1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Svhost.exe using 100% Processor on XP Professional

Discussion in 'Windows XP' started by Bob, Jul 14, 2010.

  1. Bob

    Bob Flightless Bird

    I have one desktop that is running XP Professional SP3 on a server 2003
    Domain, all security patches are up to date, all systems run Symentec
    Endpoint Protection 11.0.5.

    This one system starting using 100% processor for svhost.exe when the system
    boots up a few days ago, we go to task manager see the svhost.exe that is
    using all of the processor, end that task, and the user is back in business.

    I saw some information on the net that is may be a virus --- I boot the
    machine up in safe mode, with system restore off, ran a full scan and no
    threats, also ran a full scan while not in safe mode and still all clear.
    There are a lot of ideas on the net as to how to fix this ---- just wondering
    if anyone ran into this problem and if successfully resolved. Any assistance
    would be appreciated.

    Thanks,
    Bob
     
  2. Unknown

    Unknown Flightless Bird

    Google for Svhost. Also try the system with Symantec disabled.
    "Bob" <Bob@discussions.microsoft.com> wrote in message
    news:95A5D342-1128-4532-B412-E4B5ADF3DE8F@microsoft.com...
    >
    > I have one desktop that is running XP Professional SP3 on a server 2003
    > Domain, all security patches are up to date, all systems run Symentec
    > Endpoint Protection 11.0.5.
    >
    > This one system starting using 100% processor for svhost.exe when the
    > system
    > boots up a few days ago, we go to task manager see the svhost.exe that is
    > using all of the processor, end that task, and the user is back in
    > business.
    >
    > I saw some information on the net that is may be a virus --- I boot the
    > machine up in safe mode, with system restore off, ran a full scan and no
    > threats, also ran a full scan while not in safe mode and still all clear.
    > There are a lot of ideas on the net as to how to fix this ---- just
    > wondering
    > if anyone ran into this problem and if successfully resolved. Any
    > assistance
    > would be appreciated.
    >
    > Thanks,
    > Bob
    >
     
  3. Jose

    Jose Flightless Bird

    On Jul 14, 4:38 pm, Bob <B...@discussions.microsoft.com> wrote:
    > I have one desktop that is running XP Professional SP3 on a server 2003
    > Domain, all security patches are up to date, all systems run Symentec
    > Endpoint Protection 11.0.5.
    >
    > This one system starting using 100% processor for svhost.exe when the system
    > boots up a few days ago, we go to task manager see the svhost.exe that is
    > using all of the processor, end that task, and the user is back in business.
    >
    > I saw some information on the net that is may be a virus --- I boot the
    > machine up in safe mode, with system restore off, ran a full scan and no
    > threats, also ran a full scan while not in safe mode and still all clear.
    > There are a lot of ideas on the net as to how to fix this ---- just wondering
    > if anyone ran into this problem and if successfully resolved. Any assistance
    > would be appreciated.
    >
    > Thanks,
    > Bob


    Did any of those ideas have a happy ending?

    You should normally see several svchost,exe in Task Manager (if that
    is where you are looking). If you are curious why that is, read this
    article:

    http://www.bleepingcomputer.com/tutorials/tutorial129.html

    Malicious software will sometimes hide underneath or hijack a
    legitimate XP svchost.exe process. Sometimes malicious software will
    run using a Process Image Name that looks like a legitimate process in
    order to fool you. If you really see svhost.exe, that sounds
    suspicious.

    I would not put all your malicious software detection eggs in the
    Symantec basket.

    Perform some scans for malicious software, then fix any remaining
    issues:

    Download, install, update and do a full scan with these free malware
    detection programs:

    Malwarebytes (MBAM): http://malwarebytes.org/
    SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

    They can be uninstalled later if desired.

    If you have the same problem, we can then figure it out and fix it
    (not try things).
     
  4. Al

    Al Flightless Bird

    Bob - svchost functions as a "host container" for threads being executed -
    several will be "running". Usually malware will have names similar to
    system files. Is the title you posted "svhost" correct? If so it is
    likely malware. or did you intend to mean "svchost"?

