Run-away svchost.exe process - trojan?

Status
Not open for further replies.

SlimPick

Technical User
Dec 19, 2003
4
US
Greetings. This site looks like a great source of info. Hope someone can help me. I have a svchost process consuming 99% of my CPU. Needless to say, this is killing everything else. I've run HijackThis and AVG AV software. I recognize all entries in HJT output. AVG passes clean. No weird entries in the registry/Run key. TFAK and TDS trojan hunters show nothing. Any ideas on another course of action (besides reformat/re-install!)? Thanks, in advance. Regards, Slim
 
I don't know a specific answer to your question; two general comments:
A program called cwshredder helps some with problem entries - from the same place HijackThis comes from


pestpatrol has an on-line scan - it's kind of a leader for their product; it will identify stuff, but you have to then buy the product to fix it. But if it would happen to identify something for you, that might give you an idea for a next step.
 
I appreciate the prompt response, Diogenes10. I ran the scanner which turned up a bunch of spyware cookies but no proggies or anything else to explain the 99% cpu usage of svchost.exe. I'm still trying to get a handle on it. What say ye all? - Slim
 
I've run into this before. It was a conflict with another program (Clean Slate, a poor lockdown tool), but others may do the same thing.
Have you tried closing other programs one at a time (from task manager) to see if it drops back to normal 0%?

 
Hi!

For Windows XP, use the CMD prompt and
TASKLIST /SVC
to see what's running under the SVCHOST sessions.
[tt]
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     596 N/A
csrss.exe                   1044 N/A
winlogon.exe                1068 N/A
services.exe                1116 Eventlog, PlugPlay
lsass.exe                   1128 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                 1296 RpcSs
svchost.exe                 1456 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman,
                                 Nla, RasMan, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 TapiSrv, TermService, Themes, TrkWks,
                                 uploadmgr, W32Time, winmgmt, WZCSVC
svchost.exe                 1784 Dnscache
svchost.exe                 1796 Alerter, LmHosts, RemoteRegistry, WebClient
spoolsv.exe                 1956 Spooler
alg.exe                      260 ALG
avgserv.exe                  292 AvgServ
cvpnd.exe                    308 CVPND
GEARSEC.EXE                  672 GEARSecurity
nvsvc32.exe                  700 NVSvc
Explorer.EXE                1664 N/A
avgcc32.exe                 2188 N/A
MXOaldr.exe                 3964 N/A
MBM5.EXE                     336 N/A
CloneCDTray.exe             4028 N/A
iTouch.exe                  1424 N/A
sstray.exe                  3016 N/A
ctfmon.exe                  2208 N/A
sgmain.exe                  2820 N/A
sgbhp.exe                   3304 N/A
WISPTIS.EXE                 3332 N/A
svchost.exe                 2056 stisvc
csrss.exe                   1780 N/A
winlogon.exe                1968 N/A
Explorer.EXE                3848 N/A
avgcc32.exe                 2484 N/A
MXOaldr.exe                 3248 N/A
MBM5.EXE                    3824 N/A
CloneCDTray.exe              788 N/A
iTouch.exe                  2024 N/A
sstray.exe                   900 N/A
ctfmon.exe                   472 N/A
sgmain.exe                  1036 N/A
sgbhp.exe                   2140 N/A
iexplore.exe                1720 N/A
iexplore.exe                1820 N/A
iexplore.exe                2564 N/A
cmd.exe                     2204 N/A
tasklist.exe                3656 N/A
wmiprvse.exe                2636 N/A
[/tt]
syar
 
Don't mention it.
(It's easy to forget the easy stuff.)

I'm now working on my red nose as my holiday has started.

merrrry x-mss (sigh)
syar
 
Great responses all. I've run "tasklist /svc" (syar2k3) and see that the offending service is the dreaded RPCSS. I got the PID from Task Manager and "tasklist /m" shows me the dlls for that service as follows: (service name - PID - dlls)
svchost.exe 1068 ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, rpcss.dll, msvcrt.dll, WS2_32.dll, WS2HELP.dll, USER32.dll, GDI32.dll, Secur32.dll, userenv.dll, mswsock.dll, sselsp.dll, wshtcpip.dll, wshisn.dll, WSOCK32.dll, DNSAPI.dll, iphlpapi.dll, winrnr.dll, WLDAP32.dll, rasadhlp.dll, CLBCATQ.DLL, ole32.dll, OLEAUT32.dll, COMRes.dll, VERSION.dll, uxtheme.dll
So... verify/replace these dlls with Micro$oft? Search my hard drive for them and delete if bogus? Any obvious trojans here? Let the good times roll. What do you all think? Regards, Slim
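
Added example (not part of any post in this thread): a small Python parser for the `tasklist /svc` table shown above, mapping the PID that Task Manager reports as the CPU hog to the services that svchost.exe instance hosts, including service lists wrapped over several lines. The sample rows are constructed from the thread's listing; the function names and the "serviceless svchost" heuristic are assumptions of this example.

```python
import re

def row(image, pid, services):
    """Format one line the way `tasklist /svc` lays out its table."""
    return f"{image:<25} {pid:>6} {services}"

# Constructed sample: values copied from the listing in the thread, re-aligned.
SAMPLE = "\n".join([
    row("Image Name", "PID", "Services"),
    "=" * 25 + " " + "=" * 6 + " " + "=" * 45,
    row("System Idle Process", 0, "N/A"),
    row("services.exe", 1116, "Eventlog, PlugPlay"),
    row("svchost.exe", 1296, "RpcSs"),
    row("svchost.exe", 1456, "AudioSrv, Browser, CryptSvc, Dhcp, dmserver,"),
    row("", "", "ERSvc, EventSystem,"),
    row("", "", "FastUserSwitchingCompatibility, helpsvc"),
    row("svchost.exe", 1784, "Dnscache"),
])

def parse_tasklist_svc(text):
    """Return [{'image', 'pid', 'services'}], joining wrapped service lists."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    # The ===== ruler gives the column boundaries; image names may contain spaces.
    (n0, n1), (p0, p1), (s0, _) = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    procs = []
    for line in lines[ruler + 1:]:
        pid = line[p0:p1].strip()
        svcs = [s.strip() for s in line[s0:].split(",") if s.strip() not in ("", "N/A")]
        if pid.isdigit():
            procs.append({"image": line[n0:n1].strip(), "pid": int(pid), "services": svcs})
        elif procs:  # no PID: continuation of the previous row's service list
            procs[-1]["services"].extend(svcs)
    return procs

def services_for_pid(procs, pid):
    """Services hosted by the PID that Task Manager shows as the CPU hog."""
    return next((p["services"] for p in procs if p["pid"] == pid), None)

def serviceless_svchosts(procs):
    """Heuristic (assumption): a svchost.exe hosting no service deserves a closer look."""
    return [p["pid"] for p in procs
            if p["image"].lower() == "svchost.exe" and not p["services"]]

if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    print(services_for_pid(procs, 1296))
    print(serviceless_svchosts(procs))
```

On a live machine, save the output of `tasklist /svc` to a text file and pass its contents to `parse_tasklist_svc`.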
 
I've got the same problem on a machine running XP Home, but it won't let me connect to the internet or network. Anyone got any suggestions?
 
housecall.trendmicro.com is a good call. I had to drop the bomb on the hard drive and rebuild. I've tried a few firewalls (Kerio and Tiny) but don't like the performance hit. Will have to decide on something. Case closed for me now. Thanks to all. Regards.
 
Hey, I am having the same problem as you. My processes are running 4 svchost.exe and one is using up 90% of my CPU. Can you please tell me how you solved this problem?
 
Hey noobish,

I'm having the same issue as you. My explorer.exe is using at least 90% CPU and the remaining 10% is used either by a svchost or system idle....

Have you had any luck on figuring out the culprit on yours??

 
I ran Norton (with latest vir def) and found nothing. I ran Ad Aware 6.0 and found maybe 3 things that I deleted and rebooted, yet I'm still getting the same issue. I tried ending as many processes as I could as well as fragmenting the hd and doing a disk cleanup....but I still get the same result.....100% CPU usage for 15 min or more while trying to open IE.

Ok...I also tried running Spyware Sweeper and Spyware Guardian as well. Although it found maybe 3 instances of adware in the registry, I am still having the same issues...Whenever I try to open IE, the CPU usage shoots to 100% for about 2-3 minutes then will open. This happens on any page I go to (even if I return to a previous page).


Does anyone have any ideas on what might be causing this hangup??
 
I gave up, and rebuilt my machine from the restore disc, works fine now. Just make sure you back all your data up first!
 