How to remove svchost.exe?
January 2, 2004, 1:52 PM CST by Trunks007
my pc was infected by w32.blaster worm and has now created a memory process svchost.exe, my OS is win2000 prof.edition, the worm was completely remove from the boot record after i run a worm removal kit(stinger), however the removal kit does'nt recognize the svchost.exe so it was bypassed and now resides in the memory, the svchost will automatically run itself after a few minutes of connecting to intrnet. i also got a message "access denied" evrytime i attempt to end the svchost process in the memory using the task manager. what should i do? how can i prevent it from slowing down my PC? thanks...
January 2, 2004, 1:59 PM CST by Encryptedmind to Trunks007
svchost is supposed to be on there, I have like 5 or 6 svchost files funning on my machine... That isn't a virus...
January 3, 2004, 10:45 PM CST by Google to Trunks007
Thats the welcha worm virus you got there, if your SVCHOST is using all your processing power. Download the patch and there is also a symantec fix for it too which will remove it. Download both the patch and fix files, disconnect from internet, run the fix then patch.

Edit: find the fix here http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
and patch here: http://www.rcub.bg.ac.yu/Antivirus/Q815021_WXP_SP2_x86_ENU.exe
January 3, 2004, 11:52 PM CST by Encryptedmind to Google
Sorry I ran the worm finder, there is no worm on here.. And I already have the update you posted..

I do keep McAfee Anti-virus on here, which ratings wise finds more viruses than Norton.. I use to use Norton Anti-Virus, until I saw those reviews...
January 3, 2004, 11:55 PM CST by Encryptedmind
Here is a description of svchost.exe, it is not a virus..
SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running. Image Name PID Services
=====
System Process 0 N/A
System 8 N/A
Smss.exe 132 N/A
Csrss.exe 160 N/A
Winlogon.exe 180 N/A
Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
Eventlog,LanmanServer,LanmanWorkstation,
LmHosts,Messenger,PlugPlay,ProtectedStorage,
Seclogon,TrkWks,W32Time,Wmi
Lsass.exe 220 Netlogon,PolicyAgent,SamSs
Svchost.exe 404 RpcSs
Spoolsv.exe 452 Spooler
Cisvc.exe 544 Cisvc
Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan,
SENS,TapiSrv
Regsvc.exe 580 RemoteRegistry
Mstask.exe 596 Schedule
Snmp.exe 660 SNMP
Winmgmt.exe 728 WinMgmt
Explorer.exe 812 N/A
Cmd.exe 1300 N/A
Tasklist.exe 1144 N/A

The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
Netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
RApcss :Reg_Multi_SZ: RpcSs
January 4, 2004, 12:07 AM CST by Google to Encryptedmind
Your not the one with the problem Trunks007 is, thats why I aimed my post at him. My svchost.exe was using all my processor and discovered that the welchia worm makes a copy of svchost.exe which uses all the processors power and slows your computer to almost a halt.
The copy of svchost.exe which isnt the real thing(and a copy of dllhost.exe) can be found in c:\windows\system32\wins these can be deleted, if removing the welchia worm manualy, just make sure to disable system restore beforehand. Some reg keys need to be deleted too Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter, In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>
In the left panel, delete the subkeys:
RpcPatch
RpcTftpd
Now install the patch

Edit:
How Does the Welchia Worm Infect My Computer?

Copies itself to the Wins directory in the System or System32 folder in Windows usually

C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

C:\Windows\System32\Wins\svchost.exe for Windows XP or
C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

Creates the following services:

Service Name: RpcTftpd
Display Name: Network Connections Sharing
File: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Display Name: WINS Client
File: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process, MSBLAST, and delete the file %System%\msblast.exe which is dropped by the worm, MSBlast.A. First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
Some of the patches it downloads into the system are as follows:

http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe
http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe
http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9125-6858b759e977/Windows2000-KB823980-x86-CHS.exe
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe
http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe
http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8d48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

Before downloading or installing the patch on the system, this worm first checks if the system has been previously patched by checking for specific registry keys to make sure the patch hasnt been installed.

The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm will use a ping to determine if the active machine is on a network.Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
January 4, 2004, 12:14 AM CST by Encryptedmind to Google
Sorry for aiming it at you, but he needs to know that the svchost.exe is a normal process..
January 12, 2004, 5:12 PM CST by xposhaa
Hi,
I have had the same problem. I recently re-installed XP, but since doing this my CPU has been working at 100% all the time. I tried the welcha fix and patch you gave, but even though it detected and deleted the worm it is still using exactly the same amount of CPU.

Any ideas?

Thanks guys.
January 13, 2004, 12:07 AM CST by Google to xposhaa
Try following the manual way of removing the welchia worm, which I described above. To disable system restore before removing possible virus, go to: 'Start', right click 'My Computer', 'Properties' and in the heading click on 'System Restore' check the box labeled 'Turn off system restore for all drives' now you can follow the guide above.
January 13, 2004, 9:56 AM CST by xposhaa
Hi google,
I followed your instructions to the letter, however i found that there was nothing inside c:\windows\system32\wins to be deleted and when i tried to find RpcPatch and RpcTftpd, neither of these were here.
Do you think that it is possible that the Welchia worm has been deleted (by those links you gave)and that it is something else causing the CPU usage to skyrocket?
After i had replied last night, i looked at my network connections and disabled the local network icon. This worked on the net and off the net, yet i have just switched on my pc and although the CPU usage is low off-line, it has gone back too 100% on-line. I have done more Spyware scans, and while it found and deleted one, it seems too have made no impact on the CPU usage while on-line.
This is really bugging me. Any more ideas?
January 13, 2004, 12:46 PM CST by Frenchie
The least painful way to remove that worm among one other that enters your system upon updating it is get an antivirus that actually works. Norton, Symantec, Panda, etc, are complete crap and don't ever find anything on my system. The one to use that will remove the worm you are having trouble with is called Avast Antivirus. It is free for like 60 days or something.

http://www.avast.com/
January 13, 2004, 12:54 PM CST by Encryptedmind to Frenchie
Yeah but if you can afford to pay for Anti-Virus, McAfee has the highest ratings for finding the most viruses... Plus it comes with a firewall..
January 13, 2004, 4:44 PM CST by xposhaa to Frenchie
i have avast but it found nothing.
January 14, 2004, 1:46 AM CST by bearbear
If you look in your running processes and you see svchost.exe, it's normal
now if it shows SVCHOST.EXE it a virus.
January 14, 2004, 1:58 AM CST by Encryptedmind to bearbear
Did you not read my quote? Here it is again.. SVCHOST.EXE, or it could be svchost.exe, doesn't matter how it is in there, it is supposed to be in your processes, but only in Win2000 and Winxp..


Yes a virus can add more of them to your processes.. If you think you have a virus, run the fix.. If it doesn't find any, then leave the svchost, or the SVCHOST alone..
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The following example of Tasklist output shows two instances of Svchost.exe that are running. Image Name PID Services
========================================================================
System Process 0 N/A
System 8 N/A
Smss.exe 132 N/A
Csrss.exe 160 N/A
Winlogon.exe 180 N/A
Services.exe 208 AppMgmt,Browser,Dhcp,Dmserver,Dnscache,
Eventlog,LanmanServer,LanmanWorkstation,
LmHosts,Messenger,PlugPlay,ProtectedStorage,
Seclogon,TrkWks,W32Time,Wmi
Lsass.exe 220 Netlogon,PolicyAgent,SamSs
Svchost.exe 404 RpcSs
Spoolsv.exe 452 Spooler
Cisvc.exe 544 Cisvc
Svchost.exe 556 EventSystem,Netman,NtmsSvc,RasMan,
SENS,TapiSrv
Regsvc.exe 580 RemoteRegistry
Mstask.exe 596 Schedule
Snmp.exe 660 SNMP
Winmgmt.exe 728 WinMgmt
Explorer.exe 812 N/A
Cmd.exe 1300 N/A
Tasklist.exe 1144 N/A
January 14, 2004, 2:19 AM CST by bearbear to Encryptedmind
The virus is made to disguise itself as SVCHOST.EXE some systems do have SVCHOST.EXE but only a handfull
January 15, 2004, 3:49 PM CST by philbennett to bearbear
I have exactly the same problem:
No sign of a virus or worm but after boot-up (XP) when I connect to the internet an svchost process starts which eats 99% of the cpu. There is then next to no traffic, either way.
There must (?) be a common cause.
Help.
January 15, 2004, 3:52 PM CST by Encryptedmind to bearbear
some systems do have SVCHOST.EXE but only a handfull
Every Winxp, and Win2k system I have seen has atleast 2 svchost.exe's running on them.. Now win9x, and winme you won't see that..
January 15, 2004, 3:53 PM CST by Encryptedmind to philbennett
You might need to download adaware and check for spyware..
http://www.lavasoftusa.com/
January 21, 2004, 3:14 AM CST by joerpaul to Google
I noticed i have several instances of the svchost process running on my computer and that led me to research the possibility of it being a virus. I ran the fix and it said my computer is not infected. Then i read on some Iother site that the worm creates its own files named svchost.exe and dllhost.exe in the windows\system32\wins\ directory. Those files didn't exist on my system. It just had one copy of each in the windows\system32\ directory. I also read that it creates certain registry entries which didn't exist on my computer.

My point in all this is that svchost still runs 4 or so instances and, with all the above in consideration, I was wondering if my computer could still be infected with some sort of virus, or is it normal to run 4 instances?
January 21, 2004, 12:46 PM CST by Encryptedmind to joerpaul
Yes its normal, I have 5 svchost.exe's running on mine, and I don't have any worm.. I keep my anti-virus up to date, and my firewall up to date, and I run virus scans like every week or so..

If you computer starts acting funny, like restarting for no reason, then you might have the worm.. But if it seems to be working fine, then there is nothing to worry about..
January 21, 2004, 4:59 PM CST by redstinger
Hi Guys,

I had the same problem in a laptop.

Symptoms: 100% CPU usage, very slow performance very evident with my screen saver, Norton Antivirus and F-Prot useful, Spybot and Ad-aware useful, 4 svchost.exe processes running, when the laptop was offline it asked several times to get inline to link to a .biz site, and one curious thing is that I couldn't open a zip file by double clicking on it but I can opening with the explorer.

Solution: Use the life update of Norton Antivirus. Reboot the laptop. suddenly it detectected a worm called "W32.HLLW.Gaobot.gen" in the file C:\windows\system32\explore.exe. I checked at Symantec's site the procedure go get rid of the worm. I started the laptop in safe mode and delete the file manually and modify the register as it says and now the laptop is fine.

By the way, when I started in safe mode I checked the cpu usage and it was in a normal level. It is curious that the Norton Antivirus can't get rid of the worm in first place. I personally think that this is a variation between the "evolution" of "ZIP worm" (another worm around with similar behaviour) and the "W32.HLLW.Gaobot.gen" due to the particular symptoms and the way you can get rid of it by deleting "explore.exe"

Hope this can help you.

RedStinger
January 22, 2004, 6:02 AM CST by GosthMan to Encryptedmind
Encryptedmind i have read all the posts from this theread and u say that in winxp ... is normal to have svchost.exe but i'm using win98 and i have that svchost.exe and i don't think that is normal to have it cause i didn't had a couple of weeks ago
what shall i doo
January 22, 2004, 9:47 AM CST by redstinger
Hi Guys,

Just for the forum records. Did my solution work fine for you?

RedStinger
January 22, 2004, 11:45 AM CST by JumpinJack to redstinger
Hey guys,

I seem to be having a similar problem with my computer. I have two instances of svchost.exe running on Windows 2000. One of the svchost.exe processes is eating up all the CPU, along with the system process. I've tried both the Welchia and the Gaobot worm removal tools... no success. It acts this way as soon as you boot it up, not even using the internet. Any help would be greatly appreciated!!

-JJ
January 22, 2004, 12:10 PM CST by Bochur
I have two computers networked to each other. THey both seem to have the same problem - possibly for the same reason. Their CPU sage is at 100%. It seems to be caused by a number (primarily one) copy(s) of svchost.exe and lsas.exe
One coputer is running on Windows 2000 while the other is on XP prof.
If anyone got some solution on how to rectify (I've got no other computers to back up upon).
January 22, 2004, 12:59 PM CST by Bochur
I've got 2 computers: one with 200 and the other with XP. CPU is at 100% and based on the flow of conversation here I have confirmed my hunch that the problem is with regards to svchost.exe and lsas.exe

I've got 4 to 5 runnig where one is for sure hogigng at least 70% of the cpu.

I checked all of the advise but nothing works or is in the locations mentioned. I did however notice that in win32, i had a 2 or 3 svchost.exe and only one was dated a long while back (confirming the comment that a bug transforms into the svchost.exe

Both my computers are at a standstill. At small intervals it will partially come back to life, but that is still with the cpu at 100%.

Three words: HELP IS APPRECIATED!
January 22, 2004, 1:01 PM CST by Bochur
Is 'Google' still around? Maybe y'a found out some new stuff?
January 22, 2004, 5:08 PM CST by redstinger to JumpinJack
JJ this procedure worked fine for me

1) Start your computer in "SAFE MODE".
2) Verify the CPU usage.
3) If it is normal (less than 10%) then keep going.
4) Delete the file EXPLORE.EXE (check the spelling without the final "R") in the directory C:\windows\system32\explore.exe
5) Erase any reference to the EXPLORE.EXE file in your registry.
6) Start you computer in "NORMAL MODE".

Please let me know if this worked for you.

RedStinger
January 23, 2004, 2:34 PM CST by Google to xposhaa
Oops, I forgot about this thread :)

Have you got a virus scanning program? have you done a full system scan with latest virus definitions?

You mention spyware, which program do you use to kill spyware? do you use a program to block spyware from even getting on your PC?

The best spyware program out there is 'spybot search and destroy' if you decide to get and use this program use it in 'easy mode' unless you realy know what your doing. This program is very thourough and could damage your operating system using it in 'advanced mode'

Another good program for blocking spyware is 'spywareblaster' this will stop spyware from getting on your PC.

Both 'Spyware search & destroy' and 'spywareblaster' are free and regular updates are free, all the developers ask is if you would like to contribute something for their work.
January 23, 2004, 3:06 PM CST by Google
To solve the problem the easy way in WinXP go to 'START' 'RUN' and type in 'MSCONFIG' in the header click on 'services' and uncheck 'svchost.exe' and click apply.
January 23, 2004, 3:14 PM CST by Encryptedmind to Google
How many times do I have to tell you people.. IT IS PART OF WINXP.. Certain programs NEED IT to RUN... Yes there can be a virus on your machine, and it can make it self look like svchost.exe.. But just because you have it DOESN'T mean you have a virus.. EVERY MACHINE running winxp WILL HAVE svchost.exe... Most will have 4 or 5 copies of it running..

The only people that don't want to see svchost.exe running, is win9x people..

Its funny one person mentions having a viurs, and mentions svchost.exe, now everyone that sees svchost.exe thinks its a virus.. Run the program to check, if it doesn't find it, then there isn't a virus.. geese..

And also for spyware, adaware is a great program to use.. Lots of good ratings..
January 23, 2004, 3:21 PM CST by Google to Encryptedmind
Yes I think we all know its a legit file, but when svchost is using all the processors performance dont you think that is odd? closing svchost wont harm anything and the way I just described will close them permanantly so they dont come back unless needed.

Adaware might be good, but not good enough, run Adaware, then run spybot search and destroy to see all the spyware missed by adaware.
January 23, 2004, 4:53 PM CST by GosthMan to Encryptedmind
The only people that don't want to see svchost.exe running, is win9x people..

i am one of the so what i have to do ???
January 23, 2004, 5:11 PM CST by Encryptedmind to GosthMan
Have you tried some of the things that are listed in this thread? I haven't had the problem with the virus, and haven't needed to remove them.. But it looks like some people have removed it from their win9x and it worked..
January 24, 2004, 12:49 AM CST by GosthMan to Encryptedmind
yes but no efect
now i'm trying with that ad-aware
January 24, 2004, 2:34 AM CST by Google to GosthMan
If you have svchost running in winME delete it, its not a part of winME
do a system search for the file. I just checked my version of ME, ir doesnt exist in any directories.