    There are several utilities - "process monitor" in particular - at
    Sysinternals site that will permit pinpointing the problem.
     
  5. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Nevertheless, there is a very good chance that you are seeing the effects of
    a hijackware infection!

    NB: If you had no anti-virus application installed or the subscription had
    expired *when the machine first got infected* and/or your subscription has
    since expired and/or the machine's not been kept fully-patched at Windows
    Update, don't waste your time with any of the below: Format & reinstall
    Windows. A Repair Install will NOT help!

    Microsoft PCSafety provides home users (only) with no-charge support in
    dealing with malware infections such as viruses, spyware (including unwanted
    software), and adware.
    https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

    Also available via the Consumer Security Support home page:
    https://consumersecuritysupport.microsoft.com/

    Otherwise...

    1. See if you can download/run the MSRT manually:
    http://www.microsoft.com/security/malwareremove/default.mspx

    NB: Run the FULL scan, not the QUICK scan! You may need to download the
    MSRT on a non-infected machine, then transfer MRT.EXE to the infected
    machine and rename it to SCAN.EXE before running it.

    2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
    in Safe Mode with Networking, if need be:
    http://onecare.live.com/site/en-us/center/howsafe.htm

    2b. Vista or Win7=> Run this scan instead:
    http://onecare.live.com/site/en-us/center/whatsnew.htm

    3. Now post the requested logs in an appropriate forum for assistance by an
    expert in such matters. DO NOT SKIP THIS STEP!!

    I can recommend the expert assistance offered in these forums:
    http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
    http://www.spywarewarrior.com/viewforum.php?f=5,
    http://www.dslreports.com/forum/cleanup,
    http://www.bluetack.co.uk/forums/index.php, and
    http://aumha.net/viewforum.php?f=30

    If these procedures look too complex - and there is no shame in admitting
    this isn't your cup of tea - take the machine to a local, reputable and
    independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

    Bob wrote:
    > I have one desktop that is running XP Professional SP3 on a server 2003
    > Domain, all security patches are up to date, all systems run Symentec
    > Endpoint Protection 11.0.5.
    >
    > This one system starting using 100% processor for svhost.exe when the
    > system
    > boots up a few days ago, we go to task manager see the svhost.exe that is
    > using all of the processor, end that task, and the user is back in
    > business.
    >
    > I saw some information on the net that is may be a virus --- I boot the
    > machine up in safe mode, with system restore off, ran a full scan and no
    > threats, also ran a full scan while not in safe mode and still all clear.
    > There are a lot of ideas on the net as to how to fix this ---- just
    > wondering if anyone ran into this problem and if successfully resolved.
    > Any
    > assistance would be appreciated.
    >
    > Thanks,
    > Bob
     
  6. Bob

    Bob Flightless Bird

    "PA Bear [MS MVP]" wrote:

    > Nevertheless, there is a very good chance that you are seeing the effects of
    > a hijackware infection!
    >
    > NB: If you had no anti-virus application installed or the subscription had
    > expired *when the machine first got infected* and/or your subscription has
    > since expired and/or the machine's not been kept fully-patched at Windows
    > Update, don't waste your time with any of the below: Format & reinstall
    > Windows. A Repair Install will NOT help!
    >
    > Microsoft PCSafety provides home users (only) with no-charge support in
    > dealing with malware infections such as viruses, spyware (including unwanted
    > software), and adware.
    > https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1
    >
    > Also available via the Consumer Security Support home page:
    > https://consumersecuritysupport.microsoft.com/
    >
    > Otherwise...
    >
    > 1. See if you can download/run the MSRT manually:
    > http://www.microsoft.com/security/malwareremove/default.mspx
    >
    > NB: Run the FULL scan, not the QUICK scan! You may need to download the
    > MSRT on a non-infected machine, then transfer MRT.EXE to the infected
    > machine and rename it to SCAN.EXE before running it.
    >
    > 2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
    > in Safe Mode with Networking, if need be:
    > http://onecare.live.com/site/en-us/center/howsafe.htm
    >
    > 2b. Vista or Win7=> Run this scan instead:
    > http://onecare.live.com/site/en-us/center/whatsnew.htm
    >
    > 3. Now post the requested logs in an appropriate forum for assistance by an
    > expert in such matters. DO NOT SKIP THIS STEP!!
    >
    > I can recommend the expert assistance offered in these forums:
    > http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
    > http://www.spywarewarrior.com/viewforum.php?f=5,
    > http://www.dslreports.com/forum/cleanup,
    > http://www.bluetack.co.uk/forums/index.php, and
    > http://aumha.net/viewforum.php?f=30
    >
    > If these procedures look too complex - and there is no shame in admitting
    > this isn't your cup of tea - take the machine to a local, reputable and
    > independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
    >
    > Bob wrote:
    > > I have one desktop that is running XP Professional SP3 on a server 2003
    > > Domain, all security patches are up to date, all systems run Symentec
    > > Endpoint Protection 11.0.5.
    > >
    > > This one system starting using 100% processor for svhost.exe when the
    > > system
    > > boots up a few days ago, we go to task manager see the svhost.exe that is
    > > using all of the processor, end that task, and the user is back in
    > > business.
    > >
    > > I saw some information on the net that is may be a virus --- I boot the
    > > machine up in safe mode, with system restore off, ran a full scan and no
    > > threats, also ran a full scan while not in safe mode and still all clear.
    > > There are a lot of ideas on the net as to how to fix this ---- just
    > > wondering if anyone ran into this problem and if successfully resolved.
    > > Any
    > > assistance would be appreciated.
    > >
    > > Thanks,
    > > Bob

    >
    > .
    >

    Thank you for the replies all ----

    I did spell the name wrong, the Process that we end in Task manager is
    spelled ------ svchost.exe

    Concerning the Symantec software --- it does have Antivus and Antispyware
    protection, the corporate subscription is up to date, the definitions are up
    to date daily, and I apply all MS patches via WSUS.

    Now this morning --- the user did not have any problems with it robbing
    their processor. I will download/run the mentioned scans to see if anything
    found on the system.

    Bob
     
  7. Jose

    Jose Flightless Bird

    On Jul 15, 1:38 pm, Bob <B...@discussions.microsoft.com> wrote:
    > "PA Bear [MS MVP]" wrote:
    >
    >
    >
    > > Nevertheless, there is a very good chance that you are seeing the effects of
    > > a hijackware infection!

    >
    > > NB: If you had no anti-virus application installed or the subscription had
    > > expired *when the machine first got infected* and/or your subscription has
    > > since expired and/or the machine's not been kept fully-patched at Windows
    > > Update, don't waste your time with any of the below: Format & reinstall
    > > Windows.  A Repair Install will NOT help!

    >
    > > Microsoft PCSafety provides home users (only) with no-charge support in
    > > dealing with malware infections such as viruses, spyware (including unwanted
    > > software), and adware.
    > >https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

    >
    > > Also available via the Consumer Security Support home page:
    > >https://consumersecuritysupport.microsoft.com/

    >
    > > Otherwise...

    >
    > > 1. See if you can download/run the MSRT manually:
    > >http://www.microsoft.com/security/malwareremove/default.mspx

    >
    > > NB: Run the FULL scan, not the QUICK scan!  You may need to download the
    > > MSRT on a non-infected machine, then transfer MRT.EXE to the infected
    > > machine and rename it to SCAN.EXE before running it.

    >
    > > 2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
    > > in Safe Mode with Networking, if need be:
    > >http://onecare.live.com/site/en-us/center/howsafe.htm

    >
    > > 2b. Vista or Win7=> Run this scan instead:
    > >http://onecare.live.com/site/en-us/center/whatsnew.htm

    >
    > > 3. Now post the requested logs in an appropriate forum for assistance by an
    > > expert in such matters. DO NOT SKIP THIS STEP!!

