
svchost.exe now always runs at 100%



#1 Pulsar100


Posted 18 June 2010 - 10:14 AM

Hello Supporter,

One of the svchost.exe processes is now always running at 95-100%.

So I tried some tips with the Windows automatic update option, like turning it off, running regsvr32 wups2.dll and pressing OK, and turning the Windows automatic update option on again...but it didn't help :thumbsup:

I have 9 svchost.exe processes running, one of them at 99% CPU right now.
So what can I do?

Posted Image

Edited by hamluis, 18 June 2010 - 11:15 AM.
Moved to Am I Infected ~ Hamluis.




#2 hamluis


Posted 18 June 2010 - 10:30 AM

You can read up...

What is svchost.exe And Why Is It Running the How-To Geek - http://www.howtogeek.com/howto/windows-vis...-is-it-running/

Before becoming concerned with such...I would take a look at what these processes might be.

How to determine what services are running under a SVCHOST.EXE process - http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchost.exe-process/

...and remember, the possibility of malware is a constant. That's why it's wise to look before deciding that you have a problem.

Louis

#3 Pulsar100


Posted 18 June 2010 - 10:33 AM

I did look with Process Explorer.
And now? :thumbsup:

Here, in addition, is my mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

18.06.2010 17:02:04
mbam-log-2010-06-18 (17-02-04).txt

Art des Suchlaufs: Quick-Scan
Durchsuchte Objekte: 123854
Laufzeit: 10 Minute(n), 24 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 6
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 6
Infizierte Dateien: 15

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\TypeLib\{01bcb858-2f62-4f06-a8f4-48f927c15333} (Adware.PredictAd) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c9ae652b-8c99-4ac2-b556-8b501182874e} (Adware.PredictAd) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0fb6a909-6086-458f-bd92-1f8ee10042a0} (Adware.PredictAd) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AutocompletePro.DLL (Adware.PredictAd) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\support@predictad.com (Adware.PredictAd) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Programme\AutocompletePro (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome\content (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\defaults (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\defaults\preferences (Adware.PredictAd) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\AutocompletePro\AcRemoteUpdate.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\AutocompletePro.dll (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\InstTracker.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\TaskScheduler.dll (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\unins000.dat (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\unins000.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome.manifest (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\install.rdf (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome\content\options.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome\content\options.xul (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\chrome\content\utils.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\Programme\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js (Adware.PredictAd) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\ntuser_mssec.exe (Trojan.VirTool) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Boris\Anwendungsdaten\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

Edited by Pulsar100, 18 June 2010 - 10:38 AM.


#4 hamluis


Posted 18 June 2010 - 10:38 AM

Well...did you see any process running via svchost...that doesn't look as if it belongs there?

Did you look up the processes/programs listed...to see if you want them running or not?

Some programs run routine things like updating...via svchost.exe. I would not find that alarming.

Louis

#5 Pulsar100


Posted 18 June 2010 - 10:40 AM

> Well...did you see any process running via svchost...that doesn't look as if it belongs there?
>
> Did you look up the processes/programs listed...to see if you want them running or not?
>
> Some programs run routine things like updating...via svchost.exe. I would not find that alarming.
>
> Louis


What can I screenshot for you for further information beyond what I already did with the Process Explorer shot above?
My CPU is almost at 100% all the time because of this svchost...I find that alarming.


The service shown for this svchost.exe process is termsrv.dll, which is for remote desktops / Concurrent remote desktop.
I find this very alarming!

Edited by Pulsar100, 18 June 2010 - 10:52 AM.


#6 hamluis


Posted 18 June 2010 - 11:01 AM

I don't know what language that is that you keep posting...I guess that you did not get the bulletin.

Some of us are not multilingual and don't get anything out of postings in an unknown language :thumbsup:.

Posting a bunch of different characters...may appear as a useful step to you...but you know what language it is and you can read/understand it.

I know that it's easy to forget that the Web is a world-wide phenomenon...but part of delivering a speech or communication of any sort...is remembering who the target audience is.

FWIW: Posting a Malwarebytes log is essentially pointless. If you think you have malware, all you have to do is say so and/or request that this thread be moved to a malware forum. The XP forum is not the place to solve malware issues...we can move you to the appropriate forum, if that's what you want...anytime you ask.

FWIW: Adware is probably on every system that is connected to the Internet and active. A good program to round up such is SUPERAntispyware, far superior to any AV program.

Louis

#7 hamluis


Posted 18 June 2010 - 11:14 AM

Sorry but I'm a slow reader :thumbsup:.

Terminal services (termsrv.dll) is a perfectly legitimate Microsoft networking function...but, like anything else, malware can mimic it.

Some data re TS: http://www.theeldergeek.com/terminal_services.htm

I would think that...the activity of this service depends on what software you have installed/active on your system. I believe that those who download torrents...routinely may install legit and bootleg copies of this file and thereby provide access to other users, knowingly and unknowingly.

Louis
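
Added example, not part of the original thread or any poster's code: for the PID of the busy svchost.exe, this PowerShell script lists the hosted services, resolves each one's ServiceDll registry value, and reports whether that DLL sits in System32 and who signed it, which is how a look-alike termsrv.dll is told apart from the Microsoft one. It assumes PowerShell 3.0 or later and an elevated prompt; the parameter name ProcessId is this example's own.

```powershell
param(
    [Parameter(Mandatory)] [int] $ProcessId   # PID of the busy svchost.exe (from Process Explorer)
)

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. The host process itself should be %SystemRoot%\System32\svchost.exe.
$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) { throw "No process with PID $ProcessId" }

$expectedHost = Join-Path $system32 'svchost.exe'
if ($proc.ExecutablePath -and $proc.ExecutablePath -ne $expectedHost) {
    Write-Warning "Host image is $($proc.ExecutablePath), expected $expectedHost"
}

# 2. Every service in that process is a DLL named by its ServiceDll registry value.
Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $raw = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $dll = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }

    # Signature is only checked when the DLL path resolves to a file on disk.
    $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
        Get-AuthenticodeSignature -FilePath $dll
    } else { $null }

    [pscustomobject]@{
        Service    = $_.Name
        State      = $_.State
        ServiceDll = $dll
        # A DLL outside System32 is a reason to look closer, not proof of malware.
        InSystem32 = [bool]($dll -and
                       $dll.StartsWith("$system32\", [StringComparison]::OrdinalIgnoreCase))
        Signature  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) {
                         $sig.SignerCertificate.Subject
                     } else { $null }
    }
} | Format-Table -AutoSize -Wrap
```

On systems without PowerShell 3.0, `tasklist /svc` gives the same PID-to-service mapping, and the ServiceDll values can be read from the same registry path by hand.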

#8 Pulsar100


Posted 18 June 2010 - 11:15 AM

> I don't know what language that is that you keep posting...I guess that you did not get the bulletin.
>
> Some of us are not multilingual and don't get anything out of postings in an unknown language :thumbsup:.
>
> Posting a bunch of different characters...may appear as a useful step to you...but you know what language it is and you can read/understand it.
>
> I know that it's easy to forget that the Web is a world-wide phenomenon...but part of delivering a speech or communication of any sort...is remembering who the target audience is.
>
> FWIW: Posting a Malwarebytes log is essentially pointless. If you think you have malware, all you have to do is say so and/or request that this thread be moved to a malware forum. The XP forum is not the place to solve malware issues...we can move you to the appropriate forum, if that's what you want...anytime you ask.
>
> FWIW: Adware is probably on every system that is connected to the Internet and active. A good program to round up such is SUPERAntispyware, far superior to any AV program.
>
> Louis


Listen, I already posted in a long thread in this forum, and no one ever complained about my language.
Instead, they helped me with my computer problem.
What did you do for me now, besides:
1. being arrogant and playing disgusted about my language
2. telling me that YOU would not be alarmed
3. telling me not to be concerned while you're not getting that my CPU is always running at 100% right now
4. asking ME what to do, and if it would be right for me to move my thread to an appropriate forum

So please tell me, what is your right to exist on this forum?

Edited by Pulsar100, 18 June 2010 - 11:43 AM.




