exe are spelled
svchost.exe and not scvhost.exe, you are fine. There is always multiple occurances of this running. If your system is running slow, feed it some RAM and make sure you have plenty of storage. You'll need it running a web server. The *32 most likely denotes 32 bit apps.

[GaryRouth]

Hi darkforce898

The tasklist /svc usually works well in WinXP Pro systems, but not in the Home version - and evidently it's not so great in your 64-bit version. SysInternals has a nifty little utility (actually, they have many - poke around their site for several handy tools) called "Process Explorer" that can help you see and control exactly what's running and when. The latest version, 10.05, comes in a 64-bit version that is compatible not only with 64-bit XP, but also with the versions of Vista released so far.

If you want to review the background information for svchost, I've pasted the link below for Microsoft's little blurb on that.
http://support.microsoft.com/?kbid=314056

SysInternals' Process Explorer
http://www.sysinternals.com/Utilitie...sExplorer.html
_______________
Cli.exe = is from your ATi video card (the "C" is for "Catalyst", I believe).

Apache.exe = I can see that two of these would be a somewhat heavy overhead, since it's the Windows version of the Apache server. If you aren't running a server, you'll need to get into your startups & figure out how it's loading. Along with the information Process Explorer gives you, you might also find their utility "Autoruns" helpful - this can help you sort the processes starting up each time your system starts http://www.sysinternals.com/Utilities/Autoruns.html
Of course, so can a good look through XP's built-in msconfig, but as you can see, the SysInternals utility provides more details. The recent version of Autoruns is also Windows XP 64-bit compatible.
_________________
Ctf.mon - is from Microsoft Office applications. Here's the MS Faqs page for the Office 2002 version http://support.microsoft.com/kb/q282599/ There are versions of this process in Office XP too. Process Explorer can help you determine if the versions you have running are legitimate programs, or malware (the malware usually starts from a different folder than the legit file). Here's an example of various users feedback on ctfmon http://www.neuber.com/taskmanager/pr...tfmon.exe.html

rundll.exe - I'm not sure about 64-bit XP, but it's not supposed to run in WinNT/2000/XP/2003. [rundll32.exe does appear in the NT-kernel Windows versions]. It's presence should always be investigated with thorough scanning (& when malware - removal). Here's sysinfo.org's info page http://www.sysinfo.org/startuplist.p...ter=rundll.exe
___________________

By all means, run thorough malware scans as soon as possible. Use any online scans as a follow-up (you'll have to check for 64-bit compatibility).

Then you can enjoy the handy utilities to keep your system tuned just right afterwards.

Best of luck
. . . Gary

... and, since this is your first post here - Welcome to the PC Mechanic forums.

[late edit -- sorry, I missed explaining one of your processes on the list: sysWOW64 intercepts read or write calls to \Windows\system32 and redirects them to \Windows\sysWOW64 -- it is for backward compatibility (in order to run 32bit programs in 64bit Windows). This is very similiar to the scheme used to run 16-bit programs under 32-bit Windows. ]