Solved svchost.exe causing random CPU 100%

bestuck

Hello all.

What the title says, basically. I created a dump file, if it's worth anything (I couldn't upload it as an attachment, so here it is), and I took a screenshot of the process properties:

qW1S84Z.png

The strange thing is that if I end the task and delete the svchost file in the temp folder, nothing happens at all. But it does hurt when I need the CPU for heavy loads, like gaming or decompressing files. And it's kind of frustrating because it is so random; I don't know what causes it.

Thanks in advance.
 

My Computer

System One

  • OS
    Windows 8.1
    Computer type
    PC/Desktop
    CPU
    Intel G2020
    Motherboard
    Asus H61
    Memory
    4GB Kingston
    Graphics Card(s)
    AMD HD7750
    Browser
    Firefox
    Antivirus
    -
SVCHOST (Service Host) is a program that runs other Windows programs on your computer. There can be several instances of svchost running at the same time. If you are having a problem, you need to figure out what svchost is running (it could be Windows Defender or such).

You can view what svchost is running using the Task Manager, but you have to click on the button labeled Show All Processes (or the "More" button in Win8).
Then right-click on a SVCHOST process and select the Go to Service(s) menu option. You will now see a list of services on your computer, with the services that are running under this particular SVCHOST process highlighted.

See this article on using Process Explorer: How to determine what services are running under a SVCHOST.EXE process
 

My Computer

System One

  • OS
    Win8.1
    Computer type
    PC/Desktop
    System Manufacturer/Model
    HTPC: Custom built
    CPU
    intel i5-2400
    Motherboard
    Gigabyte GA-Z68MX-DS2H
    Memory
    16GB Corsair DDR3-1600
    Graphics Card(s)
    on-board HD3000
    Sound Card
    On-board
    Monitor(s) Displays
    Samsung 32" LED
    Hard Drives
    eight HGTS Deskstar NAS, 3TB
    seven WD Red NAS, 3TB
    one Seagate ES.2, 1TB
    one 64GB SSD
    PSU
    Corsair 750W
    Case
    Li-Lian case with SuperMicro hotswap backplane
    Cooling
    Case 4 6" fans, stock CPU cooler
    Other Info
    Two 3-Ware (LSI) model 9650SE-8LPML RAID cards.
Thank you for your response. Unfortunately, I can't seem to solve the problem. I've found out one thing though, it starts on boot. Every time.

But the thing is, that link is good for finding "Host process for Windows services", and my problem concerns svchost.exe. Here are a few screenshots:

C0GEdNZ.png
jusldOK.png
 
Did you right-click on it and go to Services?
 

Two enormous issues with that file.

First, it's located in the system temp folder, which is a strong indication that it's a component of malware which was written to use the %TEMP% variable. That variable only points to C:\Windows\Temp if the variable is expanded as the System user account.

Second, the real svchost.exe is also digitally signed by Microsoft, and the tab which would show that is missing.

I believe you may be the victim of a malware infection that has obtained full system access (NT AUTHORITY\SYSTEM user) and could potentially inject malicious drivers into the kernel.
 

My Computer

System One

  • OS
    Kernel 4.x
    Computer type
    PC/Desktop
    CPU
    i5 3570K
    Motherboard
    P8Z77-V LK
    Memory
    G.skill Ripjaw Z 2133MHz 9-11-10-28
    Graphics Card(s)
    GTX770 4GB Dual BIOS
    Sound Card
    Audigy 4 Pro
    Monitor(s) Displays
    32" SAMSUNG HDTV
    Screen Resolution
    1920x1080 progressive
    Hard Drives
    10TB total
    3 RAID arrays
    3 single disks
    PSU
    Corsair HX750
    Case
    Corsair R400
    Cooling
    Corsair H100
    Keyboard
    Logitech G510
    Mouse
    Logitech G5
    Internet Speed
    ~900mbps (~115MB/s) down, ~10mbps(~1.5MB/s) up
    Browser
    Firefox & Chromium
    Antivirus
    Common Sense
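Putting the two checks from the post above (where the file lives, and whether it carries a Microsoft signature) together with the earlier advice on mapping an svchost process to the services it hosts, here is an added triage script. It is not from the thread and was not posted by anyone in it. It assumes an elevated Windows PowerShell prompt on Windows 8.1 or later and that the genuine copy of each listed binary lives under System32; the list of impersonated names is my own choice.

```powershell
# Added example, not from the thread. Triage every running process that shares
# its name with a core Windows binary: where it runs from, whether it carries a
# valid Microsoft Authenticode signature, and (for svchost) which services it
# hosts. Run from an elevated Windows PowerShell prompt.

# Names malware likes to borrow (my own list); the genuine copies live in System32.
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'winlogon.exe')
$system32    = Join-Path $env:SystemRoot 'System32'

# Win32_Process exposes ExecutablePath and CommandLine, which Get-Process does not.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $systemNames -contains $_.Name }

# PID -> services hosted in that process; only svchost.exe should have any.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

foreach ($p in $procs) {
    $findings = @()
    $path     = $p.ExecutablePath

    if (-not $path) {
        $findings += 'path not readable (not elevated?)'
    } else {
        # Check 1: the real binary is loaded from System32, never from Temp or a profile.
        if (-not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "runs from $path instead of $system32"
        }
        # Check 2: the real binary has a valid signature chained to Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
        }
    }

    # Check 3: a real svchost hosts services and is started with a -k service group;
    # the copy in this thread was started with -a/-o/-u/-p miner switches instead.
    $hosted = $servicesByPid["$($p.ProcessId)"]
    if ($p.Name -ieq 'svchost.exe') {
        if (-not $hosted)                      { $findings += 'hosts no services' }
        if ($p.CommandLine -notmatch '\s-k\s') { $findings += 'no -k service group on the command line' }
    }

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Path        = $path
        Services    = (@($hosted) | ForEach-Object { $_.Name }) -join ','
        CommandLine = $p.CommandLine
        Verdict     = if ($findings) { 'SUSPICIOUS: ' + ($findings -join '; ') } else { 'ok' }
    }
}
```

The location check is the one to trust first: a process named svchost.exe running from C:\Windows\Temp with no hosted services and no -k argument is wrong on every count, whatever the signature check says. Treat the signature result as supporting evidence only; on older Windows builds, catalog-signed system binaries can be reported as NotSigned by Get-AuthenticodeSignature, so confirm with Process Explorer's Verified Signer column or sigcheck before calling a System32 file bad.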
Thank you very much for the diagnosis. I'll get right on this to try to find it. Although I think it's better to format, because I've been dealing with browser bars, ad extensions and stuff like that a few weeks ago (I thought I solved that, but apparently not).

Just a quick thought: could it be something like uTorrent or Hola? I've read that they came pre-installed with bots to mine bitcoin or something like that. I don't have those programs right now, but I have had them in the past (I deleted them as soon as I heard that news).
 

UPDATE:

I looked through the DMP file you provided in the link and I found some very interesting strings that explain your problem.

The strings were:
E:\CryptoNight\bitmonero-master\contrib\epee\include\net/http_client.h
E:\CryptoNight\bitmonero-master\contrib\epee\include\net/http_server_handlers_map2.h

Finally, the nail in the coffin among the strings in that dump:
"C:\Windows\Temp\svchost.exe" -a cryptonight -o stratum+tcp://pool.monerocrypt.com:1001 -u 43s6t7KoCXtaBZ48bL5sPDhTEs6FG9FA8RCGkqC5xzkCATVAYzSmykD67mSXkejwnSQ552bjF5DsCCunopJPwAUZEkphFBZ -p x

That there is a command line confirming what I thought. That svchost.exe is a crypto-currency miner. It will consume all of your computer's resources to generate money for some wanna-be hacker who wrote the malware.

He uses the monerocrypt.com mining pool, and his ID is "43s6t7KoCXtaBZ48bL5sPDhTEs6FG9FA8RCGkqC5xzkCATVAYzSmykD67mSXkejwnSQ552bjF5DsCCunopJPwAUZEkphFBZ"

You can go to that website and view his stats with that ID.
His hash-mining rate isn't very impressive, so he's likely not infected many computers.

However, the total amount of crypto-coins he has generated is equal to about US$42,866 (forty-two thousand dollars).
That's a bit more impressive.

You need to scan and clean your computer of viruses immediately. If you cannot clean it, you may need to format and reinstall Windows.


You can also view a full listing of this malware's mining history at monerocrypt.com using the ID I posted above.

I would report this ID to the pool as soon as possible in hopes that some sort of action will be taken against them, however unlikely that may be.
 

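The strings the poster pulled out of the dump are the whole case: a source path from a CryptoNight miner build and a command line carrying a stratum pool URL and a wallet ID. Here is an added example, not from the thread, of doing that extraction in PowerShell: it recovers ASCII and UTF-16LE strings from a byte buffer and flags the ones that match miner indicators. The sample buffer at the bottom is constructed for the example, with a placeholder pool host and wallet; the poster's actual dump is not on this page, and the indicator list is my own.

```powershell
# Added example, not from the thread. Recover printable strings from a process
# dump and flag the ones that look like a crypto-miner, which is what gave the
# game away in the post above. To run it on a real dump:
#   Find-MinerStrings -Bytes ([System.IO.File]::ReadAllBytes('C:\path\to\svchost.dmp'))

function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLength = 8)
    $run = "[\x20-\x7e]{$MinLength,}"
    # ASCII strings: decode 1:1 (code page 28591 = Latin-1) and keep printable runs.
    $narrow = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    [regex]::Matches($narrow, $run) | ForEach-Object { $_.Value }
    # UTF-16LE strings, which is how Windows keeps command lines and paths in memory.
    # Decoding from offset 0 and from offset 1 also catches strings at odd byte offsets.
    foreach ($offset in 0, 1) {
        $wide = [System.Text.Encoding]::Unicode.GetString($Bytes, $offset, $Bytes.Length - $offset)
        [regex]::Matches($wide, $run) | ForEach-Object { $_.Value }
    }
}

# Indicator patterns (my own list): the shape of the command line quoted in the
# post, plus names from common CPU-miner code bases.
$minerPatterns = @(
    'stratum\+(tcp|ssl)://[^\s"]+',                      # mining-pool URL
    '\s-a\s+cryptonight\b',                              # algorithm switch
    '\b4[1-9A-HJ-NP-Za-km-z]{94}\b',                     # Monero-style 95-char base58 address
    '(?i)\b(xmrig|cpuminer|minerd|bitmonero|cryptonight)\b',
    '(?i)\\Windows\\Temp\\(svchost|lsass|csrss)\.exe'    # system binary name in the SYSTEM %TEMP%
)

function Find-MinerStrings {
    param([byte[]]$Bytes)
    Get-PrintableStrings -Bytes $Bytes | Sort-Object -Unique | ForEach-Object {
        $s    = $_
        $hits = @($minerPatterns | Where-Object { $s -match $_ })
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{ Matched = ($hits -join ' | '); String = $s }
        }
    }
}

# Constructed sample standing in for a real dump (not the poster's file): non-printable
# filler, a UTF-16LE command line of the quoted shape with a placeholder pool host and
# wallet, a NUL terminator, one ASCII source path, and more filler.
$fakeWallet  = '4' + ('A' * 94)
$sampleCmd   = "`"C:\Windows\Temp\svchost.exe`" -a cryptonight -o stratum+tcp://pool.example.invalid:1001 -u $fakeWallet -p x"
$sampleBytes = [byte[]](
    @(0..31) + @(128..255) +
    [System.Text.Encoding]::Unicode.GetBytes($sampleCmd) +
    @(0, 0, 0, 0) +
    [System.Text.Encoding]::ASCII.GetBytes('E:\CryptoNight\bitmonero-master\contrib\epee\include\net/http_client.h') +
    @(255..128) + @(31..0)
)

Find-MinerStrings -Bytes $sampleBytes | Format-List
```

On the constructed sample this reports two strings: the source path (matched on the code-base name) and the command line (matched on the pool URL, the algorithm switch, the address pattern and the Temp location). Searching for printable runs in both ASCII and UTF-16LE matters on Windows: the source paths baked into the binary are ASCII, but the command line the process was started with sits in memory as UTF-16, and an ASCII-only pass would have missed the line that named the pool and the wallet.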
Crypto-currency miners that operate like this one overwhelmingly come from one source.

These infections come from torrents of popular, newly released and cracked computer games. Often they're secretly slipped into encrypted setup data files; they avoid initial detection this way. Further, due to anti-malware companies flagging all cracked software as viruses, the real viruses get overlooked. Malware writers take advantage of this, coupled with the huge demand for cracked software (namely games, since most gamers are young or not technical enough to catch them, along with assured targeting of powerful computers), to spread their miners across many computers, making them a huge amount of money.

Now, whether you ever downloaded cracked software is none of my business, or anyone else's on this forum. There are also ways to get infected by this malware that are completely legal.

The real issue is cleaning this stuff off your computer so your privacy and bank accounts aren't potentially threatened as well.
 

Well, thank you very, very much, again. It took two scans of Malwarebytes and a full scan of Avast Free to finally remove it. Still, to be safe, I'm going to format it soon.

On a side note: I don't pirate software at all. Nor do I pirate games. I play about three games, and they are all from Steam. I do pirate movies and TV shows, so it must have come from there, which is very strange because I always check that they are only movie files.
 

Not meant as an accusation, sorry.

Like I said, there are numerous ways to be infected by this type of malware.
 

Oh, I didn't take it as an insult, don't worry! :)

Just out of curiosity, for anyone reading: I think it was an ad-block extension for my browser, looking at the report from Malwarebytes (which prevented Chrome from updating, but since I use Firefox I didn't notice).

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 08/07/2015
Scan Time: 11:14:16 p.m.
Logfile: malwarebytes scan.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.07.08.08
Rootkit Database: v2015.07.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Emiliano

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350461
Time Elapsed: 9 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.Agent, C:\Windows\Temp\lsass.exe, 3296, , [5dfb17c838527fb79aef95bc1be91ce4]

Modules: 0
(No malicious items detected)

Registry Keys: 5
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, , [6cec1dc236540e28acc9d8b4b1538878],
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, , [d58323bc6b1f01358ce9eaa20ef6db25],
PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATPopups, , [98c0736c5c2e81b53129038dc73d14ec],
PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATUpdaters, , [64f4954af8923303abaf652be222748c],
PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\Google Analytics Package, , [d3858b544f3b81b5f765d2be36ceac54],

Registry Values: 2
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue, 1, , [6cec1dc236540e28acc9d8b4b1538878]
PUM.Security.Hijack.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE|DisableAutoUpdateChecksCheckboxValue, 1, , [d58323bc6b1f01358ce9eaa20ef6db25]

Registry Data: 0
(No malicious items detected)

Folders: 5
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com\content, , [12464d926f1bbb7bd02fbfc454b024dc],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com, , [12464d926f1bbb7bd02fbfc454b024dc],
PUP.Optional.BlockTheAds.A, C:\ProgramData\Block The Ads, , [ce8a8956d0ba6bcb193cb33ec63c21df],

Files: 13
PUP.Optional.MultiPlug.Uns, C:\ProgramData\Block The Ads\Block The Ads.exe, , [1741d50afd8d4bebf409db97cf33c23e],
Trojan.BitcoinMiner, C:\Windows\Temp\svchost.exe, , [e276ffe01c6ecc6ab084257bfb096997],
PUP.Optional.AppDataFR.A, C:\Users\Emiliano\AppData\Roaming\appdataFr3.bin, , [b7a1f2edacde44f2d78104fac83a718f],
Trojan.Agent, C:\Windows\Temp\lsass.exe, , [5dfb17c838527fb79aef95bc1be91ce4],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1\lsdb.js, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1\background.html, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1\content.js, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1\icjNfJTA.js, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhihnapmdpedhlihabmbcmkjhglphhch\1.1\manifest.json, , [aaae58875b2f979f678ab1d29c68b14f],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com\content\bg.js, , [12464d926f1bbb7bd02fbfc454b024dc],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com\bootstrap.js, , [12464d926f1bbb7bd02fbfc454b024dc],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com\chrome.manifest, , [12464d926f1bbb7bd02fbfc454b024dc],
PUP.Optional.MultiPlug.A, C:\Users\Emiliano\AppData\Roaming\Mozilla\Firefox\Profiles\z5cv4ozt.default\extensions\TG@0siT28V.com\install.rdf, , [12464d926f1bbb7bd02fbfc454b024dc],

Physical Sectors: 0
(No malicious items detected)


(end)
 

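The scan log above shows two things worth re-checking after cleanup: executables named after system binaries (svchost.exe, lsass.exe) living in C:\Windows\Temp, and a Google Update policy value that silently stopped Chrome updating. Since the poster also noted the miner started on every boot, here is an added example, not from the thread, that walks the usual autostart locations for anything launched from a Temp directory and re-reads that policy value. The Temp roots and the set of locations checked are my assumptions; the script is read-only and expects an elevated Windows PowerShell prompt on Windows 8 or later.

```powershell
# Added example, not from the thread. After cleanup, confirm nothing still
# launches from a Temp directory at boot or logon, and that the Chrome
# auto-update policy the scan flagged is gone. Read-only; run elevated.

# Temp roots worth flagging (my assumption): the SYSTEM account's %TEMP%, which is
# where the miner lived, and the per-user Temp under any profile.
$tempRoots = @("$env:SystemRoot\Temp\", 'AppData\Local\Temp\')

function Test-TempPath {
    param([string]$Command)
    foreach ($root in $tempRoots) {
        if ($Command -and $Command.IndexOf($root, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$hits = @()

# 1. Services start as SYSTEM at boot, which fits a binary dropped into the SYSTEM %TEMP%.
foreach ($svc in Get-CimInstance Win32_Service) {
    if (Test-TempPath $svc.PathName) {
        $hits += [PSCustomObject]@{ Source = "Service $($svc.Name)"; Command = $svc.PathName }
    }
}

# 2. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        if (Test-TempPath "$($p.Value)") {
            $hits += [PSCustomObject]@{ Source = "$key\$($p.Name)"; Command = $p.Value }
        }
    }
}

# 3. Scheduled tasks (Get-ScheduledTask exists on Windows 8 / Server 2012 and later).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-TempPath $cmd) {
            $hits += [PSCustomObject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# 4. The Google Update policy from the scan log: value 1 means Chrome stopped checking for updates.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Update', 'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Update') {
    $v = Get-ItemProperty -Path $key -Name DisableAutoUpdateChecksCheckboxValue -ErrorAction SilentlyContinue
    if ($v -and $v.DisableAutoUpdateChecksCheckboxValue -eq 1) {
        $hits += [PSCustomObject]@{ Source = "$key\DisableAutoUpdateChecksCheckboxValue"; Command = 'Chrome auto-update disabled by policy' }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { 'No Temp-based autostart entries or update-blocking policy found.' }
```

A clean result here is a reasonable bar before deciding whether the planned reinstall is still needed; a hit in the services list is the one to take most seriously, because a service is what gives a Temp-dropped binary the SYSTEM context the earlier post described.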
Looks like you downloaded some freeware and agreed to the installation of free adware as well. It installed itself into both browsers.

However, the PUPs you have there typically aren't related to bitcoin miners, but I wouldn't put it past them.

Be very careful what you install on your computer.

Be even more careful of what you agree to by leaving a program's installation phase at its defaults.
 