    >
    > > I can recommend the expert assistance offered in these forums:
    > >http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
    > >http://www.spywarewarrior.com/viewforum.php?f=5,
    > >http://www.dslreports.com/forum/cleanup,
    > >http://www.bluetack.co.uk/forums/index.php, and
    > >http://aumha.net/viewforum.php?f=30

    >
    > > If these procedures look too complex - and there is no shame in admitting
    > > this isn't your cup of tea - take the machine to a local, reputable and
    > > independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

    >
    > > Bob wrote:
    > > > I have one desktop that is running XP Professional SP3 on a server 2003
    > > > Domain, all security patches are up to date, all systems run Symentec
    > > > Endpoint Protection 11.0.5.

    >
    > > > This one system starting using 100% processor for svhost.exe when the
    > > > system
    > > > boots up a few days ago, we go to task manager see the svhost.exe that is
    > > > using all of the processor, end that task, and the user is back in
    > > > business.

    >
    > > > I saw some information on the net that is may be a virus --- I boot the
    > > > machine up in safe mode, with system restore off, ran a full scan andno
    > > > threats, also ran a full scan while not in safe mode and still all clear.
    > > > There are a lot of ideas on the net as to how to fix this ---- just
    > > > wondering if anyone ran into this problem and if successfully resolved.
    > > > Any
    > > > assistance would be appreciated.

    >
    > > > Thanks,
    > > > Bob

    >
    > > .

    >
    > Thank you for the replies all ----
    >
    > I did spell the name wrong, the Process that we end in Task manager is
    > spelled ------  svchost.exe
    >
    > Concerning the Symantec software ---  it does have Antivus and Antispyware
    > protection, the corporate subscription is up to date, the definitions areup
    > to date daily, and I apply all MS patches via WSUS.
    >
    > Now this morning --- the user did not have any problems with it robbing
    > their processor. I will download/run the mentioned scans to see if anything
    > found on the system.
    >
    > Bob


    See all the rookus caused by your typo?!

    Just kidding... we have almost all seen (and fixed) a system that has
    a runaway svchost.exe. It is always explainable.

    After scanning with MBAM and SAS, if you still have the issues:

    ....you should get Process Explorer so you can see what is "really"
    running, especially behind those multiple svchosts you see running in
    Task Manager. You'll like PE when you get the hang of it. PE is the
    Windows Task manager on steroids. PE installs nothing, and only runs
    on demand. It looks a little intimidating, but you will start to like
    the way it works.

    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    Using PE and the info from the other link I sent will help you see
    what is going on and then you can fix it instead of trying things.
     
  8. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Bob wrote:
    >> Nevertheless, there is a very good chance that you are seeing the effects
    >> of a hijackware infection!

    <snip>
    > I did spell the name wrong, the Process that we end in Task manager is
    > spelled ------ svchost.exe


    I assumed such was the case.
     
  9. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Jose wrote:
    <SNIP>
    > See all the rookus caused by your typo?!


    Ur spiel chukkers broke.
     
  10. Jose

    Jose Flightless Bird

    On Jul 15, 3:08 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > Jose wrote:
    >
    > <SNIP>
    >
    > > See all the rookus caused by your typo?!

    >
    > Ur spiel chukkers broke.


    That is Festus Haggen speak. S'way we tawk out cheer in Dodge.
     
  11. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Jose wrote:
    > On Jul 15, 3:08 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    >> Jose wrote:
    >>
    >> <SNIP>
    >>
    >>> See all the rookus caused by your typo?!

    >>
    >> Ur spiel chukkers broke.

    >
    > That is Festus Haggen speak. S'way we tawk out cheer in Dodge.


    Did Matt ever find Miss Kitty's lost pussy?
     
  12. Jose

    Jose Flightless Bird

    On Jul 15, 6:02 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > Jose wrote:
    > > On Jul 15, 3:08 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > >> Jose wrote:

    >
    > >> <SNIP>

    >
    > >>> See all the rookus caused by your typo?!

    >
    > >> Ur spiel chukkers broke.

    >
    > > That is Festus Haggen speak.  S'way we tawk out cheer in Dodge.

    >
    > Did Matt ever find Miss Kitty's lost pussy?


    Look, Bear... It's almost 6:30. By midnight, I want you to ride
    down that street and out of town. And if you come back, you're going
    to jail.
     
  13. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Jose wrote:
    >>>>> See all the rookus caused by your typo?!

