Solved

Near 100% downtime: System process grabbing 98% of CPU

Posted on 2004-04-16
Last Modified: 2010-04-11
Well, this looks like a virus....
Rebooted the laptop after a Windows update patch (other workstations got the same patch - no problem) and I'm getting 98% CPU time allocated to the System process.

Which means that any keystroke has a response time like molasses.
os: win2K
All security updates are (I think) up to date.
Norton Anti-virus is installed.

So I thought I was good.........

An attempt to run the full system scan was aborted after 24 hours (3,000 files of many many thousand files scanned).

I can access the laptop via my local network.

I am getting lots of Netsky.P type email viruses - all caught by the Anti-virus, but all spoofing my email address. The laptop was (until it went dead in the water) my email workstation. (Is this related?).

The laptop Task Manager shows System grabbing the processor time but I wondered if one of the other processes was in fact the culprit (Process tree issue?).

Any help appreciated before I trash the laptop (Real pain given that lots of licences are registered on it....).

regards,
CTOSian

[In case you're wondering.. CTOS was a great operating system I used in the '80s]
0
Question by:CTOSian
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 10846816
There seem to be some issues concerning  KB 835732 (MS04-011) and Windows 2000 in certain configurations; try to remove the hotfix(es).
Here's a description about how to best remove it:
http://groups.google.de/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=%23IOM%23EzIEHA.3476%40TK2MSFTNGP11.phx.gbl
or another possibility:
http://groups.google.de/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=1d1d201c42315%2448f9c3b0%24a501280a%40phx.gbl&rnum=2

If it doesn't work, google groups for "835732" and "CPU usage" or "835732" and "realtime".
Here are the important parts of the articles above, just in case:

====8<----[MICROSOFT IS LOOKING at the KB 835732 issue now]----
To uninstall it, I did the following
(1) Boot into Safe mode.
(2) Run TaskManager - and noticed that the SYSTEM process
was using 99% of the CPU time.
(3) From TaskManager set the Priority of the EXPLORER
process to REALTIME, so that I can get to the control
panel.
(4) Run ADD/REMOVE PROGRAM from control panel.
(5) Go back to TaskManager and set the Priority of
MSHTA.exe to REALTIME, so that the ADD/REMOVE PROGRAM can
get some CPU time.
(6) Select and Remove "Windows 2000 Hotfix  - KB835732".
(7) Go back to TaskManager and set the Priority
of "SPUNINST.exe" to REALTIME, for the uninstall program to
run.
(8) Wait a few minutes, and the uninstall program will
eventually ask you to click FINISH to reboot the machine.
It took a long time for the system to shutdown and I just
unplugged the power.
(9) The machine should become normal after reboot.
====8<----[MICROSOFT IS LOOKING at the KB 835732 issue now]----

====8<----[HELP...ME TOO! my machine is doing the exact same thing...]----
I found this solution below,  and it worked great.
Boot into SAFE MODE (no networking or no command prompt).
Go to: Control Panel --> Add / Remove Programs
UNINSTALL Windows Hotfix KB 835732
Reboot...

There are some additional tricks to this that you can use:

1) Instead of using add\remove programs,  run CMD and type
in:
%systemroot%\$Ntuninstallkb835732$\spuninst\spuninst.exe

or
2) if you can get to the desktop,  go to task manager.  
Give the explorer process Realtime priority.  Then go to
the command prompt and follow step #1.  Once you start up
the spuninst.exe program,  go into task manager and give
it Realtime priority as well.
====8<----[HELP...ME TOO! my machine is doing the exact same thing...]----
0
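The command-line variant quoted in the answer above, written out as a Windows 2000 batch file. This is an added example, not part of the original posts: it launches the uninstaller at Realtime priority directly with `start /realtime` instead of raising it in Task Manager, and records the removal so the host can be tracked for re-patching. The log file name is an assumption made for this example.

```batch
@echo off
rem Added example, not from the original thread.
rem Runs the KB835732 uninstaller (path as quoted in the answer) at REALTIME
rem priority so it gets CPU time while the System process is using ~99%.
setlocal

set UNINST=%systemroot%\$Ntuninstallkb835732$\spuninst\spuninst.exe
rem Assumption: log location chosen for this example only.
set LOG=%systemroot%\kb835732-removal.log

if not exist "%UNINST%" goto :missing

rem Redirection is written first so a trailing digit is never read as a handle.
>>"%LOG%" echo %DATE% %TIME% starting KB835732 uninstall
rem The empty "" is the window title START expects before a quoted path.
start "" /wait /realtime "%UNINST%"
set RC=%ERRORLEVEL%

>>"%LOG%" echo %DATE% %TIME% spuninst.exe exited with code %RC%
echo Uninstaller finished with exit code %RC%.
echo MS04-011 is no longer applied on this machine.
echo Record this host for re-patching once a corrected update is available.
goto :eof

:missing
>>"%LOG%" echo %DATE% %TIME% KB835732 uninstaller not found
echo Uninstall data for KB835732 was not found at:
echo   %UNINST%
echo The hotfix is either not installed or cannot be removed this way.
goto :eof
```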
 

Author Comment

by:CTOSian
ID: 10848568
oBdA,
Excellent response!
I followed these instructions and it all worked fine... (Though I didn't need to power off).
The machine is now working fine.
Thanks very much for the help - well worth the 500 points.

regards,
CTOSian

0
 

Expert Comment

by:vanwertj
ID: 10988611
While the answer of removing the 835732 hotfix will get your computer up and running again, it doesn't address the fact that now these systems are vulnerable to known exploits. I will be interested to find out how many of the people that have removed the hotfix are now having problems with the sasser.worm.
0

Author Comment

by:CTOSian
ID: 10989778
I have to assume that Microsoft are aware of this problem and are addressing it. Haven't had the time to research this though....

CTOSian
0
 
LVL 84

Expert Comment

by:oBdA
ID: 10990624
In the meantime, there's an official release describing the problems:
MS04-011: Security Update for Microsoft Windows
http://support.microsoft.com/?kbid=835732

And here's the (hopefully) fixed version of the fix:
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
0
 
LVL 84

Expert Comment

by:oBdA
ID: 10990733
Was posting a bit too fast, sorry. The fix for the fix is here (the link is in the first article); if you need the hotfix described in the article, don't be afraid to call Microsoft. Simply call them and tell them you need it, and they'll send you a download link and a password a few hours later.

Your Windows 2000-based computer stops responding, you cannot log on to Windows, or your CPU usage for the System process approaches 100 percent
http://support.microsoft.com/default.aspx?kbid=841382
0
