Windows Legacy OS forum

General discussion

The Sequel..CPU @ 100% because of svchost.exc SYSTEM

by unomix / August 14, 2006 10:53 AM PDT

I thought the problem was gone but alas it was not and I do have description of the print out of the svshost task situation:

svchost.exe 796 DcomLaunch, TermService

svchost.exe 840 RpcSs

svchost.exe 920 AudioSrv, Browser, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibilty, helpsvc, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, Themes, TrkWrks, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC

svshost.exe 1020 LmHosts, RemoteRegistry, SSDPSSRV, WebClient

Does any of this mean anything to anyone?

Discussion is locked
You are posting a reply to: The Sequel..CPU @ 100% because of svchost.exc SYSTEM
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: The Sequel..CPU @ 100% because of svchost.exc SYSTEM
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Why run terminal services? Why keep Gator?
by R. Proffitt Forum moderator / August 14, 2006 11:05 AM PDT
Collapse -
I don't even know what they are or how to get rid of them
by unomix / August 14, 2006 1:05 PM PDT

The only problem with the items I marked down was the report did not even appear till after the processor unlocked for a few minuets so I am not certain if all the correct processes are listed.
If there are listings such as the ones you mentioned, how do I disable and get rid of them? I looked at the site via your link and I am not sure if I understand what to do from here unless I buy their WinTasks 5 pro program .
Should I run the scan the site suggests?
I am all ears for suggestions, thanks.

Collapse -
No need to purchase anything...
by John.Wilkinson / August 14, 2006 1:17 PM PDT

In short, you've been infected by adware/spyware, at the very least by a malware package from a company by the name Gator. At this point your first step is to run the scans, including your antivirus and antispyware. Some suggestions, all of which are free, include AVG antivirus, Avast antivirus, Ewido anti-malware, Spybot S&D, AdAware, and Windows Defender. You can find all of those easily by using Google or the search engine of your choice. Run them and remove what they find, starting with Ewido.

Now, unless you're using Terminal Services for some reason you can disable it by going Start->Run, typing in msconfig, and unchecking Terminal Services under the Services tab. Depending on your setup there are other services you can safely (and even advisably) disable, but we can go into that if you wish after we clear up the malware problem.

John

Collapse -
Spybot and Adaware were clear
by unomix / August 14, 2006 1:53 PM PDT

I do not know how this computer got infected in 36 hours but I will do as you suggest and report back as to my progress.
Avg and Kaspersky scans were all clear as well and the Gain infection should not be able to report back with Zonealarm running but I will check into everything I can. Thanks for your help and I will be back

Collapse -
My mistake...
by John.Wilkinson / August 15, 2006 5:49 AM PDT

When I saw dmserver I thought of the process dmserver.exe, which is adware/spyware. That is actually a reference to dmserver.dll, which is the Logical Disk Manager service, a part of Windows and completely normal. I apologize for the confusion.

This may not help, but when it happens open Task Manager and sort the processes by name, then write down which svchost.exe is the offender (the number in order listed) and the amount memory it is using.

Aside from that, you are running the Wireless Zero service and have networking software installed. Try disconnecting from the wireless network and then disabling that service as well as Windows Time (Start->Run->MSConfig). One of those may prove to be the culprit.

John

Collapse -
The results of my followup are
by unomix / August 14, 2006 3:51 PM PDT

Did a Bit defender free scan and it found no problems and the Ewido scan only found 8 med risk cookies in total.
Did another AdAware, Spybot and a Kapersky free scan and all came up as OK.
I checked in the msconfig/services and there is no service listed that says terminal . There are several services listed which will take a while to write out for your inspection so perhaps an email would be better for this.
I am not sure what is going on but the problems the "Tasklist /SVC" command brought up don't seem to be here.
I noticed that Firefox was also taking a lot of CPU use as well and stopped using it in favour of Internet Explorer and so far the percentage is quite a bit less. The svchost.exe problem has disappeared for now but will likely re-appear when I reboot which I will do right after I send this note.

Collapse -
Gator, terminal services are stopped now?
by R. Proffitt Forum moderator / August 14, 2006 3:52 PM PDT

I'd take the pre-emptive strike at these since they are known issues and entry points for malware.

Bob

Collapse -
Where do I go to find out if these things are still going
by unomix / August 14, 2006 4:00 PM PDT

Can you steer me in the direction of finding out more of these known issues and how to dispense with them?

Collapse -
In the Sevices control panel.
by R. Proffitt Forum moderator / August 14, 2006 4:04 PM PDT
Collapse -
Terminal services is now listed where I could not find
by unomix / August 14, 2006 4:11 PM PDT

it before. If I take the check mark out of the box beside it do I reboot to make the terminal services from running?

Collapse -
I stop it, then I set it to disabled.
by R. Proffitt Forum moderator / August 14, 2006 4:23 PM PDT

On google.com you could type XP SERVICES and see if a tutorial is out there.

I'll check in tomorrow or in about 1/2 a day.

