I have a Dell laptop, running XP. I also have the dreaded 100% CPU
utilisation problem. This comes from one of the svchost.exe processes
(which I know is a legitimate process), taking all of the
CPU and murdering the PC performance. (It seems to come in conjunction
with the lsass.exe). When I stop the process, the system performs
normally.
I have checked my PC with any number of virus checkers (including the
installed Norton) and it has not helped. Same for spyware checkers
like spybot.
In short, it is very frustrating as it requires me to Ctrl-Alt-Delete
every time I start and I believe the virus has also disabled the
Windows firewall & system restore.
Can anyone help here? I see that I am not alone with the issue, but no
one has offered any conclusive answers. I also hope that no responses
recommend that I update Windows or Norton as I have done this a number
of times.
All the best,
S.
|
Request for Question Clarification by hummer-ga on 23 Apr 2004 11:42 PDT
Hi irishbigboy,
First, please do a virus scan using HouseCall - it is a very thorough,
free, online scan and catches things when others fail.
http://housecall.trendmicro.com/
Next, have a look at this article:
A Description of Svchost.exe in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056
Run regedit and navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
View what local services are running.
See if lsass.exe (or whatever it is that you are turning off whenever
you start your computer) is listed as a local service.
If it is, go to Control Panel / Administrative Tools / Services and turn it off.
If it isn't, it may be a matter of a process of elimination, one at a
time, to figure out which one is causing you problems - possibly one
called SSDPSRV.
Whether the above has helped or not, I would suggest downloading and
running the following programs (update them first), just to be sure.
CWShredder:
http://www.spychecker.com/program/coolwebshredder.html
Adaware:
http://www.spychecker.com/program/adaware.html
HijackThis:
http://www.spychecker.com/program/hijackthis.html
Post your HijackThis log on this forum:
Spyware and Hijackware Removal Support:
http://www.spywareinfo.com/forums/
Please let us know how that goes.
Good luck,
hummer
|
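The process of elimination suggested in the post above gets shorter once you know which services share the busy svchost.exe instance. The following is an added example, not part of the original thread: it parses the output of `tasklist /svc` (assumed to be available on the machine) and lists the services hosted under a given PID. The sample output and its PIDs are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output (not taken from the thread).
# Long service lists wrap onto indented continuation lines.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      712 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    948 RpcSs
svchost.exe                   1040 AudioSrv, Dhcp, SharedAccess, srservice,
                                   wuauserv
svchost.exe                   1196 SSDPSRV
"""

# Image name (may contain spaces), then PID, then the services column.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def split_services(field):
    """Split a services column into names, dropping the 'N/A' placeholder."""
    names = [s.strip() for s in field.split(",")]
    return [s for s in names if s and s != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` text."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # blank line or table header
        if line[0].isspace() and last_pid is not None:
            # Wrapped continuation of the previous row's service list.
            procs[last_pid][1].extend(split_services(line))
            continue
        m = ROW.match(line)
        if m:
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1), split_services(m.group(3)))
    return procs

def services_behind(procs, pid):
    """Services hosted by the process with this PID (e.g. the one pegging the CPU)."""
    return procs[pid][1]

if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    # PID 1040 stands in for the svchost.exe instance seen at 100% in Task Manager.
    print(services_behind(procs, 1040))
```

Take the PID from Task Manager's PID column (View / Select Columns) and pass it in place of the constructed 1040.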
Clarification of Question by irishbigboy-ga on 26 Apr 2004 05:10 PDT
Dear Hummer,
I tried what you suggested and I am still suffering from the same problem.
Basically svchost.exe + lsass.exe always takes 100% utilisation. I
cannot switch off lsass, so I switch off the offending svchost.exe and
then performance goes to normal.
I have also tried to switch off the services, but nothing is happening.
I have tried the Trend Micro product before and now again and it finds
nothing. I did take your advice and placed my log file on spyware info
and will see what happens.
Regards,
ibb
|
Request for Question Clarification by hummer-ga on 26 Apr 2004 05:35 PDT
Hi ibb, thanks for the update. I'll be anxious to hear what the good
people at the spyware forum have to say - let me know one way or the
other, ok? In the meantime, I'm going to try and see if I can come up
with any other ideas - I hear your frustration. Good luck with the
log, hummer
|
Clarification of Question by irishbigboy-ga on 28 Apr 2004 00:47 PDT
There has been no posting of interest on the spywareinfo.com site. One
person recommended that I use another virus checker, but the link they
provided didn't work. I have also confirmed that it is svchost.exe and
not scv...
I have downloaded 'Process Explorer' from Sysinternals freeware and
this lets me look at the svchost.exe and what it is doing. It also
explains that once it is killed it will affect system restore,
firewall & audio. This has happened in reality.
In essence I have no idea why it is doing this & why it acts the same
whether connected to the web or not. Perhaps time to reload the whole
thing...
|
Request for Question Clarification by hummer-ga on 28 Apr 2004 07:36 PDT
Hi ibb,
Oh, I'm sorry to hear that. Here are some notes I copied from forums -
Technical Questions & Help / How to remove svchost.exe?
1) Start your computer in "SAFE MODE".
2) Verify the CPU usage.
3) If it is normal (less than 10%) then keep going.
4) Delete the file EXPLORE.EXE (check the spelling without the final
"R") in the directory C:\windows\system32\explore.exe
5) Erase any reference to the EXPLORE.EXE file in your registry.
6) Start your computer in "NORMAL MODE".
http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=3
Hi, guys ... I had the same problem (svchost.exe eating 100% of the
CPU power), I've tried every advice from here ... nothing worked
until I've found this DCOMbobulator fix, many thanks to Steve Gibson
from Gibson Research Corporation.
Here is the link
http://grc.com/dcom/intro.htm
http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=4
Troj/Tofger-B:
http://www.sophos.com/virusinfo/analyses/trojtofgerb.html
Uninstall your firewall and see if that fixes it.
Troj/Manifest-A
http://www.sophos.com/virusinfo/analyses/trojmanifesta.html
I fixed the problem by deleting the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Microsoft Config Loader"="msconfig32.exe"
http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=9
W32/Jeefo
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100277
Okay, this post has been very informative and helpful. I've tried
everything this post has said and I think I finally got this worm
taken care of.
http://forum.pcvsconsole.com/viewthread.php?tid=8191&page=11
hummer
|
Clarification of Question by irishbigboy-ga on 30 Apr 2004 01:04 PDT
Dear Hummer, I have now tried these new postings you found. Nothing
seems to be working, in fact the registry keys that are mentioned in
one, I cannot find...
I was wondering, would it make any sense to remove the registry key
that I find in svchost.exe that refers to ssdpsrv? While it doesn't
matter if I switch off the service, perhaps it could work that way?
By the way I am backing up all my files, as I think I need to do the
full re-install of my system... That sucks, but this has been going on
too long...
Thanks for your help so far.
Cheers,
IBB
|
Request for Question Clarification by hummer-ga on 30 Apr 2004 07:03 PDT
Hi IBB,
I agree, looks like it's time to call it a day and reinstall (sounds
like a good weekend project). I suppose it wouldn't hurt, though, to
try deleting the ssdpsrv after you have backed up everything and you
are all set for the reinstall. One last idea from me... try posting
your HijackThis log to this forum:
Wilders Security Forums:
"adware, spyware & hijack cleaning"
http://www.wilderssecurity.com/
If you think of it, drop me a note when you're finished reinstalling
and let me know that all is well. I'm sorry we weren't able to help
you out - don't forget to run the Windows Update immediately after
installing Windows, you don't want to run the risk of picking up the
same problem again!
Sincerely,
hummer
|
Clarification of Question by irishbigboy-ga on 04 May 2004 04:48 PDT
As I tried everything and there was no change, I decided to do a fresh
install. Thank you for your comments, they did give some hope when I was v.
frustrated...
Thanks especially, Hummer, for the wisdom and research time you put in.
S.
|