svhost runs at high CPU and unknown audio appears

  • Question

  • svhost runs at high CPU and unknown audio appears without any browser running! Canceling it in Task Manager does not help, as it starts up again within a few seconds. Do you have any knowledge as to how to remove this infection?
    Tuesday, October 8, 2013 4:46 PM

Answers

  • Yes, definitely - try these steps:

    0) As T. Kujala said, you can perform a "Clean Boot," which basically disables all "non-Microsoft" services, so if it runs perfectly with 'Clean Boot,' then you know it is a third-party service or software causing the havoc; but if it runs horribly on Clean Boot, then it is a Microsoft issue, or hardware/firmware issue (flaky memory, hard drive trying to go bad, power supply overheating, bad/corrupt/outdated MS driver/firmware, etc.)

    1) Run your Virus scanner and/or download some tools, like

      a) MalwareBytes antimalware product &

      b) ccleaner

      c) Microsoft Security Essentials (free AV and anti-malware suite)

      d) ProcessExplorer (part of Mark Russinovich's "pstools" suite)

    2) Start in Safe mode. Reboot, press F8 intermittently, until you have the menu, choose "Safe Mode."

    3) DISABLE Restore Points - Hackers have tools that populate the 'cache area' that is controlled by System Restore, so if you turn that off, temporarily, while in safe mode, it can prevent those 'pre-fetch' viruses and malware from "restoring themselves:"

      a) Click "Start," choose "Control Panel," choose "System and Security" then choose "System Protection."
      b) Choose the hard disk where you want to disable "system protection" (usually just the C: drive is sufficient);
      c) Click "Configure," then choose "Turn off System Protection." Click "OK" and close all the related windows.

    4) Run a FULL, DEEP scan with each product, and it should point to some obvious programs/problems, and should quarantine those. I recommend the following order:

      *) First, update your normal AV software definitions & run a full scan with that product

      a) Run malware bytes, carefully let it clean the malware it finds (like ALL AV/Malware products, sometimes it will say something is malware when it is not - so, just always use caution)

      b) Run ccleaner (let it clean Registry and some other app files - click through the tabs, it will be evident) - NOTE: I think ccleaner clears ALL "Temporary Internet Files / cache" - otherwise, in IE, do "Tools, Internet Options," and click "Delete" and choose at least the first 3 boxes (Preserve Favorites, Temporary Internet files, & Cookies). Should be okay to preserve favorites.

      c) Run Microsoft Security Essentials - let it clean and quarantine things it thinks are bad.

    5) Double-check while in safe mode - look at registry "RUN" keys for both HKLM and HKCU:

    As you probably know, from Windows command shell, type:

    regedit
    The above command will get you into the registry editor.

    Many programs populate the RUN key because, on each system boot, all items in this key are started!

    NOTE: BACKUP THE REGISTRY AND/OR THESE 2 KEYS *BEFORE* YOU CHANGE THEM, JUST IN CASE!

    DO *NOT* DELETE THE "RUN" KEY ITSELF, ONLY THE *VALUES/KEYS* UNDERNEATH IT!

    You can right-click the computer at top of the registry and choose "Export" and give it a file name & location that you will remember - that will backup the entire registry. Below are the two main RUN keys to check:

    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" (best to clean this for each user profile, but especially for the one experiencing the problems)

    "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" (this is for the whole machine)

    Open the above keys and check the things running underneath those keys:

     a) On each of those keys, you can right-click on the RUN key itself and choose "Export" - saving those keys individually, in case you mess up something and don't want to restore the entire registry.

     b) Get rid of any odd values - since you Exported (saved) the keys, you can remove items underneath the keys

         Do NOT remove the RUN key itself; and note that some things may NEED to be there, so be careful.

    NOTE: I think above deleting odd entries under RUN key covers most bases, but also, in Windows, click "Start," "All Programs," "Startup" and see if anything odd is in "Startup;" if so, you can right-click and delete it - this deletes the entry from 'Startup' - does not delete the software itself.

    6) Empty the wastebasket - you would be surprised what hackers can hide in there!

    7) Use this article: cleaning the "Print Spooler" - hackers LOVE to put stuff in the print spooler area. Meanwhile, you can type "services.msc" to go into the Services UI, then find the "Print Spooler" service and make sure it is set to "Disabled" for now, and click "Stop" to stop the service, if it's started. Once cleaned, you can later restart the spooler service and set it back to Automatic.

    8) Check "hosts" file - Click "Start" and then type:

    notepad "c:\windows\system32\drivers\etc\hosts"
    and look for any odd values/redirects in your hosts file. Remove any bad/unknown entries and do File, Save.

    Here is a look at a "normal, unaltered, blank/vanilla" hosts file:

    9) Then, after you do all your cleanup, reboot to NORMAL mode (let the system reboot and don't do the F8 option, and it will reboot normally)

    10) Check if the odd activity is still happening - if so, you can run the previously downloaded "Process Explorer" and sometimes that can show you the hidden processes, sub-processes (entire process tree(s)) and threads, and you can identify them, screen-shot them, make note of them as needed, kill them one at a time, and see if one of those is wreaking havoc.

    NOTE: Process Explorer WILL show you the related processes & sub-processes in the process trees - meaning it can show you what "detailed" program is using SVCHOST.EXE. Often, without this tool, such tasks remain 'hidden.'

    Those, off top of my head, are some of the typical first steps I take - sorry if I missed any.

    Please remember to "Mark as Answer," if I helped you significantly resolve your issue or, at least "Vote," so that it helps the user community identify useful posts. Thanks!

    tnjman

    Tuesday, October 8, 2013 7:13 PM
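The manual checks in steps 5, 8 and 10 of the answer above (back up and inspect the two Run keys, read the hosts file, find out which services each svchost.exe is actually hosting) can be done in one read-only pass from PowerShell. The script below is an added example written for this page, not code from the thread or from any of the tools it names. It assumes Windows PowerShell 5.1 or later in an elevated session run in normal mode (so every process's image path and CPU time can be read), and it writes its .reg backups to a RunKeyBackup folder under the current profile, which is an assumed location. It deletes nothing; the output is meant to tell you which entries to look at before you remove them by hand.

```powershell
# Added example (not from the thread): read-only triage for autoruns, hosts and svchost.
# Assumes an elevated Windows PowerShell 5.1+ session; backup folder below is an assumption.
$BackupDir = Join-Path $env:USERPROFILE 'RunKeyBackup'

# The two Run keys named in the answer: HKCU for this user, HKLM for the whole machine.
$RunKeys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Backup-RunKeys {
    param([string[]]$Keys, [string]$Dir)
    # Export each key to a .reg file first, as the answer insists, so a wrong deletion can be reverted.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($key in $Keys) {
        $file = Join-Path $Dir ('{0}-Run-{1}.reg' -f $key.Split('\')[0], $stamp)
        reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Export of $key failed" }
    }
}

function Get-RunKeyEntries {
    param([string[]]$Keys)
    # One row per autorun value with two cheap sanity signals: does the target file exist, and does
    # it carry a valid Authenticode signature. Neither proves anything alone; an entry pointing at a
    # missing file or an unsigned binary in a temp folder simply deserves a closer look first.
    foreach ($key in $Keys) {
        $psPath = "Registry::$key"
        if (-not (Test-Path -LiteralPath $psPath)) { continue }
        $item = Get-Item -LiteralPath $psPath
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Executable is the quoted first token, or the first whitespace-separated token.
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $signed = $false
            if ($exists) {
                $signed = (Get-AuthenticodeSignature -LiteralPath $exe).Status -eq 'Valid'
            }
            [pscustomobject]@{
                Hive = $key.Split('\')[0]; Name = $name; Command = $cmd
                FileExists = $exists; ValidSignature = $signed
            }
        }
    }
}

function Get-HostsEntries {
    # Non-comment lines of the hosts file; anything beyond loopback mappings needs an explanation.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -LiteralPath $hosts) {
        $text = ($line -split '#')[0].Trim()      # drop trailing comments
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        [pscustomobject]@{
            Address  = $parts[0]
            Names    = ($parts | Select-Object -Skip 1) -join ' '
            Loopback = $parts[0] -in @('127.0.0.1', '::1')
        }
    }
}

function Get-SvchostServiceMap {
    # One row per svchost.exe: CPU seconds, the services it hosts (as tasklist /svc would show),
    # and whether it runs from System32. A genuine svchost.exe hosts at least one service and
    # lives in System32; a look-alike with no services, or another path, is the one to examine.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.Id } | ForEach-Object { $_.Name })
        $cpu = 0.0
        if ($null -ne $p.CPU) { $cpu = [math]::Round($p.CPU, 1) }
        [pscustomobject]@{
            PID        = $p.Id
            CPUSeconds = $cpu
            Path       = $p.Path
            InSystem32 = [bool]($p.Path -and $p.Path.StartsWith($system32, 'OrdinalIgnoreCase'))
            Services   = $hosted -join ', '
        }
    }
}

Backup-RunKeys -Keys $RunKeys -Dir $BackupDir
'== Autorun entries =='
Get-RunKeyEntries -Keys $RunKeys | Format-Table -AutoSize -Wrap
'== hosts entries =='
Get-HostsEntries | Format-Table -AutoSize
'== svchost.exe processes and hosted services (highest CPU first) =='
Get-SvchostServiceMap | Sort-Object CPUSeconds -Descending | Format-Table -AutoSize -Wrap
```

Run it after the reboot in step 9, not in Safe Mode, so that the service manager and WMI are up and the svchost table is complete. The row that matches the symptom is the svchost.exe with the highest CPU seconds; its Services column names the service to investigate, which is the same information the answer says Process Explorer reveals. An svchost row with an empty Services column or a path outside System32 is a process that merely shares the name.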
  • You should run a full virus scan.

    You can also perform a clean boot to troubleshoot a reason for high CPU usage.

    http://support.microsoft.com/kb/929135/en-us

    Tuesday, October 8, 2013 5:30 PM