Bob

Collapse -
services
by unomix / August 14, 2006 9:56 PM PDT

*start/run/msconfig/services tab* gives you a different screen than *start/run/services.msc* and the confusion I was having about turning off or even seeing all the services and in particular the *terminal* service. I was using the first one which is quite small and it does not seem to include all services and seems to change and does not give you the options of auto/manual/disable and only has boxes with or without check-marks in them to the left of each service. Now that I have gone to XP services on google as suggested I have learned of the second method and it explains my confusion at least to myself.
I now have terminal services set to disable.

Collapse -
Terminal Services are now stopped
by unomix / August 14, 2006 4:22 PM PDT

I rebooted after removing the check mark from terminal services
I am trying to understand the "Hijack This" info you linked me to and will try it as soon as soon as I can.
I am going to go for now though being as it is 2:20 am here and I do need some rest so I can think.
Thanks for all the help everyone
I will be back.

Collapse -
re ..Hijack This
by unomix / August 14, 2006 10:37 PM PDT

I followed the instructions regarding setting up and running *Hijack This* ran my scan went to and got registered at Castlecorps and am now lost as I have no idea where to go on their site to post my scan. I find the site very confusing and finally gave up.
My Hijack scan actually looks pretty plain and nothing jumps out at me as being a threat but I have no experience in this department so who knows.
How does one post your scan once registered at castlecorps, is there an obvious way that escaped me?
Update with this 100% cpu lockup/svchost problem seems to have gone away again at least for now.
For some reason not using Firefox has freed-up cpu resources quite a lot as well, any idea why. Internet Explorer appears to use less cpu and ram to operate than firefox and I wonder is this unusual?

Collapse -
Guidelines here...
by MarkFlax Forum moderator / August 14, 2006 10:50 PM PDT
In reply to: re ..Hijack This
http://www.castlecops.com/t102301-Hijackthis_Guidelines_Read_Before_Posting.html

But I agree it is confusing. The instructions and guides are in the section under the heading, ''Hijackthis Guidelines - Read Before Posting''.

It starts, ''If you are coming to this forum to post your HJT log, please note that we now have a Malware Removal and Prevention...........''.

If you then decide to post your HJT log, you will need to return to the main HJT Forum listing here;
http://www.castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
and click the ''New Posting'' button.

I hope this helps and good luck.

Mark
Collapse -
stuck in Hijacks site (Castlecorps)
by unomix / August 15, 2006 4:04 AM PDT
In reply to: Guidelines here...

I have been bouncing around in that web site for 30 min plus twice now and can not find a New Posting button. I end up with about 5 or more similar windows open and seem to get in a big loop trying to find and read these non existent instructions
I did see a repeated reference about completing a MRP first and I can't find what that is either.
I get so frustrated I have to quit. I will see if I can find another site to post to with my report.

Collapse -
It's the "NewTopic" button...
by John.Wilkinson / August 15, 2006 4:45 AM PDT

Under the title of the forum but above the beginning of the list of threads/discussions you'll find a "NewTopic" button. Alternatively, click here to log in and create a new thread.

You can also send the log to me if you wish...click here and then click the "E-mail this User" button. Just copy and paste the text of the log...hopefully it won't exceed the 6,000 character limit set on PMs.

John

Collapse -
thanks John...I did see the new topic button
by unomix / August 15, 2006 5:13 AM PDT

But I thought it was for discussion of matters related to problems found.
I took advantage of your offer and sent the HIJACK THIS log to your email address and as you can tell is not very large.
I provided my email address for your convenience but posting back here would be good as well, which ever you prefer.
Thanks for the assist.

Collapse -
It looks fine to me...
by John.Wilkinson / August 15, 2006 5:32 AM PDT

You can still post to CastleCops if you like but I don't see anything sticking out in the log file. Since the scans and HJT were clean a malware infection is unlikely.

John

Collapse -
Timidly I state '' problem seems to have disappeared ''
by unomix / August 15, 2006 7:46 AM PDT
In reply to: It looks fine to me...

With all of the scans, the disabling of the terminal services and many reboots the problem appears to have disappeared again.
This Gain malware that showed up is now gone as far as I can tell, so while touching wood I am saying that maybe the computer is now hopefully repaired.
I think that while the multiple scans did not show a problem they may have found and disposed of it with out notification. (Is this a possibility Robert?)
So thanks to Robert, John and Mark for all of your help and with any luck no one will ever hear from me again.
I will test this unit a little longer before returning it to my friend and with some very strong suggestions and advice to be followed if she ever wants me to ever look at it again. I have decided I will not assist someone who is bound to expose themselves to infection. I am getting mean as this is a lot of work which started as a small favour.
Just venting!
Thanks again

Collapse -
Just back and caught up on the saga.
by R. Proffitt Forum moderator / August 15, 2006 8:12 AM PDT

I know what you mean. "I have this small problem with my PC" often burns up 1/2 a day.

Bob

Collapse -
(NT) (NT) Glad you got it sorted m8
by MarkFlax Forum moderator / August 15, 2006 7:34 PM PDT
Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?