Edit: just noticed you said your using win98 the above still applies.
January 24, 2004, 8:35 AM CST by weepingdarkness
I am truly not as computer oriented as all of you seem to be, but a problem has arisen that I just can't solve. Upon starting my computer I can press Control Alt Delete to get that menu to open. In the Applications tab, there are two SvcHosts running. In the processes, there are five. I can shut down the two that are in the application without problem, but they link back to processes. I believe they are Aim32.com and something like with "win" and "32" in the title. All over my computer, zip files pop up that are said to originate from svchost.exe. Upone searching for this program and finding it, I can't delete it. I haven't the slightest clue what is going on with the computer and any help that you all could offer to solve this problem would be appreciated. I'm tired of having to delete these annoying zip files everytime a problem arises.
January 24, 2004, 12:03 PM CST by GosthMan to weepingdarkness
for the users with windows 98 check this out

Virus name: Win32:Jeefo
File name: c:\windows\svchost.exe

dam i'm good
10 for the advice to everione especialy the one ho indicated avast!
January 25, 2004, 1:54 AM CST by xr1140
hi, guys ... i had the same problem (svchost.exe eating 100% of the cpu power), i`ve tryied every advice from here ... nothing worked until i`ve found this DCOMbobulator fix, many thanks to Steve Gibson from Gibson Research Corporation.


here is the link
http://grc.com/dcom/intro.htm
January 25, 2004, 12:24 PM CST by KaruQ16335
Hey... alright i stumbled accross this site in my attempt to doctor my own pc after an accidental worm install from "buffy vampire slayer movie.exe"

first let me give you some background information on my pc... it is formerly a win98 OS with roughly 20gig hd, p3 and about 550meg of ram.. BLAH BLAH BLAH.

once i caught the Blaster virus there. but of coarse it was unable to do the full extent of damage because 98 doesnt have a DCOm/Rpc to exploit... However... 98 dosent have the SVCHOST.EXE process in its processes. ANYWHERE... i had noticed that when the pc would boot up... and i was not connected to the net... SCVHOST.EXE wasnt running. but, as soon as i connected to the Net... SCVHOST was right there. causing a definate lag. it was also attempting to access my Floppy Drive.

Now... i have upgraded to windowsXP professional and when i upgraded, i looked at my Process panel and familiarized myself with the Computers standard processes.. scvhost, and SVCHOST were not listed. even after connection to the internet.

As of a Few days ago the process had found its way into my PC thanks to the Buffy executable file. which by the way is a common file found on Filesharing networks and works as a sort of Host to other Virus'

yes. svchost is a Normal function on select pc's...

also on the first day of my upgrade i got myself the Free Firewall Sygate Personal firewall. which is a Greet firewall. its free, and is hardly noticeable save for the promt to accept or deny a connection. and the task Icon. Now because of the promts i was aware of all incoming andoutgoing processes on my PC... Immediately after teh Buffy inffection..SVCHOST attempted to connect to the Exploitive IRC channel that it is set up to connect too...

Personally Encryptedmind. i do not think you are very Knowledgeable in your Virus information.. Yes, svchost is a typical process that is hardly used. and almost never required...However you fail to notice that Virus's often delete a process and replace them with their own Versions to give the full effect of the attack on the pc...

anyone who comes in contact with the MSBlast and LoveSan virus's i would reccomend getting the DCOMbobulator first to turn off the RPC port so you do not get reset like the virus loves to do...

As for Virus Scanning softwares that suck... Crapaffe, er Mcaffer, Norton, Bullguard, Avast ((who could only find the virus but not heal it and is known to delete required programs on your pc)) Sophos, and Klapersky all suck. they are laggy filled with processes that can be obtained elsewhere with better software and take up alot of Ram on the machine...

Panda Titanium is a Great Anti Viral , as well as its Sister Panda Platinum...

I even Recommend Bitdefender for a preliminary sweep of the system, its does an indepth sweep.

also install yourself Adawar from lavasoft. Great program to have around.
Bazooka is good as well it has an extensive Library on how to remove Malware, Adware, Spyware and the likes. ((see links at end of the post))

Do not put down a Virus Software on the basis of not finding a Trojan or Worm... Most of them cant.


Now my Reccomendation for an Antivirus... panda, and AVG

Panda: www.pandasoftware.com/
Adaware: www.lavasoftusa.com/
AVG: www.lavasoftusa.com/
Bazooka: www.kephyr.com/spywarescanner/
Bitdefender: www.bitdefender.com/
Dcombobulator: http://grc.com/dcom/intro.htm
January 25, 2004, 5:20 PM CST by Encryptedmind to KaruQ16335
Personally Encryptedmind. i do not think you are very Knowledgeable in your Virus information..
Yes I am, I have been dealing with viruses since my first one, called the michaelangelo virus, I got it back in like 93.. Ever since, I have watched out for what I download, and run.. Like for one, I would NEVER run a movie with a .exe format, unless I knew for a fact it were legit.. The only movies I have ever watched with .exe format are the half-life 2 trailers.. Most movies are .mpg, .mov, .wmv, and so forth.. And no svchost is not for SELECT pc's as you say, it is for software.. Since this thread started I have looked at around 15 different machines running winxp, and all of them had svchost.exe atleast 3 to 5 times on them.. It is a normal process, you should only worry, IF your computer is acting funny.. People that have read this thread, think HOLY SHIT, I have svchost.exe running on my winxp, or win2k machine, I have a virus.. Which is total bullshit..

Svchost.exe has nothing to do with your computer, or hardware, it is a process for running programs.. And yes I know what a damn virus is.. See I don't try to download BS movies and BS software, that is how ALOT of people get their viruses.. Stupid people that download a .exe thinking its some kind of cool porn, and BAM a virus..

For one, if you dumb enough to search the internet, and aren't running anti-virus software, then you deserver to get a virus.. Or if you run anti-virus software, and don't update it, then you deserve to get one.. Just like people that have unprotected sex, knowing damn good and well about AIDS and other STD's, but they still do it.. And I don't mean some cheap, free anti-virus software either.. A good one, like McAfee, or Norton..

Since the Michaelango virus in 93 I haven't had a virus since, cause I dont' download BS files, and I keep my AV software updated.. I have had my software warn me that a temp file from the internet is infected, and it deletes it..

Now about this svchost.exe... If you run win9x and you have this process running, there is a problem.. If you run Win2k or XP, and you have this running, and your computer is running fine, there is no problem.. If your somputer is lagging down REALLY bad, then you might have a problem.. After you install a few things into Win2k or XP, it is normal for this to show up..

As for you saying
As for Virus Scanning softwares that suck... Crapaffe, er Mcaffer, Norton, Bullguard, Avast ((who could only find the virus but not heal it and is known to delete required programs on your pc)) Sophos, and Klapersky all suck. they are laggy filled with processes that can be obtained elsewhere with better software and take up alot of Ram on the machine...
McAfee is rated the best anti-viral software on the market.. I use to use Norton till I saw a review where McAfee found 100% of the viruses they ran on it, and Norton only found 98% of them.. Even all the companys computers that I have worked on had either Norton, or McAfee on them, and I have worked on ALOT of machines..

As for Firewalls, Norton has great ratings.. As for the free stuff, well you get what you pay for.. You really think a company is going to care how good their software works if they offer it for free?
Panda Titanium is a Great Anti Viral , as well as its Sister Panda Platinum...

I even Recommend Bitdefender for a preliminary sweep of the system, its does an indepth sweep.
If these are so GOOD like you say, how come I have never once in my life heard of them, or seen them anywhere?
However you fail to notice that Virus's often delete a process and replace them with their own Versions to give the full effect of the attack on the pc...
No shit, but why trip out about svchost? If your going to do that, then there is also IEXPLORE.exe, holy shit, I must have a virus, since this is in my process.. Holy shit, I have winlogon.exe, damn that must be a virus too, Man, my computer must be completly infected with viruses..

The only thing you listed that I agree with is Adaware..
January 26, 2004, 8:14 AM CST by ephedrine
most helpful thread i've found!

Same problem - win XP svchost chewing up my cpu. I can simply end process, and continue, but its really getting to me - I've scanned with norton, avast, and two other virus programs, (non of them can find a virus)run dcombobulator, applied the patch, the norton msblaster fix, and welch fix. went into the windows/sys32/wins and deleted the scvhost there, went into the registry but couldn't find the entries discussed above. and what I want to know is WHY DOES SVCHOST CHEW UP MY CPU WHEN I CONNECT? AND HOW THE HELL CAN I FRY ITS ABHORRENT BEHAVIOUR?? If anyone with a little more experince has had any experience with this little bugger, i would REALLY appreciate any advice! I've tried everything on this thread, and still it lingers like a foul smell.
January 26, 2004, 10:07 AM CST by KaruQ16335
Dude, you completely missed my point. i didnt TRY to download the meaningless movie. i was attempting to find a pdf file for a friend of mine and happened to notice it snuck in. I think you need to read my post again before you fly off the handle.

i am not even going to bother with a counterarguement cause your a thick skulled neanderthal!
January 26, 2004, 10:08 AM CST by KaruQ16335
and as somone who happens to Be HIV positive and did wear Protection. i think you need to changer your metaphore asshole.
January 26, 2004, 10:12 AM CST by KaruQ16335
strange youve never Heard of Panda and Bitdefender if youve worked on alot of PC's.

Panda is the #1 competator to Norton and Craffee. opps i mean Mcaffee
January 26, 2004, 1:36 PM CST by Encryptedmind to KaruQ16335
and as somone who happens to Be HIV positive and did wear Protection. i think you need to changer your metaphore asshole.
Thats asshat, get it right.. And deoe it really take 3 posts to reply to my one? Whats wrong, is that too much to compute, that you have to break your reply up into little posts?
January 29, 2004, 5:48 PM CST by Google
Just installed winXP on new system, run into processor being eaten up again, only this time Welchia worm or blaster worm wasnt found. I run a virus checker on my system, had to run it from winME as XP wouldnt let me run anything for more than 10seconds without shutting it down. There were 2 files that were infected in my newly installed XP partition, and the file mentioned earlier EXPLORE.EXE. Explore.exe as far as I can see connects to the net to retrieve the files that screw with your PC. Boot into safe mode and delete anything with the name Explore.exe

Edit: The other 2 files are SVCHOS1.EXE and winhlpp32.exe both these files will be found in D:\windows\system32 folder, both files need deleting.

Look closely its SVCHOS1 not SVCHOST

BTW, I still applied the welchia and blaster worm patches
January 31, 2004, 12:51 PM CST by universe to Google
Well hi guys.Few days now I have some problems with task manager and drivers at start up,and some unusual system behavior.For example suddently I could not load my favorite theme,and something change the sound adjustments .Norton after great delay found that there was a trojan called MWNDTEZ.exe.I deleted the exe file and the keys in registry.After that only task manager is ok.The same problems with themes,same with the others.I used some virus removal tools of synemantec,but they found it clean.The svchost.exe has 4 entrys in processes.I dont know what else to do.Any ideas guys?Thanx anyway for the help:-)
January 31, 2004, 4:46 PM CST by Richard_Kid to universe
Here is my 2 cents on the matter. Maybe I can provide some hints to some anti-viru master to help solve this problem.

1) It is true that SVCHOST.EXE is a normal Win2K/XP process, but it is not so if you are running Win9x/ME.
2) Remember the movie Contact? Jody Foster did not believe God exists unless if she could see Him and see some proofs? At the end, she could not provide any proofs on what she experienced during the missing time when she was dropped throught the sphere. What I am saying is if you don't see or experience something, that does not mean it doesn't exists. We are only human ;-) Hope I did not piss you guys off.
3) Here is my hands on experience with the problem:
A) I have tried applying all the MS patches, reg updates and still could not get rid of it. (I am running Win2K)
B) I notice that if I disconnect the network cable and reboot the PC, everything comes up normal. svchost.exe behaves good, very low CPU usage.
C) I connect the network cable back, everyting works just great. I could surf everywhere and even download the patches, etc. (This would be a temporary work around, but I hate to keep on pulling and pluggin in the network cable each time.) :-(
D) If I leave the network cable in and restart, or if I disable the network then re-enable it, one instance of the svchost.exe shoots through the roof! This continues even if I disable or disocnnect the network.

Here is my question: It seems that when the network starts, it will wake up scvhost.exe to do something, and that is the trigger causing it to use up CPU time. Any body knows what goes on there? Maybe this will give us a hint to stop this problem. One more point, I am using hardcoded IP address to my router, so DHCP should not be a problem. I am also running IPX/SPX just FYI.

BTW, I have the latest Norton and Adaware 6 Pro. None of these picked up anything. The free Avast! cleaner did not turn out anything either.

TIA
January 31, 2004, 4:59 PM CST by Google to Richard_Kid
1) It is true that SVCHOST.EXE is a normal Win2K/XP process, but it is not so if you are running Win9x/ME.
And it is not so if its in your 'wins' directory in XP/2000
January 31, 2004, 5:16 PM CST by Google
To remove the Code Blue worm from your computer:

1. Using Regedit, find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
registry key.
2. Find and delete the registry entry for C:\svchost.exe.
3. Delete the file C:\svchost.exe.
4. Delete the file C:\d.vbs, if it remains on your system.
5. Restart your computer.

Additional Information:
Internet Security Systems Security Alert, "Serious flaw in Microsoft IIS
Unicode translation" (describing the Microsoft IIS Web Server Folder
Traversal vulnerability):
http://www.iss.net/security_center/alerts/advise68.php

Microsoft Security Bulletin MS00-078, "Patch Available for 'Web Server
Folder Traversal' Vulnerability":
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
http://xforce.iss.net/xforce/alerts/id/advise96
February 2, 2004, 4:40 PM CST by aline_oliveira
Hi! I have a windows 2000 professional and every time I acess the internet, after a few minutes, appears a message sayin that there is a fatal error in svchost.exe, anda afther that, starts a lot of problems. The icon of the internet acess no longer work, i canīt disconect my computer, only by restarting it (no even in the ctrl+alt+del window), the copy and paste comands donīt work anymore, and the internet pages canīt be printed or saved.

Iīve already tried all the tips I saw here, but none of then worked. I donīt have the svchost in the places you sad it shouldnīt be, but i found it at:
HKEY_LOCAL-MACHINE\SOFTWARE\MICROSOF\windows NR\CurrentVersion\Svchost

Can I delete it? Othewise what should I do?

Thanks for your help.

Aline
February 2, 2004, 5:04 PM CST by Google to aline_oliveira
I think the best solution for everyone having problems, would be to backup your files, do a fresh install. On your first boot into WinXP/Win2k make sure you are not connected to the net, apply both welchia & blaster worm patches and install/enable a firewall then restart PC with internet access, this should solve everyones problems.
February 3, 2004, 11:45 AM CST by akosgmbh
I found that the svchost processes that eat up CPU can be stopped by stopping and starting certain services. For instance it works on my computer if I stop and restart the DHCP service, or the ISIS daemon service(probable nobody of you will have ISIS installed).

I have no idea what causes the behaviour.
February 3, 2004, 5:00 PM CST by Google to akosgmbh
All your doing is causing the service thats causing problems to stop temporaraly, and opening a service that isnt needed by doing what you are doing, yes it will fix the problem at hand, but the next time you re-boot, the problem is back to haunt.
February 3, 2004, 11:21 PM CST by wtmpls to Google
svchost got running on my little used XP/Home HP laptop last month.
Don't remember if it was my firewall or the system that asked to allow a connection from something to the internet connection.
It WAS persistant and used the svchost process.
After poking around I found the worm LSAS.EXE was the bug. LSAS.exe is definately NOT supposed to be on your system.
WORM_AGOBOT or W32/Gaobot are some AV handles for the thing.

Still working on svchost using too much cpu time. Busted lsas though.
February 5, 2004, 6:08 PM CST by BehindBlueI
IS SVCHOSTC.EXE TROJAN VIRUS???

Troj/Tofger-B is a multi-component Trojan which consists of a main dropper, a backdoor Trojan component and keylogging component.
The main dropper is called MSTASKS.EXE which may be downloaded and executed on the victim's computer if certain infected HTML or PHP pages are accessed (these scripts are detected as VBS/Tofger-B).

MSTASKS.EXE drops the files:

C:\<Windows>\MSTO32.DLL
C:\<Windows>\SYSTEM.EXE
C:\<Windows>\SYSINI.INI
C:\<Windows system>\SVCHOSTC.EXE
C:\<Windows system>\SVCHOSTS.EXE

and executes C:\<Windows>\SYSTEM.EXE.

MSTASKS.EXE also adds the following entry to the registry to run SYSTEM.EXE on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service
= C:\<Windows>\SYSTEM.EXE

SYSTEM.EXE runs in the background as a service process, opens port 10002 and listens for backdoor commands from a remote intruder.

MSTO32.DLL is the keylogging component of the Trojan and is invoked by SYSTEM.EXE.

SYSTEM.EXE also executes the files SVCHOSTC.EXE and SVCHOSTS.EXE which are legitmate freeware proxy HTTP and socket servers.

SYSTEM.EXE may also open a window which masquerades as the logon page for an internet bank account.

Text entered into the fake logon page and any keylogged information may be emailed to an external email address via SMTP.

