svchost success! BUT

[Peter Dishington]

I have had a problem with 100% cpu usage caused by svchost for some time but
now it is fixed. I got Process Explorer (free) from
<http://www.sysinternals.com/> which showed me which services were using the
culprit svchost. I used the database at
<http://www.blackviper.com/WinXP/servicecfg.htm> to see what the services
meant then used Start/run/services.msc to stop the services one at time with
Task Manager running to see what effect it had. The culprit was Internet
Connection Firewall (ICF)/ Internet Connection Sharing (ICF) which is now
disabled. I am using Norton firewall.

My questions are;
Do I have a virus?
Where did it come from?
Do I have to delete and re-install some file?
Will not having Internet Connection Sharing affect the ability to share the
internet connection when I connect my laptop via the hub?
Why didn't Norton or any of the other scans (Spybot, Adaware, and the
on-line <http://www.trojanscan.com/trojanscan/scanner.htm>) find the
problem?
Why is it so hard to find and fix?

 

[Unknown]

Norton is the cause of it. (Norton firewall)

 

[Chuck]

I have had a problem with 100% cpu usage caused by svchost for some time but
now it is fixed. I got Process Explorer (free) from
<http://www.sysinternals.com/> which showed me which services were using the
culprit svchost. I used the database at
<http://www.blackviper.com/WinXP/servicecfg.htm> to see what the services
meant then used Start/run/services.msc to stop the services one at time with
Task Manager running to see what effect it had. The culprit was Internet
Connection Firewall (ICF)/ Internet Connection Sharing (ICF) which is now
disabled. I am using Norton firewall.

My questions are;
Do I have a virus?
Where did it come from?
Do I have to delete and re-install some file?
Will not having Internet Connection Sharing affect the ability to share the
internet connection when I connect my laptop via the hub?
Why didn't Norton or any of the other scans (Spybot, Adaware, and the
on-line <http://www.trojanscan.com/trojanscan/scanner.htm>) find the
problem?
Why is it so hard to find and fix?

Peter,

My guess is that you are not infected, so there was nothing for Norton or any of
the other scans to detect.

Your ICF (Internet Connection Firewall) was probably reacting to the trash worm
traffic which is at a constant level right now. If you have broadband internet,
or dialup internet with PPP-compatible client, you will benefit by installing a
firewall appliance. Both ICF and NIS (Norton firewall) will spend less time
analysing the constant trash worm traffic, your CPU will run much less, and you
will be able to share your internet connection without running any software such
as ICS.

Please don't confuse ICF (Internet Connection Firewall) and ICS (Internet
Connection Sharing). It's possible that having both ICF and NIS running
simultaneously could have caused problems. If you don't get a firewall
appliance, you will need ICS (or a proxy server such as Analogx Proxy
<http://www.analogx.com/contents/download/network/proxy.htm>) to share the
connection with your laptop.

A NAT router / firewall appliance will be the best solution all around. If you
can afford more than one computer, you can afford a firewall appliance.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.