Tech Support Forum
Discussion Starter (Registered, 19 Posts) · #1
I'm sure you guys get bombarded by this one a lot. Over the past few days I've been doing a lot of research on the issue, as I have it now myself. After 3 formats and a handful of different programs I think I found the root of my issue; however, now I am at a roadblock.

Using the procexp program I ran a process of elimination to try and figure out why my svchost is taking up 50%+ of my CPU and a scaling amount of virtual memory that just keeps getting larger, and I came to 2 results, one that I simply could not close, pause, restart, or access in any way even with administrator privileges. One catching my eye more than most:

RasMan - the Remote Access Connection Manager

Under permissions I see 3 accounts logged: Admins (my computer name included), Authenticated Users (read-only permissions set)
and this one:
Account unknown (S-1-5-32-547)
It had full permissions, which I changed to deny for now, as I can find no record of what exactly this unknown account is. Doing this greatly lowered the drain on my CPU and virtual memory, but I cannot remove the account. Any attempt to do so results in it coming back as soon as I go back to the process.

The other process is Win32 Time. I could pause it but not close it or restart it. Pausing it caused no change in anything either.

Looking for info on how to remove or fix this issue, so I've come here.

As a side note of info, I already found and ran the bat file to rerun the DLL files in Safe Mode to fix svchost, but no effect whatsoever, sadly.

Hope to get a reply soon!
Thanks for your time
~D~
 

Discussion Starter (Registered, 19 Posts) · #2
Re: yet another svchost issue

It seems that a few of the other processes that svchost runs also have the strange account attached. I'm wondering if it's a default remote access account for Windows tech support or something. I left my computer on to test my temp fix, and it seems that my fix of denying access to this strange account did stop the drain on my CPU, but the virtual memory usage went right back up to the 1.5-2 gig range.

Could I get another person to run procexp and check the labeled process under svchost to let me know if it's just me or a default setting? This info will help me out a lot in trying to figure out a fix for this darn thing.
Thanks
~D~
 

Discussion Starter (Registered, 19 Posts) · #4
Re: yet another svchost issue

OK, I tried that but it had no effect at all. I also manually blocked all access for this unknown account as well, but the virtual memory issue still persists.
I will admit I'm kinda at a loss here.

I may, however, have a clue. I find that every now and then I get a chime in the background when my virtual memory is in the 2 gig range. The kind of chime you get when you try to close a window while it's doing something. I did a little digging around my computer and I still don't have any hard info on where that chime is coming from, but I find that my sound stops working and I have to restart the process in svchost to get it working again, or just restart my computer. I haven't found any other effect or change on my computer from said chime yet.

My current plan of action is to:
1. Try a different driver for my Sound Blaster
2. Disable my motherboard's sound drivers
3. Use the "track system changes" option in my System Mechanic

As always, I'm welcome to any advice anyone may have.

Side note: is there a way to find out where my virtual RAM is stored? Maybe I can get some more info looking at that. The slow scaling of the virtual memory leads me to believe that it's either an endless process loop of some sort, or it's storing one series of files over and over, maybe even as junk.
 

Discussion Starter (Registered, 19 Posts) · #5
Re: yet another svchost issue

OK, I found another lead. I found a way to look into my memory, and I found out what's taking the massive amount of CPU usage and most of my virtual memory.

It seems that a DLL file by the name of ntdll.dll+0x10230 is the cause of it. I did a little searching on it and I found a patch for Windows SP2 that fixes a critical security risk with this file. My computer data starts at 2005 after my format, so I have to manually download Windows SP3 just to get some things to work. Since I can't run the patch, I'm going to assume that SP3 comes with it standard? If not, a working fix, or even a temp fix, would be greatly helpful.

I'm looking for a bone at this point.
 

Global Moderator (42,576 Posts) · "Knowing how to use Google to solve problems"
Re: yet another svchost issue

Your profile says that you have SP3. If this computer does not already have SP3, please install it, and any other Windows Updates you don't have.
As for the mystery account, boot into Safe Mode (press F8 at bootup). Go to Start/Run, type control userpasswords2 and press Enter. Here, highlight the offending account and choose Remove. Go to the Advanced tab and the Advanced button/Users and make sure the account is gone.
 

Discussion Starter (Registered, 19 Posts) · #8 (Edited)
Re: yet another svchost issue

Things just got even more strange. So I killed the thread that was taking all the resources, and shortly after a new one under a different name takes its place, and after I kill that one, another one under yet another DLL name takes its place:

ole32.dll+0x1e43b

EDIT: It seems that the ole32.dll file is used by my .NET Framework.
I'm going to try and update that to see if that helps.

Currently I have 3 of them running, each taking up exactly 25% of my quad core.

I'm going to kill these 3 and see what pops up next.

I haven't downloaded anything since I did my format other than my core drivers and one game to kill time. Oh, and Firefox as well, but no special add-ons.
That and some Windows updates, and that's it.

I'm going to compile a list of all DLL files that use large amounts of my system's resources. Maybe there will be a connection somewhere.
 

Discussion Starter (Registered, 19 Posts) · #9
Re: yet another svchost issue

kernel32.dll activates at the same time as ole32.dll. Both take up 25% of my CPU and never more. The .NET Framework upgrade had no effect on ole32.dll.

I can run my computer now if I kill the threads of these 2, but I still need to find out what the cause is.

From my understanding kernel32 is a memory-managing DLL for Windows, and ole32 is a .NET Framework DLL.
I'm trying to use this information to narrow down what the cause is, but I don't have in-depth knowledge of how the framework works on a computer. I will do a little research on it today, but if one of you guys sees a connection or has an idea, that would be more than awesome.

EDIT: I somehow completely missed your post, Spunk. I will try that.
 

Registered (1,701 Posts)
Re: yet another svchost issue

There is some advice on this other thread you might peruse too: Svchost using large amounts of memory.

It's beginning to look like you have an exploit that calls svchost and may attach itself as a netsvcs. Such a trojan exists, but it calls netsvcs.exe; maybe the exploit has morphed. If you have DComLaunch attached to your svchost, perhaps that's causing it.

Download and run Process Explorer, hover your mouse over the processes to see what is attached or what called them.

Perhaps you should consider moving your issue to the virus section of TSF?
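Two checks from this thread, resolving the "Account unknown" SID from the first post and tying each svchost instance to what it hosts as suggested above, can be done from a console without hovering in Process Explorer. The script below is an added example, not code from the thread or from Process Explorer; it assumes a Windows host with PowerShell 3.0 or later and an elevated prompt (the service-to-process mapping and signature checks need admin rights). S-1-5-32-547 is the well-known SID of the BUILTIN\Power Users group, which is what the resolver should report.

```powershell
# Added triage example, not code from the thread. Assumes Windows with PowerShell 3.0 or later
# and an elevated prompt (service-to-process mapping and signature checks need admin rights).

# 1. Resolve a raw SID (such as the "Account unknown" entry seen in Process Explorer) to a name.
#    S-1-5-32-547 is the well-known SID of the BUILTIN\Power Users group.
function Resolve-Sid {
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved: $Sid>"   # a SID with no local or domain match stays raw
    }
}

# 2. Map each svchost.exe instance to the services it hosts and flag instances that do not run
#    from the expected system directories, carry no valid Authenticode signature, or host nothing.
function Get-SvchostTriage {
    $expected = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $p       = $_
        $hosted  = $services | Where-Object { $_.ProcessId -eq $p.Id } | ForEach-Object { $_.Name }
        $path    = $p.Path   # null when the caller cannot open the process
        $sig     = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $inPlace = $path -and ($expected -contains $path)   # -contains is case-insensitive

        [pscustomobject]@{
            PID          = $p.Id
            CPUSeconds   = if ($p.CPU) { [math]::Round($p.CPU, 1) } else { 0 }
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Services     = ($hosted -join ', ')
            Path         = $path
            Signature    = $sig
            # A genuine svchost always hosts at least one service; an empty list is worth a look.
            Suspicious   = (-not $inPlace) -or ($sig -ne 'Valid') -or (-not $hosted)
        }
    } | Sort-Object CPUSeconds -Descending
}

Resolve-Sid -Sid 'S-1-5-32-547'
Get-SvchostTriage | Format-Table -AutoSize
```

Read the table from the top: the instance with the highest CPU time shows, in the Services column, which services share that process, which is the grouping Process Explorer reveals on hover. A row marked Suspicious is not a verdict, only the instance to examine first; a path outside System32 or SysWOW64, a signature status other than Valid, or an svchost hosting no service at all is the pattern to hand to the malware-removal section rather than to keep killing threads.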
 

Discussion Starter (Registered, 19 Posts) · #11 (Edited)
Re: yet another svchost issue

OK, I did what you asked, Spunk; however, the unknown account was not anywhere on the list. I did, however, run my batch file to fix svchost again, and it's working fine atm.

It did this once before too, and a few hours later it started up again. This time I'm going to keep a sharp eye on what starts up and when, in hopes of finding something out of place.

Or rather it would be nice if it somehow fixed itself with that batch.

While typing this I'm noticing something. There are a lot of kernel32.dlls running, as one may expect; however, most of them are only using up less than one hundredth of a percent of my CPU... save one... then 2... then 3, and now 4. The CPU usage spiked at 4 and has been fluxing back and forth rapidly. It seems more and more kernel32.dlls are spiking my memory.

ntdll is also doing the same now, only one instance of it however.

I'm running Norton atm, as it comes standard with one of my driver CDs, and it has blocked 2 attacks during this message, 2 that I've seen a few times since I formatted:

one called "Malicious Toolkit Website 9" and another called "Malicious JavaScript Website 3".

The path of the attack is what caught my eye:

\device\harddiskvolume1\windows\system32\svchost.exe

Both have the same path, and in the time it took me to write that it happened quite a few more times. The IP addresses of the attacks seem to be spoofed, as each one is different.

I own a very powerful firewall that I'm about to install that will let me monitor all inbound and outbound traffic.

Do we have any known fixes for this attack?

Edit: By the looks of it, it may just be a virus now. Thanks for the link. I will post over there to see if they have any info. Thanks for all your help, guys.
 

Registered (1,701 Posts)
Re: yet another svchost issue

It does look like an exploit of some kind. And by the looks of the traffic on TSF and other forums about svchost gobbling resources, it's new, and seemingly powerful.

Good luck in the virus section... those guys are really good at what they do. Meanwhile, could you navigate to the top of the page, click 'Thread Tools' and then 'Solved'? Thanks.
 