svchost.exe -k netsvcs is taking 100% CPU

    Question

  • I am on a desktop Windows XP - Service Pack3

    My computer is using 100% CPU.

    I used Process Explorer to find what was using all the CPU.

    It was svchost.exe -k netsvcs

    I ran virus scans - nothing was found.

    I searched for svchost.exe and deleted all those not in the C:\Windows\System32 directory.

    It did find a couple of files called SMSvchost.exe in a c:\windows\Microsoft.net\Framework\v3.0 directory.

    I ran HijackThis and this is the log:

    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 12:46:41 PM, on 6/4/2013
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    FIREFOX: 20.0.1 (en-US)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Portfolio Director\PortfolioDirector.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\ProcessExplorer\procexp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:21320
    O2 - BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe Acrobat Create PDF Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
    O4 - HKLM\..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
    O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANwA1ADAANAAyADQAMAA5ADkALQBWAE8AUAArADMALQBGAEwAKwA5AC0AWABPADMANgArADEALQBEAEQAVAArADAALQBYAE8AOQArADEALQBTAFQAOQAwAEYAQQBQAFAAKwAxAC0ARgBVAEkAKwAyAC0ARgA5ADAAVABCACsAMgA"&"prod=90"&"ver=9.0.894
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe -update activex (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10x_ActiveX.exe -update activex (User 'Default user')
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1370348817593
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1370276369484
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://al-fdc-sa2.advisor-connection.com/dana-cached/sc/JuniperSetupClient.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27068A69-9F3D-4B77-A39E-F93E2392CE75}: NameServer = 4.2.2.1,4.2.2.3
    O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira Real-Time Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
    O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

    --
    End of file - 11994 bytes


    Can anyone please help!

    Thank You.
    Tuesday, June 04, 2013 4:57 PM

Answers

  • Unfortunately, you may not be in the clear. Rootkits can hide themselves in multiple devious ways. Do not rely on one tool. This is why I suggested a malware removal forum where you will be assisted one-on-one until all that can be done, has been done. To be safe, my advice would be still to start a thread in one of those forums (such as the one already provided), giving them full details. At least it will be easier now that your PC is useable again.

    The alternative is this

    http://technet.microsoft.com/en-us/library/cc512587.aspx
    Friday, June 07, 2013 1:22 PM

All replies

  • Run the following command:
    tasklist /svc /fi "imagename eq svchost.exe"

    That will tell you what services are being controlled by the service host. You can force stop the services to free up CPU.

    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, June 05, 2013 9:00 AM
  • They all seem to be important processes and when I stop them I lose functionality.
    Wednesday, June 05, 2013 3:02 PM
  • Then you need to continue with this and stop some services from services.msc.

    Arnav Sharma

    Wednesday, June 05, 2013 3:36 PM
  • There were three processes I could not stop.

    RasMan

    TapiSRV

    and

    W32Time

    I stopped all the other processes, and they had no effect on the CPU usage.

    Thank you!


    • Edited by KenCrom Wednesday, June 05, 2013 8:07 PM
    Wednesday, June 05, 2013 8:05 PM
  • Please try opening Task Manager and noting the PID (Process ID) of the offending process (That is using all your cpu)

    Download, unzip and open the appropriate (32 or 64 bit) standalone executable CurrPorts (cports.exe). The download link is at the bottom of this page:
    http://www.nirsoft.net/utils/cports.html

    Look for and report how many entries (if any) have a matching Process ID. Also list (if any) their Remote Address. These address(es) may give some clue as to whether the cause of the problem is benign or malicious.

    To be safe please also consider starting a thread here
    Am I infected? What do I do?

    • Edited by mystifeid Thursday, June 06, 2013 2:06 AM
    Thursday, June 06, 2013 1:52 AM
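
The two checks suggested so far in this thread, listing the services inside each svchost.exe PID and listing the remote addresses tied to one PID, combined in one script. This is an added example, not part of any post: it uses saved `netstat -ano` output in place of CurrPorts, and all sample output, PIDs and addresses in it are constructed.

```python
import re
from collections import Counter

# Constructed sample of: tasklist /svc /fi "imagename eq svchost.exe"
TASKLIST_SVC = """\

Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  980 DcomLaunch, TermService
svchost.exe                 1052 RpcSs
svchost.exe                 1416 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 RasMan, Schedule, TapiSrv, W32Time, wuauserv
svchost.exe                 1496 Dnscache
"""

# Constructed sample of: netstat -ano (remote addresses are documentation ranges)
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1052
  TCP    192.168.1.10:3905      203.0.113.60:80        ESTABLISHED     1416
  TCP    192.168.1.10:3907      203.0.113.92:80        ESTABLISHED     1416
  TCP    192.168.1.10:3913      198.51.100.12:80       ESTABLISHED     1416
  TCP    192.168.1.10:3919      198.51.100.12:80       ESTABLISHED     1416
  TCP    192.168.1.10:2918      192.0.2.31:443         ESTABLISHED     1416
  TCP    192.168.1.10:1040      192.0.2.200:443        ESTABLISHED     2304
  UDP    0.0.0.0:123            *:*                                    1416
  UDP    0.0.0.0:1035           *:*                                    1416
"""

# Foreign-address values that mean "no remote peer" (listeners, unbound UDP).
NO_PEER = {"0.0.0.0", "*", "[::]", ""}


def parse_tasklist_svc(text):
    """Map PID -> list of hosted service names, joining wrapped lines."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m and m.group(1).lower().endswith(".exe"):
            current = int(m.group(2))
            services[current] = []
            rest = m.group(3)
        elif current is not None and line.startswith(" ") and line.strip():
            rest = line  # continuation of the previous process's service list
        else:
            continue  # header, separator or blank line
        services[current] += [s.strip() for s in rest.split(",")
                              if s.strip() and s.strip() != "N/A"]
    return services


def parse_netstat(text):
    """Parse `netstat -ano` rows; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":
            proto, local, remote, pid = f
            state = ""
        else:
            continue
        host, _, port = remote.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_host": host,
                      "remote_port": port, "state": state, "pid": int(pid)})
    return conns


def triage(pid, services, conns):
    """Summarise what one PID hosts and which remote endpoints it talks to."""
    peers = [c for c in conns
             if c["pid"] == pid and c["remote_host"] not in NO_PEER]
    return {
        "pid": pid,
        "services": services.get(pid, []),
        "connections": len(peers),
        "distinct_remote_hosts": sorted({c["remote_host"] for c in peers}),
        "remote_ports": dict(Counter(c["remote_port"] for c in peers)),
    }


def busiest_pids(conns):
    """Rank PIDs by number of distinct remote hosts, highest first."""
    hosts = {}
    for c in conns:
        if c["remote_host"] not in NO_PEER:
            hosts.setdefault(c["pid"], set()).add(c["remote_host"])
    return sorted(((p, len(h)) for p, h in hosts.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    svc = parse_tasklist_svc(TASKLIST_SVC)
    conns = parse_netstat(NETSTAT_ANO)
    for pid, n in busiest_pids(conns):
        print(pid, n, triage(pid, svc, conns))
```

A PID that appears in the netstat output but not in the svchost.exe task list (2304 in the sample) simply reports an empty service list, which tells you it is not a service host.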
  • There must be dependencies on these; right-click on the service and click on the Dependencies tab. Check and close the services.

    Arnav Sharma

    Thursday, June 06, 2013 4:37 AM
  • You shouldn't have to stop Windows' system services to bring down CPU usage. It's either something wrong with the services or some malware infection.

    I think it's more likely a malware infection because in your original post you found many svchost.exe files outside of System32.

    Thursday, June 06, 2013 5:25 AM
  • Here is the report on the selected PID number:

    Thursday, June 06, 2013 2:17 PM
  • Here is the log for the PID  error

    Thursday, June 06, 2013 2:19 PM
  • Wow. It may be best, as suggested above, to try a malware removal forum (the "Am I infected" link, but there are many others).

    (It is possible that these addresses come from your DNS cache, but it is still best to eliminate the possibility of malware as the cause.)

    Thursday, June 06, 2013 6:19 PM
  • You shouldn't have to stop Windows' system services to bring down CPU usage. It's either something wrong with the services or some malware infection.

    I think it's more likely a malware infection because in your original post you found many svchost.exe files outside of System32.

    Those are the processes and not the actual files. Check, it's been labelled as "Running processes"

    And not files present. 


    Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, June 07, 2013 3:33 AM
  • Yes, there can be a possibility. You can start with MSE  http://www.microsoft.com/security/pc-security/mse.aspx

    For scanning the system



    Friday, June 07, 2013 3:35 AM
  • Those are the processes and not the actual files. Check, it's been labelled as "Running processes"

    And not files present. 

    If you do care to read first, from the original post by KenCrom:

    I searched for svchost.exe and deleted all those not in the  C:\Windows\System32 directory.
    Friday, June 07, 2013 5:48 AM
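
The two replies above turn on whether a copy of svchost.exe was actually running from outside System32. The following is an added example, not part of any post in this thread: it reads the "Running processes" section of a HijackThis log and flags images that use a system binary's name from an unexpected directory. The sample log is constructed, and the expected directories assume a default C:\WINDOWS install.

```python
import ntpath

# System binary names malware often imitates -> the directory the genuine
# XP file runs from (assumption: default C:\WINDOWS install).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample in HijackThis layout; paths are illustrative only.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.5

Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Temp\svchost.exe
C:\Documents and Settings\user\Application Data\lsass.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\SMSvchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [example] C:\example.exe
"""

def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:  # a blank line ends the section
                break
            paths.append(line)
    return paths

def misplaced_system_images(log_text):
    """Flag processes named like a system binary (exact, case-insensitive
    match) that run from a directory other than the expected one."""
    hits = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name.lower())
        if expected and ntpath.normpath(directory).lower() != expected:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print(misplaced_system_images(SAMPLE_LOG))
```

SMSvchost.exe is not flagged because only exact file names are compared. An empty result covers only the processes the log lists, so it does not rule out a rootkit that hides its processes.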
  • Thanks for the help!

    I think the problem is fixed. I used Malwarebytes Anti Rootkit and it finally found 3 infections. I rebooted and it seems to be running fine now!

    Friday, June 07, 2013 12:59 PM
  • Yep, I think you were right. AntiRootkit seemed to fix it.

    Thank you!

    Friday, June 07, 2013 1:00 PM
  • Unfortunately, you may not be in the clear. Rootkits can hide themselves in multiple devious ways. Do not rely on one tool. This is why I suggested a malware removal forum where you will be assisted one-on-one until all that can be done, has been done. To be safe, my advice would be still to start a thread in one of those forums (such as the one already provided), giving them full details. At least it will be easier now that your pc is useable again.

    The alternative is this

    http://technet.microsoft.com/en-us/library/cc512587.aspx
    Friday, June 07, 2013 1:22 PM
  • Why has this thread been marked answered by someone other than the OP when the OP's last post was less than 24 hours ago??

    Why wasn't the OP's own post marked as sole answer ? Perhaps if he ever returns he can do so whilst unmarking those above.
    Saturday, June 08, 2013 10:42 AM
  • @mystifeid You deserve your second post being marked as an answer. After all, although I already suspected malware (because the OP wrote about multiple svchost.exe s being found), you deserve a better credit because you confirmed the existence of malware
    Saturday, June 08, 2013 4:13 PM
  • I'm quite happy for the OP to have full credit for solving his own problem. But I think there's still a chance he'll return and say - yeah, there is still something nasty on this pc.

    What will he think if he returns tomorrow and sees those replies marked as answer? Already.

    What would you think if you were the OP ?

    Credit ? You mean points. What a laugh. 

    Personally, I can't wait until I have more points, because then I'm gonna, then I'm gonna ... oh wait ...

    You know, I've spent quite a reasonable part of today writing a script for this chap

    http://social.msdn.microsoft.com/Forums/en-US/scripting/thread/616283d9-3f86-41ad-879a-e1f446f40f27

    and an improved version 3 will be out soon. It's on an unmoderated forum where 95% of threads are never marked as answer no matter how good the replies. I can guarantee I will come close to falling over if this thread is ever marked with an answer.

    When you do get one of these though, and the OP comes back and says "Well, gee thanks, you really helped," (like the one above) - well that really means something. By comparison, when a moderator marks a reply of mine as answer, at best, it leaves an empty feeling, partly from the continuing amazement that they are actually allowed to do this.

    But when one of them pats itself on the back for some worthless fumbling, well...
    Saturday, June 08, 2013 9:36 PM
  • Well, I have been on this website for more than a year now, so I know it's not a new thing that answers are marked by moderators and answerers. I personally like this policy of having answerers and moderators being allowed to mark answers. It takes a lot of time and thinking to find a solution to a problem (unless the problem is straightforward). It is very common that the OPs never reply at all, so your hard work at solving the problem doesn't hold any value. I won't mind if they did away with Recognition points and the achievements system - but that's how they select Answerers, Moderators, MCCs and even MVPs. I really feel bad when my real attempt and sometimes real solutions are left without being marked whereas posts such as "We need more details to understand the issue" or "Please post in a more appropriate forum" (when someone posts in wrong forum) are marked as answers. This is because an answerer was wrongly appointed (just like the one who marked answer in this thread) because the Forum Owners looked at the Recognition points and appointed that person, without even taking a look at the quality of posts.

    That's why I want credits to be rightly awarded. So that the right person who worked hard moderates the forums and marks answers after reading all the posts thoroughly and then marking an answer, in case the OP never replies, instead of the current behavior -> OP didn't reply, somebody posted and proposed his own post as answer. The moderator (in many cases) marks that self-proposed post as answer, without giving any thorough look at other posts. That's all. I want hard work to be recognized.

    Sunday, June 09, 2013 5:06 AM
  • Fair enough I suppose and very understandable.

    There are situations that provoke the same sort of response in me. These include
    - someone asking for an entire script but opening the thread as a discussion
    - someone who receives a detailed reply, says 'thank-you', then marks the thank-you as answer.

    But as someone who uses search a lot, my overriding concern is to see questions connected to viable solutions. How many times have you had to sift through a couple of hundred web pages to find a solution to a problem only to think, why was all that other stuff presented before this - this is obviously the only real solution.

    Moderators marking answers is more likely to contribute to this obfuscation (as in this case). Real value is more likely when the asker marks their own question.

    Having spent a lot of time on unmoderated forums I have seen that there are many more ways to deter an asker from replying or marking a reply than there are ways of encouraging them. If you care about these things you learn to take a great deal more care with your own replies.

    Hard work provides its own rewards. Once spent five weeks full time finding an answer to one question. Wrote and rewrote a couple of thousand lines of script. Generated a Chinese localisation. Read and experimented with many things. Learnt a lot of stuff that, at the time, I thought I didn't want to know. Except for the last hour or two I thought I'd never find an answer but as is so often the case, I found not one but two solutions. I was pretty happy.

    How do I compare the value of the experience gained from those five weeks to any recognition points ? There is no comparison. The experience is the reward.
    Sunday, June 09, 2013 6:37 AM
  • And for some reason, I see that I am also now 'credited' but the OP's solution ?...allow me to reiterate - this problem :
    svchost.exe -k netsvcs is taking 100% CPU
    should have been connected to this reply and no other (after about a month - not 20 hours - of inactivity on the thread)
    I think the problem is fixed. I used Malwarebytes Anti Rootkit and it finally found 3 infections. I rebooted and it seems to be running fine now!
    Sunday, June 09, 2013 7:01 AM
  • Moderators marking answers won't lead to obfuscation if moderators would be marking answers after going through the posts thoroughly. Anyways, since these posts are of hardly any value here, it would be much better to start a discussion thread on the TechNet Forum Feedback.
    Sunday, June 09, 2013 8:06 AM
  • In my case, I solved this problem by stopping the "Windows Update" service.

    My WSUS server was downloaded more than 50 updates last night and still very slow, causing slowness or high CPU usage in my client computers/servers.


    BANZAI

    Thursday, September 12, 2013 10:03 PM
  • After a fresh install, installing drivers, service pack 3, antivirus, wireless network adapter and IE 8,
    Windows update would not work, and CPU at 100% 
    Turned off Windows update, CPU dropped down from 100% and followed the instructions on the page

    http://www.tntnetworx.net/fix-for-windows-xp-sp3-svchost-exe-100-cpu-usage-issue/

    Reset the Automatic Updates System – Windows XP SP3

    Open a command prompt: Start | Run | cmd /Enter

    net stop "Automatic Updates" – ENTER

    del /f /s /q %windir%\SoftwareDistribution\*.* – ENTER

    net start "Automatic Updates" – ENTER

    wuauclt.exe /detectnow – ENTER

    Windows update worked, and I installed Microsoft update, it is currently checking for updates.
    Hope this helps someone else.

    Wednesday, October 23, 2013 12:43 AM
  • You totally nailed it. I had a fresh install and ran into the same issue. It pegged again a few minutes after implementing this, but stopping the Windows Update service works for me.

    Thanks for the find!

    Saturday, October 26, 2013 8:32 PM
  • I turned Automatic Updates off and it released all the CPU usage svchost.exe was using and the System Idle went back to about 94%. If I turn updates on, svchost.exe again takes all the CPU. I'm just running with Automatic Updates off until I can find a fix. I'll run it manually when I want.
    Sunday, November 17, 2013 5:51 AM
  • I did run Norton Antivirus and Malwarebytes and nothing was found in either.
    Sunday, November 17, 2013 5:53 AM
  • While everyone could be right about spyware/malware, you need to update to the SP3 fix for the issue first and see if that solves the issue... 99.98% of the time this has been the issue after the SP3 update was done...

    The fix for the Service Pack 3 issue is KB2870699

    http://www.microsoft.com/en-us/download/details.aspx?id=40119 It's to resolve the problem with high CPU.


    Thursday, November 21, 2013 12:13 AM
  • First back up all of your data before proceeding. (Better to be safe than sorry)

    This is late but I fixed a machine today after a Rogue infection and it turns out it was automatic updates causing the issue. Open up

    services.msc
    Stop "Automatic Updates" and verify that it is indeed the service causing issues.
    If it is causing issues, pop in an XP installation CD and reboot to the Windows CD. (If you don't know how, consult a professional.) Then press R for repair when the CD starts. Type in the administrative password and type:

    **ASSUMING D: IS THE CD ROM DRIVE**

    del C:\Windows\System32\wuaueng.dll
    del C:\Windows\System32\wuaueng1.dll
    del C:\Windows\System32\svchost.dll
    del C:\Windows\System32\wuauserv.dll

    Copy D:\i386\wuaueng.dl_ C:\Windows\System32
    Copy D:\i386\wuaueng1.dl_ C:\Windows\System32
    Copy D:\i386\svchost.dl_ C:\Windows\System32
    Copy D:\i386\wuauserv.dl_ C:\Windows\System32

    ren C:\Windows\System32\wuaueng.dl_ wuaueng.dll
    ren C:\Windows\System32\wuaueng1.dl_ wuaueng1.dll
    ren C:\Windows\System32\svchost.dl_ svchost.dll
    ren C:\Windows\System32\wuauserv.dl_ wuauserv.dll

    Reboot and everything should be back to normal. Good luck!


    • Edited by Morronic Monday, December 02, 2013 6:58 AM Fixed some errors
    Monday, December 02, 2013 6:29 AM
  • I used Process Explorer to see what was using and freezing my old Dell XP system. It was the auto updater. I simply turned mine off. It's XP end of life; I have all the auto updates it will ever need. Works fine.
    Sunday, December 15, 2013 6:49 PM
  • This is the best fix, but it needs updated.

    Last month in November the issue was fixed by KB2879017

    Now in December the issue is fixed by KB2988785

    http://technet.microsoft.com/en-us/security/bulletin/ms13-097

    Make sure you select the correct combination of OS/Version and IE version!!

    Thank you to all who have contributed to finding this solution!

    For more info see this article that confirms this works.

    http://www.infoworld.com/t/microsoft-windows/windows-xp-update-locks-machines-svchost-redlined-100-fix-it-kb-2879017-230733

    Thursday, December 19, 2013 8:35 PM
  • After a fresh install, installing drivers, service pack 3, antivirus, wireless network adapter and IE 8,
    Windows update would not work, and CPU at 100% 
    Turned off Windows update, CPU dropped down from 100% and followed the instructions on the page

    http://www.tntnetworx.net/fix-for-windows-xp-sp3-svchost-exe-100-cpu-usage-issue/

    Reset the Automatic Updates System – Windows XP SP3

    Open a command prompt: Start | Run | cmd /Enter

    net stop "Automatic Updates" – ENTER

    del /f /s /q %windir%\SoftwareDistribution\*.* – ENTER

    net start "Automatic Updates" – ENTER

    wuauclt.exe /detectnow – ENTER

    Windows update worked, and I installed Microsoft update, it is currently checking for updates.
    Hope this helps someone else.

    Thank you so very very much!! I have spent 3 days trying to figure out how to fix the issue. I was so determined to find an answer that actually worked, that I read through all of the other replies on this thread as well. This is the ONLY thing that has worked. I'm a mom of 4 boys, I don't have the money to have people look at & fix my comp. It's all on me. This reply just saved me a lot!! Thank you Thank you Thank you!!!!!!

    • Edited by Tracie Lynn Friday, December 20, 2013 7:42 AM Forgot to include the post I found helpful
    Friday, December 20, 2013 6:57 AM
  • Microsoft have still not fixed this problem despite two patches. Apparently it now has a high priority, so we can but hope.
    Tuesday, January 21, 2014 1:54 AM
  • It turns out that the high CPU for 5 mins every 25 mins was Windows BitDefender. Found by using your command. Thanks!
    Monday, March 10, 2014 1:16 PM