svchost.exe eating up CPU

April 24th, 2012 - 02:44 am ET by Menno Hershberger
I have another computer here that looks like it's due for a wiping and
starting over. I was able to get MalwareBytes run on it and it found over
300 malicious items. The majority was MyWebSearch, but there were some
Trojan.FakeAlerts in there too.

But even in Safe Mode, after about 2 or 3 minutes, an instance of
svchost.exe starts running that works its way up to 80 to 90 percent CPU
usage. The one that is guilty is "svchost.exe -k netsvcs" as revealed by
Process Explorer. And while it's not using up any CPU, hpgs2wnf.exe also
gets started, even in Safe Mode. It usually stays gone once it is
terminated. The svchost.exe can be terminated too, but it will come back
within 2 or 3 minutes.

This is an older Dell, Pentium 2, with a 2.0Gb processor and 512Mb of
ram. It's one of those Dells with special memory that has to be paired
and it now has 4 128's in it. In order to get it up, it would mean having
to replace it all since it can't be added to. That special Dell memory
isn't cheap.

While 512Mb is borderline "enough", it should operate pretty well if I
could figure out how to get rid of that svchost problem. The hpgs2wnf.exe
file is associated with HP's Share to Web service. I find no reference to
it in msconfig or in any of the run keys in the registry. I renamed the
exe to keep it from starting, but that's not the way to do things.

Share to Web is in Add/Remove programs but it errors out when I try to
remove it. Some installation file is missing. One Google hit was at
http://svchost-fix.blogspot.com/201...using-100-
cpu.html (http://tinyurl.com/bmejzfn) will do it - reading that mess is
almost comical but it'll lead you to a downloadable file,
SvchostFixWizard3.exe. Well, that passed Virus Total so I ran it and it
came up with a scam that would cost you $39.95. Oops, no thanks.

Someone mentioned deleting all the prefetch files. I tried that. No
success.

I tried diagnostic mode. That cripples everything up so bad you can't
even open Task Manager. If anyone has any idea what's going on with this
svchost.exe -k netsvcs I'd appreciate anything you may have to offer.
I've already got his documents copied off. All that's left is his Outlook
Express and Address Book, Bookmarks & Favorites, and pictures and folders
scattered all over the desktop.

Then it's wipeout time if someone doesn't try to stop me.

Last call!

Thanks,



Replies

#1 Paul
April 24th, 2012 - 03:41 am ET
Menno Hershberger wrote:

If it was me, I'd be scanning more out of curiosity, rather than
thinking I could fix it :-)

You can download the Kaspersky Rescue Disc, which is a CD which does
an AV scan from Gentoo Linux. You download the 237MB ISO9660 file, and
using an uninfected computer, burn a bootable CD using the ISO9660 file.
Next, shut down the infected computer and connect it to your shop LAN.
The Kaspersky CD can get AV updates from the main site, as long as
you have a LAN that supports DHCP. The Kaspersky CD doesn't support
dialup networking for example, and can't get AV updates with a dialup modem.

On my machine, that takes about an hour to scan C: (about 50GB of files perhaps).
One reason it runs that fast, is the scanner is multithreaded, and the more CPU
cores, the faster the scanner can go.

*******

Now, if this was not a malware problem, and just a "crazy svchost", you can
move the items "sharing" a svchost into their own svchost. Doing that
can allow a person to isolate a particular item as causing a shared
svchost to go to 100%. It doesn't fix the problem, just makes it
clearer which one is the culprit.

http://blogs.msdn.com/b/spatdsg/arc...vices.aspx

"You can split it out into its own service by running:

sc config <service> type= own

And revert it via

sc config <service> type= share
"

Say you're on a WinXP Pro machine, and you use "tasklist /svc" (Pro has tasklist).
I have seven svchost.exe things running, but Microsoft in their wisdom, put most
things into just one svchost.exe. I would have to use the "type= own"
command about 26 times in this case, to kick them all out into their
own svchost. As far as I know, this changes the Registry, and not
the machine running state. You have to reboot, for the "relocated"
services to discover they're on their own. When you reboot, then there
would be 26 more svchosts running, each one holding one thing. (I.e. You're
aiming for a one-to-one mapping.)

svchost.exe 1444 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, FastUserSwitchingCompatibility,
helpsvc, Irmon, LanmanServer,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, SharedAccess,
ShellHWDetection, TapiSrv, Themes, TrkWks,
W32Time, winmgmt, wscsvc, wuauserv, WZCSVC

What happens then is, one of the svchosts goes to 100%, say it says "wuauserv"
when you check the Tasklist, and then you'd know wuauserv was a pig. What
you'd do about it then, I haven't a clue :-)

But before doing that, I'd run Kav and see if the machine is effectively
totaled, and just move on if it is.

*******

The RAM you've got, is probably RDRAM. RDRAM installs on channels, just
like more modern RAM. You can have a dual channel chipset, with two DIMMs
per channel for example. The chips on each module, are "in series" and the
data flows through all of them. When there are two DIMMs on a channel, the
serial output of one DIMM, feeds the serial input of the second DIMM. If
you only have one DIMM in a channel, you can install a CRIMM or continuity
PCB, to "loop" the output of the module, so it gets back to the chipset.
Machines of that type, should ship with CRIMMs in the box, so a user can
have two or four DIMM configs, at their convenience. The CRIMM doesn't
have chips on it, it just has copper tracks to route the signals.

http://en.wikipedia.org/wiki/Crimm#...ty_modules

If you read whatever Wiki has on RIMM or RDRAM, you'll probably learn
enough to do whatever you want with that thing. I think you could get
modules up to 512MB each, before they stopped making them, but the
price could be just about anything.

There are actually two kinds of modules, 16 and 32 bit, so the signal routing
is a bit different on the two types.

"Therefore, a dual channel mainboard accepting 16-bit modules must have RIMMs
added or removed in pairs. A dual channel mainboard accepting 32-bit modules
can have single RIMMs added or removed as well. Note that some of the later
32 bit modules had 232 pins as compared to the older 184 pin 16 bit modules.
"

I'd have preferred the Wiki showed a topology diagram, so people could get
a better appreciation of how they work, because this is a different technology.
Notice, for example, the heat spreader is riveted to the module. That's because,
with the serial orientation (huge "congo line" made of all the chips), if a program
accesses the same memory location over and over again, one chip on the module gets
"hotter" than the rest, to the tune of around 4 watts. By having a heat spreader
on there, the heat spreads out into the longer metal surface, so the chip doesn't
get as hot. If you were to remove the spreader, and run the module without spreaders,
the chip could be damaged by overheating. This is different than any of the later
modules, where chip heating is uniform per rank. On modern DIMMs, for the most part,
the spreader is a joke. It's a place to print the product name. On the RDRAM
modules, the spreader was there for a good reason (due to potentially uneven heating).
For example, all it would take, is a copy of Prime95, doing a test on a relatively
small chunk of memory, to heat up a single chip on each channel.

Paul
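The isolation technique Paul describes above (read `tasklist /svc`, find the crowded svchost, push each of its services into its own process with `sc config <service> type= own`, reboot, then see which lone svchost pegs the CPU) is easy to get wrong by hand when the shared host carries 26 or 27 names. The script below is an added example, not Paul's code or anything from the thread: it parses a saved `tasklist /svc` dump, reports which svchost processes host more than one service, and generates the `sc config` lines (and the matching `type= share` revert lines) for the PID that Process Explorer showed at 80 to 90 percent. The dump embedded here is constructed for the example; only the PID 1444 service list is taken from Paul's post, and the other rows are invented filler. The script only prints the commands so they can be reviewed first; `sc config` itself must be run from an administrator prompt on the affected machine, and the space after `type=` is required by sc.exe.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `tasklist /svc` output (assumption: not captured from the
# poster's machine). The PID 1444 row reuses the service list quoted in the reply;
# every other row is filler so the parser has non-svchost and single-service cases.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
services.exe                   672 Eventlog, PlugPlay
svchost.exe                    892 DcomLaunch, TermService
svchost.exe                    964 RpcSs
svchost.exe                   1444 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                   EventSystem, FastUserSwitchingCompatibility,
                                   helpsvc, Irmon, LanmanServer,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, TapiSrv, Themes, TrkWks,
                                   W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                   1520 Dnscache
explorer.exe                  1800 N/A
"""

# A table row: image name (may contain spaces), PID, then the service field.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    """Turn 'A, B, C,' (or 'N/A') into a clean list of service names."""
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Map PID -> {"image": exe name, "services": [service names]}.

    tasklist wraps long service lists onto indented continuation lines, so any
    line that starts with whitespace is appended to the previous row."""
    procs: Dict[int, dict] = {}
    last_pid = None
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=====")  # skip the header until the rule
            continue
        if not line.strip():
            continue
        if line[0].isspace():
            if last_pid is not None:
                procs[last_pid]["services"].extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        procs[pid] = {"image": m.group("image").strip(),
                      "services": _split_services(m.group("services"))}
        last_pid = pid
    return procs


def shared_hosts(procs: Dict[int, dict]) -> List[Tuple[int, int]]:
    """svchost.exe PIDs that host more than one service, most crowded first."""
    hosts = [(pid, len(e["services"])) for pid, e in procs.items()
             if e["image"].lower() == "svchost.exe" and len(e["services"]) > 1]
    return sorted(hosts, key=lambda t: -t[1])


def isolation_commands(procs: Dict[int, dict], pid: int, revert: bool = False) -> List[str]:
    """sc config lines that give every service in svchost `pid` its own process
    (type= own), or put them back into a shared host (type= share)."""
    entry = procs.get(pid)
    if entry is None or entry["image"].lower() != "svchost.exe":
        raise ValueError(f"PID {pid} is not a svchost.exe process in this listing")
    svc_type = "share" if revert else "own"
    return [f"sc config {svc} type= {svc_type}" for svc in entry["services"]]


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, count in shared_hosts(procs):
        print(f"svchost.exe PID {pid} hosts {count} services")
    # 1444 stands in for the PID Process Explorer showed at 80-90% CPU.
    print("\n".join(isolation_commands(procs, 1444)))
    print("# to revert after the culprit is found:")
    print("\n".join(isolation_commands(procs, 1444, revert=True)))
```

Feed it a real dump with `tasklist /svc > svc.txt` and read `svc.txt` instead of the sample. After the reboot, a second `tasklist /svc` shows one service per svchost, and the PID Task Manager flags is then a single name. Any name in that list that is not a known Windows or vendor service is worth looking up before trusting it, since a hijacked netsvcs group is exactly where a malicious service would hide in plain sight.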
