Just recently I opened the task manager in Windows XP Professional to close
an unresposive program and I noticed that my CPU usage was not what it was
supposed to be (it is supposed to be next to none if nothing was going). I
checked all of my processes and I know what they all are and they are all
supposed to be running, but I noticed that one of the svchost.exe's and the
System process were still taking up cpu time even though I was not doing
anything, and my cpu usage was going between about 10% and 30%. I have done
multiple scans for spyware, adware, viruses. I have checked my USB devices
and they are not the cause. I am not a newbie at this, so I know what I am
doing and I have not seen this before. Any input would be helpful.

Hi / Bonjour *Timmay* :

> Just recently I opened the task manager in Windows XP Professional to close
> an unresposive program and I noticed that my CPU usage was not what it was
> supposed to be (it is supposed to be next to none if nothing was going). I
> checked all of my processes and I know what they all are and they are all
> supposed to be running, but I noticed that one of the svchost.exe's and the
> System process were still taking up cpu time even though I was not doing
> anything, and my cpu usage was going between about 10% and 30%. I have done
> multiple scans for spyware, adware, viruses. I have checked my USB devices
> and they are not the cause. I am not a newbie at this, so I know what I am
> doing and I have not seen this before. Any input would be helpful.


svchost or somethings like scvhost ???
Note - the real svchost do not appear in Msconfig/Startup

Startup name Process name Comment
scvhost svzhost.exe Add by a variant of SPYBOT worm !
scvhost.exe scvhost.exe Add by the trojan LOHAV-N!
Service Host svchost.exe Add by the TORVEL worm!
Service Host Driver svchost.exe Add by the trojan HITON!
Service Process SVCHOST.EXE Add by the virus DARKER!
etc.

You can have a better control of what's running in your PC with
Process Explorer :
http://www.sysinternals.com/Utilitie...sExplorer.html

Please note that if Heinz have 57 varieties ,W xp sp2 have 7 varieties of svchost :

C:\WINDOWS\System32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k DCOMLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc

Those ones are mandatories :
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs

then:
C:\WINDOWS\system32\svchost -k HTTPFilter
correspond to HTTP SSL service

C:\WINDOWS\system32\svchost -k LocalService
corrrespond to services such as WebClient

C:\WINDOWS\system32\svchost -k Network Service
correspond to services such as Client DNS

C:\WINDOWS\System32\svchost.exe -k imgsvc
correspond to Windows Image Acquisition (WIA)

For services configuration :
http://www.theeldergeek.com/services_guide.htm

Some links for security check up :

A )"Mini- antivirus" to be runned in safe mode:

1-TrendMicro : disable your AV before.

The "sysclean":
http://www.trendmicro.com/download/dcs.asp
+
The virus patterns :
http://www.trendmicro.com/download/pattern.asp

Put them in the same folder and launch the program.

2-Stinger :
http://vil.nai.com/vil/stinger/

3-Avast cleaner :
http://www.avast.com/eng/avast_cleaner.html

4-MS:
http://www.microsoft.com/downloads/d...displaylang=fr

5-Kaspersky:
ftp://ftp.kaspersky.ru/utils/clrav.com

6-Anti Root-Kits
F-Secure (beta)
http://www.f-secure.com/blacklight/

B) Online scan:

1-Anti-trojan:
http://www.windowsecurity.com/trojanscan/

2-Anti-spy:
http://www.spywareguide.com/txt_onlinescan.html
http://store.ca.com/dr/v2/ec_main.en...715&CID=181432

3-Anti-virus:
www.trendmicro.com

No more idea.

Let us know.



--
Claude LaFrenière [MVP] :-)

«My Principal Design Was To Inform, Not To Amuse Thee.»
Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on / Bientôt sur www.msmvps.com

In news:60CD2911-E9BD-42FE-BB37-(E-Mail Removed),
Timmay <(E-Mail Removed)> had this to say:

My reply is at the bottom of your sent message:

> Just recently I opened the task manager in Windows XP Professional to
> close an unresposive program and I noticed that my CPU usage was not
> what it was supposed to be (it is supposed to be next to none if
> nothing was going). I checked all of my processes and I know what
> they all are and they are all supposed to be running, but I noticed
> that one of the svchost.exe's and the System process were still
> taking up cpu time even though I was not doing anything, and my cpu
> usage was going between about 10% and 30%. I have done multiple
> scans for spyware, adware, viruses. I have checked my USB devices
> and they are not the cause. I am not a newbie at this, so I know
> what I am doing and I have not seen this before. Any input would be
> helpful.

start
run
type 'cmd' and hit enter
type 'tasklist /svc' and hit enter
(in both cases don't use the quotes)

Look in the svchost.exe listings for something not belonging. scvhost.exe is
a generic name for a DLL loaded into memory. It might have been an
application that had been closed and not completely unloaded from memory -
poor coding. It might be malware of some type though you say you scanned.
Did you do so with the latest definitions? In safe mode? Is it like this all
the time? Is it like this after rebooting? As I mentioned, it could simply
be an application that you'd closed (rampant memory leaks and perhaps the
original reason you'd opened task manager in the first place) still
lingering on due to shoddy code. If you want more information on malware and
some cleaning advice:

Malware Cleaning :
http://www.kgiii.info/windows/all/ge...alwarefix.html

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes

As a response to Claude's message, I am positive it is not scvhost.exe, I AM
aware this is bad thing to have that one. I'll try checking tasklist /svc.
It is using processor time all of the time, not just after reboot. I have
not tried to scan in safe mode, I didn't really know it made a difference. I
just had a problem with a Microsoft Update that crashed WinXP and I spent
most of my time yesterday getting
it to boot back up again.