The Trojan may also communicate with a remote website.

Troj/Tofger-B may attempt to download and execute EXE files from the internet.

MORE INFO.. VISIT http://www.sophos.com/virusinfo/analyses/trojtofgerb.html
February 6, 2004, 7:07 AM CST by ghost123uk to BehindBlueI
@ BehindBlueI
Well I can't wait to get home and check your solution.

New to this forum, this is the best info on this I have found so far !!!

I am an IT engineer working for an ex-lease re-furb Co.
This issue is causing headaches for many, including me.
Trouble is all the searches seem to point to out of date Blaster info.
I even found a site that has been specially set up re this issue as =
http://www.huguesjohnson.com/svchost.html

For the record this is my setup / history on this .....
error message reads =

svchost.exe - application error
the instruction at 0x..... referenced memory at 0x..... . The memory could not be "wrtten".

Then no right click, no cut and paste, no mutiple windows, control panel icons appearing in a left hand pane, etc etc.

As I have spare hard drives I have re-built my machine about 4 or 5 times on a spare drives.

My Windows 2000 disk has SP4 pre-installed so I can't not use it.

Std W2K build on my machine (Dell GX150 - PIII-1gig etc) with all up to date drives from the Dell site.

W2K bang up to date according to mickysofts update site.
Adaware with latest ref files.
SpyBot with latest ref files.
McAfee AV with latest engine and dat files.
McAfee Firewall with latest updates.
Been to "housecall" online AV scanner.
Been to various malware scanners.
Tried with no LAN and re-run all as above.

If I install this very basic build, the problem occurs within minutes of connecting to the net (BT Broadband - Alcatel "frog" with latest drivers) !!

I have the error logs from APP log and EVENT log but won't bore all with them @ present !

Will try some of what is on here and report back.....
Won't it be nice when I have a definate solution !!!

JB - N.W. - UK
February 6, 2004, 2:27 PM CST by Wolf
hey guys (and gals i dono) anyways i was having alot of the same problems yall were and without alot of luck, well i figured out what was wrong with my box so i thought id pass it on.

first here are the symptoms:
1 svchost locking up my cpu at 100%
2 try to run norton and it gets shut down
3 try to open msconfig again it gets shut down
4 try to open regedit and again it gets shut down
5 end task on the svchost that was eatting up my machine and it would reboot my machine


i could get norton to run in safemode but it wouldnt come up with anything

my solution was to go onto mcafee.com and used thier free online virus scanner

it ended up finding i was infected with the gaobot.worm which is a real pain since you cant get rid of it manualy very easily

*** use the online scan because it seems to be good at hiding on your machine when you use a local scanner***

if you find that you have it goto the norton website and do a search for gaobot and download the removal tool

download the blaster patch from microsoft

unplug your machine from the internet (yeah i know thats hard to do for some of us, ya know connection withdraws) and run the removal tool then run the blaster patch

reason some of you (like me) might have gotten this is because if your like me and you reloaded windows while connected to the internet you are no longer protected from the blaster type worms that are out there and it just slips right in.

i hope that this helps some of you out there but im sure if you goto the online scan from mcafee it will find something and you can easily get free removal tools from the norton wesite

Wolf
February 6, 2004, 5:02 PM CST by one_grim_reaper to Wolf
my solution was to go onto mcafee.com and used thier free online virus scanner
They also do stingers which look for current/bad virus's and remove them, much faster than a virus scan.
February 6, 2004, 5:53 PM CST by Wolf
thats kew man ill keep that in mind next time, i just posted what worked for me but thanks for the advice
Wolf
February 8, 2004, 8:52 AM CST by Larry to Trunks007
svchost.exe is protected by SFC, cannot be removed.
February 9, 2004, 12:39 AM CST by Bochur
Took a while to respond, but my comp. is working albeit better - found the gaobot virus in one comp. that was networked. It slowly left from all.
Thanks!
February 9, 2004, 12:55 AM CST by Encryptedmind
Why do you have so many viruses? Have you ever heard of running anti-virus software? Its funny, all you guys that are having problems with the svchost.exe virus.. If you were keeping your anti-virus up to date, and not downloading, bunk files, like movies, that are illegal.. You would have no problem...
February 9, 2004, 9:31 AM CST by one_grim_reaper to Encryptedmind
I like you have no problems with viruses, but the thing that does get me is spy-ware. You dont even know it is installing itself and then you start to get pop-ups every page you go to.

Virus scanners have to be run to find it also, macaffe and norton should get the on access scans to look for spy ware as well as viruses as i dont alway see it until i do a full system scan.
February 9, 2004, 9:38 AM CST by ghost123uk to Encryptedmind
Well Encryptedmind, I can't speak for the others but I keep my Legal copy of McAfee smack bang up to date. I download and execute the DAT files as soon as they become available.
I run AdAware and SpyBot almost every day.
I use online AV if I think there may be a problem.
I have never, so far, been infected with a virus, tho many have been blocked by McAfee !!
Still got this problem tho, and from the hits this subject is getting on many forums I visit, so have many many others.
JB - N.W. - UK
February 9, 2004, 2:51 PM CST by Encryptedmind to ghost123uk
There are also alot of people in here that think, just cause svchost.exe running in thier winxp or win2000 system, that they have a virus.. Yes some might, but alot think, just cause its there its a virus..

I don't know what you were getting at, but my copy of McAfee 7.03 is a leget copy.. When it comes to anti-virus software, I dont' want no hacked up version of it..
February 10, 2004, 4:46 AM CST by ghost123uk
Hey Encryptedmind I Certainly agree, AV is something I won't compromise on either.
Have you seen how many hits this topic has - it's over 33K !!!
Whoever sorts this out is going to be one popular dude.
Shame it's not possible to change the subject line tho :-)

My latest attempts =
I tried the recommendation to kill the SEN's service - still got the problem.
Shut down DCOM and port135 ( a little prog called "dcombobulate_me" )
Ran various AV in normal & safe mode.
Ran SpyBot and AdAware in normal & safe mode.
Re-applied 823980 blaster (patch and others).
Closed down all processes that are not essential.

Non of the above worked..... :-(

Getting daft this !!!

JB - N.W. - UK
February 10, 2004, 6:13 AM CST by ghost123uk
Couldn't be anything to do with AdAware removing the "spyware" bits of Media Player 9 could it ?
Will try that tonight.....
JB - N.W. - UK
February 10, 2004, 6:24 AM CST by sonubest85
My friend just screwed his PC while trying to removing svchost.esxe he had like 5 to 8 running(by Network Service,SYSTEM,LOCAL SERVICE around 4 were running under the user SYSTEM). He tried to delete all the regestries for it & his PC got screwed! He lost all his data & had to reinstall by formatting because Windows would not even start in safe mode. HE tried repairing it but it didnt work. Windows would just come up to the welcome Screen & nothing would show up.
Bottom Line if you don't have a anti-virus software then first, Enable your firewall if you have Win-XP & never put it down. Secondly run periodically online Free-Scan from Mcafee.com & remove the viruses by following instructions. It is simple don't screw with "svchost" if you are not having any problems even if 10 are running at the same time!
February 11, 2004, 6:34 PM CST by beansoup to sonubest85
Hi y'all
New here:-)
Great posts..My 2 cents may add a little light..

SCVHOST.exe (NOTE THE SPELLING)

You have the Backdoor.Sdbot.N virus, or one of the Gaobot viruses, or one of the many other viruses which drop SCVHOST.EXE (not to be confused with SVCHOST (SVCHOST.EXE)
Svchos1.exe

You have the W32.HLLW.Gaobot.DK virus.
-----------------------------------------
Svch0st.exe

Note : the letter between the "h" and the "s" in the name of the file is a zero, not the letter "o".

You have one of the Backdoor.Graybird viruses.
-------------------------------
Svchost32.exe

You have a virus. It may be one of the following viruses : Backdoor.IRC.Zcrew, W32.HLLW.Deborms.C, W32.Mimail.J@mm, or the W32.Paylap.@mm virus which mimics a PayPal account renewal screen. Note that there are other lesser known, or newer (!!) viruses which also show as a program called SVCHOST32.EXE.

Seems spelling was over looked in the past posts...It may help to check the spelling, in winXP,2000...

Just a thought

beansoup
February 12, 2004, 5:18 AM CST by ghost123uk
Thanks for the input beansoup.
I have printed your post and will check when I get home.
I did another online AV scan last night courtesy of McAfee - no result.
Also got the latest (2 day old) ref file for AdAware - no result.
Many other forums also have this topic running - though this is the best one :-)
This really is getting tedious !
JB
February 12, 2004, 12:07 PM CST by secondsysop to xposhaa
Regarding error message "fatal error in svchost.exe". When the Welchia virus attempts to spread, it sends out two files. The first for Windows 2000 computers and the second for Windows XP computers. If your computer displays this error message, it just got the wrong file for your computer.

One other note: Important! You also need to install any Windows Critical Updates to your computer to close the security holes in the operating system. The Welchia worm uses a (RPC) Remote Procedure Call to infect other computers. This is what is taking up most of your processing time and ties up your internet connection.

See Microsoft Knowledgebase article (support.microsoft.com/default.aspx?scid=kb;en-us;824146) This MS Patch can be downloaded on another computer, burned to a CD, then executed on the problem computer if internet access is very slow.


Hope this helps...
February 14, 2004, 3:20 PM CST by RaceKitty to xposhaa
I recently had the problem of the svchost.exe, after reformatting and re installing windows, the extra svchost was running at increasing speeds causing my usage to run at near 100% constantly. I also did the search for the Welchia virus/worm. Neither worked.., I then called Dell Tech and was advised about a free online virus scan at http://housecall.trendmicro.com/ there i use the free scan and had another type of worm.., i deleted the file restarted my PC , and after that the problem was eliminated. I will also note that after running msconfig there was a process in the startup called svchos1.exe ( like svchost.exe but with the number 1 instead of the "t"), The technician told me that was the worm the free virus scan would find. The extra svchost was removed and my PC retained its usage and the pc worked 100% better.
February 17, 2004, 6:31 AM CST by kasami to RaceKitty
Heya kids, I'm 19 and taking a computer class, therefore, I RULE! Svchost can be a variety of things for the CPU usage =) Even a corrupted profile. Try to make a new one, but DON'T DELETE THE OLD ONE until the new one works fine. Ie; Normal CPU usage for WinXP. Lsass.exe and svchost sometimes behave irregularly, as I have discovered last night after restarting my computer.. When I end Svchost, it *Shock* Doesn't shut my computer off in 60 seconds. Sounds fishy. 5 running, WinXP professional. NAV2k4 installed (Nav owns mcaffee.. Mcaffee posts about viruses that aren't even real. It's an image thing.) Well anyway, Hope you luck with your problem. =)
February 17, 2004, 6:52 AM CST by one_grim_reaper to kasami
Nav owns mcaffee.
I disagree, Virus Scan 7 finds things that NAV doesn't. This includes spyware and adware, Mcafee picks it straight up NAV doesn't.
February 17, 2004, 7:28 AM CST by kasami to one_grim_reaper
Think what you want. I'm a NAV fan! Know what's wrong with my lsass.exe? If I end Svchost, everythings fine, but uh.. Won't let people use my printer, get into network etc.. My hijack this log shows uh.. This


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
D:\NCDSTART.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Opera7\opera.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\Tiffany\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton SystemWorks\Norton Antivirus\BootWarn.exe /a
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\RunOnce: [NSWCfg.exe] "C:\Program Files\Norton SystemWorks\NSWCfg.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.736875
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
February 17, 2004, 7:47 AM CST by one_grim_reaper to kasami
just found this.
# Svchost.exe (Generic Host Process for Win32 Services) = integral part of XP OS, mandatory to run at all times, it canNOT be stopped or (re)started manually, loads/unloads/manages internal/external 32-bit DLLs/other services, and in normal conditions more than one Svchost.exe instance/thread will always be open
It seems other services have dependancies on the svchost service, when you shut off svchost something else is being shut off with it.
February 17, 2004, 9:29 AM CST by ghost123uk
Well at last SUCCESS for me at least.
Removed MaCafee fire wall and used Kerios instead - problem gone !!
Check my posts on here re what my problems where tho as others seemn to have been getting slightly different symptoms.

JB - N.W. - UK
February 20, 2004, 9:53 AM CST by entropie to ghost123uk
Hi y'all,

I had the same problems as above mentioned on my w2k computer, updated my Antivir Software and downloaded the correct patch from mircrosoft.
So far so good, it worked out(found blasterA resp. lovesan, removed it) and the svchost.exe popup problem was gone.

BUT since then i can't connect to the internet at all with that computer. All the conections in the network manager are gone and if i try to create a new one i only produce errors. The underlying problem seems to be that the services 'rasman' and 'remoteaccess' (named like this in the registry) can't be started anymore. Neither manually nor autmatically, therefore the whole connection manager and so on don't work anymore.
Has anyone ANY clue what could be going on??

THX in advance

FYI: In my case blasterA produced the ilegitamate processes 'mslaugh' and 'enbiei'... maybe the ones of you that can't find svchost in the system32/wins directory should look for them in your task manager...
February 20, 2004, 10:47 AM CST by one_grim_reaper to entropie
A lot of services rely on Svchost and RASman could be one of them. RASman is the remote access service manager and sorts out all of your remote connections. remote access has a dependency on RASman so unless RASman starts remote access wont.

In the past when i have seen Ras failing it was because of a reinstall of winXP that had not been updated to SP1, have you got SP1 on your system as this fixed it.
February 20, 2004, 12:13 PM CST by entropie to one_grim_reaper
Well i ain't got Xp so that doesn't applie for me. I've got w2k with service pack 4. by now if got the rasman to work (you're right it depends on svchost.exe, i looked it up in the registry) but that didn't help as well.by now i'm using the task manager all the time to kill all those application that have busted themselves.
Maybe i should put a fresh installation of w2k over the old one..?
February 23, 2004, 7:16 PM CST by cyrus104 to entropie
Hey this is my first post. I have the answer to some of your problems. I first looked at this board when I too was having problems with the damn svchost.exe. Well after looking through every forum and board I could find I could not get it fixed. I started to look through all of the files on my computer in the windows folder. I noticed a file name that looked weird. The file way explorer.exe.manifest there was also a regular explorer.exe, I looked at the code for the explorer.exe and there was nothing abnormal other then the name it had the icon of a dll or service. I delete the file named explorer.exe and renamed the explorer.exe.manifest to explorer.exe and then my computer went back to normal. Then when I started up kazaa the cpu pegged again. so I decided what the hell and look in the kazaa folder and 5 files had the manifest on the end. So I renamed them all and it works fine now. After doing some looking on the what it does to the files I found out that the TROJAN is called Manifest-A. I did run a cleaner from sophos and it detected it. the website is:
www.sophos.com/virusinfo/analyses/trojmanifesta.html
if that is not right then it is close sorry I did not copy and paste. Please email me at derek-murphy@utulsa.edu and tell me if that helped you. The address in my info is wrong because it does not accept "-". I hope this helps.
Derek
February 23, 2004, 11:46 PM CST by aggie05
Howdy,

I am running win XP and had some of the problems mentioned in the earlier posts. One of my instances of svchost.exe was using ~70% cpu and system was using ~30%. Also msconfig, regedit, and norton would exit unexpectedly shortly after opening them.

I fixed the problem by deleting the registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"Microsoft Config Loader"="msconfig32.exe" This was a little tricky to do because of regedit unexpectiedly terminating after a short time. In msconfig under the services tab I unchecked the "Microsoft Config Loader". I was suspicous of this because it remained with the "Hide all Microsoft Services" check box checked. In msconfig under the startup tab I used the "Disable All" button. After doing this I rebooted and svchost and system were no longer using huge amounts of cpu time. Regedit, msconfig, and norton no longer exited unexpectedly. I ran a scan with norton and it found 3 infected files in /windows/system32/ msconfig32.exe, msconfig32.exe.poly, and winhlpp32.exe. All of these files were infected with W32.HLLW.Gaobot.gen.
February 24, 2004, 12:09 AM CST by computer_base
I get the same problem with the svchost.exe. Sometimes, I would get 5 svchost instead of 4. Whenever I try to stop the process, a windows will appear telling me that the computer needs to be shut down due the RPC...
Also, one thing I notice is that almost all my files in the computer have two different file size. A normal txt file with size of 1 KB will have a file size ondisk of approx. 8KB.
The icons are 'torn apart' too. Some icons are invisible.
Could anyone help? Much appreciate.
February 25, 2004, 3:00 AM CST by mack99
hi all,
I like to point out that sometimes it may not be the svchost. My pc is sending out packets more than it receives. it just keep increasing 3 packets at a time even when I am not doing anything! its true there are 4 svchost process running, but I've run all kinds of anti virus, anti spyware, anti hijack but found nothing. After installing Sygate firewall, it says it block SNMP from sending outgoing packets. I only remember it was from a process call "ferrete" something. I know it is still there, it just being blocked by the firewall. If anybody has any info on this "ferrete" something process, very much appreciate it!
thanks in advance,
mack
February 25, 2004, 5:36 AM CST by devilry to mack99
I got the same problem as all of you guys. Stupid svchost.exe in the task manager is eating up all the cpu usage at 100% or whatever. I have read this ENTIRE thread and nothing has worked. I have also come to a conclusion and agree with the guys who say that svchost.exe IS apart of windows XP and that it is in everyones computer. And its also NOT a virus or a worm. Its something else that i cannot figure out, and i am hoping someone out their in internetland can help us out with.

