svchost running at 100%
Warning: Programs that access or monitor the Internet such as antivirus, firewall, or proxy clients may be negatively affected when you run the netsh winsock reset command. If you have a program that no longer functions correctly after you use this resolution, reinstall the program to restore functionality.
From http://support.microsoft.com/kb/811259
SJB0 -
Hello again Duncan
That comment of yours a couple of posts back ... not sure. I always recommend CleanUp as a first try because it's easier for people to use. It cleans out all temp files (where malware might hide) and I've never had anyone complain after just running the default cleaning settings.
That said if you are happier with CCleaner then that's fine.
What I will say is please delete everything from all temp. folders/locations. They are not needed and, as I say, malware can hide there.
One reminder on HJT ... it's a great application but even the developer - Merijn Bellekom - warns it doesn't reveal everything.
Your last log doesn't show anything very bad except perhaps your remark about RIPE being your ISP (that 017 entry). I have come across many troubled folk with the RIPE Network out of Amsterdam ... which is a known spyware/adware heaven. I am always careful with RIPE users.
I recommend you go work through all procedures in the first 4 posts to this thread .....
http://forums.moneysavingexpert.com/showthread.html?t=133269
If you can't do any of the steps let us know what happened. Ewido is particularly useful at fixing things HJT can't see.
As you already have SP2 don't worry too much about skipping advice on how to install SP1a.
By the way ... any advice you see on disabling system restore .... don't do it at this stage. Yes, malware may be hiding there but we'll work on what we have at the moment before taking that step.
If you are still having trouble download/install/run/scan with Trojanhunter [free fully working trial version].
http://www.misec.net/
When done please post another HJT log and let us know how your system is working then.
If it's not all fixed we may have to resort to other deeper scanners.0 -
Since the problem appears to be with Automatic Updates and specifically update.exe in C:\WINDOWS\SoftwareDistribution\Download, do what others have suggested and check the Windows Update log file (c:\windows\WindowsUpdate.log) for errors.
Compare the errors to those listed here:
http://inetexplorer.mvps.org/archive/windows_update_codes.htm
How to read the Windowsupdate.log file:
http://support.microsoft.com/?kbid=902093
My 'guess' is that deleting update.exe will help to fix this problem.0 -
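The log check suggested in the post above, as an added example that is not part of the original thread: a small Python script that pulls failure codes out of WindowsUpdate.log so they can be compared against the linked code list. The sample lines are constructed, and the whitespace-separated layout (date, time, PID, TID, component, text) is an assumption based on the KB article linked above.

```python
import re
import sys

# Constructed sample lines (not from the thread). Assumed layout:
# date, time, PID, TID, component, free text.
SAMPLE_LOG = (
    "2006-03-14\t09:12:01:250\t 1052\ta4c\tAU\tAU setting next detection timeout\n"
    "2006-03-14\t09:12:04:718\t 1052\ta4c\tPT\tWARNING: search failed, error = 0x8024402C\n"
    "2006-03-14\t09:12:04:734\t 1052\ta4c\tAgent\tWARNING: client failed with error 0x8024402c\n"
    "2006-03-14\t09:15:40:031\t 1052\tb10\tDnldMgr\tFATAL: download request failed with 0x80070005\n"
    "2006-03-14\t09:15:41:000\t 1052\tb10\tHandler\tinstaller returned 0x0\n"
    "not a log line\n"
)

# Failure HRESULTs have the high bit set, so they start with 0x8.
ERROR_CODE = re.compile(r"0x8[0-9a-fA-F]{7}\b")
DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

def parse_line(line):
    """Split one log line into fields; return None for anything else."""
    parts = line.split(None, 5)
    if len(parts) < 6 or not DATE.fullmatch(parts[0]):
        return None
    date, time, pid, tid, component, text = parts
    return {"when": f"{date} {time}", "component": component, "text": text.rstrip()}

def summarize(log_text):
    """Map each failure code to its count, reporting components and first sighting."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for raw in ERROR_CODE.findall(rec["text"]):
            code = "0x" + raw[2:].upper()   # normalise case so duplicates merge
            entry = found.setdefault(
                code, {"count": 0, "components": set(), "first": rec["when"]})
            entry["count"] += 1
            entry["components"].add(rec["component"])
    for entry in found.values():
        entry["components"] = sorted(entry["components"])
    return found

if __name__ == "__main__":
    # Pass the path to WindowsUpdate.log, or run with no argument for the sample.
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    for code, info in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        print(code, info["count"], ",".join(info["components"]), info["first"])
```
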
That comment of yours a couple of posts back ... not sure. I always recommend CleanUp as a first try because it's easier for people to use. It cleans out all temp files (where malware might hide) and I've never had anyone complain after just running the default cleaning settings.
That said if you are happier with CCleaner then that's fine.
It wasn't a comment about the general usefulness of CleanUp, more that I found it didn't just do the options ticked.
I will try the various suggestions and report back.
Duncan
Fiscal drag, that's my problem. Too many people dragging on my fiscals.0 -
Thanks for the feedback, Duncan. Curious why CleanUp didn't do as you instructed.
Suggest you do as Chippy says first before my earlier post this morning. My concern is that the update file is indeed corrupt in some fashion. Maybe deleting it then reinstalling will fix it.
I really hope it does but this all smells wrong. It still smacks of malware infections to me.0 -
:cool: I've not read every post 100% so not sure if you've fixed the problem ....
but I'm 99% sure you have the BLASTER Virus .... as others have said, since it hides itself in a legitimate Windows program it doesn't seem to be detected by virus checking programs.
I've had this same problem on 2 machines - for a utility to clear this up do a search on Google for BLASTER SVCHOST VIRUS .... there are various utilities out there to detect and clear it up (you may need to run it a couple of times to detect for some strange reason!!) ....
http://www.sophos.com/support/disinfection/blastera.html
More help and info above.
Hope this helps !!0 -
This does look like a blaster-ish trojan/worm - they can turn off firewalls, anti-virus and updates and they fight back - hence your 100% CPU.
http://vil.nai.com/vil/stinger/ <<< download stinger.exe (removes top 60 worms/trojans) or whatever they have had to rename it to because the virus writers were attacking stinger as well.
Do a safe boot with no network connections - turn off system restore - these viruses just reload themselves. Open a command prompt. Change to the c:\ root directory and do a "rmdir recy*.* /s" to remove your recycle bins. Next go looking for your temp folders - ALL of them! and delete these too. Usually in docs and settings etc. and the windows\temp.
Run stinger and reboot till it reports no more infections - have known it to take over 6 runnings to clear a pc.
Good luck.
PS A lot of trojans/worms now are network based - if you have more PCs in the house/LAN these may be the actual infected PCs
Rich people save then spend.
Poor people spend then save what's left.0 -
nothing in the hijack logs to indicate this, don't see the point in running stinger
Ex forum ambassador
Long term forum member0 -
Browntoa wrote: nothing in the hijack logs to indicate this, don't see the point in running stinger
Yep clean as a whistle... :wave:0 -
I thought this at first when I had SVCHOST running at 99/100% - and the logs showed as being clean, and despite running 3 different virus progs that found nothing.
"Apparently" - Because of the nature of how the Blaster Virus works (by embedding itself in such a way) in a legitimate file - the logs apparently won't show anything suspect ....
IMHO - if every avenue you've tried has not fixed the problem - you have nothing to lose by running the checks for the BLASTER virus - eg. from Sophos (a respected virus checking provider) - it might just surprise you .... it did for me !! :cool:0