svhost.exe and lsass.exe using 75-100% processor - all of the time

Bob

Hello all,

I have a user's system that is running XP Professional SP3 on a 2003 Domain.
Yesterday morning the person called and their system is running very
slow. I looked at Task Manager and saw svhost.exe and lsass.exe draining all
of the processor time - memory usage was down, using approx 303MB with all of
their applications opened.

I did end svhost.exe but lsass.exe is still pulling processor, memory is
good.

I run full security scans weekly on all systems - I use Symantec
Endpoint Protection. For fun ---- I stopped System Restore, booted up in safe
mode and ran a full scan. I had the following on the system ----

w32.koobface.b
packed.generic.234
backdoor.trojan

All were deleted, I got removal instructions off Symantec's website, and took
care of that. Still problem with both. On the net I saw that lsass.exe can be
hiding a security threat -----

Has anyone come across svhost.exe and lsass.exe using all of your processor
time, but the memory is normal ---- and how did you resolve it?

The high processor usage on lsass.exe is still happening - 20/250 minutes
after the system is booted up/signed into the LAN.

Thanks,
Bob
 
JS

From Ramesh's web site: http://windowsxp.mvps.org/svchost.htm
Also: http://support.microsoft.com/?kbid=314056

To find out more about Svchost.exe entries try Process Explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Once you have Process Explorer installed and running:
In the taskbar select View and check the:
'Show Process Tree' and the 'Show Lower Pane' options.
Move your mouse cursor over any column in the right hand pane and
right click and check the following boxes:
'Command Line' and 'Version'.
(This will provide some of the detailed info you may need)

Next expand the Process tree until 'Services.exe' has been expanded.
Next move the mouse cursor over the Svchost.exe process that you are
interested in. (You should now see a pop up with a list of services
associated with the Svchost.exe you selected)

Note: some Svchost entries may need to be expanded to show the
detail (sub processes), in this case click on the + located to the left of
the entry. Explorer and System/Services also need to be expanded.

Next double click on the Svchost.exe process that you are interested in.
The 'Properties' Window should now be displayed with numerous tabs.
(Two important tabs to look at are: Services and Environment)

Searching for web based information about a process:
Then mouse over the specific process that you are interested in.
Next click on that process to highlight it,
Now that it's highlighted, right click and from the options listed select:
Search Online
This should display what's out there on the web about that process.

As mentioned before: You can also double click on any process
to open up a more detailed 'Properties' window.
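
A command-line counterpart to the Process Explorer steps above, as an added example that is not part of JS's post: it parses `tasklist /svc /fo csv` output to list the services behind each process and flags names one or two characters away from svchost.exe or lsass.exe (such as the svhost.exe spelling in the question), a svchost.exe hosting no service, and a second lsass.exe. The sample output is constructed, and the three checks are triage heuristics assumed here, not verdicts.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (not from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"services.exe","712","Eventlog,PlugPlay"
"lsass.exe","724","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","884","DcomLaunch,TermService"
"svchost.exe","1032","AudioSrv,Dhcp,wuauserv"
"svhost.exe","2440","N/A"
"svchost.exe","3112","N/A"
'''

SYSTEM_NAMES = ("svchost.exe", "lsass.exe")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_tasklist(text):
    """Return (image, pid, [services]) per row; 'N/A' means no hosted service."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        raw = rec["Services"]
        svcs = [] if raw == "N/A" else [s.strip() for s in raw.split(",")]
        rows.append((rec["Image Name"].lower(), int(rec["PID"]), svcs))
    return rows

def review(rows):
    """Return (pid, image, reason) findings that deserve a closer look."""
    findings = []
    for image, pid, svcs in rows:
        for real in SYSTEM_NAMES:
            if image != real and edit_distance(image, real) <= 2:
                findings.append((pid, image, "name resembles " + real))
        if image == "svchost.exe" and not svcs:
            findings.append((pid, image, "svchost.exe hosting no service"))
    lsass = [pid for image, pid, _ in rows if image == "lsass.exe"]
    if len(lsass) > 1:
        findings.append((lsass[-1], "lsass.exe", "more than one lsass.exe"))
    return findings

if __name__ == "__main__":
    for finding in review(parse_tasklist(SAMPLE)):
        print(finding)
```

On the affected machine, replace the sample with the real output of `tasklist /svc /fo csv`, then look up each flagged PID in Process Explorer to see its command line and image path.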
 
PA Bear [MS MVP]

All were deleted, I got removal instructions off Symantec's website, and took
care of that. Still problem with both.

I'm afraid you've got more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