We just want to get our normal CPU usage back!!!

The only way that i can fix this problem is by taking out the internet plug and plugging it back in. Then my cpu usage is back to normal, under 10% again. But, once i restart...i get screwed again.

For the people who want to know how i got this problem onto my comp, i seriously DIDNT DO ANYTHING AT ALL!

I simple, formatted my computer, i installed XP again, i made sure my internet plug was out, so i know that no virus can leak in. I installed norton anit-virus 2004. I put my firewall on. THEN i hooked up my internet.
Out of nowhere, the stupid problem arises and my cpu usage is up at 100%.

So, i just want to know how i can get my cpu usage back to normal. That is my question.

Thank you and goodbye.
February 25, 2004, 5:38 AM CST by one_grim_reaper to devilry
I found the SVCHOST virus on a computer with McAfee after Norton did not pick it up, try using mcafee's free online scan.
February 25, 2004, 10:43 AM CST by devilry to one_grim_reaper
Nah man, i've already tried that. No virus scan can find anything. This is not a virus or a worm or whatever. Something else is making it use up all the cpu usage. Hopefully someone knows.
February 25, 2004, 10:38 PM CST by mack99 to devilry
thanks for the info, lets compare more notes:
I used to have CPU usage problem but it was solved after clearing out hijack spywares. Now it is a steady 3 packets a time outgoing traffic, even when IE is not open. Sygate firewall can block it but stupid me, I didn't write down the name of the program that was sending out the packets, only that it ends with 'ferrete'.
I know its a very advanced trojan, bcoz the firewall now says it block incoming traffic and always from the same IP, my pc used to send packets to this IP until firewall block it.
If possible could u download free sygate firewall and see if u can capture the name of the program that is doing this. then we can search the web for more info.

thanks,
February 26, 2004, 5:42 AM CST by ghost123uk to devilry
As a matter of interest, have you patched your XP at all ?
And have you got IE6 service pack 1 installed ?

I have found many folks who only got this problem after putting IE6 SP1 on.....

Mine stopped miss-behaving when I got rid of my McAfee firewall and used Kerios instead but I reckon that did not really find the problem, just cured it by a fluke :(

JB N.W. - Uk
March 1, 2004, 12:29 AM CST by ihatemycomp
whenever i open up the regedit, it closes almost immediately so i cannont delete the files i need to in it
March 1, 2004, 3:22 PM CST by alshac to ihatemycomp
I had all the previous symptoms and the cause was a variant of the agobot virus.

to open regedit you call copy it to a different name (eg. reg.exe) then type "reg" in the run box and it wont be closed.

hope this helps someone

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_AGOBOT.UX
March 3, 2004, 1:23 AM CST by ihatemycomp to alshac
"to open regedit you call copy it to a different name (eg. reg.exe) then type "reg" in the run box and it wont be closed."

Sorry but i dont understand what you mean.
March 5, 2004, 6:51 AM CST by clotterfromp to Encryptedmind
I have been recently experiencing problems with what seems to be a virus infecting svchost.exe. The process appears normal on winXP (pro) bootup. There are five of them, with one eating cpu % at a time. Having completely failed to remove it using many "fix" techniques on the web and also online scans + Avast, Norton, McAfee etc. I couldn't run a command prompt, regedit or any windows updates - they all quit after a few seconds or fail to install (for the latter). I get the RPC service failing, resulting in a reset. This reset action I've turned off using RPC's services panel.

In the end, I've had to re-install XP, with the firewall and virus checker on before plugging into broadband (doh). I wasn't sure whether the vulnerability was down to windows updates, so I installed as many as possible before going on-line. (copied from c:\WUtemp folder).

No problems this time, except spybot S&D disabling my internet access, which I put down to a conflict with zonealarm - yet to be resolved.

My question is - how can this "virus" be eliminated, when regedit, command prompts and updates all fail to work? My friend has a PC where a re-install is not such an easy option.

thanks in advance
March 6, 2004, 1:33 PM CST by waxdj to Encryptedmind
<< Encryptedmind wrote >>svchost is supposed to be on there, I have like 5 or 6 svchost files running on my machine... That isn't a virus...

I had to register to this site just to post "Encryptedmind is an idiot!!" Why would you, or anyone else, want more than one of the same process running on their computer. Everyone here, expect for you, understands svchost.exe is not a virus or a worm, but a process that's initiated (or called) by a virus, worm, or normal program. You should never want mutliple processes, performing the same job, running on your PC, Jackass!!. So fix your own machince before you post garbage.

<< Encryptedmind wrote >>Why do you have so many viruses? Have you ever heard of running anti-virus software? Its funny, all you guys that are having problems with the svchost.exe virus.. If you were keeping your anti-virus up to date, and not downloading, bunk files, like movies, that are illegal.. You would have no problem...

I don't care how updated your virus software is, what you download, or what sites you visit, as long as you're on the internet, running Microsoft products, or ActiveX controller, YOU WILL attract viruses. The important part is we all know how to protect our machines and remove any viruses or processes that screw with your PCs preformance. Sorry, I'm normally not a bad person, I just can't let assholes (or stupid assholes) go unchecked.
March 7, 2004, 1:25 PM CST by Jay_85
Howdy Fellow bleemers!! :)
About this svchost crap just fromat your damn PC!!
Oh & if its branded pay some $$ to your manufacturer & get it repaired.
My stupid bleeming PC was infected 3 months ago with that bleeming blast virus. I backed-up all my data & formatted it.
Yeah you bleemers i use file-sharing all the time but i use sensible file sharing programs like "Ares Galaxy" {spread the word download it!!}. Its spyware free, well almost you can un-select spyware when installing it.
Also i have no updates installed in my PC & I mean not even "1" bleeming update! & my Win-XP version is also way too old(Launch Version). I just have the XP firewall on & have no viruses or worms or trojans or any bleeming shit in my PC for the past 3 months & i visit all crap sites too & i have 10GB of songs & 20GB of Porn & many other files.. so just keep on backing up your data on cheap CD's.
So just do this & RELAX, TAKE IT SLOW & LET THE GOOD bleemING TIMES ROLL BABY..!!!
March 7, 2004, 4:14 PM CST by Encryptedmind to waxdj
had to register to this site just to post "Encryptedmind is an idiot!!" Why would you, or anyone else, want more than one of the same process running on their computer. Everyone here, expect for you, understands svchost.exe is not a virus or a worm, but a process that's initiated (or called) by a virus, worm, or normal program. You should never want mutliple processes, performing the same job, running on your PC, Jackass!!. So fix your own machince before you post garbage.
Before you go flamming someone and showing how bleeming stupid you are, you might want to go to MICROSOFTS site, where I got this, and read IT IS NORMAL TO HAVE MORE THAN 1 SCVHOST.EXE RUNNING... IT IS PART OF bleemING WINDOWS...
SUMMARY
This article describes Svchost.exe and its functions. Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs).
MORE INFORMATION
The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:
Click Start on the Windows taskbar, and then click Run.
In the Open box, type CMD, and then press ENTER.
Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)
So bleem you, and learn how to quote dipshit..
March 8, 2004, 7:48 AM CST by waxdj to Encryptedmind
<< Encryptedmind wrote >>Before you go flamming someone and showing how bleeming stupid you are, you might want to go to MICROSOFTS site, where I got this, and read IT IS NORMAL TO HAVE MORE THAN 1 SCVHOST.EXE RUNNING... IT IS PART OF bleemING WINDOWS...

"You have so much to learn, Grasshopper" - Waxdj
Microsoft only tells you half the story, never admits to wrong doing, and never admits to producing shit for software.

Virus Characteristics-------------------------------------

This is a parasitic 32-bit file infecting virus that infects Windows PE files on the victim machine.

When an infected file is run on the victim machine, the file SVCHOST.EXE (36,352 bytes) is dropped in %WinDir%. The file is set with the system attribute set. On Windows 9x machines, the following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\_
CurrentVersion\RunServices
"PowerManager" = %WinDir%\SVCHOST.EXE

On Windows NT/2000/XP machines, the dropped file is installed as a service, with the following characteristics:

Description: Manages the power save features of the computer
Display Name: Power Manager
Start Type: Automatic
Account: Local system

Once running in memory, the virus periodically attempts to infect PE files on the victim machine.

Indications of Infection------------------------------------

Existence of SVCHOST.EXE (36,362 bytes) in %WinDir%. The file has the system attribute set. NB: a legitimate system file of the same name is typically within %SysDir%, eg. C:\WINDOWS\SYSTEM\SVCHOST.EXE.
Infected files increase in size by +36,352 bytes

Method of Infection-------------------------------------

This parasitic infector encrpyts the host file, appending the encrpyted data to the infected file.

Once a machine is infected, the dropped SVCHOST.EXE (running as a service on NT/2k) periodically infects executables on the machine.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100277
March 8, 2004, 10:16 AM CST by Encryptedmind to waxdj
Yes I know, that, but just because you have the processes running doesn't mean you have a virus.. I have done clean installs on many of my friends computers, and families.. And they all have a few instances of svchost.exe running.. None are infected with anything..

Yes some people can have a virus.. But just cause there is 1 or more than one running, doesn't mean there is..

I am tired of arguring with everyone.. If you want to fight, and fight to keep the svchost.exe's off your machine more power to ya.. I don't really care.. I am sick of people freaking out on here just cause they notice there is more than 1 svchost.exe running on their win2k/xp machine.. Unless your computer is acting up, restarting for no reason, or running like total crap, then don't mess with it..
March 11, 2004, 5:55 PM CST by Deconstructor
guy's I have had the gaobot worm and i think i succsessfully remove it 'couse i've scaned my harddrive with 4 or 5 different antivirus programs and they didn't find anything... but yet the svchost is consuming my CPU and i just can't help it... and yes it is normal to have 4 or 5 svchosts on your machine esspecialy if you are under XP or 2000 but yet it is not normal some of them to consume your CPU... If somebody comes with a conclusion please post it until then I just, might change my OS
March 13, 2004, 9:52 AM CST by grommet to Deconstructor
ok.
i have decided not to remove svchost.exe but i would like to tell you guys something incase i have to do it again i can be sure of not getting infected again.

I completely restored my computer to factory settings only to find out that just after i got online, there was the W32.Blaster.Worm again. Where the heck did it come from?!!! Everything on my hard drive was erased during the restore. I have a PC whose OS is XP
March 13, 2004, 10:21 AM CST by Encryptedmind to grommet
I completely restored my computer to factory settings only to find out that just after i got online, there was the W32.Blaster.Worm again.
You say restored.. Do you mean, like a Compaq, or HP restore? Cause if you ran a restore from a store bought computer, yes, it did wipe out your main drive, but they keep all the backup files on a 2nd drive, which could be infected with the virus..
March 13, 2004, 1:27 PM CST by Anacrothe
Okay, this post has been very informative and helpful. I've tried everything this post has said and I think I finally got this worm taken care of. As of right now, svchost.exe on my Win XP system is no longer utilizing 60-70% of my processor. I have NAV on my system and MS Blast was still able to shred through it. However, I ran the Symantec fixes for MS Blast, Welchia, and Gaobot. That didnt fully take care of the problem. I also deleted the files that the previous posts said in the Registry. The files were under the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Run, and HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\RunOnce keys.

Even after deleting these files, my processor would still be 60-70% utilized, but only when I connected to the Internet (because thats what the worm is instructed to do). The next step I took was eliminating a few things at startup. I just went into msconfig --> startup and disabled both instances of rundll32 and RUNDLL32. After I did that, on the next restart, I connected to the Internet and everything seems fine so far. The svchosts exe's are no longer taking up ANY processor time.

I still have 5 svchost running on startup...three are in use by the System, one for network service, and one for local service. I'm not sure if the worm is completely gone, but I know my system is running great again. The only thing that worries me are the 3 svchosts that are in use by the system. One is using about 3.2K of memory, one is using about 2.8K of memory, and the other is using about 17.2K of memory. I'm not sure exactly how to track which programs are actually using these svchosts, but right now, my systems appears to be fixed.

I hope this helps anyone who has encountered this problem and thanks to the help of the previous posts too...especially google, and encryptedmind.
March 13, 2004, 3:54 PM CST by Zhimin to Encryptedmind
I tried this but it can't find any worm pleaz help!!! It's taking all the CPU. PLEAZ HELP!!! I CAN"T REMOVE IT!!!
March 13, 2004, 3:57 PM CST by Zhimin to Google
Hi Google
I tried this but it can't find any worm pleaz help!!!I tried this but it can't find any worm pleaz help!!! It's taking all the CPU.I tried this but it can't find any worm pleaz help!!! It's taking all the CPU. PLEAZ HELP!!! I CAN"T REMOVE IT!!!
March 14, 2004, 7:19 AM CST by sld27
Hi all,
had this problem 4 about a week myself (on total fresh install of xp) but didn't have time to concentrate on it, however sat down 2day to tackle it. quickly found this thread on google after presuming the problem was virus related but not found by ANY antivirus prog's/web services (ie.stinger,housecall etc) There are so many viruses/worms around at the moment masquerading as legitimate system files/services that I read up on many different possible 1's before getting some luck. it came from looking @ it from a different view. unfortunately the most vocal voice on this thread so far hasn't! the problem that people are having isn't determining whether or not svchost.exe is a legitimate file/service!

ANYONE who can not keep core components like regedit or command prompt open have got major problems! these symptoms luckily I haven't had, but it screams virus 2 me! if a virus' activity can be tracked to "a" svchost then "a" svchost OR a service that is HOSTED by "a" svchost is probably infected or is itself a virus/trojan!

On the other hand, many people including myself have symptoms of svchost host absolutely burning cpu resources and no matter how many anti-viral services are used it doesn't get picked up as a virus. so logical jump #1: it ain't a virus we're suffering (...maybe! lol). So logical jump #2: lets look @ svchost and what it does. first step i took was 2 look @ http://www.huguesjohnson.com/svchost.html
which was linked by someone earlier in this thread. (kudos to them) there i saw a link 2 a m$ knowledge base article about svchost in w2k, linked from that document to the xp version @ http://support.microsoft.com/default.aspx?scid=kb;EN-US;314056
YES you might remember seeing parts of that document earlier, "encryptedmind" quoted from it 2 prove his rather ineffectual point that svchost was legit. had he been less ignorant about the problems being faced by all of the other people on this thread then he could have helped. the answer 2 mine and maybe many others problem lies in that very document.

logical jump #3 READ the EFFing thing!
quote 1:
"Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs)" so ok svchost is only what it sounds: A HOST FOR OTHER SERVICES.
quote 2:
"Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging"

ok, more than 1 instance of svchost depending on how and where the services that use svchost start using it. (booey 4 u "encrytedmind", point proved... but you stopped being helpful the first time you proved the useless point, and didn't try to help on any other level. FOOL!) The most important thing is 2 understand is why 4 instances (in my case) of svchost and which is causing the problem of excessive cpu usage. In my Case it was the one labeled Local Service.

Quote 3:
"Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names"
so whatever it is that is causing this problem can be found lurking in this registry key, listed under the particular svchost instance. another way to find out is listed after this part of the article. namely,
Quote 4: To view the list of services that are running in Svchost:

1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.

Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For further information about a process, type the following command, and then press ENTER:

Tasklist /FI "PID eq processID" (with the quotation marks)

logical jump 4: have a look at what services are using svchost Local Service (in my case) run regedit and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

actually found 6 listings, under local service listed were alerter, webclient, lmhosts, remoteregistry, upnphost, and SSDPSRV. next step was to find out which of these services aren't needed. to do that open SERVICES in ADMINISTRATIVE TOOLS in CONTROL PANEL. when i was doing this i was online and svchost local service was draining between 65 and 85 percent cpu. 1 by 1 i stopped the services (in SERVICES not task manager) that weren't needed and once i stopped SSDPSRV which "Enables discovery of UPnP devices on your home network." the cpu has gone back to well under 10% and svchost's combined are registering 0%, once in a while 2% for a second. set the services that i know i don't need to disabled, no problems any more.

now what caused the problem for me in the first place? well first off the pc having the problems is the ICS Host on my home network running zone alarm & norton AV. could be something in that after reading about problems with mcafee firewall earlier? But i think it has something solely to do with UPnP. don't mistake UPnP for basic PnP (Plug and Play that installs hardware for you automatically) UPnP is a newish protocol dealing with ip technology and routing which isn't really all that important yet because it is only slowly being adopted. certain programs apparently utilise it, MSN Messenger is the only 1 that i know of yet, and newer dsl modems/routers are being released with support for it. however it isn't important enough for me yet to accept 85% cpu drain to accomodate it. one thing that i installed with the fresh install, along with all the other windows updates, was the "Advanced Networking Pack." This pack is mainly concerned with the new IPv6 technologies, again, things which are only slowly being adopted. UPnP is a major component of the "Advanced Networking Pack." Maybe it was though this installation that svchost started to run in a problematic way, draining all of the cpu's resources. So if a large number of you having problems with svchost, who can, and have, ruled out any viral or trojan activities also installed the "Advanced Networking Pack" from windows update, then this is probably the cause of all our worries. if not try the fix and disable services which you know you don't need, you might find your problem any way. if you know you've got a virus from the way things happen get stinger or whatever and pray (ps. if you get messages that svchost has crashed, apparently it is a definate virus). just nobody tell everyone once again that svchost is a legit service, we know already.
March 14, 2004, 8:29 AM CST by sm284614
Okay, I'm not sure if this is a big stupid joke, but here goes:

svchost.exe is kind of an integral part of Windows; it's responsible for running background services. If you want to see exactly what each instance of svchost.exe is doing, go into the command prompt and type:

tasklist /svc

This will show you the services svchost is running. if you want it to use less memory, go to Control Panel>Administrator Tools>Services and match what you see in the command prompt task list (under the various svchost processes) and disable them.

I'd recommend not doing this unless you know what each service does; you WILL break Windows if you don't know what your'e doing.
March 14, 2004, 1:51 PM CST by Zhimin
I finally found a way to close svchost, here is how u could do it.

When ever I end process svchost the computer will shutdown in 1 minuet, so I went to control panel, Administrative Tools, Services, after u go to service find RPC(remote procedure call) then go to properties by right click. When u get to it change it from restart to do nothing, then u could close svchost. Tell me if this worked for u.

And I don't think it's a worm, it's some thing u did with ur computer.
March 17, 2004, 7:22 AM CST by ghost123uk to sld27
Hi sld27 and all

Wow this one just runs and runs - I think it said 67,000 hits to date on this thread - Wow...

Very good info sld27 - tho it seems a shame many on here are not heeding some of the more sensible posts ( like ours :)) - BTW it was I who linked the hughesjohnson site.

I have printed your post out and stuck it in our I.T. common room as this has been a big topic recently.

I have to admit, my removing McAfee firewall was a "workaround" and I think examining what your post says will give a better insight into this problem.

Cheers
JB - N.W. - UK
March 18, 2004, 1:39 PM CST by benzo to ghost123uk
Update for all of you.

mysysinf.exe was downloaded into my c:/windows/java folder. That seemes to install and that spawned a new svchost.exe file into c:/windows, both files were created on the same day.

Additionally, since then, I have not been able to run oulook or outlook express. I am scanning drives like crazy!

Any help would be much appreciated.
March 22, 2004, 11:40 AM CST by thetwinsrk
Hi Everybody

I am Kamran.I have win 2000.I am facing svchost.exe error for the last 20 days.Due to this my many online programm time script is not working , get paid to read email programms.

Plz help me to fing out some patch which remove it.
March 22, 2004, 11:50 AM CST by masyauefa
It's the blaster! I thought that everybody know it 'till now...
Anyway if you want help in removing it you can check Nortons site.
I can try to help you if you'll have problems.
March 23, 2004, 1:22 AM CST by jabba to benzo
I have just been reading the millions of threads and came across two handy ones. I have just been relived of the scvhostage (my name of the bleemen shitty syndrome) which was using roughly %70 of my CPU and being a pentium 3 667.. i'm alread behind the eight ball before the bleemen shit started.

I simply went into Administration -> Services and here i found a service whith no description. It was called 'windows debugger' and i got a little suspicious of it when i tried to end the service and it returned a peculiar error. I then changed the properties of the service to 'disable' and restarted my comp. And no more svchostage! scvhost's are running.. but so is my computer now.. :)

from all the mayhem out there i do reacon there are other bugs or whatever so this may/may not help.. but it fixed mine.. cheers.
March 27, 2004, 3:44 PM CST by Cockeyed to sld27
hello-
This has been quite an education, reading this post. I've had some similar problems and am not sure I have licked them.

How does an intelligent person get a virus? How about trusting your laptop to a "professional" when you upgrade from Windows 98 to XP. He sold me & installed what turned out to be an old OEM version and failed to add two years' worth of security patches etc. I took it home, went to check my email and blam! I had up-to-date Norton but somehow in the update the email scanning stopped working. I had to reinstall, then go back online to use LiveUpdate to get it up to date...more vulnerability.
Svchost.exe was one of the various infected files. I have run several Symantec worm tools, and McAffee's Stinger, and may have gotten rid of it all.
Except... when I try to do a full system scan using Nortin, it quits after half an hour and says there was a "critical error" so it can't finish. And everything seems to be very slow. I don't know how to check what is using the CPU, would appreciate a tip on how to do that.

Also, along the way in the two days I've wasted on this, I used mscofig to see what was starting up. One of the things that I unchecked is
msblast msblast.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I suspect of course that this has something to do with the blaster worm. But I've run all the tools that are supposed to remove it, and searched for the file under that name but not found it. Is it possible it's no longer there, and if I uncheck it it will go away?

Thanks for any input any of you very knowledgeable crowd might have.
--Jim
March 31, 2004, 2:50 PM CST by pammienyx to sld27
Thank you! I've tried most everything mentioned in this forum and others to get rid of this problem, and turning off that service did the trick!
April 1, 2004, 5:26 PM CST by Zildjian to pammienyx
Hi everyone. I have been reading your posts and i have been having some bad problems with my PC :(

2 months ago my PC suddendly wouldn't open any programs it said "This programme cannot be opened in MS-DOS mode" it could'nt even open any settings, So i completely re-installed windows, i then got the W32.Blaster.B.Worm and W32.Welchia.B.Worm, And my norton internet security 2004 said it had been tampered with, and it had an internal error, i now cannot re-install norton because it closes itself before i can click install!, so i have now installed Panda Internet Security. When i got the virus's i downloaded both removel tools and it said this both virus's were successfully repaired and deleted, since the day i got those virus's i have been very concerned because my CPU usage is always on 100%. I have found the file dllhost.exe in the System32 folder and when i try to delete the file it somehow comes back!!. I have also got 6 svchost's running in my prosess lists.
I have windows XP home edition,

How do i know which svchost.exe is bad?

How do i remove that dllhost.exe?

Why does my Norton Internet Security 2004 and some settings close a few seconds after being opend?

P.S I have been told that the reason for not being able to install Norton Internet Security 2004 could be a software or hardware problem.

Please Reply a.s.a.p

Thanks

Zildjian
April 2, 2004, 10:23 AM CST by PBEX
sld27,
I've been on this hunt for a few days now with a very similar issue - I was almost home, but your post cinched it. Disabling SSDPSRV ended the SVCHOST.EXE hogging of my CPU. Thanks!

For those that still face CPU usage issues from SCVHOST which are NOT caused by a virus here's some simple things to help diagnose your probs. Most of this has been suggested in various ways already, but there is some new stuff too that may be helpful.

Bear in mind that I am a computer idiot so my advise should be checked! Also this is for XP-Pro...I have no idea if any of this applies to other OS systems.

1. Dont bother attempting to remove SVCHOST, its a waste of time. As soon as you remove a legitimate SVCHOST.EXE entry on TaskMgr, another one hosting the same services will restart OR your computer will shut down and you'll have to reboot. Either way, SCVHOST.EXE is coming back and mutiple instances of it ARE NORMAL.
2. Open Task Manager (press CTRL/ALT/DEL once). Click on the "Processes" tab. Look for the column named "CPU" and click on the word "CPU" to sort by usage% (a second click will toggle between ascending and descending).
3. If SCHHOST.EXE entries are hogging resources,they will be at the top (or bottom depending on the sort)of the list. Make note of the "PID" number associated with the instances of SVCHOST entries having high CPU usage.
4. To find what services are associated with the particular instance of SVCHOST: Go to "Start" then "Run" then type "CMD" then at the DOS prompt type tasklist /svc . This will open a window showing what services are running behing the tasks. Look for the PID numbers associated with the high usage instances of SVCHOST.EXE. In the right column, you will see a list of services running on that instance of SVCHOST. NOTE: IF YOU HAVE DELETED AN INSTANCE OF SVCHOST, WHEN IT REPOPULATED, IT CAME WITH A NEW PID NUMBER IN TASK MANAGER. So make sure you are comparing apples to apples when you look at the PID numbers.
5. Now the hard part is determining which service(s) is the culprit and whether or not your system can survice without it if you disable it. On mine, the culprit was one instance of SVCHOST which was hosting RemoteRegistry and SSDPSRV. After researching to know what each was, I decided I could live without them. I went to Control Panel / Admin Tools / Services and scrolled to find each service. I double clicked, selected General Tab, then under Startup Type I selected "Disable" hit "Apply" then "OK." This shut them dowm which recovered all of the CPU resources that were being expended on that instance of SVCHOST.
6. Here is an EXCELLENT website tool: http://answersthatwork.com/ For free - Go here, click on "Task List" to find an alphabetic index of all those tasks in your Task Manager, with a definition of what they do and where there might be issues. Also, for $20 you can purchase from them a tool called "The Ultimate Troubleshooter" which will help sort out all the tasks and services running on your computer at any given time, tell you which ones are OK which ones aren't and which ones might be a problem. They also give suggestions for each instance where a problem is found.

Hope this is helpful info.....
April 2, 2004, 10:29 AM CST by PBEX
Can anyone explain this? In Task Manager, under "Proceses," "System Idle Process" is consistently running around 95% - 99% Yet my CPU Usage is simultaneously running from 55% to 65%. Shouldn't the total of all numbers in the CPU column equal 100?
April 3, 2004, 9:45 AM CST by Zildjian to PBEX
PBEX, here is what that programme is.

System Idle Process:
N/A

(Microsoft)
Windows NT4/2000/XP/2003 only. This is a process which runs on each CPU in your PC/Server and whose sole purpose is to total up the amount of time when the processor is not doing anything. In Task Manager (Task List) this process usually accounts for the majority of processor time.

Recommendation :
An integral part of the operating system, leave alone.

I am not really a computer expert so i don't kno weather SVCHOST.EXE is safe or not, i dont really understand the "Big" post about it. But my CPU had finally calmed down abit after doing a spyware detector, i blocked 505, and my CPU is not running at 100% all the time, BUT it seems to jump a bit. It goes from 2% to 100% and back to 2% and so on.
Does anyone kno why?

Also when i search my computer to find SVCHOST.EXE, it finds 1 and also find one called SVCHOST.EXE-3530F627.PF. Does anyone kno what that file is?

P.S when i play my games they are now jumpy :-(

Please reply

Zildjian
April 3, 2004, 11:13 PM CST by SK to Zildjian
*****
THE DAMN SOLUTION!
*****

OK listen everybody, i'm fed up with your bullshit. "svhost is a legal winxp app blabla etcetc" yeah no shit, sherlock! Of course it is! The deal is, people tell you they have SERIOUS problems happening to them, and you keep waving this shit at them you morons.
Now listen, here is your problem:
http://www.trojanhunter.com/papers/thvsbeast/

Read this, it is a very interesting article, and it explains what type of virus/worm/backdoor/whatever you call malicious software some people are facing.

TrojanHunter is the ONLY software that can help you, as no other software can remove this type of insane malicious software that takes over your (perfectly valid, legal, well known) windows processes. Hopefuly more software like this will be availible to people as soon as possible, and awareness raised, so that bullshit filled huge threads like this won't exist anymore.
Download Trojan Hunter, it's a completely functional trial, except one thing, you can't use the automatic update, but that's ok because you can manually update it using this: http://www.trojanhunter.com/trojanhunter/updating/

I hope this helps all of you who are having problems and going out of their minds. And I hope all of you who like to say bullshit and feel smart feel very stupid right now.

SK
April 12, 2004, 10:18 PM CST by sasam
Hi.
I'm kinda new to this :-)
Anyway, I don't know whether I have svchost problem or not, svchost's cpu usage isn't THAT high as others', but I have these problems: In performance tab (windows task manager - winXP) cpu usage is almost always 100. I can't start Norton antivirus at all, can't start msconfig (except in safe mode) but there I couldn't detect any abnormal svchost files. If I try to end svchost.exe computer shuts down in 60 secs. Computer is generally very slow, I tried Symantec's Blaster removal tool, it wasn't that... i tried other antivirus programs... nothing helps...
Any ideas?
Thanx.
April 13, 2004, 11:35 PM CST by nklslots
I'm a new member here I found you guys on a google search, this has been an interesting read for the most part with lots of good info, I just wanted to say thanx to comicrelif(?) for the post on the trojan hunter, excellent program, if any of ya'll don't have it you need to get it, also another good program is Clean My PC Registry Cleaner, I've had trojans and by the time I found them Clean my pc had already fixed the registry settings. Anyway just wanted to say thanx for all the good info.
nklslots
April 17, 2004, 11:56 AM CST by Judas
Friends,
I've had this problem for the last few days and finally got around to trying to find the cause/fix. I found this thread on Google and there's a wealth of knowledge and good advice to be found here. Unfortunately, I found that none of it applied to me. The dissertation by sld27 was extraordinarily useful. After stepping through and following his/her advice I still couldn't get to the bottom of the problem. It is obvious to me that there are many causes to this particular problem, what works for one person may not necessarily work for another. I tried all the trojan scanners/removers and spyware stuff many of you suggested and spent considerable time this morning searching through registry keys - does it get any better, I ask? I submit to you that it does not. That being said I stumbled upon my answer by accident. A few days ago I installed Steganos Internet Anonym Pro, but it was late so I didn't really have a chance to play around with it. I went to work the next day, at which my wife called me to ask why the web was so slow. I thought perhaps the anonymizing features were turned on by default so I directed her to check. Well, they weren't so I just thought it perhaps our ISP was having some problems and thought nothing of it. To make a long story short, after trying all the fixes I found here I uninstalled it at a whim. After uninstallation a slew of program errors popped up, ZA Pro even locked up. I'm definitely not an expert so I can only surmise that Steganos has conflicts with some other programs and this causes the problems. Maybe it's a poorly written program, I don't know. So you may want to take a look at new installations you've done recently. Hope this helps.
April 18, 2004, 2:13 AM CST by stuckmojo to RaceKitty
Thanks for your post RaceKitty. It was a big help.

Just for input sake, I had the same problems as mentioned.
I had a number of "svchost.exe" running, with one taking up 100% of the cpu processes. The only thing the solved it for me was to go to the site that RaceKitty mentioned (http://housecall.trendmicro.com/housecall/start_corp.asp) and use their free virus scanner. It picked up the infected files. In my case, they were:

winpw32.exe
winhlpp32.exe

I deleted those sons of bitches and the svchost issue was solved.
April 19, 2004, 6:04 AM CST by dofekus
Hi everybody.

I have got a W32.Blaster.F.Worm which caused some problems on my PC. I've managed to get out the worm - Norton AntiViurs 2000. However using a dial up connection I've got the following message error: Application popup: svchost.exe - Application error: The instructiin at "0xe0413a68" referenced memory at "0xe0413a68".The memory could not be read.

Could ypu help me, please?
April 19, 2004, 7:45 AM CST by masyauefa to dofekus
You still got the worm, use this removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
If you'll still have problems read this thread.
April 22, 2004, 2:07 PM CST by Hax0rzExWife
Quick question before I begin to apply the various steps listed here.

Being the ex of said type person as my nick references,[said ex then went on to run security for a major US firm (LOL)], can the svchost.exe file be used to open a remote back door and run such progs as wingrep or otherwise be used to search/utilize the system? CPU runs over 80% usage via svchost.exe but I don't see multiple events and explorer is slow if not entirely lacking in opening. MS Outlook is skittish and hangs. Task Manager darn near impossible for use to get a process stopped.

Task manager shows no remote users (I couldn't off the top of my head remember if the main account lists "console" or not, but logic says it would)

I don't utilize any filesharing programs, although I used kazaa over a year ago and this all just started happening within the last couple of days.

