svchost.exe 100% cpu

Posted on 2006-04-07
Last Modified: 2008-02-01
Hi Folks,

I have a PC running Windows XP Home edition. This PC stopped working and could not get past the logon screen (you would click on the user then it would just hang loading personal settings). I could start in safe mode, the desktop would load up but I could not access anything due to the svchost.exe and explorer.exe taking up all the CPU usage. If I stop the svchost.exe process then the explorer.exe process shoots up to 100%.

I have started in safe mode with command prompt and ran Sophos command line software with the latest IDEs and it found a few viruses.

After removing these and restarting I have the same problem.

Also when I start in safe mode with command prompt and then go into task manager svchost.exe is sitting at 100%.

Anyone have any ideas on what I can do to sort this problem?

Many thanks in advance,


Question by:Baikie
    LVL 59

    Expert Comment

    Besides viruses, you should check for adware, spyware, etc.  Also try these free programs to rid your system of spyware, trojans, and other malware:
    Spybot - Search & Destroy
    LavaSoft Ad-aware  

    I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.
    LVL 59

    Expert Comment

    from Lockergnome, 1-28-03 edition:

    Question: How do I find out what is starting a service on my computer? The name of the service is svchost.exe and the user name is Local Service. It starts with the first logon and eats a consistent 25-35% of CPU processing time. I have ended the process using the Windows Task Manager and have not had any problems. Any insight would be appreciated.
    Answer: I think we can shed a little light on your svchost.exe problem. You didn't say whether you are using Windows XP or Windows 2000, so I will try to give the information for both. First, let's address what the svchost.exe program is used for. As quoted from Microsoft Knowledge Base Article - 314056: "At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging." In layman's terms, it is basically an easy way for your computer to execute a lot of DLL files that are needed at startup. So instead of just ending one of the instances of svchost.exe, we need to find what set of DLLs might be causing your processing problem.

    In Windows XP, you can get a list of running services by going to Start | Run | type "CMD" | click OK. Type "tasklist /svc" (sans quotes) and then press Enter. Now you will have a list of every DLL running under each svchost.exe instance. For Windows 2000, you need to extract the Tlist.exe utility from the file on your Windows 2000 installation CD. You still need to open a command window, but you will need to navigate to where you extracted the Tlist.exe file to, type "tlist -s" (sans quotes), and then press Enter.

    For more information, see Microsoft Knowledge Base Article - 250320. Svchost.exe groups are identified in the following registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost. Also, each svchost group extracts its service names from the following registry key, whose Parameters key contains a ServiceDLL value: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ . Be sure to back up the registry key you are configuring before you make a change. You do this by browsing the desired registry key, and then going to File | Export. Follow the prompts, and you will now have a way to bring back that registry key (if you accidentally damaged it). I hope this helps to answer your question, but if you're still hunting for an answer after trying this suggestion, feel free to post your question in the Lockergnome forums, at [Brian]

    Author Comment


    Cheers for the reply.

    I would be interested to know the list of running services but unfortunately when I start Windows in anything other than 'safe mode with command prompt' it freezes up as the CPU is at 100%.

    Would I be able to run this tasklist from the command prompt?

    This is XP Home edition also.


    LVL 59

    Expert Comment

    Yes, you should be able to run it from Safe mode with command prompt.
    LVL 47

    Expert Comment

    This is just a shot in the dark; HijackThis will not show much info in safe mode.

    Still it might show something.
    Please download HijackThis 1.99.1
    Open HijackThis, click "scan and save a logfile", don't fix anything yet, just upload the logfile created, go here and paste your HijackThis log,
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or copy and paste the log at;
    and click "Analyse", "Save".  Post a link to the saved list here.

    Author Comment

    Once again cheers for the replies,

    I ran Sophos from the command line and it picked up the SpyJack-E virus but it could not delete the file as access was denied.

    The files it could not delete were as follows:


    I downloaded a program called Process Explorer and had a look at what processes the svchost was using and sure enough the oleext.dll was listed. I killed the process from within Process Explorer and the CPU came down to 0%.

    I then went back into the command prompt and manually deleted the oleext.dll without any problem. However I cannot seem to be able to delete the wininet.dll as access is denied.

    Have you heard of this virus before and do you know how I can get rid of it? Or delete the other offending DLL?

    Many Thanks,

    LVL 47

    Accepted Solution

    oleext.dll is one of the smitrem files in the smitfraud family of infections. Smitfraud also infects wininet.dll.
    If you use "Smitrem" it removes all the files belonging to smitfraud variants and it also replaces a clean copy of wininet.dll.
    The malware should've shown up in your HijackThis log.

    and save the file to your desktop.
    Double click on the file to extract it to its own folder on the desktop.

    Next, please reboot your computer in Safe Mode:

    Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
    Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
