Polemic (New Zealand) asked:
svchost.exe using 100% of CPU

I have a PIII with 512Mb of RAM, running Windows XP Pro with SP2 installed. Antivirus protection is from Avast! Home Edition. Firewall is Zone Alarm (not pro) with the Internet security zone set to "High".

Spyware protection is from Spybot Search and Destroy and Spyware Baster. Trojan protection is Trojan Hunter Guard.

All the above utilities have both engines and definitions up-to-date. Most are set to update automatically where this is an option. None reported problems before or subsequent to the problem I am about to describe (including manually initiated scans with all the above utilities).

The PC connects to the Internet via a NetComm NB1300 Plus 4 modem/router, driven via Ethernet. The Ethernet board is a Realtek RTL8139/810x Family Fast Ethernet NIC. It has the latest drivers from Realtek. Realtek Diagnostics indicate that register access, eeprom access, loopback and link all pass. However, when I try to run Advanced Diagnostics in Initiator mode it responds “Responder not found” and similarly in Responder mode it responds “Initiator not found”.

LAN Connection properties have TCP/IP enabled, with IP and DNS addresses assigned automatically. Client for Microsoft Networks is enabled, but QoS Packets and File and Printer sharing are not. IEEE 802.1x authentication is enabled via “Smart Card or other Certificate”. I assume all these were set by the modem’s install program, since I did not set them myself. The LAN Address is assigned by DHCP.

This set-up worked okay for the past three months or so. Then I began to notice that the PC would slow down immediately on starting. Task Manager revealed that an instance of svchost.exe was using 90 to 100% of CPU.

Investigation with Process Explorer (www.sysinternals.com) showed that the problematic instance of svchost.exe was being used by the DNS service. If logged in as Administrator I am able to kill the process. This causes a disconnection from the net but this appears to re-establish itself and work normally. However, from time to time the problem will occur, resulting in a loss of function – usually at a crucial time. It also means that non-administrator users, who cannot kill the process, face using a slow PC which can’t go online and which eventually sounds an overheat alarm – which can’t be doing the CPU any good!

For the sake of clarity I have edited a netstat -a log and append this below. I have removed the “Foreign Address” column, which read 0.0.0.0:0 for every TCP instance and *:* for every UDP instance; and removed the “State” column which read LISTENING for every TCP instance and was blank for every UDP instance.


Proto Local Address PID
TCP 0.0.0.0:80 1736
TCP 0.0.0.0:135 796
TCP 0.0.0.0:445 4
TCP 0.0.0.0:1027 1560
TCP 0.0.0.0:2522 1560
TCP 0.0.0.0:2901 1560
TCP 0.0.0.0:8103 1560
TCP 0.0.0.0:8500 1560
TCP 0.0.0.0:19997 1540
TCP 0.0.0.0:19998 1612
TCP 0.0.0.0:50300 1700
TCP 127.0.0.1:25 2504
TCP 127.0.0.1:110 2504
TCP 127.0.0.1:143 2504
TCP 127.0.0.1:1032 2748
TCP 211.27.201.49:139 4
UDP 0.0.0.0:445 4
UDP 0.0.0.0:500 548
UDP 0.0.0.0:4500 548
UDP 127.0.0.1:123 840
UDP 127.0.0.1:1446 784
UDP 127.0.0.1:1900 972
UDP 127.0.0.1:2233 3340
UDP 211.27.201.49:68 840
UDP 211.27.201.49:123 840
UDP 211.27.201.49:137 4
UDP 211.27.201.49:138 4
UDP 211.27.201.49:1900 972

HijackThis logfile for above

--------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:35:07 PM, on 23/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Tweak-XP Pro\AdBlocker.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\CFusionMX\runtime\bin\jrunsvc.exe
G:\CFusionMX\db\slserver52\bin\swagent.exe
G:\CFusionMX\runtime\bin\jrun.exe
G:\CFusionMX\db\slserver52\bin\swstrtr.exe
G:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
G:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "G:\Program Files\Tweak-XP Pro\AdBlocker.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE_5_0_1_7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - G:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - G:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - G:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

That's it. If there's any other information you require, ask and I'll do my best to find it.

Thanks for helping!
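The HijackThis log above already contains the clue the thread later converges on: two different directories for svchost.exe in "Running processes" and an O23 service whose image is a bare svchost.exe outside System32. The script below is an added example for this thread, not code anyone in it posted. It triages a HijackThis 1.99 log for exactly those patterns: a core Windows binary loading from somewhere other than System32, an O23 entry marked "(file missing)", and an O23 entry that launches svchost.exe without a `-k <group>` argument. The sample lines are trimmed from the log in the question; the list of "core" binary names and the expected `c:\windows\system32` path are this example's own assumptions about a stock Windows XP install on drive C:.

```python
"""Triage a HijackThis 1.99 log for core Windows binaries that run from the
wrong directory and for O23 service entries that look wrong.

Added example for this thread, not code anyone in it posted.  The sample
lines are trimmed from Polemic's log above; the set of "core" binary names
and the expected system32 path are this example's own assumptions about a
stock Windows XP install on drive C:.
"""
import re

# Binaries that, on a stock XP install, only ever load from %SystemRoot%\system32
# (assumption for this example).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "spoolsv.exe", "alg.exe"}
SYSTEM32 = r"c:\windows\system32"

# Trimmed from the HijackThis log posted in the question.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM\svchost.exe
C:\WINDOWS\System32\alg.exe
G:\CFusionMX\runtime\bin\jrun.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MS Software Generic Host Process for Win32 Services (svchost) - Unknown owner - C:\WINDOWS\SYSTEM\svchost.exe
"""


def split_image(path):
    """Split an image path (it may carry quotes or arguments) into
    (lowercased directory, lowercased exe name); (None, None) if unparseable."""
    m = re.match(r'^"?([A-Za-z]:\\.*?\\([^\\"]+\.exe))', path, re.IGNORECASE)
    if not m:
        return None, None
    full, name = m.group(1), m.group(2)
    return full[:-len(name)].rstrip("\\").lower(), name.lower()


def parse_log(text):
    """Return (process_paths, services); services are (name, image, file_missing)."""
    processes, services = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line or re.match(r"^[RFO]\d+ - ", line):
            in_procs = False                      # a blank line or an Rn/Fn/On entry ends the process list
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif line.startswith("O23 - Service:"):
            parts = line[len("O23 - Service:"):].strip().split(" - ", 2)   # name - owner - image
            if len(parts) != 3:
                continue
            name, _owner, image = parts
            missing = image.endswith("(file missing)")
            services.append((name, image.replace("(file missing)", "").strip(), missing))
    return processes, services


def find_anomalies(text):
    """Return a list of findings, one string each."""
    findings = []
    processes, services = parse_log(text)
    for p in processes:
        d, n = split_image(p)
        if n in CORE_BINARIES and d != SYSTEM32:
            findings.append(f"process {n} running from {d} (expected {SYSTEM32})")
    for name, image, missing in services:
        d, n = split_image(image)
        if missing:
            findings.append(f"service '{name}' points at a missing file: {image}")
        if n in CORE_BINARIES and d != SYSTEM32:
            findings.append(f"service '{name}' loads {n} from {d} (expected {SYSTEM32})")
        if n == "svchost.exe" and "-k" not in image:
            # A genuine service host is registered as 'svchost.exe -k <group>'; a bare
            # svchost.exe ImagePath is a program that merely borrowed the name.
            findings.append(f"service '{name}' runs svchost.exe with no -k group")
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print("!!", f)
```

Against the trimmed sample this reports four findings: the process in C:\WINDOWS\SYSTEM, the avast! entry whose file is missing, and two hits on the O23 "svchost" service (wrong directory, no `-k` group). The directory comparison is case-insensitive on purpose, since HijackThis prints `system32`, `System32` and `SYSTEM` as the filesystem reported them.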
FalconHawk:

"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"

This one can likely cause the problem, depending on the version (yes, I KNOW it's a perfectly safe firewall). VSmon.exe is the monitor for the firewall traffic. Only, at some versions of it, it seems to have a crazy touch that makes the amount of paging memory much lower. It can't be reset to the normal value with it running either.

From the startup list, I can see no other programs that are illegal, but I can see one thing: you're letting quite a few run at startup. This is also something that can cause the slowness; Windows + a lot of programs loading = slow PC :)

svchost.exe is a system process belonging to the Microsoft Windows operating system which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. The high usage is common; it sometimes is the only usage, making it seem that there is a lot of processor time in it, but if it's the only one active, 100% is just normal.

The port traffic is normal too; however, I still didn't figure out why it's there. At least it's harmless.
Have you installed something recently?
Very often, conflicts with svchost have external causes.
I noticed you have a lot of security software installed. It might be too much.
For example, trojan horses and viruses are usually found by the same engines, that use the same methods, and therefore conflict when used at the same time. Same thing with spyware removal tools.
SOLUTION from anil_u (available to Experts Exchange members only; not shown)

> (Yahoo! Audio Conferencing) -

Um, you seem to have an awful lot going on that is, shall we say, less business oriented/less productive. While chat rooms leave one open to more such problems, audio is a notorious consumer of resources.
Try also command:
TaskList  /SVC
to further check out the task you are asking about.
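`tasklist /svc` tells you which service key names each svchost.exe instance hosts, and `netstat -ao` tells you which PID owns each listening socket, so joining the two on PID attributes every port to a hosted service and exposes any svchost.exe that hosts nothing at all. The script below is an added example for this thread, not code anyone in it posted. NETSTAT_SAMPLE is rebuilt from the rows in the question with the Foreign Address and State columns put back; TASKLIST_SAMPLE is constructed: its PIDs are chosen to line up with the posted netstat, and the service names and the "N/A" svchost entry are illustrative, not facts about the asker's machine.

```python
"""Join `tasklist /svc` with `netstat -ao` so that every listening port is tied
to the service(s) its svchost.exe instance hosts, and flag svchost.exe
instances that host no service at all.

Added example for this thread, not code anyone in it posted.  NETSTAT_SAMPLE
is rebuilt from the rows Polemic posted, with the Foreign Address and State
columns he removed put back.  TASKLIST_SAMPLE is constructed: its PIDs are
chosen to line up with the posted netstat, and the service names and the
"N/A" svchost entry are illustrative, not facts about his machine.
"""
import re

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      548 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    796 RpcSs
svchost.exe                    840 AudioSrv, Browser, CryptSvc, Dhcp, ERSvc,
                                   EventSystem, lanmanserver, W32Time, wuauserv
svchost.exe                    972 SSDPSRV
svchost.exe                   1540 N/A
"""

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:19997          0.0.0.0:0              LISTENING       1540
  TCP    0.0.0.0:50300          0.0.0.0:0              LISTENING       1700
  UDP    0.0.0.0:500            *:*                                    548
  UDP    0.0.0.0:4500           *:*                                    548
  UDP    127.0.0.1:1900         *:*                                    972
  UDP    211.27.201.49:68       *:*                                    840
  UDP    211.27.201.49:123      *:*                                    840
  UDP    211.27.201.49:137      *:*                                    4
"""


def parse_tasklist(text):
    """Map PID -> (image name, [service key names]) from `tasklist /svc` output.
    Wrapped service lists (continuation lines starting with whitespace) are merged."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        if line[0].isspace() and last is not None:
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(\S.*?)\s{2,}(\d+)\s+(.*)$", line)   # image, PID, services
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
        procs[pid] = (image, services)
        last = pid
    return procs


def parse_netstat(text):
    """Return [(proto, local port, pid)] from `netstat -ao` output; the trimmed
    three-column form posted in the question parses the same way."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] in ("TCP", "UDP"):
            rows.append((t[0], int(t[1].rsplit(":", 1)[1]), int(t[-1])))
    return rows


def attribute_ports(tasklist_text, netstat_text):
    """Return (attribution, findings): attribution maps PID -> {image, services, ports}."""
    procs = parse_tasklist(tasklist_text)
    attribution, findings = {}, []
    for proto, port, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("<not in tasklist>", []))
        entry = attribution.setdefault(pid, {"image": image, "services": services, "ports": []})
        entry["ports"].append(f"{proto} {port}")
    for pid, (image, services) in procs.items():
        if image.lower() == "svchost.exe" and not services:
            # A service host with nothing to host is a program that only borrowed the name.
            ports = attribution.get(pid, {}).get("ports", [])
            findings.append(f"PID {pid}: svchost.exe hosting no service (ports: {ports})")
    for pid, e in attribution.items():
        if e["image"] == "<not in tasklist>":
            findings.append(f"PID {pid}: listening on {e['ports']} but absent from tasklist")
    return attribution, findings


if __name__ == "__main__":
    att, fs = attribute_ports(TASKLIST_SAMPLE, NETSTAT_SAMPLE)
    for pid, e in sorted(att.items()):
        print(f"{pid:>5} {e['image']:<22} {', '.join(e['services']) or '-':<44} {', '.join(e['ports'])}")
    for f in fs:
        print("!!", f)
```

With the samples, PID 840 resolves to the netsvcs-style group (Dhcp on UDP 68, W32Time on UDP 123), 796 to RpcSs on TCP 135, and the constructed PID 1540 is flagged as a svchost.exe hosting nothing while listening on TCP 19997. Take both listings in the same minute, because PIDs are reused across process restarts, and remember that `tasklist /svc` does not print the image path: pair its output with the HijackThis "Running processes" list or `wmic process get ProcessId,ExecutablePath` to see which directory each svchost.exe actually came from.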
Polemic (asker):

anil_u: I ran an Avast! scan on everything in and under c:\windows which came up clean.  However, when I check the properties of the svchost.exe in c:\windows\system I get no "version" info; it tells me it was created on 22/05/2000, and the file size is 114kb.  By contrast, the svchost.exe in c:\windows\system32 does have version info indicating it is from Microsoft (v 5.1.2600.2180 as it happens) and a file size of only 14kb.  So this does seem suspicious. I'm going to try renaming it and see what happens on the next start.

FalconHawk / SunBow: I've used "Startup Inspector for Windows" to get rid of a lot of unnecessary junk such as fast-starts for Quicktime, iTunes etc.  I'd get rid of a lot of the rest of it if I knew how to do so - for instance I never use Yahoo audio conferencing, and Yahoo messenger isn't installed on this PC!

jltari: No I haven't installed anything recently, other than auto-updates to antivirus, firewall etc.  Spybot recommends running with Spyware Blaster for additional protection. I installed Trojan Hunter only after the problem started, just in case Avast was missing a Trojan.

FalconHawk: "VSmon.exe... makes the amount of paging memory much lower. it cant be reset to the normal value with it running eigther..."  So do you have a suggestion? I can always start in Safe Mode and make some adjustments, if you can suggest any?

Thanks all
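The version-info comparison the asker just did by hand (one copy reports 5.1.2600.2180, the other has no version block at all) can be automated without the Windows API: a PE's version resource stores the UTF-16 key `VS_VERSION_INFO` followed, after DWORD padding, by a `VS_FIXEDFILEINFO` struct whose first field is the signature 0xFEEF04BD and whose third to sixth fields are the file and product version numbers. The script below is an added example for this thread, not code anyone in it posted. It scans raw bytes for that layout, so it works on a copy of the file taken off the box. The two sample blobs are constructed: GENUINE_SAMPLE carries a version block set to 5.1.2600.2180, the number the asker reports for the System32 copy, and NO_VERSION_SAMPLE stands in for a binary with no version resource; neither is a real svchost.exe.

```python
"""Pull FileVersion/ProductVersion out of a PE image's version resource by
locating the VS_VERSION_INFO key and the VS_FIXEDFILEINFO signature that
follows it, without the Windows API or a PE library.

Added example for this thread, not code anyone in it posted.  The two sample
blobs are constructed: GENUINE_SAMPLE carries a version block set to
5.1.2600.2180 (the number Polemic reports for the system32 copy) and
NO_VERSION_SAMPLE stands in for a binary with no version resource, like the
copy he found under C:\WINDOWS\SYSTEM.  Neither is a real svchost.exe.
"""
import struct

FIXED_SIG = 0xFEEF04BD                                        # VS_FIXEDFILEINFO.dwSignature
KEY = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"     # szKey, NUL-terminated UTF-16


def _fmt(ms, ls):
    """Render the two version DWORDs as major.minor.build.revision."""
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"


def file_version(data):
    """Return (file_version, product_version) as dotted strings, or None when
    the image has no VS_VERSION_INFO block.  The key is followed by DWORD
    alignment padding and then the 52-byte VS_FIXEDFILEINFO struct."""
    pos = data.find(KEY)
    while pos != -1:
        start = pos + len(KEY)
        sig_at = data.find(struct.pack("<I", FIXED_SIG), start, start + 8)
        if sig_at != -1 and sig_at + 52 <= len(data):          # sizeof(VS_FIXEDFILEINFO) == 52
            _sig, _struc_ver, fms, fls, pms, pls = struct.unpack_from("<6I", data, sig_at)
            return _fmt(fms, fls), _fmt(pms, pls)
        pos = data.find(KEY, pos + 1)                          # key text elsewhere? keep looking
    return None


def build_version_block(file_ver, prod_ver):
    """Constructed test data: a minimal VS_VERSIONINFO header followed by a
    VS_FIXEDFILEINFO, laid out as the Windows version resource documents."""
    def to_dwords(v):
        major, minor, build, rev = v
        return (major << 16) | minor, (build << 16) | rev
    fms, fls = to_dwords(file_ver)
    pms, pls = to_dwords(prod_ver)
    fixed = struct.pack("<13I", FIXED_SIG, 0x00010000, fms, fls, pms, pls,
                        0x3F, 0, 0x00040004, 0x1, 0, 0, 0)      # mask, flags, VOS_NT_WINDOWS32, VFT_APP, ...
    header = struct.pack("<HHH", 0, 52, 0) + KEY               # wLength (filled below), wValueLength, wType
    header += b"\x00" * ((4 - len(header) % 4) % 4)            # pad to a DWORD boundary
    header = struct.pack("<H", len(header) + 52) + header[2:]
    return header + fixed


GENUINE_SAMPLE = (b"MZ" + b"\x00" * 120
                  + build_version_block((5, 1, 2600, 2180), (5, 1, 2600, 2180))
                  + b"\x00" * 32)
NO_VERSION_SAMPLE = b"MZ" + b"\x00" * 200                      # no version resource at all


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                                  # e.g. both svchost.exe copies
        with open(path, "rb") as fh:
            print(path, file_version(fh.read()))
```

Run it against both copies of svchost.exe and you get the same contrast the asker saw in the Properties dialog. Treat a missing version block as a weak signal on its own: packers strip resources, and malware can just as easily copy Microsoft's version block into its own binary. The stronger check is comparing the file's hash with a known-good svchost.exe from an XP SP2 install, or verifying its Authenticode signature with a tool such as Sysinternals sigcheck.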
ASKER CERTIFIED SOLUTION (available to Experts Exchange members only; not shown)
Polemic (asker):
smiffy13: Ran both of these. Stinger found nothing, Housecall found WORM_AGOBOT-2 and removed it. However this hasn't fixed the problem :-/ But thanks for that - I thought I'd caught everything with the scans I'd already done!

Given that you've had a virus infection, you may have damaged Windows objects. Try running sfc /scannow from the Run command; you'll need to put your XP setup disk in your CD-ROM. Also I see you have a few "Spy-Bot" programs; personally I've found the MS Antispyware program to be so good I've uninstalled all my other anti-spy programs in preference to the MS offering. I see you don't appear to have this program - I guess it wouldn't hurt if you installed & ran it - it's available for free here: http://www.microsoft.com/athome/security/spyware/software/default.mspx

As suggested above: that svchost from windows/system looks very suspicious, the only version I have is in the system32 library - the same as you: 14Kb.

Can you have a look at your event logs: Control Panel, Administrative tools, Event Viewer.

Hi Polemic
Did you have a chance to rename that file and reboot, is the problem still there...

If not download Process Viewer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
This should give you more of an insight as to what that svchost is. Post the result back here...


Actually ignore my last post, I should have read your description properly :)

Hi!

As pointed out above -
svchost.exe running from this location: C:\WINDOWS\SYSTEM\svchost.exe
is "suspicious" - it's a clear indicator of a virus/trojan/malware.
The ONLY valid location for svchost.exe to run from is:
C:\WINDOWS\System32\svchost.exe

From the "Run" box, type services.msc and see if there is anything
related to it, that is being run as a service.
If there is; try stopping it, then disable it and then try to delete it.
If something is locking it; try this free utility - WhoLockMe - to determine what's locking it:
http://www.majorgeeks.com/download4429.html

Try running this scan and see if it comes up with something - EScan-MWAV (free version):
http://www.mwti.net/antivirus/free_utilities.asp
This scanner sometimes picks up things that others miss.

Also, "Safemode" ?!

Good luck!

RF

> SunBow (02/25/2005): Try also command:
> TaskList  /SVC
Polemic (asker):
Well, much to my amazement, upon re-starting today the problem has gone.  This followed my identifying and removing the AGOBOT-2 worm, and renaming the suspicious svchost.exe file found under c:\windows\system rather than c:\windows\system32.

I'm not sure whether one or both solutions solved the problem (sorry, in hindsight I should take each suggestion one at a time to be absolutely certain, but I just wanted to get this fixed!).  In any case, both were valuable suggestions and resulted in the removal of something which, if it wasn't the cause of this particular problem was certainly likely to cause another.

So with thanks to everyone for their help and suggestions I will split the points between anil_u and smiffy13.

thanks Polemic - good result.
Thanks - glad I could help
> the suspicious svchost.exe file found under c:\windows\system