So my SvcHost is all of a sudden taking 100% of my CPU, and I'd like to figure out which service is responsible for this. Is there any way to differentiate the load being generated by the multiple services running in a single SvcHost?
I have run a virus scan and it came up clean my tool is old and outdated so it found nothing.
I tried stepping through the services, stopping them one by one, but I couldn't find the culprit (note some services also auto restarted and I didn't want to disable them).
Update: I used Process Explorer last night but there were many services, some of which couldn't be stopped, in the offending SvcHost. Today I checked again at heavyd's suggestion and got lucky because only two services are in the offending SvcHost today.
DcomLaunch - DCOM Server Process Launcher
TermService - Terminal Services
Neither of which are stoppable. I am up to date on Windows updates. Going to run another virus scan for the heck of it although nothing turned up last night. Maybe it's time for a fresh start (this install is from sometime in 2004).
Update: Definitely a virus. After the last reboot the CPU usage dropped, but I got some odd "Security Software Installed" messages at boot, oddly named processes running (for example, 555573478785.exe), and suspicious keys added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that were not there last night.
Symantec AntiVirus Corporate 8.1.0.825 presented some warnings, but it doesn't seem to be catching everything :-(
Malwarebytes' Anti-Malware results:
Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/19/2010 12:12:58 PM
mbam-log-2010-02-19 (12-12-58).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290960
Time elapsed: 1 hour(s), 23 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Hiloti) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbabjtm.dll -> Delete on reboot.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\55533526 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\~TM17.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TM466.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Local Settings\Temporary Internet Files\Content.IE5\2WE7TOVW\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.Second scan results:
Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/19/2010 1:54:07 PM
mbam-log-2010-02-19 (13-54-07).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290753
Time elapsed: 1 hour(s), 18 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129104.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129105.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.Update: After a couple more scans it looks like my PC no longer has a virus.
Thanks everyone!
44 Answers
I would suggest grabbing Microsoft/SysInternals Process Explorer. With process explorer you can open the specific svchost process and see which services are being run from that process. You can then use the "Services" tab in the process details to stop individual services to find the culprit.
1As long as the multiple services are running in a single svchost.exe you can't differentiate the load. But there is an easy and safe way to split them out in separate svchost.exe's:
SC Config Servicename Type= ownDo this in a command-line window or put it into a BAT/CMD script. Requirements for this to work are:
- Administrative privileges when the
SCcommands are executed. - Restart of the computer. It does not takes effect before.
- The space after "=".
The original state can be restored by:
SC Config Servicename Type= shareExample: to make Windows Management Instrumentation run in a separate SVCHOST.EXE:
SC Config winmgmt Type= ownI have used the following sequence on a Windows XP system. It can be pasted directly into a command-line window.
rem 1. "Automatic Updates"
SC Config wuauserv Type= own
rem 2. "COM+ Event System"
SC Config EventSystem Type= own
rem 3. "Computer Browser"
SC Config Browser Type= own
rem 4. "Cryptographic Services"
SC Config CryptSvc Type= own
rem 5. "Distributed Link Tracking"
SC Config TrkWks Type= own
rem 6. "Help and Support"
SC Config helpsvc Type= own
rem 7. "Logical Disk Manager"
SC Config dmserver Type= own
rem 8. "Network Connections"
SC Config Netman Type= own
rem 9. "Network Location Awareness"
SC Config NLA Type= own
rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own
rem 11. "Secondary Logon"
SC Config seclogon Type= own
rem 12. "Server"
SC Config lanmanserver Type= own
rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own
rem 14. "System Event Notification"
SC Config SENS Type= own
rem 15. "System Restore Service"
SC Config srservice Type= own
rem 16. "Task Scheduler"
SC Config Schedule Type= own
rem 17. "Telephony"
SC Config TapiSrv Type= own
rem 18. "Terminal Services"
SC Config TermService Type= own
rem 19. "Themes"
SC Config Themes Type= own
rem 20. "Windows Audio"
SC Config AudioSrv Type= own
rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own
rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own
rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own
rem 24. "Workstation"
SC Config lanmanworkstation Type= own
rem End.I suggest you give AVIRA AntiVirus a try. It has a higher detection rates than any major antivirus out there. I definitely recommend it.
The same condition with me. This is virus on my side. But there is no doubt that NO ANTIVIRUS can cure it because SvcHost itself was being injected and infected. SvcHost can never be deleted or terminated then.
Use the Sysinternal's Process Explorer
Then, find which SvcHost service is running
without a parent. Because eachsvchost.exemust be loaded byservices.exe. OR you can figure out theParentof a process by: Double Clicking on it >> "Image" Tab >> "Parent" Label.
Additionally, if the virus you got is the same as the one with me (infecting from all html files with VBScript), you should do the following steps.
Clear all
.htmlfiles (or) remove the code from each.htmlfile.After cleaning the
.htmlfiles, for me in this situation, I surely replaced theSVCHOST.EXEfrom the Windows XP installation CD, by usingRecovery Consolefrom boot.
