svchost.exe -k netsvcs is taking 100% CPU

-
I am on a desktop Windows XP - Service Pack3
My computer is using 100% CPU.
I used Process Explorer to find what was using all the CPU.
It was svchost.exe -k netsvcs
I ran virus scans - nothing was found.
I searched for svchost.exe and deleted all those not in the C:\Windows\System32 directory.
It did find a couple files called SMSvchost.exe in a c:\windows\Microsoft.NET\Framework\v3.0 directory
I ran HiJackThis and this is the log
Can anyone please help!
Thank You.
All replies
-
Run the following command:
tasklist /svc /fi "imagename eq svchost.exe"
That will tell you what services are being controlled by the service host. You can force stop the services to free up CPU
Arnav Sharma | Facebook | Twitter Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
-
Then you need to continue with this and stop some services from services.msc.
-
-
Please try opening Task Manager and noting the PID (Process ID) of the offending process (That is using all your cpu)
To be safe please also consider starting a thread here
Download, unzip and open the appropriate (32 or 64 bit) standalone executable CurrPorts (cports.exe). Download link is at the bottom of this page.
http://www.nirsoft.net/utils/cports.html
Look for and report how many entries (if any) have a matching Process ID. Also list (if any) their Remote Address. These address(es) may give some clue as to whether the cause of the problem is benign or malicious.
Am I infected? What do I do?
- Edited by mystifeid Thursday, June 06, 2013 2:06 AM
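The two checks suggested in the replies above (map each svchost.exe PID to its services with tasklist /svc, then list the remote addresses held by the busy PID) can be combined from saved command output. This is an added example, not code from the thread: it reads `netstat -ano` output in place of CurrPorts, and the sample output, the addresses and the review threshold are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of `tasklist /svc /fi "imagename eq svchost.exe"` output.
# Long service lists wrap onto indented continuation lines.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  912 DcomLaunch, TermService
svchost.exe                 1416 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 wuauserv, Schedule
svchost.exe                 1500 Dnscache
"""

# Constructed sample of `netstat -ano` output (documentation-range addresses).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:3905      203.0.113.10:80        ESTABLISHED     1416
  TCP    192.168.1.20:3907      203.0.113.11:80        ESTABLISHED     1416
  TCP    192.168.1.20:3913      198.51.100.7:80        ESTABLISHED     1416
  TCP    192.168.1.20:3915      198.51.100.8:80        ESTABLISHED     1416
  TCP    192.168.1.20:3919      198.51.100.7:80        ESTABLISHED     1416
  TCP    192.168.1.20:2918      192.0.2.44:443         ESTABLISHED     1416
  TCP    192.168.1.20:3050      192.0.2.90:80          TIME_WAIT       0
  UDP    0.0.0.0:123            *:*                                    1416
  UDP    192.168.1.20:1035      *:*                                    1500
"""

Conn = namedtuple("Conn", "proto local remote state pid")


def _names(chunk):
    """Split a comma-separated service list, dropping blanks and N/A."""
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: [service names]}, joining wrapped continuation lines."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", line, re.I)
        if m:
            current = int(m.group(2))
            services[current] = _names(m.group(3))
        elif current is not None and line.startswith(" ") and line.strip():
            services[current].extend(_names(line))
    return services


def parse_netstat(text):
    """Return a list of Conn tuples; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # headers, blank lines, anything unrecognised
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def summarize(services, conns, web_ports=("80", "443")):
    """Per service-host PID: hosted services and established web peers."""
    report = {}
    for pid, names in services.items():
        established = [c for c in conns
                       if c.pid == pid and c.proto == "TCP"
                       and c.state == "ESTABLISHED"]
        web_hosts = set()
        for c in established:
            host, _, port = c.remote.rpartition(":")
            if port in web_ports:
                web_hosts.add(host)
        report[pid] = {"services": names,
                       "established": len(established),
                       "web_hosts": sorted(web_hosts)}
    return report


def pids_to_review(report, max_web_hosts=3):
    """Triage heuristic (assumed threshold): a service host talking to many
    distinct web servers deserves a closer look. It is not a verdict."""
    return [pid for pid, r in sorted(report.items())
            if len(r["web_hosts"]) > max_web_hosts]


if __name__ == "__main__":
    rep = summarize(parse_tasklist_svc(TASKLIST_SVC), parse_netstat(NETSTAT_ANO))
    for pid in pids_to_review(rep):
        print(pid, rep[pid]["services"], rep[pid]["web_hosts"])
```
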
-
There must be dependencies on these, right click on service and click on Dependencies tab. Check and close the services.
-
You shouldn't have to stop Windows' system services to bring down CPU usage. It's either something wrong with the services or some malware infection.
I think it's more likely a malware infection because in your original post you found many svchost.exe files outside of System32.
-
here is the report on the selected PID number
-
Here is the log for the PID error
-
Wow. It may be best, as suggested above, to try a malware removal forum (the "Am I infected" link, but there are many others).
(It is possible that these addresses come from your dns cache but still best to eliminate possibility of malware as cause)
- Edited by mystifeid Friday, June 07, 2013 3:04 AM
- Marked as answer by arnavsharmaMVP, Moderator Sunday, June 09, 2013 6:21 AM
-
You shouldn't have to stop Windows' system services to bring down CPU usage. It's either something wrong with the services or some malware infection.
I think it's more likely a malware infection because in your original post you found many svchost.exe files outside of System32.
Those are the processes and not the actual files. Check, it's been labelled as "Running processes"
And not files present.
-
Yes, there can be a possibility. You can start with MSE http://www.microsoft.com/security/pc-security/mse.aspx
For scanning the system
- Marked as answer by arnavsharmaMVP, Moderator Saturday, June 08, 2013 8:38 AM
-
Those are the processes and not the actual files. Check, it's been labelled as "Running processes"
And not files present.
If you do care to read first, from the original post by KenCrom:
I searched for svchost.exe and deleted all those not in the C:\Windows\System32 directory.
- Marked as answer by arnavsharmaMVP, Moderator Saturday, June 08, 2013 8:38 AM
-
-
-
Unfortunately, you may not be in the clear. Rootkits can hide themselves in multiple devious ways. Do not rely on one tool. This is why I suggested a malware removal forum where you will be assisted one-on-one until all that can be done, has been done. To be safe, my advice would be still to start a thread in one of those forums (such as the one already provided), giving them full details. At least it will be easier now that your pc is useable again.
The alternative is this
http://technet.microsoft.com/en-us/library/cc512587.aspx
- Marked as answer by arnavsharmaMVP, Moderator Sunday, June 09, 2013 6:15 AM
-
-
@mystifeid You deserve your second post being marked as an answer. After all, although I already suspected malware (because the OP wrote about multiple svchost.exe s being found), you deserve a better credit because you confirmed the existence of malware
-
I'm quite happy for the OP to have full credit for solving his own problem. But I think there's still a chance he'll return and say - yeah, there is still something nasty on this pc.
What will he think if he returns tomorrow and sees those replies marked as answer? Already.
What would you think if you were the OP ?
Credit ? You mean points. What a laugh.
Personally, I can't wait until I have more points, because then I'm gonna, then I'm gonna ... oh wait ...
You know, I've spent quite a reasonable part of today writing a script for this chap
http://social.msdn.microsoft.com/Forums/en-US/scripting/thread/616283d9-3f86-41ad-879a-e1f446f40f27
and an improved version 3 will be out soon. It's on an unmoderated forum where 95% of threads are never marked as answer no matter how good the replies. I can guarantee I will come close to falling over if this thread is ever marked with an answer.
When you do get one of these though, and the OP comes back and says "Well, gee thanks, you really helped," (like the one above) - well that really means something. By comparison, when a moderator marks a reply of mine as answer, at best, it leaves an empty feeling, partly from the continuing amazement that they are actually allowed to do this.
But when one of them pats itself on the back for some worthless fumbling, well...
-
Well, I have been on this website for more than a year now, so I know it's not a new thing that answers are marked by moderators and answerers. I personally like this policy of having answerers and moderators being allowed to mark answers. It takes a lot of time and thinking to find a solution to a problem (unless the problem is straightforward). It is very common that the OPs never reply at all, so your hard work at solving the problem doesn't hold any value. I won't mind if they did away with Recognition points and the achievements system - but that's how they select Answerers, Moderators, MCCs and even MVPs. I really feel bad when my real attempt and sometimes real solutions are left without being marked whereas posts such as "We need more details to understand the issue" or "Please post in a more appropriate forum" (when someone posts in wrong forum) are marked as answers. This is because an answerer was wrongly appointed (just like the one who marked answer in this thread) because the Forum Owners looked at the Recognition points and appointed that person, without even taking a look at the quality of posts.
That's why I want credits to be rightly awarded. So that the right person who worked hard moderates the forums and marks answers after reading all the posts thoroughly and then marking an answer, in case the OP never replies, instead of the current behavior -> OP didn't reply, somebody posted and proposed his own post as answer. The moderator (in many cases) marks that self-proposed post as answer, without giving any thorough look at other posts. That's all. I want hard work to be recognized.
-
Fair enough I suppose and very understandable.
There are situations that provoke the same sort of response in me. These include
- someone asking for an entire script but opening the thread as a discussion
- someone who receives a detailed reply, says 'thank-you', then marks the thank-you as answer.
But as someone who uses search a lot, my overriding concern is to see questions connected to viable solutions. How many times have you had to sift through a couple of hundred web pages to find a solution to a problem only to think, why was all that other stuff presented before this - this is obviously the only real solution.
Moderators marking answers is more likely to contribute to this obfuscation (as in this case). Real value is more likely when the asker marks their own question.
Having spent a lot of time on unmoderated forums I have seen that there are many more ways to deter an asker from replying or marking a reply than there are ways of encouraging them. If you care about these things you learn to take a great deal more care with your own replies.
Hard work provides its own rewards. Once spent five weeks full time finding an answer to one question. Wrote and rewrote a couple of thousand lines of script. Generated a Chinese localisation. Read and experimented with many things. Learnt a lot of stuff that, at the time, I thought I didn't want to know. Except for the last hour or two I thought I'd never find an answer but as is so often the case, I found not one but two solutions. I was pretty happy.
How do I compare the value of the experience gained from those five weeks to any recognition points ? There is no comparison. The experience is the reward.
-
And for some reason, I see that I am also now 'credited' but the OP's solution ?...allow me to reiterate - this problem :
svchost.exe -k netsvcs is taking 100% CPU
should have been connected to this reply and no other (after about a month - not 20 hours - of inactivity on the thread)
I think the problem is fixed. I used Malwarebytes Anti Rootkit and it finally found 3 infections. I rebooted and it seems to be running fine now!
-
Moderators marking answers won't lead to obfuscation if moderators would be marking answers after going through the posts thoroughly. Anyways, since these posts are of hardly any value here, it would be much better to start a discussion thread on the TechNet Forum Feedback.
-
-
After a fresh install, installing drivers, service pack 3, antivirus, wireless network adapter and IE 8,
Windows update would not work, and CPU at 100%
Turned off Windows update, CPU dropped down from 100% and followed the instructions on the page http://www.tntnetworx.net/fix-for-windows-xp-sp3-svchost-exe-100-cpu-usage-issue/
Reset the Automatic Updates System – Windows XP SP3
Open a command prompt: Start | Run | cmd /Enter
net stop "Automatic Updates" – ENTER
del /f /s /q %windir%\SoftwareDistribution\*.* – ENTER
net start "Automatic Updates" – ENTER
wuauclt.exe /detectnow – ENTER
Windows update worked, and I installed Microsoft update, it is currently checking for updates.
Hope this helps someone else.
- Proposed as answer by Jon Hartman - techdojo.org Saturday, October 26, 2013 8:29 PM
-
-
I turned Automatic Updates off and it released all the CPU usage svchost.exe was using and the System Idle went back to about 94%. If I turn updates on Svchost.exe again takes all the CPU. I'm just running with Automatic Updates off until I can find a fix. I'll run it manually when I want.
-
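One way to narrow down which netsvcs-hosted service is involved before stopping or replacing anything, as an added example that is not part of any post in this thread. It assumes the stock reg.exe, findstr and tasklist tools (tasklist is not included in XP Home), and the System32 test is only a triage heuristic, not proof that a DLL is clean.

```batch
@echo off
rem Added example (not from the thread): list every service hosted by
rem "svchost.exe -k netsvcs" together with the DLL it loads.
setlocal

rem PID-to-service map; match the PID that Process Explorer shows at 100% CPU.
tasklist /svc /fi "imagename eq svchost.exe"

echo.
echo Services whose ImagePath contains "-k netsvcs":
set "ROOT=HKLM\SYSTEM\CurrentControlSet\Services"
for /f "tokens=*" %%K in ('reg query "%ROOT%" 2^>nul') do call :check "%%K"
endlocal
goto :eof

:check
rem %1 is one line of reg output; lines that are not service keys fail quietly.
reg query "%~1" /v ImagePath 2>nul | findstr /i /c:"-k netsvcs" >nul || goto :eof

rem ServiceDll names the DLL that svchost.exe loads for this service.
set "DLL=(no ServiceDll value)"
for /f "tokens=2,*" %%A in ('reg query "%~1\Parameters" /v ServiceDll 2^>nul ^| findstr /i /c:"ServiceDll"') do set "DLL=%%B"
echo   %~nx1 : %DLL%

rem Heuristic only: stock netsvcs services load their DLL from System32.
echo %DLL% | findstr /i /c:"system32" >nul || echo     [check] ServiceDll missing or not under System32
goto :eof
```

Stopping the listed services one at a time while watching CPU usage shows which one the busy svchost.exe instance is actually running.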
-
While everyone could be right about spyware/malware you need to update to the SP3 fix for the issue first and see if that solves the issue....99.98% of the time this has been the issue after the SP3 update was done...
The fix for the Service Pack 3 issue is KB2870699
http://www.microsoft.com/en-us/download/details.aspx?id=40119. It's to resolve the problem with high CPU.
- Proposed as answer by Direct Computer Builders Thursday, November 21, 2013 12:13 AM
- Edited by Direct Computer Builders Thursday, November 21, 2013 12:23 AM
-
First back up all of your data before proceeding. (Better to be safe than sorry)
This is late but I fixed a machine today after a Rogue infection and turns out it was automatic updates causing the issue. Open up
services.msc
Stop "Automatic Updates" and verify that it is indeed the service causing issues.
If it is causing issues, pop in an XP installation CD and reboot to the Windows CD. (If you don't know how, consult a professional.) Then press R for repair when the CD starts. Type in the administrative password and type:
**ASSUMING D: IS THE CD ROM DRIVE**
del C:\Windows\System32\wuaueng.dll
del C:\Windows\System32\wuaueng1.dll
del C:\Windows\System32\svchost.dll
del C:\Windows\System32\wuauserv.dll
Copy D:\i386\wuaueng.dl_ C:\Windows\System32
Copy D:\i386\wuaueng1.dl_ C:\Windows\System32
Copy D:\i386\svchost.dl_ C:\Windows\System32
Copy D:\i386\wuauserv.dl_ C:\Windows\System32
ren C:\Windows\System32\wuaueng.dl_ wuaueng.dll
ren C:\Windows\System32\wuaueng1.dl_ wuaueng1.dll
ren C:\Windows\System32\svchost.dl_ svchost.dll
ren C:\Windows\System32\wuauserv.dl_ wuauserv.dll
Reboot and everything should be back to normal. Good luck!
- Edited by Morronic Monday, December 02, 2013 6:58 AM Fixed some errors
-
-
This is the best fix, but it needs updated.
Last month in November the issue was fixed by KB2879017
Now in December the issue is fixed by KB2988785
http://technet.microsoft.com/en-us/security/bulletin/ms13-097
Make sure you select the correct combination of OS/Version and IE version!!
Thank you to all who have contributed to finding this solution!
For more info see this article that confirms this works.
http://www.infoworld.com/t/microsoft-windows/windows-xp-update-locks-machines-svchost-redlined-100-fix-it-kb-2879017-230733
-
After a fresh install, installing drivers, service pack 3, antivirus, wireless network adapter and IE 8,
Windows update would not work, and CPU at 100%
Turned off Windows update, CPU dropped down from 100% and followed the instructions on the page http://www.tntnetworx.net/fix-for-windows-xp-sp3-svchost-exe-100-cpu-usage-issue/
Reset the Automatic Updates System – Windows XP SP3
Open a command prompt: Start | Run | cmd /Enter
net stop "Automatic Updates" – ENTER
del /f /s /q %windir%\SoftwareDistribution\*.* – ENTER
net start "Automatic Updates" – ENTER
wuauclt.exe /detectnow – ENTER
Windows update worked, and I installed Microsoft update, it is currently checking for updates.
Hope this helps someone else.
Thank you so very very much!! I have spent 3 days trying to figure out how to fix the issue. I was so determined to find an answer that actually worked, that I read through all of the other replies on this thread as well. This is the ONLY thing that has worked. I'm a mom of 4 boys, I don't have the money to have people look at & fix my comp. It's all on me. This reply just saved me a lot!! Thank you Thank you Thank you!!!!!!
- Edited by Tracie Lynn Friday, December 20, 2013 7:42 AM Forgot to include the post I found helpful
-
-