
svchost: rpcss using 70% of CPU continously

Discussion in 'Windows XP' started by colorado97, Mar 16, 2004.

  1. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    Task Manager shows svchost.exe is using nearly all of the processor's capacity all the time. System was infected with a virus. Ran the Stinger program to remove them. What would cause svchost to continue using the processor continuously? What can be done to correct the problem?
     
  3. Sequal7

    Sequal7

    Joined:
    Apr 14, 2001
    Messages:
    2,382
  4. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    With the processor running at the levels it is and the dial-up connection, the HouseCall site runs rather slowly, but I'll give it a try. I'll post the results as soon as (if) I get them.
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download HijackThis: http://www.spychecker.com/program/hijackthis.html
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, so don't fix anything yet.
     
  6. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    I've run TrendMicro's HouseCall program and various other virus scanning utilities now. None of the utilities detected anything new. All say "congratulations, your system isn't infected". However, the instance of svchost.exe running RpcSs is still utilizing about 70% of the processor's capacity on a continuous basis. What should be done to fix the problem?
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Follow mobo's instructions and post a Scanlog anyway. Those antivirus programs don't catch everything.
     
  8. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    Logfile of HijackThis v1.97.5
    Scan saved at 5:26:18 PM, on 3/18/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\Explorer.Exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\RAM Idle\RAMIdle.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\sm.exe
    C:\WINNT\System32\explore.exe
    C:\Disk Utilities\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\RAM Idle\RAMIdle.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [Video] explore.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\System32\msconfig.exe /auto
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\RunServices: [Video] explore.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [OLE] C:\WINNT\sm.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.5592708333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B1C5677-EE93-4927-9957-0952C9F90A82}: NameServer = 209.153.128.4 169.207.1.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3B1C5677-EE93-4927-9957-0952C9F90A82}: NameServer = 209.153.128.4 169.207.1.3
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You've got some worms running:

    C:\WINNT\sm.exe
    C:\WINNT\System32\explore.exe

    And possibly:

    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\System32\msconfig.exe /auto

    msconfig.exe does not come preinstalled in Win2k, so if you didn't install it, it is suspicious.

    If you are not sure, find the file in the system32 folder, right-click on it and select Properties > Version and verify whether it has a Microsoft copyright. Also, msconfig, if legit, will not normally show as a startup unless you have disabled items in it and have not told it not to warn you on each reboot. If you are using msconfig to disable items, these items will not show in the Scanlog and we will not know what else may be lurking.

    For now, put checks in the following HijackThis Scanlog entries:

    O4 - HKLM\..\Run: [Video] explore.exe
    O4 - HKLM\..\RunServices: [Video] explore.exe
    O4 - HKCU\..\Run: [OLE] C:\WINNT\sm.exe

    Click Fix, and then reboot.

    You should now be able to delete these files:

    C:\WINNT\sm.exe
    C:\WINNT\System32\explore.exe

    You may need to ensure "show hidden files" is checked in Folder Options > View if you have difficulty finding them.

    ^^ Do not confuse with explorer.exe or iexplore.exe!!

    If you cannot delete them in normal mode, reboot in Safe Mode and repeat the operation:

    How to start in Safe Mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    Then post another scanlog when you have completed these steps.
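    As an added example (not from the thread, and not part of HijackThis), the Python script below applies the checks Rollin' Rog describes above to a constructed excerpt of the posted log: the one-letter lookalike rule (explore.exe vs explorer.exe), an executable dropped straight into the Windows folder (sm.exe), and a tool that is not shipped with the stated platform (msconfig.exe on Windows 2000). The list of Windows binary names and the Windows-folder heuristic are my assumptions, not a HijackThis feature.

```python
import re
# Constructed excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = """\
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Video] explore.exe
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINNT\\System32\\msconfig.exe /auto
O4 - HKLM\\..\\RunServices: [Video] explore.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\\..\\Run: [OLE] C:\\WINNT\\sm.exe
"""
# O4 lines look like: O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed list of Windows binaries whose names worms imitate with a one-letter change.
WINDOWS_NAMES = {"explorer.exe", "iexplore.exe", "svchost.exe", "lsass.exe",
                 "services.exe", "winlogon.exe", "ctfmon.exe"}
# Tools absent from a platform's default install (the thread: msconfig is not in Win2k).
NOT_SHIPPED_WITH = {"Windows 2000": {"msconfig.exe"}}

def levenshtein(a, b):
    """Edit distance, used to catch one-letter lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_path(cmd):
    """First token of the command, honouring a double-quoted path."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def triage(log_text):
    """Return (log line, [reasons]) for each O4 entry that deserves a second look."""
    lines = log_text.splitlines()
    platform = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Platform:")), "")
    not_shipped = next((v for k, v in NOT_SHIPPED_WITH.items() if k in platform), set())
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        folder, _, name = exe_path(m["cmd"]).lower().rpartition("\\")
        reasons = []
        if name not in WINDOWS_NAMES and any(levenshtein(name, w) == 1 for w in WINDOWS_NAMES):
            reasons.append("one letter away from a Windows binary name")
        if folder in ("c:\\winnt", "c:\\windows"):
            reasons.append("executable dropped directly into the Windows folder")
        if name in not_shipped:
            reasons.append("not shipped with this platform; check Properties > Version")
        if reasons:
            findings.append((line, reasons))
    return findings
```

    Calling triage(SAMPLE_LOG) flags both explore.exe entries, the msconfig.exe entry and sm.exe, and leaves mobsync.exe and ctfmon.exe alone.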
     
  10. uly7

    uly7

    Joined:
    Jan 27, 2004
    Messages:
    687
    Hola,
    I have 5 svchost.exe running at the same time in the Task Manager.
    Is this normal?
    I also have an IEXPLORE.EXE and explorer.exe running at the same time. Is this normal?
    Thanks,
    Uly7
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  12. uly7

    uly7

    Joined:
    Jan 27, 2004
    Messages:
    687
    Hola Rollin,
    thanks for the "super-fast" response.
    Uly7
     
  13. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    The WinXP version of msconfig was put on the system to control some startup items that were problematic (those being software for the DVD burner).

    I was able to delete the worm, sm.exe, from within Windows. I got access denied messages as I tried to delete the three copies of explore.exe that existed on the system. So, since the drive is formatted as FAT32, I used a Windows 98 boot disk and got to a DOS prompt. I then deleted the explore.exe file from the root directory, WINNT, and WINNT\SYSTEM32 directories. Svchost.exe is not utilizing the processor like it was before, but now the system does not disconnect from the internet when I try disconnecting. Below is the new HijackThis log:

    Logfile of HijackThis v1.97.5
    Scan saved at 4:19:11 PM, on 3/22/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\WINNT\Explorer.Exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\RAM Idle\RAMIdle.exe
    C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
    C:\WINNT\System32\ctfmon.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\RAM Idle\RAMIdle.exe
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Washer] c:\Program Files\ccwasher\washer.exe /0
    O4 - HKLM\..\RunOnce: [washindex] c:\Program Files\ccwasher\washidx.exe "Administrator"
    O4 - HKCU\..\RunOnce: [washindex] c:\Program Files\ccwasher\washidx.exe "Administrator"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.5592708333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B1C5677-EE93-4927-9957-0952C9F90A82}: NameServer = 209.153.128.4 169.207.1.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3B1C5677-EE93-4927-9957-0952C9F90A82}: NameServer = 209.153.128.4 169.207.1.3

    When the system was restarted today Norton detected Trojan.virtualroot and said it couldn't be repaired. The Norton log shows the following:

    1/22 - WINNT\SYSTEM32\TFTP920 infected with W32.Valla.2048 virus. File repaired.

    1/22 - WINNT\SYSTEM32\TFTP1304 infected with W32.ElKern.4926 virus. File repaired.

    1/22 - Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JLUNQR2B\.mid infected with W32.Klez.H@mm virus. File quarantined.

    1/22 - Administrator virus scanning: Master boot records and Boot records both showed: Scanned - 1 Infected - 0 Repaired - 0 Files: Scanned - 34269 Infected - 3 Repaired - 2 Quar'ed - 1 Deleted - 0

    2/6 - Documents and Settings ... Content.IE5\5MBIU7FC\bgcol.pif infected with W32.Klez.H@mm virus. Unable to repair this file. Access to the file was denied.

    2/22 - WINNT\system32\socks5.exe infected with Bloodhound.Packed virus. Unable to repair this file. Access to the file was denied.

    Virus scannings on 3/13, 3/14, and 3/21 all showed 0 infections.

    3/22 - file C:\explorer.exe infected with Trojan.VirtualRoot virus. Unable to repair this file. Access to this file was denied.

    Note again that the processor is no longer being utilized like it was. :) But the system won't disconnect from the net and there still appears to be some infections. What should the next steps be?
     
  14. Sequal7

    Sequal7

    Joined:
    Apr 14, 2001
    Messages:
    2,382
    Well, it would be beneficial to go to Symantec and perform an online scan, as I'm betting you used the HouseCall one in the beginning.
    The Symantec site is far superior at finding and fixing the latest viruses.

    It should catch and repair the viruses.

    The alternative is to go to the Symantec website and download the following repair tools:
    Trojan.VirtualRoot = http://securityresponse.symantec.com/avcenter/venc/data/trojan.virtualroot.html
    bloodhound.packed = http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.packed.html
    W32Klez = http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    Then delete (if not already done) the files:
    WINNT\SYSTEM32\TFTP1304
    WINNT\SYSTEM32\TFTP920
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any files there that can't be deleted as long as they are not in use.

    You shouldn't need to use a DOS boot disk; either try Safe Mode or Safe Mode with Command Prompt. This last method doesn't load the Explorer shell, so anything that is hooked into Explorer.exe should be deletable.

    I don't really see anything in the Scanlog that should affect disconnecting, but to be sure you can try a "clean boot" by using msconfig to bypass the startup group altogether.

    Also I don't know if some of those startups are yours intentionally or were created by the worm.

    For example:

    C:\WINNT\System32\inetsrv\inetinfo.exe

    Executable used by MS Internet Information Server (IIS). If it's running, then so is IIS. Useful in knowing whether you require the patch for the Code Red worm. Comes with PWS (Personal Web Server) or NT4 and handles ASP-, PHP code (+ more)

    ref: http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

    And what method are you using to disconnect? Are you right-clicking on the connection icon in the system tray and trying to disconnect, or are you simply not getting the automatic prompt? This last is an IE configuration option that may need to be reset.
     
  16. colorado97

    colorado97 Thread Starter

    Joined:
    Mar 16, 2004
    Messages:
    58
    What about the socks5.exe that's infected with Bloodhound.Packed? Is that a needed file? Will deleting it affect anything?

    MS FrontPage is installed, but I don't think IIS is needed for that.

    Disconnect by right-clicking icon in task bar. Doesn't actually disconnect though and icon remains in task bar.
     
Short URL to this thread: https://techguy.org/212413