svchost 100%CPU

G data Antivirus 2010 (full product)
June 14, 2010 at 04:06:21
Specs: Windows XP, ?
Lately, svchost has been using 100% of my processor.

I have been nailed twice by malware in the last few months. Once I was able to clean the system with Hitman Pro, Malwarebytes and Super AntiSpyware.

The second time, I couldn't get anything to work but combofix.

I started to notice that when I close firefox sometimes it would not be removed from the task manager and it would show 100% cpu usage.

Then that seemed to change to the svchost.exe. Now after using my computer for a while it jumps to 100% CPU usage.

Also I can't update windows anymore. When I try, everything seems to be working fine and then it says the following updates not installed.

On top of that, if I try to update using IE, I get "Internet Explorer cannot display the webpage". I also seem to get redirected when trying to access other pages about "windows updates blocked".

I have run a virus, malwarebytes and super antispyware scan with no problems listed.

My host file appears to be clean, but clearly somehow I am still being blocked from certain sites and redirected when asking about update problems.

Any help is appreciated.


June 14, 2010 at 04:47:20
It sounds like you have a particularly nasty infection. Try running your scans in Windows safe mode with networking (update them again), since it will only allow certain important system processes to run when it starts, which should let you find and eliminate them.
You can also download Process Explorer from Microsoft. It will tell you much more about the processes running than Task Manager, including what EACH svchost is behind that mask of a name. This will help you identify what processes to shut down (it can shut them down like Task Manager) and give you a clue to uninstalling (add-remove programs) or deleting files manually. Sometimes just shutting down the right part of the attack is the key to removing it. Process Explorer is a tool I find useful.

You have to be a little bit crazy to keep you from going insane.
If all else fails, read instructions.


June 14, 2010 at 05:36:00
Process Explorer shows the svchost file with a sub file of wuauclt.exe.

The svc file is listed as a generic host process for win32 services.

I have run a hitman pro, malwarebytes and mcafee scan with nothing showing up. Nothing appears out of the ordinary in task manager other than the svchost using 100% of the processor.


June 14, 2010 at 05:51:28
This is crazy. If I try to copy the hijack log file and paste it in this message, I get a connection reset error.

How in the world is something blocking me from pasting the log file here?


June 14, 2010 at 07:04:29
I checked the process library. This is what I found:

wuauclt.exe (Safe)

Description: From Windows Update AutoUpdate Client. Background process which checks with Microsoft website for updates to the operating system. Shows up on the Task Manager's processes list when it is waiting for a response, e.g. to confirm permission to download an update.
Severity: Safe
Posted By: Neuber on May 27, 2009 at 12:05:32

I see it as the update is just not able to complete (then a manual update should fix this) or something is blocking the update from completing (more probably the case). Did you update and rescan in safe mode? You can try shutting this process off and see what else is running that does not need to, including Firefox, iexplorer (Internet Explorer), AIM, and anything that might have an internet link (some nasties masquerade as these to get an outside link). Shut down anything that is not essential to Windows and your antivirus software and rescan with an updated Malwarebytes and one of the better antivirus programs. Then restart into safe mode and repeat scans.
If this does not help, back up your personal files to another drive and, using your XP install disc, DELETE the partition, then recreate the partition NEW and reinstall clean. Then update Windows, then reinstall your antivirus program, then reinstall your programs, then scan your files before reloading them.

You have to be a little bit crazy to keep you from going insane.
If all else fails, read instructions.


June 14, 2010 at 07:28:30
I tried the safe mode scans. All clean.

I am not desperate enough to reinstall windows at this point.

Anyone else have any ideas?

How is it possible to block me from pasting a hijack this log in this window?

If my host file is clean, why am I redirected when trying to find fixes for the automatic update?

How am I being blocked from the windows update page?


June 14, 2010 at 07:31:13
Running processes:
C:\Program Files\\Agent\mcagent.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\The Dragon\My Documents\My Downloaded Files\procexp.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe

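Added example (not part of the original thread, and not code from HijackThis): a short Python triage pass over HijackThis-format lines that surfaces the entries the tool itself marks as having no backing file or no vendor string, as in the O9 and O23 lines of the log above. The sample lines are constructed from that log's format, and the function names are hypothetical.

```python
import re

# Constructed sample: a few lines in HijackThis log format, modelled on the
# log posted above (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Unknown owner - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A log entry is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Markers HijackThis prints itself. They point at leftovers worth reviewing
# (here, an uninstalled firewall); they are not proof of malware.
MARKERS = {
    "(file missing)": "target file not on disk",
    "(no file)": "registry entry with no file",
    "Unknown owner": "no vendor string could be read",
}

def parse(log):
    """Yield (section_code, body) for each well-formed log entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return [(code, reasons, body)] for entries carrying a marker."""
    findings = []
    for code, body in parse(log):
        reasons = [why for mark, why in MARKERS.items() if mark in body]
        if reasons:
            findings.append((code, reasons, body))
    return findings

def sections(log):
    """Count entries per section code (O4 = Run keys, O23 = services, ...)."""
    counts = {}
    for code, _ in parse(log):
        counts[code] = counts.get(code, 0) + 1
    return counts

if __name__ == "__main__":
    for code, reasons, body in triage(SAMPLE_LOG):
        print(f"{code}: {'; '.join(reasons)}\n    {body}")
```

A log that passes this check is not thereby clean: the thread's log shows only stale entries of this kind, yet the poster still reports blocked updates and redirects.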

June 14, 2010 at 07:44:07
Ok, that is almost the full Hijack This log.

There is one line that if I try to put in a message, I get an error message and it will not let me post it.

The connection to the server was reset while the page was loading.

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update/v6/V5Controls/en/x86/client/

Ok, that is the part of the log that was keeping me from posting the full hijack this log.

As you can see, what I did was put a space between windows update.

Somehow the words windows update without a space causes the post to be blocked. How is that even possible?


June 14, 2010 at 11:32:59
I disabled the automatic updates and that has taken care of the cpu drag although that one instance of svchost still eats up a 100mb of memory.

Also still need to find an explanation for the windows update problem and redirects.


July 22, 2010 at 11:59:53
I believe you have malware, you just haven't found it yet.

>svchost still eats up a 100mb of memory.
Did you find out what process causes it? It's easy to find it using Process Explorer or Svchost Process Analyzer.

There is also a good free antivirus software, CureIt from Dr.Web. Run it in safe mode. Hope it helps.


July 23, 2010 at 09:21:51
Thanks for the response.

This was fixed ages ago. I ended up using combofix. It got rid of the pesky malware that was causing the problem.

Thanks again.