I have an encrypted router, then a firewall and show no unauthorized activity on the firewall. Netstat doesn't show any bizarre connections. scanning from outside my main box appears invisible, no open ports. I'm pretty sure that I changed all remote access proggy's built into XP home to manual settings (but I am at work and cannot verify.)

I do run a wireless network inside the apt with a coninuous laptop connection -AIM or MSN is usually open on that machine non-stop. I don't know if there are these types of virii that can enter a network machine and then infect the main system or not - I've never spent a lot of time studying these things.

So before I spend the next evening cleaning my system instead of catching a movie or going out dancing, which is more likely: a virus or a systemized and organized backdoor use of the system by a talented gentleman?

Thankz in advance for your time,

TheEx
April 22, 2004, 4:47 PM CST by Mqattoum to Encryptedmind
Hi Every body , i am suffering from the same problem , my CPU is 100% used and my pc is very slow , but what i found is when i connect to the internet the CPU is not 100% it is normal , on the other side when i disconnect from the internet then the CPU is 100% used , what is the solution , before 5 munites i run the adware and it found nothing.
April 24, 2004, 4:32 PM CST by sm284614
Listen to me all you slackers:

GO AND BUY A COPY OF NORTON INTERNET SECURITY.

You want your computer to work properly? Then look after it, stop filling it with crap, anddon't leave gaping security holes everywhere; the internet is not a safe place.

Some free solutions tools can be found at:

http://download.com.com/3150-2239-0-1-0.html?qt=&author=&titlename=&desc=&dlcount=&daysback=&swlink=&os=&li=49&dlsize=&ca=

http://download.com.com/3150-2092-0-1-0.html?qt=&author=&titlename=&desc=&dlcount=&daysback=&swlink=&os=&li=49&dlsize=&ca=

http://download.com.com/3150-8022-0-1-0.html?qt=&author=&titlename=&desc=&dlcount=&daysback=&swlink=&os=&li=49&dlsize=&ca=
April 25, 2004, 8:53 AM CST by MrFixIT to sm284614
Hi Everyone,

I did virus scans and trojan hunter with no improvement.

Thanks for all the suggestions but my System task taking 100% of my CPU was Windows Update related. The combination of HotFix KB837001, KB828741, & KB835732 caused two different Win2K machines to experiece this problem.
Looked like they introduced some type of device driver conflict.

The solution is to boot to Safe Mode and give every task possible High priority to keep things working. The system will be really slow but keep the Windows Task Manager -> Processes open to see new things being started.

Next go to Settings ->Control Panel -> Add/Remove Programs to start to get the list of installed programs. When clicking on Add/Remove Programs it starts a mshta.exe process. Immediately go to Task Manager -> Processes and highlight the mshta.exe process and right click Set Priority -> High to give this process more CPU.

After awhile the list of installed programs will come up and the Hotfix numbers will be displayed. Highlight these bad guys and remove them.

This whole process took me several hours but it worked.

Thanks for all the suggestions but it was Mr Bill that caused this problem with his wonderful Q/A & testing procedures. Buy LINUX stocks - Sell MSFT
April 28, 2004, 12:49 AM CST by AlexK
The first symptom of a problem here was a mouse cursor that did not response. This led to one of my SVCHOST.EXE processes eating all the CPU cycles. Which led me to this forum. While this discussion was interesting, the good news in my case was that there was no virus or other malicious daemon involved. My cause was a scanner with an unplugged power cord. A SVCHOST controlled process was looking for a scanner that was not there. Plugging the scanner back into the wall did the trick for me.
April 28, 2004, 7:04 PM CST by waxdj
Amen MrFixIT - Load Linux!!
April 30, 2004, 9:22 PM CST by DieHard
YO PPL!!!LISTEN UP!!! the problem isn't SVChost.exe but SCVhost.exe...got it??? While SVChost.exe is runned by the system SCVhost.exe is runned by Administrator...there are 5 SVChost.exe runned by system and just ONE SCVhost.exe runned by Administrator...just check out your taskmanager and u will see it 4 yourself...

Go to START and then MSCONFIG and click on BOOT(or SYSTEM BOOT) and unaply SCVhost.exe! Simple! :)
May 6, 2004, 1:44 PM CST by quadrixx to DieHard
Another thing ...

( i didnt read ALL of the posts but i guess i understand some of it )

svc - scvhost wathever ... it kills the cpu !!!

i noticed svclhost using 50 procent and a constant "ping" sound on my pc !!!

thus not scvhot or svchost but svclhost !!!
May 12, 2004, 11:26 PM CST by skipadis to sld27
SLD27 - thanks for distilling the (hit and miss) wisdom of the board into one post.

I caught the problem on a desktop XP Pro machine I had just enabled 1394 networking on (to dump 10GB of files from the desktop onto a new laptop). I was skeptical of the virus explanation b/c the timing was too perfect and I run ZA Pro and McAfee; update AV sigs and Windows patches religiously.

I ran Stinger et al and did not catch anything. Sure enough, disabling SSDP Discovery seems to have solved the problem. I think it was looking for some 1394 component that I was only trying to use as a one-time thing.

FWIW my symptoms were locked system tray and task bar, high CPU usage, and inability to get on the Internet. major drag. thanks again everyone for posting your experiences, you're saving a lot of people a lot of time.
May 13, 2004, 11:12 PM CST by VPU_99 to quadrixx
Ok, This is what I have found. I am running win98,on a file sharing program I picked up a file that looked to be a .Zip file but was an .Exe . Latter I noticed my computer slowing down,checked resorces and was down to 49%. I found 3 SVCHOSTs' running when I ctrl,alt,del. If I end task on them I get to 95%.

To find the culprit go to explorer,click windows, look through all of the files and you will find a file that has a .ZIP Icon. Right click the file and go to properties and you will find the real file name is "lorupscr", and its system name is SVCHOST. If you do a Google on the name "lorupscr" you will find that it is a worm called "Purola",named after a STD. If you try to delete the file it will not work, it comes right back.

Macafee found the infected files but called them "W32/winur.gen",did a google on that name and found nothing,also tried the Trojan hunter and it found nothing. Sophos found the files and knew that it was a Purola worm but could not get rid of them.

I have not yet found out how to destroy the worm but I am working on it.
May 16, 2004, 5:37 PM CST by Septfox to VPU_99
Umm, hi everyone...

Svchost.exe only causes me problems when it randomly crashes, for seemingly no reason at all. I'll be sitting here surfing the web, and it'll come up an error and close...taking away the ability to click links, and copy/paste (takes away keyboard functionality for copy/paste, too). Any way I can make the little bugger more stable?
May 16, 2004, 8:11 PM CST by barrydt to sld27
I've been trying to get this issue fixed for the past month - have tried several of the solutions mentioned in this thread, short of reinstalling the OS. I found sld27's post about checking for runaway services, and sure enough, I had SSDPSRV in constant 'starting' mode. (I'm assuming that it was taking up all my CPU trying to start without success.) When I disabled it, my CPU usage immediately went to near 0%, and nothing else has broken, so I think the problem is fixed. Thanks again for the post!!
May 28, 2004, 10:48 AM CST by clauslavi
Hi pple... I need help. The problem is when I visit some website and click on the links, my comp will get hanged. After I cancelled the operation, my comp just slowed down. And I found out that there is a high CPU usuage in svchost.exe at 99%. Can someone pls enlighten me?

Thank you
June 2, 2004, 1:46 PM CST by duque to clauslavi
Try to use this. It works for me. Dowload from www.lavasoftusa.com the software ad-aware install and run it. Don`t worry about the files you're going to delete, so far I been deleting all the files an my PC is OK.
Check for updates and run it as much as you surf on the internet
I hope this help you.
June 3, 2004, 10:59 PM CST by nellanayrb
I dunno if anyone else here has done this, but I just went through and uninstalled EVERYTHING on my computer that isnt necessary for transferring all my documents, etc. to cdrs, because I was going to format the f'er. I had tried every virus scan out there, multiple worm removal tools, trojan finders, adaware, spybot, spysweeper, and many other programs.... but I couldn't find ANY problems that I could fix, and yet I still had my cpu usage at 100% constantly. I used process explorer from sysinternals and I investigated through that, that svchost.exe was running a thread using rpctr4.dll (i think thats the spelling) that was responsible for killing the processor. To do this, download process explorer (do a google search for it), click the svchost.exe that is using 100%, goto properties, then threads, and you should see what thread is doing the 100%, and kill that thread. I also found that I could restart the computer with my ethernet cable removed and things were normal..... but these were both TEMPORARY fixes.... So I decided to uninstall everything like I said. Every game, every program, deleting every directory that uninstall programs missed. Then I restarted it because one of the uninstal programs required that.
And guess what?
No more 100% usage. Everything's fine.
I'm super confused about why... and afraid it may happen again sometime in the future.
The only thing I can figure out is that the last things I uninstalled were Shareaza (a bittorrent prog), Webhancer (some spyware that was installed without my permission), and Viewpoint media player (another program I assume windows media player installed or some game did).
Another tip I have is that I found on a site that the latest version of windows media player has a problem with svchost.exe with certain patches or plug-ins, and on microsofts site they talk about this, and how it causes 100% cpu usage. And on that microsoft site they had a patch. It may help for some people....it didnt for me though.
June 4, 2004, 2:57 PM CST by kenneth9265
Sypbot using the seek and destroy antivirus/spyware program did wonders for my laptop...

http://www.safer-networking.org/
June 7, 2004, 9:16 AM CST by IDunNoAnytin to kenneth9265
A lot of people on here need to sit down, talk to their bamboo plants, and relax. Don't freak out about some virus/trojan/worm/simple case of user failure/other that doesn't really seem to do much damage, other than make things slow.

Here's my situation. Wanted to run Adobe Premiere on my comp but I had Win2k. Installed WinXP over that, didn't want to have to make another backup. Had Ad-Aware for some time now, always updated before it's run. Just installed SpyBot-SD. McAfee is a recent purchase, but I got it up to date now too.

I'm having dificulty with "svchost.exe" (not scvhost, svch0st, SCVHOST, or any of that junk) since it's eating up my processor. I've looked in my registry for all the junk you've all suggested, scanned, did online scans, disabled services, DCOMbobulated and whatnot, nothing works. Been working on this for three days now, read this post front to back.

So I tried re-booting without my ethernet cable in. Works but it's a pain. My registry is bunk free except for WinTools (on my to-do list) and I'm fresh outta ideas.I don't have Gaobot, or Welchia, or Blaster. Ran a bunch of checks and I am G.W.B. Negative.

What is going on here, and no "svchost.exe is part of the system" BS. We know. And we're very happy you know too. We never said it wasn't. You assumed that we did and got all hissy fitty about it. Well I'm just here to say it's over. Now if it crosses your mind to even say it again, I suggest some meditation, maybe some yoga, and a nice pot of tea.

Note: This kinda reminds me of reading a book that had a whole bunch of cures for a hangover. They all sound good in theory, but nothing works too great.

Second Note: No one deserves a virus. Just because a few people try to take advantage of certain p2p programs to dl stuff doesn't make them evil or deserving of a virus. When you go to jail, do you not receive medical treatment?

Third Note: This isn't supposed to be directed at anyone in particular, just couldn't find the reply to thread button. Thats all.
June 8, 2004, 3:21 AM CST by svchostremoveit
I am soo sorry but this SVCHOIST.exe is really irritating my whole network and no one can find a solution on my LAN i need serious Help here i have this same error of RPC failure.. and then 1minute countdown begins n my computer restarts even my Run is not workin its on for only 5secs i dun even have the blaster worm but my cpu is always in use like 100% n then again 10% then again it rise upto 100 n then 10 its really buggin as please suggest me a proper solution i did all what u guys mentioned i downloaded Adware6.0pro,downloaded norton,then macfee, tried each n every manual way but its a serious problem b4 somedays it courrupted my norton too so my norton was disabled n cannot be again enabled... please suggest me some really good FIX WE ALL ARE FEDUP please gimme some professional FIX so its thgough thank you -----or mail me dharam_kapadia@hotmail.com
June 8, 2004, 3:59 AM CST by Google to svchostremoveit
Try the fix for this worm http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html This worm eats 100% processor and gives 1min count down to restart.
June 8, 2004, 5:45 AM CST by Lycantrophy to svchostremoveit
Wow...
can you really write all that without proper grammar and punctuation?

Download the Blaster and Sasser patches from Microsoft.
That should help you some more.
Also download ad-aware and delete everything it finds.
Then press ctrl+shift+esc for the taskmanager.
This should show you all the running processes at that moment.
Some of them should not be there.
There is also the place in the registry, but you should know what you are doing before deleting everything:
HKEY_Local_Machine/Software/Microsoft/Windows/CurrentVersion/Run
There should be some items that aren't supposed to be there.
Just copy the filename and paste them into google and press search.
Just check the internet if the files need to be there or not.

Good luck all.
Try this in safe mode, because you get the abillity to delete more that way. And most of the processes aren't running and windows doesn't complain about certain file.
June 8, 2004, 9:35 PM CST by IDunNoAnytin
Listen guys.
I have a problem with "svchost.exe"
It eats up 100% of my processor.
I run WinXP Pro.
I know svchost.exe is not a virus.
I know svchost.exe may be infected or a copy of the real one.
Nothing funny happens with regedit, command prompt, McAfee, SpyBot SD, AdAware, Trojan Hunter.
I don't have any error with RPC.
No 60 second to shutdown.
No blaster, welchia, gaobot, sasser.
Every scan turns up nothing.
My Registry is clean beside WinToolsA.
I got a LOT of AntiTrojan, AntiVirus, AntiSpyware stuff running.
I have a Clark Connect Fire Wall/Server set up.
I am totally clean as far as any program knows.
IS THIS A VIRUS/WORM/TROJAN?
Could it be a new type of malicious software?
What does this and how is it stopped?
Answers requested!
Don't try to circumvent my question!
THAT'S RUDE!

*By the way, I formatted so this problem doesn't really affect me anymore, but there are people who need answers, not quick temporary fixes. Besides, I'm curious. And yes, before anyone else can say it, I know "Curiosity killed the cat."
June 9, 2004, 2:26 AM CST by masyauefa to IDunNoAnytin
It seems very strange that problem of yours... there are few more things you didn't listed:
- Do you have the service pack and ALL updates ever released?
- Does your untivirus and other programs are updated todate?
- How do you know your registry is clean? Did you check ALL possible places?
- What other side effects you had? Maybe yo was unable to access antivirus sites, maybe you couldn't open your antivirus, maybe no access to registry?
And how about in safe mode?
- Do you have a network? Do you have passwords on the computers? If you have a network and no passwords on the computers you could get a virus from the other compter(s).
- Did you try Bazooka? You can find it on Download.com
June 9, 2004, 11:13 PM CST by ArabianHorse
visit this link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;838884&Product=WinXP

also this link:
http://mvps.org/winhelp2002/unwanted.htm

if its not a spyware...its microzoft!
June 16, 2004, 6:05 AM CST by srf7
I have something similar but also have a problem with Norton AV, It will not start,
I think it is because the symantec event mgt or service control manager is not started, and CPU at 100%
OS isWinXPHome.
So I cannot start Norton to scan to see if there is a virus have ran some of the fixes but they say not found.....
started in safe mode Norton would not open. checked for following in system32 svchos1.exe services5.exe winhlpp32.exe duls.exe and cy32.exe - none are there (I read somewhere deleting those as a solution)
June 16, 2004, 11:22 AM CST by benkcbenkc
Well, I've read all 16 pages of very interesting info; I had same problem: a single thread WININET.dll in svchost process using 100% CPU. After 2 (read almost 48 hours) days of discussion with various Microsoft engineers-- you can safely stop svchost process and and usage drops to normal UNTIL reboot. Using System Configuration Utility MS suggested selective startup and remove all non-MS services and all startups. Since there was still 100% usage, we did Diagnostic Startup which leaves less MS services. This resolved the problem but one can then add back services incrementally. Unfotunately some services rely on others and this can get complicated.
I would be interested to hear comments.
June 19, 2004, 1:01 PM CST by jzhou168
Hi,

I had a similar problem with the memery consumption. Then I formated the hard disk and reinstall the Win2K. In the same time, I scan the disk and removed a malware virus. Atter reboot, it seems OK. But after I connect to internet, a error message appears saying svchost.exe error, window is closing the svchost.exe. Then the file search and Add/remove software are no longer working. I run a window repair, it works again. But once again, after I connect to the internet, the svchost error appear again and the file managment function is no longer working.

