scvhost.exe using up 50-99% cpu power

nanothegreat

Junior Member
Nov 8, 2003
4
0
0
I'm running a MSI k7n2 delta with an AMD athlon 1ghz proc. and 256 megs of ram. I'm running windows XP sp1 and am using the onboard nic to connect to my external dsl modem. I'm also using intel networking cards and anypoint software to allow another computer running win98 to access the internet. The problem is that svchost.exe (system version) is constantly using up 50-99% of the cpu power. Even when I'm just surfing the web the cpu is running at 100%. Anyone have any ideas on how to fix this? I tried a virus scan and found nothing and have downloaded and installed the latest MSI drivers. I also ran ad aware and deleted all the extra cookies it found, but it had no effect. Thanks for all the help!
 

Megatomic

Lifer
Nov 9, 2000
20,127
6
81
Are you certain that it's svchost.exe and not scvhost.exe and/or svhost1.exe that is consuming your CPU cycles? I recently fixed one of my coworker's home computers that was infected by the Welchia worm and that's how I found it (scvhost.exe and svhost1.exe running and seen in Task Manager taking from 60% to 99% of the CPU).
 

Abzstrak

Platinum Member
Mar 11, 2000
2,450
0
0
sounds like a worm to me.... what antivirus are you using? is it up to date?
 

Neverrain

Junior Member
Oct 29, 2003
15
0
0
Originally posted by: blcjr
Read this.
Question, if he does tasklist /m and posts what's running for the svchost will that help in figuring out why it's raping his resources? (I care because it's my brother). I mean, unless I'm missing something big, which is possible, that article just describes the svchost but I'm pretty sure that most people could read that and smile but still have no idea how to fix their problem?
 

blcjr

Golden Member
Oct 28, 1999
1,010
0
0
Originally posted by: Neverrain
Originally posted by: blcjr
Read this.
Question, if he does tasklist /m and posts what's running for the svchost will that help in figuring out why it's raping his resources? (I care because it's my brother). I mean, unless I'm missing something big, which is possible, that article just describes the svchost but I'm pretty sure that most people could read that and smile but still have no idea how to fix their problem?

The article doesn't just describe svchost, but also describes a utility that will list the services that svchost is hosting. I would think this would help in identifying the services using up the cpu cycles.

 

Megatomic

Lifer
Nov 9, 2000
20,127
6
81
Well, did anyone verify that the listings in the task manager are truly svchost.exe and not some slightly misnamed variant like scvhost.exe or svhost1.exe? I'm telling you, the guy who I helped out is not a n00b and the names of those worms were soooo close to svchost.exe that he thought he was seeing svchost.exe.

Check it, this does sound like a worm if not the same worm I found.
 

Neverrain

Junior Member
Oct 29, 2003
15
0
0
Sorry, I had just clicked through to the XP page seeing as he's on XP. So the normal tlist -s shows all the services that svchost is hosting, and then doing tlist [pid] shows all the .DLLs that it's using. Is there a way to break that up into which service is using up the cycles? Or will it be pretty obvious if there's something out of place? I mean I see the list, but really have no idea what to do with it. Can you or someone post a guide or a suggestion on what to do to find out which services are eating the CPU and how to get rid of them?
 

straubs

Senior member
Jan 31, 2001
908
0
0
1. Is it in all caps? If so, you got yourself a virus! MS never names files in all caps...in 2k or XP at least.

2. Is it running from the folder C:\windows\system32\wins? Just browse to this folder and look. If so, you got yourself a virus! (and most likely it is Nachi or Welchia)

3. Go HERE and download Process Explorer. This is a small, free program with no install, that basically is a more advanced Task Manager. It will show you the path to the file for each process currently running. This is very helpful when checking for spyware or viruses.
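
Added example, not part of the original thread or any poster's code: the name and path checks discussed above (lookalike names such as scvhost.exe and svhost1.exe, and a copy running from system32\wins) written as detection logic over a process listing. The sample listing, its PIDs, the edit-distance threshold of 2 and the assumed install directory C:\WINDOWS\system32 are constructed for illustration.

```python
import ntpath

LEGIT_NAME = "svchost.exe"
# Assumption: default XP install; the genuine binary runs only from here.
LEGIT_DIR = r"c:\windows\system32"

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return 'ok', 'wrong-path', 'lookalike-name' or 'unrelated'."""
    # ntpath handles Windows paths on any OS and folds '/' into '\'.
    path = ntpath.normpath(image_path).lower()
    directory, name = ntpath.split(path)
    if name == LEGIT_NAME:
        # Right name, wrong folder (e.g. system32\wins) is the masquerade.
        return "ok" if directory == LEGIT_DIR else "wrong-path"
    if levenshtein(name, LEGIT_NAME) <= 2:
        # Near-miss spelling that reads as svchost.exe at a glance.
        return "lookalike-name"
    return "unrelated"

def suspicious(processes):
    """processes: iterable of (pid, image_path); returns flagged entries."""
    return [(pid, path, verdict) for pid, path in processes
            if (verdict := classify(path)) in ("lookalike-name", "wrong-path")]

# Constructed sample listing (PIDs and paths invented for the example).
SAMPLE = [
    (812, r"C:\WINDOWS\system32\svchost.exe"),
    (1040, "C:/WINDOWS/system32/svchost.exe"),
    (1356, r"C:\WINDOWS\system32\scvhost.exe"),
    (1412, r"C:\WINDOWS\system32\svhost1.exe"),
    (1500, r"C:\WINDOWS\system32\wins\svchost.exe"),
    (1620, r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path, verdict in suspicious(SAMPLE):
        print(f"{pid:>5}  {verdict:<15} {path}")
```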
 

Neverrain

Junior Member
Oct 29, 2003
15
0
0
Thanks for the reply. There's a .pdf file at www.blackviper.com that lists services and tells which process they run under. Hopefully he can play around with those and cut down the cpu rapage ;)
 

straubs

Senior member
Jan 31, 2001
908
0
0
Looking at his original question, it doesn't matter what services he disables. The "real" svchost.exe should never continuously use that amount of processor time. Disabling services is good too, but that's answering another question.

I'm still betting it's a virus as this is exactly the main symptom I look for when diagnosing nachi and welchia virus problems. I'm sure there are others that do this as well, but those two have been causing the most problems lately.
 

KF

Golden Member
Dec 3, 1999
1,371
0
0
>I'm still betting it's a virus as this is exactly the main symptom I look for
> when diagnosing nachi and welchia virus problems.

Not much doubt really, is there? All that CPU time is probably spent sending packets on the Internet looking for open ports to infiltrate.

Good thing about Welchia is it deletes Blaster. All Welchia does, besides get itself on other computers, is delete Blaster. It's kind of like the polio vaccine that is a virus itself, but protects you against polio.

They could put the freeware Zone Alarm firewall on the computer, and it should tell about all the sending going on.
 

nanothegreat

Junior Member
Nov 8, 2003
4
0
0
There are currently 4 svchost.exe's running. They are all named svchost.exe, exactly like that, no caps, no different spellings. 2 run under the username SYSTEM, 1 under LOCAL SERVICE, and 1 under NETWORK SERVICE. One of the ones running under system is causing the problems. All are running from the path C:/WINDOWS/system32. The svchost.exe in question is running a crapload of things in the tasklist. The others are running between 1 and 6 services, but this one is running 31.
 

straubs

Senior member
Jan 31, 2001
908
0
0
Originally posted by: nanothegreat
There are currently 4 svchost.exe's running. They are all named svchost.exe, exactly like that, no caps, no different spellings. 2 run under the username SYSTEM, 1 under LOCAL SERVICE, and 1 under NETWORK SERVICE. One of the ones running under system is causing the problems. All are running from the path C:/WINDOWS/system32. The svchost.exe in question is running a crapload of things in the tasklist. The others are running between 1 and 6 services, but this one is running 31.

That looks normal so far... What are the 31 processes listed under that one?
Are any of them cmd.exe?

I'm guessing you used process explorer to see that much detail. Is there any chance you could post a screenshot of that?

If this isn't a virus, then I'm becoming more interested in what it is. :)
 

nanothegreat

Junior Member
Nov 8, 2003
4
0
0
The 31 services are: AudioSrv, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatability, helpsvc, lanmanserver, Netman, Nla, RasAuto, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Termservice, Themes, TrkWks, uploadmgr, W32Time, winmgmt, WmdmPmSp, wuauserv, and WZCSVC.
 

dml54

Member
Sep 25, 2003
139
0
0
I had the same problem with it using 80 to 100% CPU usage just a week ago. PC-Cillin 2003, AVG 6.0, and Norton Antivirus 2002 couldn't find it after the virus pattern files were updated, so I used Norton Antivirus 2004 Pro trial version and it found two worms/viral infections as they were called, so I then went to the Symantec site and used the utilities to remove the specific virus. I still think he has a virus.
 

straubs

Senior member
Jan 31, 2001
908
0
0
I don't have access to my XP machine to check those processes (and this one is very locked down) so I'll have to look later.

Some more questions:

1. What product and version did you use to scan for viruses? Also, I assume it was updated to the very latest virus definitions just before scanning?

2. It seems you are connected directly to your DSL modem. Do you run a software firewall? Quite simply, you must either have a hardware firewall (usually in the form of a router for a home user) or run a software firewall if you are connecting directly to a broadband modem. If you don't, it's only a matter of time before you get a virus or hacked, as we learned with the Windows RPC flaws. Which brings me to...

3. "I'm also using intel networking cards and anypoint software to allow another computer running win98 to access the internet"
Does this mean you have TWO network cards in your current computer? Out of curiosity, why didn't you buy a cable/dsl router for this purpose?

4. Do you know how to use "msconfig" and/or the registry?

5. It would be easier for us to diagnose your problem if you download HijackThis so you can post the details of your current configuration. It lists a whole bunch of useful things. This might prove to be more useful in this scenario than Process Explorer.
 

Neverrain

Junior Member
Oct 29, 2003
15
0
0
1. Like I said above, I sent him to the Symantec web scanner. I'll tell him to try the NA2004Pro trial when I see him online.

2. No, no firewall or anything. He just got XP on it last week and it started right away. Yes, we realize the no firewall problem. We'll worry about that once we get the svhost figured out.

3. No, he has one. The anypoint cards are only able to talk to each other and use a normal phone line to do so. We used them because while yes, a router and two network cards would be better, etc., we bought the Anypoints a while ago and the computer that's having the svhost is a new one my parents just bought. Because of that, now's not really the time to ask for even more money to buy the router etc. And yes I know it's safer, etc. but life is life and now's definitely not the time ;)

4. Anything regarding msconfig or the registry he needs help with I can help him with.

I think it's time to get the Scoobie crew
 

straubs

Senior member
Jan 31, 2001
908
0
0
Sorry, I missed where you said you were his brother :)


Originally posted by: Neverrain
1. Like I said above, I sent him to the Symantec web scanner. I'll tell him to try the NA2004Pro trial when I see him online.

What *did* he try already? I'm just curious...

2. No, no firewall or anything. He just got XP on it last week and it started right away. Yes, we realize the no firewall problem. We'll worry about that once we get the svhost figured out.

OK, I see. :) That could be directly related. I've seen new computers get infected before logging in the first time on our network here. Now I tend to put the RPC patch on first, then connect it to the network. :p

3. No, he has one. The anypoint cards are only able to talk to each other and use a normal phone line to do so. We used them because while yes, a router and two network cards would be better, etc., we bought the Anypoints a while ago and the computer that's having the svhost is a new one my parents just bought. Because of that, now's not really the time to ask for even more money to buy the router etc. And yes I know it's safer, etc. but life is life and now's definitely not the time ;)

Understood.

4. Anything regarding msconfig or the registry he needs help with I can help him with.

Good deal.

So you guys already went through the startup list to disable unneeded things, right? I would just use msconfig to do that. Just uncheck all the crap (at least at first) to see if it gets better after rebooting.

Did you look in the C:\windows\system32\wins directory? I don't think you answered that one. The directory should be there, but empty.

Have you gone through the service list in services.msc (from run box) and stopped everything you don't need? By that, I don't mean stopping everything under the sun, as a lot of it is needed for windows to function, but using a list like the one at blackviper.com.
 

straubs

Senior member
Jan 31, 2001
908
0
0
Oh yeah, this is so obvious that I didn't ask.

You did install all the critical updates, right? Not just SP1.