Solved

svchost.exe hogging internet bandwidth

Posted on 2010-08-31
Last Modified: 2013-12-06
I am working on an older Dell Dimension 4300 w/ WINDOWS XP that had a pretty bad Malware infection.  I thought I got it cleaned up but after leaving the system on overnight, I came in the next day and it is constantly uploading something at a steady 1MB per second.  I have run all of my tools again and it still does it.

EDIT: I determined it was uploading by looking at our router's live bandwidth stats, and also Windows XP Task Manager.

I have all services disabled as well as startup programs.  If needed, I can post a Hijackthis log or whatever you need so we can figure this out.

Wanted to add that I just ended a svchost.exe process and now it's not uploading.

Like always, Thanks ahead of time for your help.
0
Question by:david1986
5 Comments
 

Author Comment

by:david1986
ID: 33570331
Hey All,

Here's an update on where we're at:

First off, if you Google "svchost.exe hogging internet bandwidth" there are lots of similar reports of problems.
http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=svchost.exe+hogging+internet+bandwidth#hl=en&q=svchost.exe+hogging+internet+bandwidth&aq=f&aqi=&aql=&oq=&gs_rfai=&pbx=1&fp=3318d71742fc0392

From all of our diagnostics, it certainly appears the issue is related to a malware infection disguising itself as svchost. The question is: How do we remove this infection?


Rebooting in safe mode with networking: The issue STILL occurs.

Killing various svchost.exe processes seems to solve the problem... but of course it reoccurs upon reboot.

Looking at the HiJackThis log, I don't see anything out of the ordinary... but once again I suspect this is due to the disguise of the malware.

Really appreciate the advice on this one!

-DAVID
0
 
LVL 8

Accepted Solution

by:
tskelly082598 earned 500 total points
ID: 33570619
Search for svchost.exe and see if there is more than one. The legitimate svchost.exe should be in C:\Windows\System32. There may be a malicious svchost.exe in a different subfolder that could be deleted after you stop the process in Task Manager. It may also be a file that is restored from another copy with a different name, for example, a file in a temp folder ending with .tmp.
0
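
The path check from the accepted answer, applied to a saved process listing. This is an added example, not code posted in the thread. It assumes a CSV export with Node, ExecutablePath, Name and ProcessId columns (the layout `wmic process get ExecutablePath,Name,ProcessId /format:csv` produces) and a system root of `C:\WINDOWS`; the sample rows, the host name and the `classify_svchost` helper are constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed sample listing; host name, paths and PIDs are made up.
SAMPLE_WMIC_CSV = r"""Node,ExecutablePath,Name,ProcessId
DELL4300,C:\WINDOWS\system32\svchost.exe,svchost.exe,848
DELL4300,C:\WINDOWS\System32\svchost.exe,svchost.exe,1012
DELL4300,C:\WINDOWS\Temp\svchost.exe,svchost.exe,1740
DELL4300,,svchost.exe,1904
DELL4300,C:\WINDOWS\explorer.exe,explorer.exe,1500
"""


def expected_path(system_root=r"C:\WINDOWS"):
    """Normalised location of the legitimate svchost.exe (assumed system root)."""
    full = ntpath.join(system_root, "System32", "svchost.exe")
    return ntpath.normcase(ntpath.normpath(full))


def classify_svchost(wmic_csv, system_root=r"C:\WINDOWS"):
    """Return {pid: verdict} for every process named svchost.exe.

    expected   - image path is <system_root>\\System32\\svchost.exe
    suspicious - same process name, but running from another folder
    unknown    - the listing has no path for it, so it needs a manual look
    """
    good = expected_path(system_root)
    verdicts = {}
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        if (row.get("Name") or "").strip().lower() != "svchost.exe":
            continue
        path = (row.get("ExecutablePath") or "").strip()
        if not path:
            verdict = "unknown"
        # Windows paths are case-insensitive; normalise before comparing.
        elif ntpath.normcase(ntpath.normpath(path)) == good:
            verdict = "expected"
        else:
            verdict = "suspicious"
        verdicts[int(row["ProcessId"])] = verdict
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(classify_svchost(SAMPLE_WMIC_CSV).items()):
        print(pid, verdict)
```
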
 
LVL 22

Expert Comment

by:optoma
ID: 33570835
Run TDSSKiller and HitmanPro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

If you are still having the issue, run ComboFix and post the log here.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

>If they don't run, redownload them but rename them prior to saving them.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33572609
Also run Malwarebytes in safe mode and update it before running a full system scan:

http://www.malwarebytes.org/mbam-download.php

I hope that would help

Sudeep
0
 

Author Closing Comment

by:david1986
ID: 33581857
Worked great, problem solved.
0
