SVCHOST.EXE CPU constantly around 20 %

Lem Lo

I have a computer which had several trojan horses ( i.e.
trojan.download) and viruses (IBIS toolbar was one)

I cleaned it up through all the steps indicated by the various malware
removals. I still am seeing a constant 20 to 25 CPU for one copy of
SVCHOST.EXE (User Name LOCAL SERVICES) and about 3 to 4 CPU for another
copy of SVCHOST.EXE (User Name SYSTEM).

I also see " wowexec.exe" and " ocraware.exe" (note the leading space in
both) in the Running Processes list.

Anyone have any ideas, suggestions?

Thanks in advance,
Lem
 
David H. Lipman

Please go to one or more of the below online scanners and perform a scan of your platform
then report back your results.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Dave





| I have a computer which had several trojan horses ( i.e.
| trojan.download) and viruses (IBIS toolbar was one)
|
| I cleaned it up through all the steps indicated by the various malware
| removals. I still am seeing a constant 20 to 25 CPU for one copy of
| SVCHOST.EXE (User Name LOCAL SERVICES) and about 3 to 4 CPU for another
| copy of SVCHOST.EXE (User Name SYSTEM).
|
| I also see " wowexec.exe" and " ocraware.exe" (note the leading space in
| both) in the Running Processes list.
|
| Anyone have any ideas, suggestions?
|
| Thanks in advance,
| Lem
|
 
Lem Lo

I was trying to stay disconnected from the internet, but all my latest
scans (spybot and adaware) are clean so I'll go ahead, cross my fingers
and connect on up.. here goes..
 
Lem Lo

Dave, as soon as I connected the ethernet cable, Zone Alarm reported
SVCHOST requested access. I granted it and the CPU for SVCHOST shot up
to 90% and is staying at 85-89.
 
David H. Lipman

And the results of one or more of the scans were ?

Dave





| Dave, as soon as I connected the ethernet cable, Zone Alarm reported
| SVCHOST requested access. I granted it and the CPU for SVCHOST shot up
| to 90% and is staying at 85-89.
 
Beauregard T. Shagnasty

Quoth the raven Lem Lo:
> Dave, as soon as I connected the ethernet cable, Zone Alarm
> reported SVCHOST requested access. I granted it and the CPU for
> SVCHOST shot up to 90% and is staying at 85-89.

How many bytes are being sent out? This sounds like your computer is a
zombie for the spammers, and you're relaying it. (Most of my spam
comes from compromised broadband users.)
 
Lem Lo

TrojanDownloader.Win32.Agent.br
TrojanDownloader.Win32.Agent.bt

Both are in the Windows/System32/ folder
Names are
lspak.dll
rulesak.dll
updak.dll
 
Lem Lo

Beauregard said:
> Quoth the raven Lem Lo:
>
> How many bytes are being sent out? This sounds like your computer is a
> zombie for the spammers, and you're relaying it. (Most of my spam comes
> from compromised broadband users.)

Thanks, I'd love to do more than Quoth it.

I have left it disconnected.
 
Lem Lo

Beauregard said:
> Quoth the raven Lem Lo:
>
> How many bytes are being sent out? This sounds like your computer is a
> zombie for the spammers, and you're relaying it. (Most of my spam comes
> from compromised broadband users.)

Yes, but how?
 
Beauregard T. Shagnasty

Quoth the raven Lem Lo:
> Yes, but how?

How what?

How do you tell how many bytes are being sent out?

Check your connection doodad in the systray and see what number of
bytes or packets have been sent, compared to the same received.
Normally, the received far outweighs the sent.

How do you tell if your computer is compromised/hijacked?

Run a good anti-virus program, and an anti-trojan program.
A-Squared is listed on this page of mine, and is free.
http://home.rochester.rr.com/bshagnasty/tips.html#spyware

It appears you are using quite an old version of Mozilla. You should
consider upgrading.
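
The sent-versus-received comparison suggested in the post above can also be made from interface counters instead of the tray icon. The following is an added example, not part of the original thread: it parses two snapshots of Windows `netstat -e` output (sample text constructed here) and reports the traffic between them; the function names, the 32-bit counter wrap and the "sent exceeds received" threshold are assumptions of this example.

```python
import re

COUNTER_WRAP = 2 ** 32  # assumption: 32-bit interface counters that wrap around

# Constructed `netstat -e` output: two snapshots taken about a minute apart.
SAMPLE_T0 = """\
Interface Statistics

                           Received            Sent

Bytes                      48211004         6120877
Unicast packets               51234           40110
Non-unicast packets            1290             211
Discards                          0               0
Errors                            0               0
Unknown protocols                12
"""
SAMPLE_T1 = SAMPLE_T0.replace("48211004", "48260004").replace("6120877", "9520877")

# A counter row is a label followed by one or two integer columns.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_netstat_e(text):
    """Map each counter name to (received, sent); sent is None if absent."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sent = int(m.group(3)) if m.group(3) is not None else None
            counters[m.group(1).lower()] = (int(m.group(2)), sent)
    return counters

def counter_delta(before, after):
    """Difference between two readings, tolerating one counter wrap."""
    return (after - before) % COUNTER_WRAP

def assess(before_text, after_text, ratio_limit=1.0):
    """Compare bytes sent and received between two snapshots."""
    rx0, tx0 = parse_netstat_e(before_text)["bytes"]
    rx1, tx1 = parse_netstat_e(after_text)["bytes"]
    rx, tx = counter_delta(rx0, rx1), counter_delta(tx0, tx1)
    # Normal client traffic is download-heavy; flag the reverse pattern.
    return {"received": rx, "sent": tx, "suspicious": tx > rx * ratio_limit}

if __name__ == "__main__":
    print(assess(SAMPLE_T0, SAMPLE_T1))
```

A flagged interval is a reason to look at which process owns the connections, not a verdict by itself; uploads and backups produce the same pattern.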
 
Lem Lo

Thanks I will check out your page. I'm sending this from a different
computer that is not running anything except this bare-bones newsreader,
no IE at all.

What do you think about NOD32? It seems that most people are pleased
with it. I don't mind buying a product, but I don't want to have to keep
buying a different product each time.

Cheers and thanks again.
 
Beauregard T. Shagnasty

Quoth the raven Lem Lo:
> Thanks I will check out your page. I'm sending this from a
> different computer that is not running anything except this
> bare-bones newsreader, no IE at all.

Well, let us know when you get back to the other one.

> What do you think about NOD32? It seems that most people are
> pleased with it. I don't mind buying a product, but I don't want to
> have to keep buying a different product each time.

Most say NOD32 is good. I'm happy with Avast!, and I don't have it
running in the background, as I seem to be able to recognize emails
that have virus attachments. YMMV. (I do scan files I expected to
receive, of course.)
 
