Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


svchost.exe(netsvcs) using 90%-100% of CPU

  • This topic is locked This topic is locked
5 replies to this topic

#1 fmedwards3


  • Members
  • 52 posts
  • Local time:03:55 PM

Posted 19 August 2016 - 07:59 PM

Task Monitor shows svchost.exe(netsvcs) using 90%-100% of CPU
Restarts if killed.
No new programs installed.
Win7 64bit SP1

Farbar Service Scanner
Malwarebytes Anti-Malware
Malwarebytes Anti-Rootkit
Temp File Cleaner
Junkware Removal Tool
Sophos Free Virus Removal Tool
Process Explorer
Farber Recovery Scan Tool (log files attached)

The above tools were all run and logs reported at the following lonk:

For whatever reason, I booted into safe mode to type this and killed svchost.exe(netsvcs) -- and CPU usage is back to normal and svchost.exe(netsvcs)did not restart.

Attached Files

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:55 PM

Posted 21 August 2016 - 10:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.


ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShortcutTarget: Dropbox.lnk -> C:\Users\fme\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
BHO-x32: No Name -> {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} -> No File
Toolbar: HKLM-x32 - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} -  No File
Toolbar: HKU\S-1-5-21-963752047-1521292436-1757112234-1006 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\fme\AppData\Local\Google\Chrome\User Data\WidevineCDM\\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Extension: (Hover Hound) - C:\Users\fme\AppData\Local\Google\Chrome\User Data\Default\Extensions\dogmhlelnjpjgahofccgbfnmojkmlfep [2016-08-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\fme\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Dr.Fone for Android\DriverInstall.exe" [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
C:\Users\fme\AppData\Local\Google\Chrome\User Data\Default\Extensions\dogmhlelnjpjgahofccgbfnmojkmlfep
C:\Users\fme\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
AlternateDataStreams: C:\Users\fme\Downloads\brilliantdb_server.exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\brilliantdb_server_beta.exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\EchoLinkSetup_2_0_908 (1).exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\EchoLinkSetup_2_0_908 (2).exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\EchoLinkSetup_2_0_908.exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\googlewebdesigner_win.exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\rdbsetup.exe:BDU [0]
AlternateDataStreams: C:\Users\fme\Downloads\setup-vipre-internet-security.exe:BDU [0]

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.

Be careful not to install malware posing as Java update!
Important read this blog.

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:

How to disable Java in your browsers

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Java™ 6 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416045FF}) (Version: 6.0.450 - Oracle)


Please post the log and let me know of any persistiing problems.

#3 fmedwards3

  • Topic Starter

  • Members
  • 52 posts
  • Local time:03:55 PM

Posted 21 August 2016 - 10:41 AM

Thanks for the reply.
While awaiting a response, I turned off Windows Update (to 'Never check for updates') and the problem appears to be solved. Should I still follow your instructions above?

#4 nasdaq


  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:55 PM

Posted 22 August 2016 - 06:12 AM

Nothing malicious found on your logs. The fix I suggested is just a clean up of empty registry entries.
Your Call.

I would update the Java your version is vulnerable.

When all is done.

Check for the Microsoft updates on occasion.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.

#5 fmedwards3

  • Topic Starter

  • Members
  • 52 posts
  • Local time:03:55 PM

Posted 22 August 2016 - 11:24 AM

Thanks.  I consider this case resolved.

#6 nasdaq


  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:55 PM

Posted 23 August 2016 - 07:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users