
Dell Laptop Fubared!!!! HELP!!!! SVCHOST.EXE @ 99% CPU USAGE!!!!


SLippe
03-30-07, 06:29 AM
Okay, so this guy here at work gives me his Dell Laptop to "clean". It was shutting off and getting BSOD. I fixed the shutting down part by simply cleaning the little HSF in the back right. It was clogged with dust and overheating. Now, here comes the fun part...

He has a C: and E: partition only and both are full. So, I can't add anything to it without him first backing-up or deleting his own files. Ad-Aware SE ran OK and Spy-Bot S@D ran OK. Both finding stuff, but nothing major. However, he did have a Trojan that AVG found, but only one time. After cleaning that file, the real fun began. I can't get it to connect to my Cable Modem for nothing! It shows packets going out, but nothing coming in. I even manually typed in the DNS Server and IP, etc. Nothing. Also, there was a SVCHOST.EXE eating up about 99% of the CPU causing AVG to scan snail-slow, I mean slow! I got it taken care of, but then another SVCHOST.EXE started and it too is running at 99% CPU. I can't really do anything else at this point, as I gave up!

Any suggestion on how to get the damn SVCHOST.EXE to stop running? BTW, it even ran in SAFE MODE. I can't update anything without the internet connection, nor can I add anything to it, not that it needs anything, but still. Oh yeah, Diskeeper 2007 wouldn't even run to Defrag it. PHUCK!

PLEASE, ANY HELP WOULD BE APPRECIATED!!!!

buffbiff21
03-30-07, 07:27 AM
Try this:

http://i119.photobucket.com/albums/o148/buffbiff21/asdfsd.jpg

kill the process tree. if that does not work then it's some exotic spyware bs that your buddy got looking at pr0n.

911medic
03-30-07, 07:27 AM
svchost.exe problems can be tough...

It's possible that AVG misidentified something as a trojan (unless you recognized it). Can you do a system restore back to before you deleted the trojan? Then you can confirm with a second or third program before deleting the trojan.

You could also try a different virus scanner or two, if you can connect (or maybe install from a thumbdrive).

You could also go into Services and manually go through them and find which ones are running under svchost.exe. Try disabling them one by one until your problem goes away. I think there are up to a half dozen or so that can run under that service name.

Good luck!

evilghost
03-30-07, 08:19 AM
It's highly likely, almost 100% likely, that SVCHOST.exe is not the Windows Generic Host Process service and is instead a compromised executable. See if SVCHOST.exe is running under the username instead of System, this likely indicates it's a rogue. You should be able to easily terminate the process using pskill.exe or Task Manager; killing NT Service Spawned SVCHOST executables should return "Access Denied".

If the machine had a Trojan it's likely already root-kitted or compromised. I'd look at doing a full rebuild since the modern root-kits for Win32 are almost undetectable by any normal means (ADS stream scanning, Virus scan, malware scan, etc).

You could have rogue services installed as a result of the trojan. 99% CPU sounds like malware trying to seed itself across a network connection. Get Process Explorer and isolate the 99% CPU svchost.exe process and find the full path to the executable, see if it's in a different location than %WINDIR%\System32. Also, you could run a Unix "Strings" on it to see if it's UPX packed (indicating malware) or if there are possibly other hostile strings. An MD5 sum of the questionable binary compared to a known-good binary would also prove effective.

Also see what you have running in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Process Explorer:
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx

PSKill:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/PsKill.mspx

Filemon:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Filemon.mspx
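
The checks evilghost lists (owning account, image path versus %WINDIR%\System32, UPX markers, MD5 against a known-good copy) combined into one triage pass, as an added example that is not part of the original thread. The process records, byte strings and the `triage_svchost` / `looks_upx_packed` names are constructed for illustration, and the list of service accounts is an assumption added here (the post only names "System").

```python
import hashlib
import ntpath

# Accounts the genuine service host runs under on XP-era Windows (assumption
# added here; the post only names "System").
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names / magic left by UPX

def looks_upx_packed(image: bytes) -> bool:
    """Equivalent of eyeballing `strings` output for UPX markers."""
    return any(m in image for m in UPX_MARKERS)

def triage_svchost(procs, windir, known_good_md5):
    """Return {pid: [reasons]} for svchost.exe processes that fail a check."""
    expected_dir = ntpath.normcase(ntpath.join(windir, "System32"))
    findings = {}
    for p in procs:
        if ntpath.basename(p["path"]).lower() != "svchost.exe":
            continue
        reasons = []
        if ntpath.normcase(ntpath.dirname(p["path"])) != expected_dir:
            reasons.append("path outside System32")
        if p["user"].split("\\")[-1].upper() not in SERVICE_ACCOUNTS:
            reasons.append("runs as interactive user")
        if hashlib.md5(p["image"]).hexdigest() != known_good_md5:
            reasons.append("MD5 differs from known-good")
        if looks_upx_packed(p["image"]):
            reasons.append("UPX markers present")
        if reasons:
            findings[p["pid"]] = reasons
    return findings

# Constructed sample data: stand-in bytes, not real binaries.
GOOD_IMAGE = b"MZ\x90\x00 constructed stand-in for the clean svchost.exe"
PACKED_IMAGE = b"MZ\x90\x00 UPX0\x00\x00 UPX1\x00\x00 constructed stand-in UPX!"
KNOWN_GOOD_MD5 = hashlib.md5(GOOD_IMAGE).hexdigest()
SAMPLE_PROCS = [
    {"pid": 812, "user": "NT AUTHORITY\\SYSTEM",
     "path": r"C:\WINDOWS\system32\svchost.exe", "image": GOOD_IMAGE},
    {"pid": 1044, "user": "NT AUTHORITY\\NETWORK SERVICE",
     "path": r"C:\Windows\System32\svchost.exe", "image": GOOD_IMAGE},
    {"pid": 2960, "user": "LAPTOP\\owner",
     "path": r"C:\WINDOWS\svchost.exe", "image": PACKED_IMAGE},
]

if __name__ == "__main__":
    for pid, why in triage_svchost(SAMPLE_PROCS, r"C:\WINDOWS", KNOWN_GOOD_MD5).items():
        print(pid, "; ".join(why))
```

On a live machine the records would come from Process Explorer's path and user columns, and the known-good MD5 from a clean install of the same Windows build and service pack.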

Bman212121
03-30-07, 01:11 PM
Yea, that definitely sounds like the virus SVCHOST. (Since you stated he had a trojan) It is also possible that it is not a virus, as windows updates use the svchost to get their updates. I just had to deal with this at work because we had several machines with both processor cores pegged at 100%. There is a hotfix out to solve the problem.

http://support.microsoft.com/kb/932494/en-us

http://support.microsoft.com/kb/927891/

The second link has the file to download. I actually had to put it onto a thumb drive and boot into safe mode to put it onto the computer because it was unresponsive. After I applied the fix it was happy again.

ViN86
03-30-07, 02:53 PM
mine does it sometime, but i just let it go and it usually stops. itll be at 99% CPU usage (have no idea why, it only happens on my laptop). then i just let it go and it falls back down and idles eventually.

maybe theres something wrong with laptops and XP or theres something wrong with our PC's :confused:

SLippe
03-30-07, 10:31 PM
Okay, thanks, fellas. I'll try some of those progs out this weekend.

mullet
03-31-07, 01:07 AM
God that av is so sooooooo distracting. :wonder:

Bman212121
03-31-07, 01:09 AM
mine does it sometime, but i just let it go and it usually stops. itll be at 99% CPU usage (have no idea why, it only happens on my laptop). then i just let it go and it falls back down and idles eventually.

maybe theres something wrong with laptops and XP or theres something wrong with our PC's :confused:


Look at the post right above yours, do you have windows updates set to automatically check for new updates? That could easily be the cause as to why it is using all of the cpu time when it is getting new updates.

t3hl33td4rg0n
03-31-07, 01:45 AM
When I worked in a computer shop about 2 years ago, I remember getting several PC's infected and having the same symptoms... The 3 big viruses during that time were Sasser, Blaster, and Sky something.

Oh, and get rid of AVG, it's incompetent... Grab something better like F-Prot or CA E-Trust

evilghost
03-31-07, 02:44 PM
Oh, and get rid of Windows XP, it's incompetent... Grab something better like Ubuntu or Fedora Core ;)

LORD-eX-Bu
03-31-07, 02:58 PM
just remove the NB hard drive and hook it up to another computer, from there scan it and clean it. Meh, thats what I did anyways:D

t3hl33td4rg0n
04-01-07, 02:51 AM
Oh, and get rid of Windows XP, it's incompetent... Grab something better like Ubuntu or Fedora Core ;)

RedHat changed the name... It's just Fedora now... Well, it will be in 7 when it's out ;) :captnkill:

BronzeGod
04-01-07, 09:14 AM
Reformat is teh key!

ViN86
04-01-07, 01:54 PM
Look at the post right above yours, do you have windows updates set to automatically check for new updates? That could easily be the cause as to why it is using all of the cpu time when it is getting new updates.
yes, i read it. i do have automatic updates on. but i dont get errors as described in the windows site. instead, the updates finish and it goes away.

it doesnt bother me, so i just leave it.

-Aerows-
04-02-07, 11:23 PM
RedHat changed the name... It's just Fedora now... Well, it will be in 7 when it's out ;) :captnkill:

Ubuntu Beta 7.04 is pretty sweet. Works great under VMWare.

evilghost
04-03-07, 07:40 AM
Ubuntu Beta 7.04 is pretty sweet. Works great under VMWare.

Agree, I love "Angry Deer" too, using it at home on my laptop and at work on my work machine. Wife is still on Edgy Eft and my server is still on Dapper Drake.

nekrosoft13
04-03-07, 07:49 AM
had that once in one PC i was fixing.

svchost.exe in fact wasn't what it appeared. computer was fine offline, once it detected network connection it was sending thousands of e-mails per minute.