Thanks

"Galen" wrote:

> In news:60CD2911-E9BD-42FE-BB37-(E-Mail Removed),
> Timmay <(E-Mail Removed)> had this to say:
>
> My reply is at the bottom of your sent message:
>
> > Just recently I opened the task manager in Windows XP Professional to
> > close an unresposive program and I noticed that my CPU usage was not
> > what it was supposed to be (it is supposed to be next to none if
> > nothing was going). I checked all of my processes and I know what
> > they all are and they are all supposed to be running, but I noticed
> > that one of the svchost.exe's and the System process were still
> > taking up cpu time even though I was not doing anything, and my cpu
> > usage was going between about 10% and 30%. I have done multiple
> > scans for spyware, adware, viruses. I have checked my USB devices
> > and they are not the cause. I am not a newbie at this, so I know
> > what I am doing and I have not seen this before. Any input would be
> > helpful.
>
> start
> run
> type 'cmd' and hit enter
> type 'tasklist /svc' and hit enter
> (in both cases don't use the quotes)
>
> Look in the svchost.exe listings for something not belonging. scvhost.exe is
> a generic name for a DLL loaded into memory. It might have been an
> application that had been closed and not completely unloaded from memory -
> poor coding. It might be malware of some type though you say you scanned.
> Did you do so with the latest definitions? In safe mode? Is it like this all
> the time? Is it like this after rebooting? As I mentioned, it could simply
> be an application that you'd closed (rampant memory leaks and perhaps the
> original reason you'd opened task manager in the first place) still
> lingering on due to shoddy code. If you want more information on malware and
> some cleaning advice:
>
> Malware Cleaning :
> http://www.kgiii.info/windows/all/ge...alwarefix.html
>
> Galen
> --
>
> "And that recommendation, with the exaggerated estimate of my ability
> with which he prefaced it, was, if you will believe me, Watson, the
> very first thing which ever made me feel that a profession might be
> made out of what had up to that time been the merest hobby."
>
> Sherlock Holmes
>
>
>

Hi / Bonjour *Timmay* :

> As a response to Claude's message, I am positive it is not scvhost.exe, I AM
> aware this is bad thing to have that one. I'll try checking tasklist /svc.
> It is using processor time all of the time, not just after reboot. I have
> not tried to scan in safe mode, I didn't really know it made a difference.

In the safe mode the malware process is not running.
Therefore it's easier to remove it.



--
Claude LaFrenière [MVP] :-)

«My Principal Design Was To Inform, Not To Amuse Thee.»
Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on / Bientôt sur www.msmvps.com

I did tasklist /svc and there was not anything there that shouldn't be. I
knew what everything that was listed was used for. Anything else I could try?

"Timmay" wrote:

> As a response to Claude's message, I am positive it is not scvhost.exe, I AM
> aware this is bad thing to have that one. I'll try checking tasklist /svc.
> It is using processor time all of the time, not just after reboot. I have
> not tried to scan in safe mode, I didn't really know it made a difference. I
> just had a problem with a Microsoft Update that crashed WinXP and I spent
> most of my time yesterday getting
> it to boot back up again.
>
> Thanks
>
> "Galen" wrote:
>
> > In news:60CD2911-E9BD-42FE-BB37-(E-Mail Removed),
> > Timmay <(E-Mail Removed)> had this to say:
> >
> > My reply is at the bottom of your sent message:
> >
> > > Just recently I opened the task manager in Windows XP Professional to
> > > close an unresposive program and I noticed that my CPU usage was not
> > > what it was supposed to be (it is supposed to be next to none if
> > > nothing was going). I checked all of my processes and I know what
> > > they all are and they are all supposed to be running, but I noticed
> > > that one of the svchost.exe's and the System process were still
> > > taking up cpu time even though I was not doing anything, and my cpu
> > > usage was going between about 10% and 30%. I have done multiple
> > > scans for spyware, adware, viruses. I have checked my USB devices
> > > and they are not the cause. I am not a newbie at this, so I know
> > > what I am doing and I have not seen this before. Any input would be
> > > helpful.
> >
> > start
> > run
> > type 'cmd' and hit enter
> > type 'tasklist /svc' and hit enter
> > (in both cases don't use the quotes)
> >
> > Look in the svchost.exe listings for something not belonging. scvhost.exe is
> > a generic name for a DLL loaded into memory. It might have been an
> > application that had been closed and not completely unloaded from memory -
> > poor coding. It might be malware of some type though you say you scanned.
> > Did you do so with the latest definitions? In safe mode? Is it like this all
> > the time? Is it like this after rebooting? As I mentioned, it could simply
> > be an application that you'd closed (rampant memory leaks and perhaps the
> > original reason you'd opened task manager in the first place) still
> > lingering on due to shoddy code. If you want more information on malware and
> > some cleaning advice:
> >
> > Malware Cleaning :
> > http://www.kgiii.info/windows/all/ge...alwarefix.html
> >
> > Galen
> > --
> >
> > "And that recommendation, with the exaggerated estimate of my ability
> > with which he prefaced it, was, if you will believe me, Watson, the
> > very first thing which ever made me feel that a profession might be
> > made out of what had up to that time been the merest hobby."
> >
> > Sherlock Holmes
> >
> >
> >

Hi / Bonjour *Timmay* :

> I did tasklist /svc and there was not anything there that shouldn't be. I
> knew what everything that was listed was used for. Anything else I could try?


Scan with HijackThis and post the log here.

http://www.merijn.org/downloads.html




--
Claude LaFrenière [MVP] :-)

«My Principal Design Was To Inform, Not To Amuse Thee.»
Lemuel Gulliver, The Travels (IV:12)
http://climenole.serendipia.net
Soon on / Bientôt sur www.msmvps.com