Any suggestion to fix the problem.
June 19, 2004, 4:21 PM CST by masyauefa to jzhou168
Don't you get it? You must have a firewall. Every time you connect to the internet you get the virus again. Also you should have all the updates and an antivirus.
June 20, 2004, 6:49 PM CST by gailw20
hi all,
i dunno if my problem is related to "svchost.exe", but i have 4 svchost.exe running at the same time and the CPU usage is 100%. im not able to dwnload the patch or do the virus update cuz the internet is not working at all and the computer is so slow that i cannot start any program(i.e. adaware). i tried to end the svchost process, but it says access denied. i also tried to run "MSCONFIG" in order to stop svchost.exe service, but it says "cannot find the file". i can hardly do any fix... wat else i can do? any help would be appreciated. thx.
June 20, 2004, 7:05 PM CST by sushified to gailw20
My suggestion is to flush your system.
June 20, 2004, 9:00 PM CST by gailw20 to sushified
any way other than flush my system?? that'd be the last thing i wanna do... :(
June 21, 2004, 9:54 PM CST by UltraMagnus to gailw20
Hey there,
just read [and eventually skimmed] through many pages on the enigma of svchost. I have a slightly different concern...

Does anyone one know what svchost.exe's dependencies are specifically? I have several running, no prob, and collectively they consume about 27,000k of ram [zero cpu load]. Im doing some more cpu intensive work, and it would be nice to get some of that ram back.
now, svchost is "required". however, updating my cpu's clock through the internet shouldnt be something that would cause my computer to shut down, if i were to terminate that process. terminating any svchost process does.
All the svchost processes are identical in task manager [meaning, they all read as "svchost.exe".
How could I go about finding what dependencies are running, and which, if any, arent truly necessary? For example, the host process to synchronise time through the net...I wouldnt have this running if I were never connected, so why should now, because I am connected? [btw, this can be disabled in some menu or other].

thanks for any clarification and insight.

also...get slackware!
v(*O*)v
June 22, 2004, 2:56 AM CST by masyauefa to gailw20
Restart in safe mode and scan the computer with an antivirus.
Then delete all the registry related to the virus.
Use another computer (or a friend) to fins out on the internet what regestry values to delete. Simply write down the virus'es name on google and it will fing many anti-virus sites.
June 22, 2004, 3:01 AM CST by Encryptedmind to UltraMagnus
Does anyone one know what svchost.exe's dependencies are specifically? I have several running, no prob, and collectively they consume about 27,000k of ram [zero cpu load]. Im doing some more cpu intensive work, and it would be nice to get some of that ram back.
I wouldn't worry with disabling them.. 27k of memory isn't nothing.. You would never notice the difference getting that little bit of memory back..
June 22, 2004, 11:04 AM CST by DodGe
just go to this site:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.g.html

and follow, 'how to remove'-steps. It's very easy and it worked fine..

(of course; if you have blaser virus, remove it first with program and patch;) )
June 25, 2004, 10:42 AM CST by usmc_1461
On this site, I found "sld27"'s post (#108) to be the most useful for resolving my problem with svchost.exe and lsass.exe on my XP Pro. What was NOT useful were the arrogant, contemptuous attitudes expressed by self-styled authorities on this matter, especially on the issues of viruses and etc.
My problem began to occur when I downloaded the most recent WM Player. I had just installed a SB Audigy card and I wanted to run the sound through a conventional program that online user's frequently use. The first unusual thing was that my clock was reset back to the time of the svchost.exe, over a year ago, sometime in March. I was clueless. Assuming that I had somehow gotten a virus or trojan (this was the reason, prior to installing my soundcard, that I refused to use either IE or WM Player: their past histories of vulnerabilities) via the WM Player, I ran a trojan check using A2, an ad-ware/spy-ware prog. I found a simple trojan "JavaByteVerify.exploit trojan" and deleted it. I've run into this one before and got rid of it. But, I began to get an error message that "framedyn.dll" was missing. I found it right where it should be, and I even tried, unsuccessfully, to re-register it. I then searched the internet and found someone attributing the "framedyn.dll" error to a pirated copy of XP. My XP Pro is registered.
I had also noticed that my computer would hang when I tried to log off. I would get error messages about ending programs. Another error message had to do with a "proxy desktop" and problems with a "DDE Server".
I then found other posts blaming trojans that exploit svchost.exe and lsass.exe. I checked my firewall log, and discovered that, indeed, there were two open ports: lsass.exe and svchost.exe. I downloaded and ran NetWatch. The log showed **services** "listening" and they were the two .exes. But I found no signs that any spam had been sent out (no "SYN_SENT", "TIME_WAIT" or "ESTABLISHED" entries in the "seccheck.log"). If you don't understand the process that MyNetwatchMan.com uses, but if you focus on the "listening" part of their log only, you may suspect that you do, indeed, have a virus or a trojan, at least. About this time, my whole system began to drag so terribly that I knew that something was definitely wrong. This had been going on for a day or so, and I assumed that the slow-down in the system was an idiosyncrasy that would disappear once I took out the soundcard, uninstalled WM Player, identified and deleted the virus/trojan. But, the slow-down showed up in my cpu usage -- up to 100% -- and I could open windows explorer only if I restarted the computer. There was a very unwise suggestion that I came across, about deleting these suspected virus files (with removal tools and etc.) but FIRST disabling system restore (this wipes out your system restore) because those viruses hide in the restore files. This may be true, assuming you have a virus. But, before you do this, investigate all other options because you cannot undo wiping out your system restore. Right towards the end, my computer was almost useless and I thought that I would have to reformat the HD and re-install everything. I couldn't even get back on the net to run it through the online virus scanners. Besides, some people on this topic had used these scanners but STILL had the problem even after no viruses had been found. Was this a "new" virus out in the wild? Or what?
I then read "sld27"'s post and I thought I'd give it a try. Sure enough. It did the trick. This had nothing whatsoever to do with a virus/trojan. It's MS. My cpu usage went from 100% down to 04%.
I would encourage people to look for virus/trojans first; then, if all else fails, follow the directions in "sld27"'s post, #108.
July 3, 2004, 6:04 PM CST by mudd
my pc is kinda screwy. symptoms include my home page being set to HOME SEARCH (res://xyjvi.dll/index.html#37049),my online gaming has become slow, virtual memory needs to increase from time to time. ive scanned and scanned and tried many of the solutions listed but no dice. ANY HELP WOULD BE APPRECIATED.
July 10, 2004, 8:52 PM CST by WarpeD to mudd
This is a long thread. Whew. But it helped me fix my problem on the very first day of discovering the CPU was whacked on one of my Win2k Pro systems.

My thread summary:

There are lots of things that can cause svchost.exe to go nutty, and with all the virii, trojans and MSHT security leaks, etc., it's hard to pin things down.

1. Use good AV
2. Use Trojan Hunter.
3. Use spyware scanners.

All good points, and if kept up to date, they will shield your system. A good firewall won't hurt.

After all this fails, dig into your admin tools and find what service is actually running rampant. I did this by **** EDUCATED **** trial and error, and looking for stuff that I found via this thread. Your mileage may vary!!! Use my example STRICTLY AT YOUR OWN RISK!!!

This applies to a Windows 2000 system, updated to service pack 3, more or less. It can't see the web at this point after a migration of my network to DSL, so no Windows Updates have been done in a while.

First, bring up the task manager, and minimize it so you can see the nice, bright green scale of your poor CPU being hammered to death in the Systray.

Go into the Control Panel > Administrative Tools > Component Services to have a look at everything that's running - click on Services (local). Using a bit of educated guessing, you can start stopping stuff by right clicking on the service and selecting STOP. Wheee! Not going to hurt anything AFAIK, except you might find yourself with an unexpected need to reboot! When you stop a service, note the effect on CPU usage in the Systray. If no joy, it wasn't that one!! Go on to the next guess. When you stop something that liberates the CPU, you got the bad boy! Make notes!!! Then figure out what service was supposed to be provided - usually by looking at the service properties. This will give you all sorts of good poop in the various sub tabs, and it's how you figure out whether or not you should permanently disable the service. In my case, it was the RIP listener - and since this was something that only listened for router updates, it wasn't needed. In the Log On tab of the service, I was able to select disable. When the system was rebooted, this service was not available, and remote access was disabled in turn. No biggie.

And CPU usage was NORMAL!!!

Thanks to all that helped me wander my way through this problem. You rock.
July 22, 2004, 9:42 AM CST by bigc27
i am on xp. i have noticed svchost on my computer and i do have a few of them running, my cpu usuage is quite low but reccently on start up i have been getting a message telling me svc has expired and that i must either register or remove it. can sumone please tell me how i register and if it costs anything.

thanks for anyone who replys to this
August 4, 2004, 1:34 PM CST by Slimchandi
I have been all over th net for a solution, resorted to the method of removing services one by one.

Removing the "DNS Client" service killed the bugger for me. Hope this can be of some help for others.
September 2, 2004, 1:16 PM CST by lulluby_99
hey fellas.. i ve got svhost issue on my pc too. i ve solved the problem of pc usage when i used DCOMbolator but now this shetty svhost is trying to establish a phone connection with some location in the web.. any suggestions how to disable this attempt coz when it happens my actul connecion fails .. any help would be highly appreciated thank you
September 15, 2004, 3:48 PM CST by TopSpeeD
ermm im using the TrojanHunter program now..hope that helps...can someone PLZ PLZ PLZ post a guide how to remove this because theres like 17 pages and there are so many ppl whos trying to help but i dunno who to listen too, thx!
September 19, 2004, 8:12 AM CST by TopSpeeD to sld27
I want to thank sld27 for providing the solution
thank u thank u thank u!
everybody that has this problem do as he said on page 11
September 19, 2004, 9:49 AM CST by DAISHI
Holy crap, after all of this fuss in this thread it would take less time to reformat lol! I use Norton Internet Security and update Windows when needed. Never had a virus/worm that was of any great problem. (I can count on one hand the number of times Norton actually found one and deleted it.) If it ever does get that bad that you can't get rid of one, just reformat! (and of course the first thing you do is reinstall norton and windows updates)
October 3, 2004, 1:38 AM CST by Goater to Trunks007
I had the svchost problem with Windows 2000 and resolved it. I used the disk and patches from http://website.lineone.net/~ejthompson/ .It was good to have everything on one CD that has been created solely to sort out this svchost problem for Win 2000.
October 3, 2004, 3:10 AM CST by David_South
Yesterday I had the mother of all mal/adware attacks.

I downloaded a 20 megabyte "registry program" that was being spoofed.
This package unleased armageddon me.

It took a solid 4 hours of scans and manual extraction to get the bugger out. Abates MoeMoneyForU or something like that was the most persistant one. All the others were taken care of in safe mode.

All I can say is thank God for Spybot spy sweeper. It stopped the brood from infection of all my start up and registry listings. God this bugger were malicious as hell. I got a full report on each one and hwat they do. 20 of them download more viruses. 80 of them were adware and tracking. In the first sweep 98 were caught but the rest loaded themselves to apps in RAM and could not be shut down. I started a full shut down and rebooted in safe mode.

F8 is the most beautiful boot key on any problem.

Even using Registry Mechanic 4j wasn't getting it all. After numerous reboots I was fundng hidden programs and file sources everywhere. Windows XP didn't even show these add remove programs in normal mode. I would reboot in safe mode and they would sort of blink into existance while examining (highlighting) each program in the list. Search became my greatest and most paitent ally. I performed the maximum search for ever hint of a program name I could find.

All is good now. No tears and minimal stress. More of a bleemed up expidition than anything. But that was an interesting experience.

The lesson.
Never open a file that is not titled the same as the trial program you are downloading.
If you have antivirus software perform virus scans on files not directly from the source.
October 26, 2004, 3:38 AM CST by SkyChief
What a freakin' thread... This thing is evil...

I had been having the svchost.exe CPU drain for a few weeks now and decided to look into what might be causing the problem. I suspect, as someone else on the thread noted, that there are various causes and solutions.

There's a lot of good info on this thread - just takes a while to read it all :) The most useful postings I'd read, like sld27, helped me to solve the problem. Unlike sld27, it was not SSDPSRV that caused my problem. I decided to take a simpler approach to identifying the culprit. The CPU drain would happen everytime I'd log into Windows XP (Home edition) - By the way, since I don't have Professional, I don't have the Tasklist prog (although you can download it). Anywho, since this problem occurred when logging in, I decided to examine the length of time it took to put each icon on the system tray while watching the svchost eat the CPU in Task Manager. My thought was that the last icon that appeared on the system tray after the CPU drain dropped off was probably the culprit. Sure enough, it was "Windows Messenger". After using it to hook up with a friend, it had been starting everytime I logged in. I disabled it at startup with msconfig and life is good.

Just thought I'd share that tidbit in hopes that someone else might benefit.

My first post here, but like most forums, I can already see that this one seems to have it's share of animosity. So I'll put in my plea... CAN'T WE ALL JUST GET ALONG!! Have a good one people and play nice out there!!
December 13, 2004, 7:14 PM CST by tameanaka
Ok i'm not computer oriented or anything, but I looked at the tasklist for my svchost and I'm not sure if they are normal or not, so could you tell me. First I have 5 instances running and they gave me this:

1. DcomLaunch
2. RpcSs
3. AudioSrv, CryptSvc, Dhcp, EventSystem, lanmanserver, lanmanworkstation, Netman, Nla, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, TrkWks, winmgmt, mscsvc
4. Dnscache
5. LmHosts

Are these normal? Why does more than one instance nee to run in the first place? Why couldn't all those serviecs be run under one instance?
December 15, 2004, 1:20 AM CST by Google to tameanaka
They look normal to me, you only have to worry about an svchost instance, that showa up using alot of processing power. I have 5 good svchost instances running in my task manager too.
December 15, 2004, 11:07 PM CST by greggyp
hi everyone, i have been reading up on the possiblity of my laptop being infected wiht the welcha worm running as a svchost.exe. all the information has been very helpful and i ran through a majority of the solutions presented including updating my antivirus software, however i still seem to have a problem that is different. instead of putting my cpu usage up to 100%, as soon as i connect to the internet my laptop makes an oscillating humming noise. im not sure if this is connected to this worm, or if its a normal process(it never did this before) or what, but its fairly annoying and the noise stops as soon as i go into task manager and end the only svchost.exe using any cpu(only about 2%). has this ever happened before? does anyone think its related? any info would be appreciated, thanks....
December 16, 2004, 11:07 AM CST by greggyp
and just to clarify the noise, its a regularily oscillating low pitch tone that is on for about 4 secs and then off for 2 secs before starting again, i cant figure it out but i think it may be related to the windows service pack i downloaded recently. any info or thoughts would be appreciated thanks...
January 13, 2005, 2:50 AM CST by ExecutoR
Ok got a problem with my comp,
svchost.exe runs at 99%
my taskbar/startmenu is frozen.

they are my symptoms

i am running windowsXP

have downloaded lastest virus defs, scanned no problem, even thinking it was the Welch virus, dloaded the fix for that and it didnt find anything...

PLEASE HELP!!!
January 13, 2005, 8:10 AM CST by Google
Doesnt XP now come with the latest service pack 2 on same disk, when you buy it? if it does then people shouldnt still be suffering this problem, even if you only have a copy with service pack 1 on it.

ExecutoR:
Did you recently just re-install winXP? cos ya need to patch XP before going online, with welchia, sasser and blaster worm patches, then install a firewall before going online and go to windows update for all available critical updates and service packs.
January 16, 2005, 1:53 AM CST by pkngu
OK, ive read this whole thread and tried alot of things to solve my svchost but none work.. i am running on Windows 2k pro

-These are my symptoms-

~computer running EXTREMELY slowley (svchost.exe using up 99-100% of CPU)

~internet also running slow (takes about 3 mins to load each page lol).

~cant copy/paste at all which is quite annoying.

~cant go to certain sites eg. "microsoft.com" (when i hit enter it comes up in the adress bar as something like "http:///%$20www.microsoft.com" and comes up with cannot find page screen) this maby so i cant find any support on this problem.

~frequent "Windows Messenger" popups which inform me of virus infection; then lead me to some site where i have to pay about $39.95 for it to fix my PC (dont know if these sights are legit..) these popups CANNOT be removed with adaware or spybot search and destroy.

~whenever i go to do something which requires alot of memory (like playing games) it often comes up with a message which says "Windows Virtual Memory paging file to small" and then says its incresing it and some memory requests may be denied while its doing this... so i say ok... and i wait about 10 mins and nothing has happened. this error just adds to the constant lagging.

