w2000 100% cpu usage svchost gone wild

Thread starter: Keith

Win 2000
I have 100% cpu usage 100% of the time. sp4. svchost.exe
is the cpu hog (wish I could find out what started it). I
can't figure out a way to end the process or terminate the
tree from Task Manager; "Access Denied". I have found a
lot of vague talk on the boards about solutions but not
the solution. Search of the KB is not enlightening.

I see dozens of posts on all types of boards but I haven't
found the solution...

Help!
Keith
 
Check the C:\WINNT\SYSTEM32\WINS folder and see if you see
either a svchost.exe or dllhost.exe file there. If you do
you have the Blaster worm or some variant thereof. There
are good instructions on stopping this on the trendmicro
website but I believe the correct thing to stop this is to
drop to a command prompt and type NET STOP "NETWORK
CONNECTIONS SHARING". This stops the svchost.exe
service. The dllhost.exe command to stop it is NET
STOP "WINS CLIENT". You will also have to go into the
registry and clear out the entries for Rpcpatch and
Rpctftpd. Then you should be able to delete those files if
that is indeed the problem.
 
You're infected.
www.antivirus.com has a free online scanner and
Do a Google for w32.Blast.Worm and one for Welchia
Use the fixtool by Symantec or others
Add the patch from Microsoft, but be careful you follow directions carefully
or it won't take. They will just say, "Nup" you're safe.
What if your local druggist sells you some condoms, but you don't read and follow
the directions. Something unexpected is gonna happen.
hehe

good computing,
don
 
Thanks for the input.
I agree I must be infected...but with what I don't know.
The WINNT/SYSTEM32\WINS folder is empty.
I am the poster boy for security patches and updates; a
month ahead of the curve on the recent worm storms. Last
week I know all patches were up to date. McAfee has never
found anything, all definitions were up to date 9/4/03.
I have run the blaster and welchia tools but they found
nothing.
I have lost my network connection since this (100% cpu
usage) started. Connection Status shows active
Sent/Received.

Last week I did run Gibson Research's (grc.com) "No
Share" to close NetBIOS to "unsafe operation". Since this
started I ran Gibson's LetShare to undo the changes...

Oh, yeah, this is a laptop, the only other thing I did was
run the battery completely dead last week. I noticed in KB
that there were some "100% cpu usage" notices that
mentioned brief cpu spikes (1 or 2 minutes) relating to
battery/low battery...doesn't seem to fit this problem.
Battery is charged fine.

I am almost ready to reformat. What's a day out of my life
versus this lingering dirty feeling of infection that
sucks all the life out of my cpu?

Any further help would be appreciated!
Keith
 
Are you SURE this means a viral infection ??

Norton says I am clean, but I have this issue and those files ARE there, but they
are also in that location on a normally working machine.

I began having 100%, but not usually from svchost. It happens when I open up
Internet Explorer windows, particularly if I open several at a time...

any ideas??

David

Jim said:
Check the C:\WINNT\SYSTEM32\WINS folder and see if you see
either a svchost.exe or dllhost.exe file there. If you do
you have the Blaster worm or some variant thereof. There
are good instructions on stopping this on the trendmicro
website but I believe the correct thing to stop this is to
drop to a command prompt and type NET STOP "NETWORK
CONNECTIONS SHARING". This stops the svchost.exe
service. The dllhost.exe command to stop it is NET
STOP "WINS CLIENT". You will also have to go into the
registry and clear out the entries for Rpcpatch and
Rpctftpd. Then you should be able to delete those files if
that is indeed the problem.

--
David 'db' Butler, Consultant
Acoustics by db
"...all the rest are just brokers"
now on the web at http://www.db-engineering.com
Boston, Mass
Phone 617 969-0585 Fax 617 964-1590
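
The folder check suggested in the replies above, written out as an added example that is not part of the original thread or any poster's code: it lists every svchost.exe and dllhost.exe under a Windows root and separates copies in the system32\wins subfolder from copies sitting directly in system32. The function names, the verdict labels, and the treatment of system32 as the stock location are assumptions of this example, and the directory tree it scans is constructed.

```python
import os
import tempfile

WATCHED = {"svchost.exe", "dllhost.exe"}  # the two file names named in the thread


def classify(system_root):
    """Return {path: verdict} for every watched file name under system_root."""
    sys32 = os.path.join(system_root, "system32")
    findings = {}
    for folder, _dirs, files in os.walk(system_root):
        for name in files:
            if name.lower() not in WATCHED:      # Windows file names are case-insensitive
                continue
            rel = os.path.relpath(folder, sys32).lower()
            if rel == ".":
                verdict = "expected"   # assumption: stock location of the Windows binaries
            elif rel == "wins":
                verdict = "suspect"    # the folder the reply says to check
            else:
                verdict = "review"     # same name somewhere else: verify by hand
            findings[os.path.join(folder, name)] = verdict
    return findings


def build_sample_tree(root):
    """Constructed sample layout (empty files) so the example runs offline."""
    layout = (
        ("system32", "svchost.exe"),
        ("system32", "notepad.exe"),
        ("system32", "wins", "DLLHOST.EXE"),
        ("temp", "svchost.exe"),
    )
    for parts in layout:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def demo():
    """Scan the constructed tree and return verdicts keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v
                for p, v in classify(root).items()}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8} {path}")
```

On a real machine the call would be `classify(r"C:\WINNT")`; a name match only says where a file sits, not what it is.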
 