100% CPU usage


Lynda

Hi all.

Am running Win2K on a Pentium 3 with 256 MB RAM.

Msconfig, regedit, NAV all shut down on me after a couple of seconds, and my
CPU usage is running at 100%.
I have run NAV in safe mode and it detects nothing, and I cannot find any
trace of the file scvhost.exe which, from what I have read, should indicate
a worm.
There is so much confusing clutter on the web/usenet about what my problem
could be ... can anybody clarify for me exactly what I have been infected
with, and ways to remove it?

As usual, many thanks in advance to all.

Cheers.

Lyn.
 
It certainly sounds like you've been infected by a virus. However,
svchost.exe is a normal part of your Windows operating system and has
nothing to do with virus infections (though there are virus messages that
tell you this). Almost any Win2K or WinXP installation will have several
copies of svchost.exe running at all times. If you've deleted your
svchost.exe file, this may also be your problem. You also might try Trend's
housecall service which scans your system via the web.
http://housecall.trendmicro.com/

Gregg C.
 
Thanks Gregg.

I haven't deleted anything yet (and I was referring to "scvhost.exe" (note
the juxtaposed c/v), which I have read about).
I will try the 'housecall' URL this evening and report back.

Thanks again.

Lyn.
 
Usually when the normal svchost is using much CPU-time it can be the
DNS-service if you have a big hosts list. Disabling the service
helped me. A normal user does not need it.

Jari
 
Quoth the raven named Lynda:
I haven't deleted anything yet (and I was referring to "scvhost.exe" (note
the juxtaposed c/v) which I have read about.).

...which you should have pointedly shown in your first post. Looks like
just another typo to anyone reading.

However, googling for sCVhost.exe turns up a multitude of sites. Who
knows how many are typos? DO read this page carefully, though:

http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=73535

...then get HiJackThis and identify your problem.
I will try the 'housecall' URL this evening and report back.

Do the above first...
 
Hi all, and many thanks to the folk who replied to this distress call.

'Tis fixed, and I will document this in lay-speak on the off-chance that it
helps future victims.

When viewing running processes (Ctrl-Alt-Delete, Task Manager, Processes) I
saw that one particular program (video_lnk32.exe) was doing nothing for
10-15 seconds, and then suddenly occupying up to 80% of my CPU for a while
before dropping back to nothing, then cycling through the procedure again.

Looking in my system32 folder I saw two new files created very recently.
One was winhlpp32.exe which I had read was worm-related, and the other was
video_lnk32.exe.
A Google search for the latter came up with a total blank ... unheard of for
a legit operating system file.

So. I moved (didn't delete ... a bit nervous!) both files to a junk
directory and restarted Windows 2000 in safe mode (because part of the
symptoms of infection are that 'regedit' shuts down after a few seconds in
normal mode).

Start, Run, regedit, to edit the registry. I backed up by clicking on
Registry, Export registry file, and saving a copy to my hard drive, then
navigated to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(and checked all the other 'Runs*')

where there was an entry along the lines of:
Windos video link --- video_lnk32.exe

Windos is as is ... not a typo.

Deleted these entries (keys?) and rebooted normally.
Hoorah.

Have Googled again today for 'video_lnk32.exe' and it gets a mention! I see
that another user here in France has the same problem and posted it on a
forum ... is this file just a French thing? :) Anyway, it is now
semi-documented, and hopefully of future help.

Once again, thanks to all.

Cheers.

Lyn.
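
The review Lyn describes above (reading the Run keys and spotting names that are near-misses of real Windows binaries, such as scvhost.exe), as an added example that is not part of the thread. It generalises her manual check to a regedit export; `KNOWN_GOOD`, `audit_run_keys`, `osa_distance` and the sample text are assumptions constructed for illustration.

```python
import re

# Assumed baseline of legitimate Windows binary names; extend it for your own build.
KNOWN_GOOD = {"svchost.exe", "winhlp32.exe", "explorer.exe", "mobsync.exe", "lsass.exe"}

# Constructed regedit-format sample; only "Windos video link" comes from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windos video link"="video_lnk32.exe"
"Help"="C:\\WINNT\\system32\\winhlpp32.exe"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service Host"="scvhost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NotAutorun"="ignored.exe"
'''

KEY_RE = re.compile(r"^\[.+\\CurrentVersion\\(Run[^\\\]]*)\]$", re.I)  # Run, RunOnce, RunServices...
VAL_RE = re.compile(r'^"(.*?)"="(.*)"$')
EXE_RE = re.compile(r'([^\\"/]+\.exe)', re.I)

def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters (cv -> vc) costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def audit_run_keys(reg_text):
    """Return (key, value name, exe, verdict) for autorun entries outside the baseline."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        k, v = KEY_RE.match(line), VAL_RE.match(line)
        if line.startswith("["):
            key = k.group(1) if k else None  # values under non-Run keys are skipped
        elif key and v:
            found = EXE_RE.search(v.group(2))
            exe = (found.group(1) if found else v.group(2)).lower()
            nearest = min(KNOWN_GOOD, key=lambda g: (osa_distance(exe, g), g))
            if exe not in KNOWN_GOOD:
                verdict = "lookalike of " + nearest if osa_distance(exe, nearest) <= 2 else "unrecognised"
                findings.append((key, v.group(1), exe, verdict))
    return findings

print(*audit_run_keys(SAMPLE_REG), sep="\n")
```

A real Windows 2000 regedit export is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit_run_keys`.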
 
[snip]
So. I moved (didn't delete ... a bit nervous!) both files to a junk
directory ...[...]

Thanks for the followup, I'm sure it will help some people.
If you still have the "moved" files maybe you could submit
them to various malware detector vendors so that they can
help even more people.
 
Hi !

You are right, Sophos antivirus detects the Agobot-Fam virus in video_lnk32.exe.
The same as winhlpp32.exe and scvhost.exe.

Cheers !

Julien
 
http://www.sophos.co.uk/virusinfo/analyses/w32agobotfam.html

With this "family" detection, you don't know specifically which
variant you had. It is recommended that you keep yourself up
to date with respect to patches in any event. Also, this worm
takes advantage of weak passwords on network shares.

In case you didn't already know, getting rid of the malware
(worm or backdoor-trojan) is only part of your responsibility.
If the weaknesses it took advantage of are not addressed,
you will get more malware foisted upon you.

Good luck.
 