Why does svchost.exe eat all processor time?

Status
Not open for further replies.

Scorpio(Max)

Several minutes after I start work, one of the svchost.exe processes begins to use all processor time and the system hangs!!
 
I know it could happen but I'm not sure!
• I need freeware antivirus
• (Win 2000 Server) as workstation
 
svchost.exe is almost like a chemical that the computer needs to process applications and system services. In XP it is normal for the svchost to sap up to 15,000k; if it is sapping more, and it reads as all caps: SVCHOST.EXE, then you have a virus, a network virus that will infect anything on the LAN.
 
svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down.
 
I just took a look at the amount of usage those were taking.
I only show three in my log but I show 6 in my task manager using:
3,168
3,960
4,208
22,636
4,128
4,872

And my system is perfectly healthy.

Here is the quote I was looking for yesterday when I had to go work on a client's computer:
svchost.exe [System32\svchost.exe]

%System% is a variable. By default, the legit files are:

C:\Winnt\System32 (Windows NT/2000): C:\Winnt\System32\svchost.exe*
C:\Windows\System32 (Windows XP): C:\Windows\System32\svchost.exe*
C:\Windows\System (Windows 95/98/Me): not normally present*

To know if it is legit - the easy way; simply remember these *

These are vital Windows system files, and should usually never be touched!

The legitimate files are never plural.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

There are many variants across all OS. This list is not comprehensive.
This is the hard way to get it right > working through these and not get lost.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

SVC variants – Trojans, viruses and hijackers.
These variants are often case specific as shown.

These are generally found in the Windows folder and are sometimes in plural form.

c:\windows\svchosts e.g. Troj/Hostidel.B

c:\windows\svchostc.exe e.g. Backdoor.Zinx

c:\WINDOWS\svchost32.exe e.g. Nachi Worm.



However, these variants are found in the \Windows\System folder

c:\Windows\system\svchosts.exe e.g. Sdbot-N / Troj/Sdbot-Z virus!

C:\WINDOWS\SYSTEM\svchost32.exe e.g. BackDoor-AQT

C:\WINDOWS\SYSTEM32\svchosts.exe e.g. IRC-Sdbot trojan

C:\Windows\System32\Wins\svchost.exe Welchia worm, W32.Blaster, LoveSan.D, Nachia

C:\Windows\System32\Svhost.exe. e.g. Backdoor.Socksbot; WORM_AGOBOT.D (W32/Gaobot.gen ); BAT.Boohoo.Worm

C:\Windows\System32\SVCH0ST.EXE [ with an 0, not an O ] WORM_SAGE.A.



SCV variants – Trojans, viruses and hijackers

c:\windows\scvhost.exe e.g. W32/GAOBOT worm

c:\windows\SCVHOS.EXE



Startup Variants:

O4 -HKLM\..\Run:[svshost] svshost.exe e.g. W32.Spybot.Worm, Worm.P2P.SpyBot.gen

O4 -HKLM\..\Run:[scvhost] scvhost.exe e.g. W32/Randex-S
There is also an SVCHOS startup.


Related Variants

C:\WINNT\SYSTEM32\MSVCHOST.EXE e.g. Downloader-GJ


** All names of malware depend on the identifying company and may have several aliases!

NOTE: just to keep you on your toes: this exception is a legit file:

c:\windows\SCVHOSTS.EXE .......... Windows Print Spooler (SCVHOSTS.EXE)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

[From what I know; normal size for System32\svchost.exe is 8 to 14k, depending upon file version. Fully patched WinXP SP1 is 13k. (to be confirmed)]




Svchost.exe General Information:

The legit file c:\System32\svchost.exe is a generic host process name for services that are run from dynamic-link libraries. The System32\svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, System32\svchost.exe checks the services portion of the registry to construct a list of services that it needs to load for other Windows components.

System32\svchost.exe could be almost anything..... Svchost.exe is what XP uses/calls an item when it needs to perform certain functions but doesn't have a subroutine to do them on its own (it uses the generic Windows file svchost.exe).

There is an intensive internal comms system in XP. There can be multiple instances of System32\svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. It is normal for Windows processes to use reasonable but not excessive CPU and normal for several concurrent System32\svchost.exe processes to happen.
 
How many startup items do you have? If you have a lot, go to start, run, type msconfig, go to startup, disable all except antivirus and firewall if you have one. See if this makes any difference.
 