SVCHOST.EXE hogging all my CPU usage

Solved
Thread Status:
Not open for further replies.
  1. Alyem

    Alyem New Member Bronze Member

    Joined:
    Dec 21, 2009
    Posts:
    25
    Likes Received:
    0
    Local time:
    16:17

    My computer is running CPU usage at 100% because of a SVCHOST.EXE file, which seems to be for the most part running at 80% up to 94% all of the time. I used Process Explorer to find out what is running under that and found 2 programs, Terminal Service (termsrv.dll) and DCOM Server Process Launcher (rpcss.dll). This is wreaking havoc with my computer as it's running extremely slow and I'm unable to work, which I do from home on my computer, because it's locking up on me. Any ideas on how to tone these programs down?
  2. Alyem

    Nobody? :(
  3. DCiAdmin

    DCiAdmin Well-Known Member

    Joined:
    Sep 30, 2008
    Posts:
    1,907
    Likes Received:
    274
    Local time:
    18:17

    Hello Alyem! Welcome to PCHF :)

    PCHF is a volunteer site manned by experienced volunteer techs that provide support as real life and time permits. Your delay is likely a direct result of life interrupting :)

    Please download SysInternal's ProcessExplorer to examine what processes are making the SVCHOST.exe that is consuming so many resources. They are seldom anything that can be stopped as the SVCHOST is a Microsoft method of compiling many small processes together to run as a Server.
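
The grouping described in the post above can also be listed from the command line. This is an added example, not part of the original thread: it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and an elevated session, and it pairs each svchost.exe instance with its `-k` group, the services it hosts, and its current CPU share.

```powershell
# Added example (not from the thread): show which services live inside each
# svchost.exe instance and how much CPU that instance is using right now.
# Assumes PowerShell 3.0+ and an elevated prompt, so that the command lines of
# system processes are readable.

# Running services, grouped by the PID of the process that hosts them.
# -AsString gives string keys, which avoids Int32/UInt32 key mismatches.
$servicesByPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString

# Current CPU share per svchost instance. Perf counter instances are named
# svchost, svchost#1, ...; IDProcess carries the real PID. The value is summed
# over all cores, so it can exceed 100 on multi-core machines.
$cpuByPid = @{}
Get-CimInstance Win32_PerfFormattedData_PerfProc_Process -Filter "Name LIKE 'svchost%'" |
    ForEach-Object { $cpuByPid["$($_.IDProcess)"] = $_.PercentProcessorTime }

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $key = "$($_.ProcessId)"

    # The service group is the argument after -k, e.g. "svchost -k DcomLaunch".
    $group = if ($_.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(unknown)' }

    $hosted = if ($servicesByPid.ContainsKey($key)) {
        $servicesByPid[$key].Name -join ', '
    } else {
        ''
    }

    [pscustomobject]@{
        ProcessId  = $_.ProcessId
        Group      = $group
        CpuPercent = $cpuByPid[$key]
        Services   = $hosted
    }
} | Sort-Object CpuPercent -Descending | Format-Table -AutoSize -Wrap
```

On systems without PowerShell, `tasklist /svc /fi "imagename eq svchost.exe"` prints the PID-to-service mapping, without the CPU figures.
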
  4. Alyem

    I did that with the results I gave in my first post. This just seems so weird because it was running fine until yesterday, so I don't know why this sudden change.
  5. DCiAdmin

    I am so sorry! I started at your 2nd post and missed the 1st :( My bad!

    Let's get you run through the PCHF PreWork doc to see if there is malware causing the issue. Please follow the steps as outlined and post all requested logs back into this thread. I'll then get the thread relocated for the PCHF Security team to review.

    Thanks!
  6. Alyem

    Okay, here is the DDS and let me know if I'm doing this right.


    DDS (Ver_09-12-01.01) - FAT32x86
    Run by Windows User at 15:59:17.77 on Tue 12/22/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.293 [GMT -8:00]
    AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Windows User\Local Settings\Temporary Internet Files\Content.IE5\E62UK3KM\dds[1].scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    ============== Pseudo HJT Report ===============
    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Page =
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*Yahoo!
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [SystemTray] SysTray.Exe
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    StartupFolder: c:\documents and settings\windows user\start menu\programs\startup\siszyd32.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: probitymt.com\fn
    DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
    DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38206.812037037
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl
    ============= SERVICES / DRIVERS ===============
    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-6-18 226832]
    R3 crtaud;Conexant Riptide WDM Audio Driver;c:\windows\system32\drivers\crtaud.sys [2005-4-12 42112]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
    R3 rpfun;Conexant Riptide Dummy Driver;c:\windows\system32\drivers\rpfun.sys [2005-4-12 3840]
    R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;c:\windows\system32\drivers\rthwcls.sys [2005-4-12 30720]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-4-19 176896]
    =============== Created Last 30 ================

    ==================== Find3M ====================
    2009-12-22 23:35:32 1744 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-22 18:24:10 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-12-22 18:24:10 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-12-22 18:24:10 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-12-22 18:24:10 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-12-20 04:45:52 2180 ----a-w- c:\windows\system32\d3d8caps.dat
    2009-12-14 23:25:04 4 ----a-w- c:\docume~1\window~1\applic~1\EXText Diagnostic Upload Queue.dat
    2006-02-09 00:47:14 774144 ----a-w- c:\program files\RngInterstitial.dll
    2000-06-16 20:26:22 271 --sh--w- c:\program files\desktop.ini
    2000-06-16 20:26:22 23357 ---h--w- c:\program files\folder.htt
    2008-09-07 04:26:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat
    ============= FINISH: 16:19:34.06 ===============

  7. Alyem

    Here are the results from the security check

    Results of screen317's Security Check version 0.99.1
    Windows XP Service Pack 3
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Kaspersky Anti-Virus 2009
    Kaspersky Anti-Virus 2009
    Antivirus up to date!
    ``````````````````````````````
    Anti-malware/Other Utilities Check:

    Windows Defender
    BMA_Ghosts and Phantoms Screen Saver
    CCleaner
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player 10
    Adobe Reader 9.2
    ``````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    ``````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)
    `````````End of Log```````````
  8. Alyem

    Is that all you need?
  9. DCiAdmin

    So far :) Let me get this relocated to the Security area of the forum for you.

    Thanks!
  10. Alyem

    Thank you
  11. Alyem

    Ack! I signed on this morning to check if there was an answer yet and something called "Security Tool" popped up saying I had malicious programs that needed to be cleaned. Is this part of the programs I had to run yesterday for the above information or a virus?
  12. Alyem

    I just now got the blue screen of death. Help!
  13. DCiAdmin

    Security tool is unrelated to our PreWork tools. You might need to complete your tasks with PCHF Security logged in through Safe Mode with Networking. F8 immediately upon reboot until either you receive a beep or the menu to select StartUp mode. The menu will follow the beep :)
  14. Alyem

    In safe mode now and waiting for further instructions. Thanks
  15. Pancake

    Pancake Well-Known Member

    Joined:
    Jun 1, 2006
    Posts:
    3,921
    Likes Received:
    5
    Location:
    Victoria, Australia
    Local time:
    09:17

    Hi. Welcome to the forum

    Run both these programs.

    Please download Malwarebytes' Anti-Malware from one of these places:
    |MG| Malwarebytes Anti-Malware 1.42 Download
    http://www.besttechie.net/tools/mbam-setup.exe


    Double Click mbam-setup.exe to install the application.
    If it will not run make a copy of the MBAM.exe and rename MBAM.exe to xxx.exe and run that. Keep the genuine MBAM.exe as we may need to run that later as is.
    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.

    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy&Paste the entire report in your next reply.
    PLEASE NOTE:
    If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

    Once that Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.

    =====================================


    You will need to download ComboFix.exe. Download Combofix from this link only.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe


    * IMPORTANT !!! * IMPORTANT !!! Place Combofix on your Desktop


    Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. More help on your specific AV here: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Double click on KittyFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    Click on Yes to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the ComboFix.txt in your reply.

    Caution.....
    Never use this program to remove files. Only use it with help from an experienced security adviser. Wrongful use can damage your computer.