WinXP SE: SvcHost (SYSTEM) process takes most of CPU


Arvi Laanemets

Hi

Yesterday evening I was asked to check a computer (WinXP HE, SP1, ADSL
modem, WinXP firewall), because it was too slow. I checked it with 3
different antivirus programs (AntiVir, Housecall PC-Cillin on-line, AVG) and removed
25-30 infected files, mostly trojans. I checked the computer with Ad-Aware
SE and Spybot too; ~70 objects were found and removed. All temporary folders
were emptied. I checked with regedit all Run keys in HKLM & HKCU and removed
all abundant ones (2 spyware records) from there. Comfile, exefile etc. keys in
HKCR looked OK.

After that, when restarted, all was OK in task manager's TaskList - until
the ADSL connection started. Then one of the svchost (SYSTEM) processes started to
take more and more CPU. It was 4%-10% at start, then 10%-30%, etc. until
50%-95% after some time. A little after the CPU usage stabilized, there was
a sudden change - CPU dropped to ~20%, and then rose again to ~90% - then
dropped again, etc. The length of the cycle was less than a minute.

At the same time as svchost, taskmgr was active, which used ~4% CPU.

I tried to investigate what was really using this much CPU (from a command
window: tasklist /svc), but tasklist.exe was missing from the computer entirely.
Then I checked with regedit what was started from the various svchosts
(HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost), and I deleted
all entries which somehow had to do with remote access to the computer and were
not essential to the OS working. Nothing changed!

Maybe some fresh ideas available here!
Thanks in advance!
 

Arvi Laanemets

Hi


Kelly said:
Pretty much normal. What does System Idle read?

100% - SvcHost% - taskmgr%(~4%) - RemainingProcesses%(~2%...3%), i.e.
something between 70% and 0% mostly, average will be somewhere between
30%-40%, I think, but ~10% of time it's less than 10% System Idle CPU - with
only Task manager opened.

Ran both Ad-Aware and Spybot (both updated). I didn't use HijackThis,
because I have tried it only once, on my own computer, and I was not sure
about the results it returned. There was a bunch of registry entries which were
reported as changed, but I didn't have such entries in my registry at all!?

Kelly said:
Note: Update each program, once installed, before running.

Free Online Virus Scan
http://housecall.trendmicro.com/housecall/start_corp.asp

It was one of the 3 various antiviruses I used to scan the computer with. It was
too late for me yesterday to try the other online scanner I sometimes use
(www.bitdefender.com).
 

PaddyBob

Hi Arvi,

It would come in handy to know exactly which process of the SVCHost is
giving you problems, as svchost is controlling loads and loads of processes.
(Just to name a couple: DNSCache, Eventsystem, Seclogon, WinMgmt, etc...
There are more than 20 on a normal Domain Networked XP-Pro machine. On an HE
machine, there will be a couple less, but still an impressive amount.)

Check if you're able to download Process Explorer from
http://www.sysinternals.com
Let us know, once you find out, which exact SVCHost process is giving
you trouble. To be quite honest with you, I don't think this is a virus;
however, it might be malware or a rogue service...

Cheers,

Robert
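An added example, not from anyone in this thread: a PowerShell script that does what Arvi's missing tasklist /svc would have shown, mapping each svchost.exe instance to the services it hosts with their accumulated CPU time, checking the ServiceDll each hosted service loads (present on disk, and whether it is signed), and listing the service groups under the SvcHost registry key Arvi edited. It assumes Windows PowerShell 3 or later on a current Windows system, run as Administrator; it would not run on an unmodified XP SP1 machine.

```powershell
# Added example: map svchost.exe instances to hosted services, show CPU time,
# and check each hosted service's DLL. Assumes Windows PowerShell 3+ (or
# PowerShell 7 on Windows), run elevated so WMI returns ProcessId for all services.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service -> process mapping from WMI: the same data 'tasklist /svc' prints.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

# CPU here is cumulative processor seconds, not a percentage; the busiest instance sorts first.
foreach ($proc in (Get-Process -Name svchost -ErrorAction SilentlyContinue | Sort-Object CPU -Descending)) {
    $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id })
    "svchost PID {0}  CPU(s) {1:N1}  services: {2}" -f $proc.Id, $proc.CPU, (($hosted | ForEach-Object Name) -join ', ')

    foreach ($svc in $hosted) {
        # A svchost-hosted service is implemented by the DLL named in Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$svcKey\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        $dll = $params.ServiceDll
        if (-not $dll) {
            "    {0}: no ServiceDll value (unexpected for a service living in svchost)" -f $svc.Name
            continue
        }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) {
            "    {0}: ServiceDll missing on disk: {1}" -f $svc.Name, $dll
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        "    {0}: {1} [{2}]" -f $svc.Name, $dll, $sig.Status
    }
}

# Service groups defined under the SvcHost key (REG_MULTI_SZ values, one per group).
$groups = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($p in ($groups.PSObject.Properties | Where-Object { $_.Value -is [string[]] })) {
    "group {0}: {1}" -f $p.Name, ($p.Value -join ', ')
}
```

Catalog-signed OS DLLs can report NotSigned on older Windows versions, so the result to follow up on is a hosted service whose DLL sits outside %SystemRoot%\system32, is missing, or is unsigned in an instance that is burning CPU, not every NotSigned line.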
 

Arvi Laanemets

Hi

Thanks! I downloaded it. I'll give it a try today or tomorrow evening.

I agree that this doesn't look like a virus. Maybe something is trying to
connect to somewhere outside, but can't. E.g. some trojan or spyware
component which was partially removed. Or the firewall doesn't let it
connect. It looks like some process is desperately trying to connect at
start, and when convinced that this isn't possible, runs some check
every 20-30 seconds.
 

DanS

Hi

Arvi Laanemets said:
Thanks! I downloaded it. I'll give it a try today or tomorrow evening.

I agree that this doesn't look like a virus. Maybe something is trying to
connect to somewhere outside, but can't. E.g. some trojan or spyware
component which was partially removed. Or the firewall doesn't let it
connect. It looks like some process is desperately trying to connect at
start, and when convinced that this isn't possible, runs some check
every 20-30 seconds.

A good port monitor program is DiamondCS Port Explorer. There's a time-limited
demo at their website. With this you will be able to tell if
something's trying to phone home.

www.diamondcs.com.au/portexplorer/
 

Kelly

Exactly why you need to trust HijackThis! I use this program daily in my
shop here and have never been led wrong. You can look over the config if
you like to be sure of setting your defaults and/or send the report to:

Browser Hijack and Malware Removal Forums
http://forums.net-integration.net/index.php?c=19

How to obtain the most effective support
http://www.net-integration.net/tools/procedure.html

Spyware, Thiefware, Browser Hijackers, etc. Parasites Forum
http://forums.spywareinfo.com/index.php?s=7dc481729338294fb5d64090b77ef364&showtopic=9882


--
All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
