svchosts.exe

Betty Libby

I have an AMD 1900+ running Norton Security 2003 and Antivirus 2003. I also
use Ad-Aware and Spybot.

The problem is that the svchosts.exe service constantly eats up 30 to 60
percent of processor time. I have seen it completely peg the processor for
extended periods of time. I used the program Wintasks to try to identify
what was running behind the service. I was thinking it was a sound card
issue. From what I can tell, this instance of svchosts.exe that is eating at my
resources is all Microsoft DLLs. So here I am trying to find out how to
minimize its processor usage. Below are all of the modules that are active.
I know this is an exhaustive list. How do I either trim it down or narrow
down the offending DLLs? I appreciate any help. Thanks


 
mb

Betty Libby said:
I have an AMD 1900+ running Norton Security 2003 and Antivirus 2003. I also
use Ad-Aware and Spybot.

The problem is that the svchosts.exe service constantly eats up 30 to 60
percent of processor time. I have seen it completely peg the processor for
extended periods of time. I used the program Wintasks to try to identify
what was running behind the service. I was thinking it was a sound card
issue. From what I can tell, this instance of svchosts.exe that is eating at my
resources is all Microsoft DLLs. So here I am trying to find out how to
minimize its processor usage. Below are all of the modules that are active.
I know this is an exhaustive list. How do I either trim it down or narrow
down the offending DLLs? I appreciate any help. Thanks

If you have a program called "svchosts.exe" running, I think your first
course of action would be a virus check and then some sort of spyware
removal tool. Best get a firewall running while you're at it.
 
mrlegend90

As was in my post I am running all kinds of protection software and I scan
my system daily.
 
mb

mrlegend90 said:
As was in my post I am running all kinds of protection software and I scan
my system daily.

Then where does this svchosts.exe come from? It's not a Windows file; it looks
like it has been 'disguised' as svchost.exe, which *is* a Windows file.
 
mrlegend90

That is my question. All that I can tell is that a lot of the DLLs are
related to Microsoft files.
 
mb

mrlegend90 said:
That is my question. All that I can tell is that a lot of the DLLs are
related to Microsoft files.

I'm trying to tell you that you have a virus!
"svchosts.exe" is NOT a valid Windows file, but has been named so that it
looks like the valid Windows file "svchost.exe"
 
mb

mb said:
I'm trying to tell you that you have a virus!
"svchosts.exe" is NOT a valid Windows file, but has been named so that it
looks like the valid Windows file "svchost.exe"

Oops, didn't finish that...
I think it's called the Porn Google virus.
Are you getting porn sites loaded into your favourites?
 
jdm42595

Not true. svchosts IS a valid Windows file on XP and 2000. It's the name
you see that comes up for multiple small OS things that are running in the
background. Not saying yours couldn't have been hijacked, but it is a valid
process and you will always see it.
 
Ronnie Vernon MVP

Not true. svchosts IS a valid Windows file on XP and 2000. It's the
name you see that comes up for multiple small OS things that are
running in the background. Not saying yours couldn't have been
hijacked, but it is a valid process and you will always see it.

Unless this is a typo, it is likely a virus. The svchosts.exe is a file
installed by the Backdoor.SDBot.E virus.

Many viruses have files that closely resemble standard Windows files. This one
simply has an extra "s" inserted. This is a particularly nasty virus that
enables the creator to control and use the infected system. You can get more
information on this virus here:

Symantec Security Response - Backdoor.Sdbot.E:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.e.html


--
Ronnie Vernon
Microsoft MVP-Windows Shell/User

Please reply to the newsgroup so all may benefit.
http://www.dts-l.org
http://www.mvps.org
 
mrlegend90

Thanks Ron,
I checked out the Symantec site in regards to the trojan mentioned. It
doesn't appear that I have it because I do not have the registry keys
mentioned in the threat response. The one weird thing is that they mention
the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

As it turns out I don't even have that key. This seems weird because it
sounds like it is in charge of the services. I guess it is possible that it
was a unique key made by the trojan that doesn't seem to be there. I
appreciate your thoughts and would ask if you have any more ideas.

My system gets virus updates every hour. And I scan my system every day at
idle time, so I am fairly confident that it is not a virus but a nefarious
DLL. Is there any way to trace specific DLLs that are running underneath
the svchosts.exe? Thanks again

mrlegend90
 
Ronnie Vernon MVP

mrlegend90 said:
Thanks Ron,
I checked out the Symantec site in regards to the trojan
mentioned. It doesn't appear that I have it because I do not have
the registry keys mentioned in the threat response. The one weird
thing is that they mention the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

As it turns out I don't even have that key. This seems weird because
it sounds like it is in charge of the services. I guess it is
possible that it was a unique key made by the trojan that doesn't
seem to be there. I appreciate your thoughts and would ask if you have
any more ideas.

My system gets virus updates every hour. And I scan my system
every day at idle time, so I am fairly confident that it is not a
virus but a nefarious DLL. Is there any way to trace specific DLLs
that are running underneath the svchosts.exe? Thanks again

If you are still seeing this svchosts.exe file, then parts of the virus are
still present on the system. You should not be seeing this file in the
running processes. Do you also see the file svchost.exe running in the
Processes Tab of Task Manager? This one is the legitimate services host
file.

It's possible that your anti-virus software detected this virus, but simply
did not do a good job when cleaning it.

Go to Start/Run and type: msconfig and press OK. Click the Start Up tab
and look for any reference to the svchosts.exe there. If you find something,
remove the check mark and note where it is starting from. Go to that
location in the registry and delete it.

The
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
key in the registry is a legitimate registry key. It is used to start
services prior to when the user logs onto the system. This is why the virus
installs itself there.

This is not an issue with dll files.

--
Ronnie Vernon
Microsoft MVP-Windows Shell/User

Please reply to the newsgroup so all may benefit.
http://www.dts-l.org
http://www.mvps.org
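
Added example, not code from any poster in this thread: the Python below applies the two checks discussed in the replies above, the look-alike file name (one extra "s") and the startup entries under the Run and RunServices keys, by flagging any program name that is one character edit away from a known Windows binary. The `KNOWN` list, the process names and the `reg query` output are constructed assumptions for illustration.

```python
import ntpath
import re

# Assumed, non-exhaustive list of Windows binaries whose names get imitated.
KNOWN = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
         "csrss.exe", "explorer.exe", "smss.exe"}

def edit_distance(a, b):  # Levenshtein distance, two-row dynamic programming
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_name(image_path):
    """Return the known binary this file name is one edit away from, else None."""
    name = ntpath.basename(image_path.strip('"')).lower()
    near = (k for k in sorted(KNOWN) if edit_distance(name, k) <= 1)
    return None if name in KNOWN else next(near, None)

def command_image(cmd):
    """Executable path from an autorun command line, quoted or bare."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def scan_autoruns(reg_text):
    """Flag `reg query` values whose program name imitates a known binary."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        image = command_image(m.group(2)) if m else ""
        if imitated_name(image):
            hits.append((key, m.group(1), image))
    return hits

# Constructed sample data, not taken from the thread or from any advisory.
SAMPLE_PROCS = ["System", "smss.exe", "svchost.exe", "svchost.exe", "svchosts.exe"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\Example AV\avtray.exe" /min
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Example Entry    REG_SZ    D:\WINDOWS\System32\svchosts.exe
"""

if __name__ == "__main__":
    print([p for p in SAMPLE_PROCS if imitated_name(p)], scan_autoruns(SAMPLE_REG))
```

A name match is only a lead: confirm the file's location and signature before deleting a startup entry.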
 
mrlegend90

The only place I see the svchosts.exe is in the processes tab. There can be
as many as 4 of this service running at any given time. The instance that
causes the CPU utilization issue always has the same DLL modules in it. I
also thought I had a virus, but when no virus scanner has ever picked it up,
according to the logs, I am led to believe that it is not virus related. I
have scanned my system with Kaspersky (spelling?) and I have used Norton on my
machine since the initial install before it was ever brought online. Do
you have any suggestions of a better scanner that could pick up a virus if it
has not been thoroughly cleaned as you suspect?
 
David Carmichael

mrlegend90 said:
The only place I see the svchosts.exe is in the processes tab. There can be
as many as 4 of this service running at any given time. >>SNIP<<

Is "4" the maximum number of processes that should be running at any one
time? Because on my system I have eight processes running.

--David
 