    >>
    >>>> Ur spiel chukkers broke.

    >>
    >>> That is Festus Haggen speak. S'way we tawk out cheer in Dodge.

    >>
    >> Did Matt ever find Miss Kitty's lost pussy?

    >
    > Look, Bear... It's almost 6:30. By midnight, I want you to ride
    > down that street and out of town. And if you come back, you're going
    > to jail.


    Buy me a <hic> drink and a bar girl then we'll talk...
     
  14. Robert Macy

    Robert Macy Flightless Bird

    On Jul 14, 1:38 pm, Bob <B...@discussions.microsoft.com> wrote:
    > I have one desktop that is running XP Professional SP3 on a server 2003
    > Domain, all security patches are up to date, all systems run Symentec
    > Endpoint Protection 11.0.5.
    >
    > This one system starting using 100% processor for svhost.exe when the system
    > boots up a few days ago, we go to task manager see the svhost.exe that is
    > using all of the processor, end that task, and the user is back in business.
    >
    > I saw some information on the net that is may be a virus --- I boot the
    > machine up in safe mode, with system restore off, ran a full scan and no
    > threats, also ran a full scan while not in safe mode and still all clear.
    > There are a lot of ideas on the net as to how to fix this ---- just wondering
    > if anyone ran into this problem and if successfully resolved. Any assistance
    > would be appreciated.
    >
    > Thanks,
    > Bob


    I had the EXACT same problem with my WinXP system, got no help here -
    only told it was likely a malware, or such, infection, jumped through
    many,many hoops looking and searching for an infection, and found
    none, but problem continued.

    The Windows98 group helped me by telling me it had something to do
    with the system legitmately looking everywhere for a driver, or
    something. After I disabled the software that asked for that search,
    all the svchost.exe CPU hogging problems magically went away!
     
  15. Jose

    Jose Flightless Bird

    On Jul 15, 8:37 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > Jose wrote:
    > >>>>> See all the rookus caused by your typo?!

    >
    > >>>> Ur spiel chukkers broke.

    >
    > >>> That is Festus Haggen speak. S'way we tawk out cheer in Dodge.

    >
    > >> Did Matt ever find Miss Kitty's lost pussy?

    >
    > > Look, Bear...  It's almost 6:30.   By midnight, I want you to ride
    > > down that street and out of town. And if you come back, you're going
    > > to jail.

    >
    > Buy me a <hic> drink and a bar girl then we'll talk...


    Miss Kitty, bring me a bottle of Kessler and half a dozen of yo'
    finest females.
     
  16. sean nathan bean

    sean nathan bean Flightless Bird

    On 7/16/2010 10:58 AM, Robert Macy wrote:
    > On Jul 14, 1:38 pm, Bob<B...@discussions.microsoft.com> wrote:
    >> I have one desktop that is running XP Professional SP3 on a server 2003
    >> Domain, all security patches are up to date, all systems run Symentec
    >> Endpoint Protection 11.0.5.
    >>
    >> This one system starting using 100% processor for svhost.exe when the system
    >> boots up a few days ago, we go to task manager see the svhost.exe that is
    >> using all of the processor, end that task, and the user is back in business.
    >>
    >> I saw some information on the net that is may be a virus --- I boot the
    >> machine up in safe mode, with system restore off, ran a full scan and no
    >> threats, also ran a full scan while not in safe mode and still all clear.
    >> There are a lot of ideas on the net as to how to fix this ---- just wondering
    >> if anyone ran into this problem and if successfully resolved. Any assistance
    >> would be appreciated.
    >>
    >> Thanks,
    >> Bob

    >
    > I had the EXACT same problem with my WinXP system, got no help here -
    > only told it was likely a malware, or such, infection, jumped through
    > many,many hoops looking and searching for an infection, and found
    > none, but problem continued.
    >
    > The Windows98 group helped me by telling me it had something to do
    > with the system legitmately looking everywhere for a driver, or
    > something. After I disabled the software that asked for that search,
    > all the svchost.exe CPU hogging problems magically went away!


    interesting... care to share how you figured out which software was
    doing all the calling?

    sean
     

Share This Page