~my PC (i have a laptop) makes constant whining grones which go at about 5 second intervals and last for a few seconds, (this never happened before)

~the connect to the internet icon on my desktop dosent connect after the first time i connect (infact none of these problems happen before i connect)

there is probibly more things but i just have forgot

-these are the things i have tried-

~spybot search and destroy (fully updated)

~adaware pro (fully updated)

~Norton antivirus

~i actually did reformat my PC about a month ago because of this problem.. it worked fine for awhile then it returned im just wondering if i do have to reformat it again i would know how to prevent it

ok is there anything i can do to fix it or am i going to have to buy a new computer or reformat if i do please post any precautions to stop this.
January 17, 2005, 5:02 AM CST by Tweekyoligist
i beem sitting here bored and was reading this discussion, i have 4 instances of the svchost/svchost.exe running on my system as well as one lsass.exe, that said (worm/virus) is supposed to control and my cpu ussage is currently 1% .. one question, when you bring up your task manager what % of cpu does each of the scvhost's show it using, if it is less then 5 i wouldnt consider this the problem, my for example flashes from 00 to 01 will follow this disscussion a few more days to see how things work out or for possible help Good Luck
January 21, 2005, 9:56 PM CST by NotAGeek to Tweekyoligist
I think that there is a worm that uses this svchost process to upload information from machines that is either a "back door" worm (bigbrother) or a worm that is not being identified by the antivirus manufacturers for some reason. The fix is simple. If you are not using a firewall, then download Sygate Personal Firewall (free). Then add a rule denying svchost.exe permission to access any network. It worked for me! :)
January 22, 2005, 9:24 AM CST by Neo_X to pkngu
I`m agree with NotAGeek`s solution, install a firewall and restrict the permission to svchost.exe to access any network, i had the same problems you have with all this stuff installed (spybot search&destroy, adaware, NAV), and just solved when installed a Firewall (Zone Alarm have a freeware version and it works fine). So if you could, reformat your PC like you did a month ago (to eliminate any other problem you may have), install both AV & Spyware detectors AND a Firewall, or just install the Firewall and see how it works for you... Good Luck! :)
January 30, 2005, 12:53 PM CST by martin_abc
HI, I have also the problem of svchost.exe running on my system and slowing down my CPU operation. I am using W2K prof. When I use computer to connect to internet, it would be slowed down gradually and then "down".

I have handled this problem around half day before & maybe I have no this problem at present.

I hope to share my experience to help everyone who are in this trouble.
-
-

1) I use the following Trend Micro online virus scaning my computer.

http://housecall.trendmicro.com/housecall/start_corp.asp

I find out WORM_NETSKY.B, WORM_BAGLE.J , these two worms in my computer.

I think such two worms generate the problem of svchost.exe / services.exe eating the CPU operation.
-
-

2) Then, it is about to delete the virus. However the above link could only detect the worm but could not delete them.

a. Then, I use the following link to delete WORM_NETSKY.B,

http://www.antivirusworld.com/articles/virus/i-worm.netsky.b.php
download (BitDefender) --- "Download removal tool from BitDefender.com" to delete WORM_NETSKY.B

b. Then, I use the following link to delete WORM_BAGLE.J,

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html
download (FxBeagle.exe) -- "1. Download the FxBeagle.exe file from: http://securityresponse.symantec.com/avcenter/FxBeagle.exe. "
to delete WORM_BAGLE.J
-
-

3) Operation of the above two programmes, the worm had already been deleted. If you search and define another virus/worm during Trend Micro scaning, just find some online worm-delete programme to delete them.

Then, I download the firewall software, Zonealarm (I recommended this software, since I use it for a long time.) . You can try the free version

http://www.zonelabs.com OR
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Then, I install the zonealarm accordingly following the procedure.
Then, restart the computer. The zonealarm was set running when window start. During connecting to the internet, the Zonealarm can block the connection of the svchost.exe / services.exe to internet by just pressing "denying". Since such .exe cannot connect to internet, I think the computer can run smoothly then before.
-
-

I am not a programmer, or experienced computer user.

I am not trying to delete the svchost.exe / services.exe but preventing them to connect to internet by using Zonealarm. PS: if there is a worm like WORM_NETSKY.B in the computer, it will affect the Zonealarm programme. That means the Zonealarm programme could not be run, if worm present.

The above is my little bit method for me to handle this problem. I hope my method can help everyone with this trouble to solve this problem.

If you have any problem about my above method, just reply me.

If it is work for your computer, please also leave down a reply to everyone of your method used.

regards,
February 22, 2005, 2:59 PM CST by trueblues to Encryptedmind
Man, you are really wasting all our time. Here we are finding ways to fix the problem and you are trying to create destructive comments to show off your "knowledge". From the 5000+ posts you made i can see that you are just a crap talker. If you cannt help, please go away, we dun need you.
March 12, 2005, 11:27 AM CST by rox731
I am running WindowsXP Home Edition, on a Dell that I got back at Christmas 2002. I looked in my Winows/System32 folder and there is nothing in there at all. However, when I go into a folder called I/386 there is a windows folder with the svchost.exe file in it. I used a transfere program that Christmas to transfere all my files over to this new computer. I'm reading that this file should be in my windows/system32 folder, but there is nothing in there. I went to Iamnotageek.com and they say that if I don't have it in there I should download it and put it in there. However, if you have the professional edition you should all ready have it and don't need to do it.

Should this be in my I/386 folder? And did it come from my old computer. By the way my cpu is working just fine. But this file doesn't seem to be where it should be

Rox
March 16, 2005, 1:57 PM CST by chanpreetanand
yeah i too have this svchost.exe on my comp... tried removing it with the fix symantec provided but didn't work. i have win 2000 and since past cuple of days my network connection shows huge amoutns of uploads even when my system is idle... have tried norton and stinger but to no avail... does anybody have a solution....
March 26, 2005, 2:12 PM CST by lokissonne to chanpreetanand
Well, I had the same problem as you guys but the way i fixed it was going into McAfee Firewall and blocked Svchost.exe from connecting to the internet and my PC usage went down to 0%-5%
March 27, 2005, 12:59 AM CST by PBEX to lokissonne
If you've scrubbed your system and are pretty certain you DO NOT HAVE A VIRUS, but you still have CPU usage issues from SCVHOST, then this post might help. There is a way to find out what services are running behind an instance of SVCHOST.EXE. If you identify them and research what they do, and if they are not critical, you can disable them which may as it did in my case, slay the SVCHOST.EXE usage monster permanently.

This is for XP-Pro... and I have no idea if any of this applies to other OS systems.

1. First, don't worry that there are multiple instances of SVCHOST showing up on the processes tab in TaskMgr - you are supposed to; right now I have 7 running at the same time. Don't go into TaskMgr and try to remove one or more instances of SVCHOST, its supposed to be there. Though viruses can hide under this diguise remember, the assumption here is that you don't have a virus and if you have one parading here, deleting it in TaskMgr will not likely get rid of it. And, if you have deleted one or more instances of SVCHOST.EXE you haven't hurt anything - it will either repopulate itself immediately as it is supposed to OR your computer will shut down,you'll have to reboot and THEN it will repopulate itself. Either way, SCVHOST.EXE is coming back and mutiple instances of it ARE NORMAL.
2. Open Task Manager (press CTRL/ALT/DEL once). Click on the "Processes" tab. Look for the column named "CPU" and click on the word "CPU" to sort by usage percentage (another click will toggle between ascending and descending).
3. SCHHOST.EXE entries that are hogging resources will be at the top (or bottom depending on the sort)of the list. Look for a column named "PID" - this means Process IDentification. Write down the "PID" number associated with the instances of SVCHOST entry(s)which has the high CPU usage. NOTE - if you delete an instance of SVCHOST.EXE and it repopulates - it will come back with a different PID #. You may also get new PID numbers every time you reboot. So if you leave this exercise and come back to it you may need to confirm the right "PID" again before you proceed.
4. Now, to find what services are associated with the particular instance of SVCHOST whose PID you've recorded you have to go to the command (or DOS)prompt: Go to "Start" then "Run" then type "CMD" select"OK" then at the DOS prompt type "tasklist /svc" . This will open a window showing what services are running behing the tasks, by PID #. Look for the PID number(s) associated with the high usage instance(s) of SVCHOST.EXE. In the right column, you will see a list of services running on that instance of SVCHOST.
5. Now the hard part is determining which service(s) is eating up your CPU and whether or not your system can survice without it if you disable it. On mine, the culprit was one instance of SVCHOST which was hosting RemoteRegistry and SSDPSRV. SSDPSRV was somehow stuck in a llop or something and was not correctable by simply rebooting. After Googling these two services to research what each was, I decided I could live without both of them. To kill a service, go to Control Panel / Admin Tools / Services and scroll to find each service. Double click, select General Tab, then under Startup Type select "Disable" hit "Apply" then "OK." This should shut the service down. In my case it immediately recovered all of the CPU resources that were being expended on that instance of SVCHOST.
6. Here is an EXCELLENT website tool: http://answersthatwork.com/ For free - Go here, click on "Task List" to find an alphabetic index of all those tasks in your Task Manager, with a definition of what they do and where there might be issues. Also, for $20 you can purchase from them a tool called "The Ultimate Troubleshooter" which will help sort out all the tasks and services running on your computer at any given time, tell you which ones are OK which ones aren't and which ones might be a problem. They also give suggestions for each instance where a problem is found.

Hope this helps.....
Remember the reason we celebrate Easter!
July 9, 2005, 1:47 PM CST by valentinovalo to martin_abc
HELLO EVERYONE, This message means a lot to me, please I need serious help. I have faced a problem in my pc since I downloaded from hotmail an attach file sent by my friend. It was something about Cool Cartoon.exe something like that.. It was zipped, I accepted it and saved it, when I ran the .exe file, nothing openned but Microsoft Anti Spyware has detected a file that wants to run always on startup, so I knew that would be a virus. The filename was "SVCHOST.exe" so it seems the file is disguised in SVCHOST.exe while it's a worm. I didn't allow microsoft anti spyware to run it always on startup, I asked the program to "BLOCK" it and "keep blocking" it.. When I did that, nothing important hapenned but I noticed that Microsoft AntiSpyware is loading on startup then closing by itself each time I restart my PC, why? maybe because I blocked the virus with it.. I tried uninstalling it, and Installing back, nothing working. I downloaded several Applications that tries to fix it such as Stinger, and many other apps nothing seems to be working. I checked my task Manager, I got 6 SVCHOST.exe files, but of course all of them are natural but one of them is using 58% of computer memory usage. The file is 14000K something arround that.. I tried removing again Microsoft AntiSpyware and installing it, the installation isn't openning even. I guess the virus is blocking it. I even tried also Ad-Aware personnal, The installation works perfectly, when it comes to open the program to make a full scan, it doesnt open. One last thing, I noticed that from time to time, the MSN is closing tell me there is an error in the application 1% something like that. I really dont know what's hapenning, I never encountered this problem, until I got this damn file through hotmail.
NB: My friend told me that he didnt uploaded and sent me the file, the file was sent through his mail by ITSELF to my email. Very weird indeed!
What do you think the problem is guys?! do I have to format?! Is it possible to fix it without formatting?!
Please I need informations about that problem. Each help would be more then accepted. Thanks
July 9, 2005, 1:47 PM CST by valentinovalo
HELLO EVERYONE, This message means a lot to me, please I need serious help. I have faced a problem in my pc since I downloaded from hotmail an attach file sent by my friend. It was something about Cool Cartoon.exe something like that.. It was zipped, I accepted it and saved it, when I ran the .exe file, nothing openned but Microsoft Anti Spyware has detected a file that wants to run always on startup, so I knew that would be a virus. The filename was "SVCHOST.exe" so it seems the file is disguised in SVCHOST.exe while it's a worm. I didn't allow microsoft anti spyware to run it always on startup, I asked the program to "BLOCK" it and "keep blocking" it.. When I did that, nothing important hapenned but I noticed that Microsoft AntiSpyware is loading on startup then closing by itself each time I restart my PC, why? maybe because I blocked the virus with it.. I tried uninstalling it, and Installing back, nothing working. I downloaded several Applications that tries to fix it such as Stinger, and many other apps nothing seems to be working. I checked my task Manager, I got 6 SVCHOST.exe files, but of course all of them are natural but one of them is using 58% of computer memory usage. The file is 14000K something arround that.. I tried removing again Microsoft AntiSpyware and installing it, the installation isn't openning even. I guess the virus is blocking it. I even tried also Ad-Aware personnal, The installation works perfectly, when it comes to open the program to make a full scan, it doesnt open. One last thing, I noticed that from time to time, the MSN is closing tell me there is an error in the application 1% something like that. I really dont know what's hapenning, I never encountered this problem, until I got this damn file through hotmail.
NB: My friend told me that he didnt uploaded and sent me the file, the file was sent through his mail by ITSELF to my email. Very weird indeed!
What do you think the problem is guys?! do I have to format?! Is it possible to fix it without formatting?!
Please I need informations about that problem. Each help would be more then accepted. Thanks
July 9, 2005, 5:57 PM CST by Cray_x1 to valentinovalo
Hmm, have you tried booting into safe mode, then installing the virus scan and running it? As safe mode uses only windows drivers an no extra files, you should be able to access the infected file, and delete it withought any trouble
July 10, 2005, 8:02 AM CST by valentinovalo to Cray_x1
Hello, I think it worked a bit, I've entered to safe mode, I was able to find in the msconfig a file called "SVCHOST.exe" that is running from C:\Programs Files\SVCHOST.exe so I unchecked it from the startup... Now it seems to be working just fine, but neutralising it isn't enough. I want to delete it, and I dont know what am I supposed to delete because I dont know what are the files corrupted, what is the virus's name or any other informations. I just know that i've been infected from an attach file from my email. that's it, if you may tell me what anti virus should I use and what anti spyware. I'd be grateful.
NB: I'm using Avast! Full updated anti virus, and Microsoft AntiSpyware.
What do you think?!
July 14, 2005, 5:29 PM CST by Google to valentinovalo
Try running hijackthis, and post the logfile of the report it gives you, I should be able to tell you what you need to check and fix in the report.
July 14, 2005, 7:45 PM CST by sgross2006
Ok i've read that some symptoms of svchost.exe are things like running slow and taking up most of your memory and stuff like that. Well see i aint really got any of these problems but i looked to see what programs are running and svchost.exe is one of the programs.. actually i think theres 5 or 6 or em running but im not positive.. Is this thing bad for my PC?? Should i get rid of it? Is it even a virus or a worm?? And by the way im running XP Pro. I think it might be a file thats supposed to be in there but i just wanna make sure.
July 14, 2005, 8:57 PM CST by Google to sgross2006
svchost.exe is a part of winXP and win2000, but their are certain nasties on the net which impersonate the file, if there's nothing going wrong with your operating system then there is nothing to fix.
July 15, 2005, 4:04 PM CST by Cray_x1 to valentinovalo
svchost.exe shouldn't be in your program files folder, so you can delete that one. The file should be somewhere in your windows directory, and if you want to replace that one look to the last paragraph, it shows you how, otherwise don't worry about it. Also if you can't delete the svchost in program files, try deleting it in safe mode.

On your windows XP install disk there actually is a full list of the windows files, except that their extensions have been slightly changed. to get to them look on your win XP cd-rom (right click on the CD-ROM icon and choose open when the disk is in) and go into i386. This is the folder with backup programs, except youll notice that all the extensions have been slightly altered, e.g. ".exe" to ".ex_". So in here do a search (all files and folders) for "Svchost.ex_". Once you find it, copy it into a file on your hard drive, change the extension to .exe instead of .ex_, boot into safe mode, navigate in the windows folder to where svchost.exe is normally and finally replace the one in the windows folder with the new one you copied from the CD.
September 22, 2005, 9:00 PM CST by Shuin
Hi guys, ok i have something that is really weird... i've read this whole thread... and i see we are all experiencing svchost.exe problem, and it's symtoms... but in my case, i have 6 svchost.exe running but it is not doing anything to my computer at all... everything works fine...but my cpu usage is jumping from high to low over and over again... i dont know what is wrong ... except when i play games i experience skips and pauses, i wonder if this is the reason for it...and again my computer works fine...i've ran all the scans already w/ zonealarm and the free mcafee, i have no virus/spywares... if u know y it is affecting my game play, help me please...I have Sony NoteBook w/ XP H.E ... with all the drivers up to date. I wonder if it is svchost?
September 28, 2005, 12:13 AM CST by DVOM
I've read a lot of this thread and i had a similar problem. Mainly the svchost.exe process running about 99%. No viruses/trojans present. It was crippling my machine. It slowed the machine down to a crawl and I couldn't connect to the internet.

I was able to temporarily fix it by shutting down the service in "task manager" that was taking the CPU time.

The solution to my particular problem was that I had added a new extra large hosts file to my XP OS. That was the problem. I knew this about W2K but not XP, you need to disable DNS Cllent in services.
Đ 2000-2005 pcvsconsole.com