Ask Leo! by Leo A. Notenboom

Svchost and Svchost.exe - Crashes, CPU maximization, viruses, exploits and more.



Comments


Fortunately, I was able to uninstall Service Pack 2 in safe mode, and then I remembered the Winternals Administrator's Pak. I ran the crash analyzer and it told me the driver that caused the failure (when my half SP1/SP2 crashed) was bdguard.sys. A search on Google led me to only Chinese sites that (with rough translating tools) said that BDGuard.sys was a new virus no antivirus product on the market was able to fix.

After I followed the procedure to delete system32\drivers\bdguard.sys (I also deleted system32\bdguard.dat for good measure), the computer seems to have been fixed.

Posted by: vortex at September 18, 2005 4:07 PM

Wow. Well done... and thanks for sharing all that information!

The #1 reason for SP2 failures is pre-existing spyware and viruses on the machine being upgraded. (That's why I pointed to that list of things to do first.) I expect you're gun shy at this point, and I can certainly understand that.

Posted by: Leo at September 18, 2005 4:10 PM

Problem: svchost.exe was maxing out the CPU (under user name of Network Service) preventing connection to internet.

Culprit: using a very large hosts file from the Supertrick suite to block ads in the browser while the DNS Client service is running.

Resolution: do ipconfig /flushdns to clear dns cache. Then, disable DNS Client service. Browser connected to internet perfectly, blocking ads with host file, and Svchost.exe not causing CPU maximum usage.

Read on further if needed...

In my case I was using a very large hosts file from the Supertrick suite to block ads from my browser. For the longest time the hosts file caused no problems. But one day I loaded my browser and couldn't connect to the internet.

The Task Manager showed svchost.exe with CPU usage of 99% and user name of Network Service. If I killed the task I could connect. But this was a pain in the ass. If I deactivated the host file I did not have the problem but got the ads in my browser.

The culprit wound up being the DNS Client service being on automatically and apparently keeping a cache of the entries in the very large hosts file. When I flushed the cache and disabled the DNS Client the problem went away.

Posted by: Eric at October 6, 2005 5:27 PM
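As an added example (not part of Eric's comment or anything Ask Leo! published), the PowerShell below turns his diagnosis and resolution into a repeatable check: it parses the hosts file to show how many mappings the DNS Client service would be caching, reports the state of that service (service name Dnscache, the one running inside an svchost.exe under NETWORK SERVICE), and optionally applies his fix. It assumes Windows PowerShell 5.1 or later on Windows 8 or newer, where Clear-DnsClientCache exists; the comments note the older equivalents.

```powershell
function Get-HostsFileSummary {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Keep only lines that map an address to one or more names; drop blanks and '#' comments.
    $entries = Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }
    # Names are every field after the address, with any trailing comment removed.
    $names = foreach ($line in $entries) {
        (($line -replace '#.*$', '').Trim() -split '\s+') | Select-Object -Skip 1
    }
    [PSCustomObject]@{
        Path          = $Path
        SizeKB        = [math]::Round((Get-Item -Path $Path).Length / 1KB, 1)
        Entries       = @($entries).Count
        DistinctNames = @($names | Sort-Object -Unique).Count
    }
}

function Get-DnsClientState {
    # "DNS Client" is the display name; the service name is Dnscache. It runs inside
    # an svchost.exe instance under NETWORK SERVICE, the account Eric saw in Task Manager.
    $svc = Get-Service -Name Dnscache
    [PSCustomObject]@{ Service = $svc.DisplayName; Status = $svc.Status; StartType = $svc.StartType }
}

function Reset-DnsClientCache {
    param([switch]$DisableService)
    Clear-DnsClientCache   # same effect as "ipconfig /flushdns", which works on every Windows version
    if ($DisableService) {
        # Eric's fix. Caveat: with the service stopped every lookup goes straight to the network
        # resolver, and on Windows 10 and later the service is protected, so Set-Service can be
        # refused; trimming the hosts file is the alternative in that case.
        Stop-Service -Name Dnscache -Force
        Set-Service -Name Dnscache -StartupType Disabled
    }
}

Get-HostsFileSummary
Get-DnsClientState
# Reset-DnsClientCache -DisableService   # applies Eric's resolution; run from an elevated prompt
```

The summary is the useful part for triage: a hosts file with tens of thousands of distinct names is exactly the input that makes the DNS Client cache expensive, and seeing Dnscache "Running" next to that number confirms the combination Eric describes before anything is changed.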

I'd like to report a successful solution to the problem of SVCHOST.EXE's big (80%) resource usage:

Use ProcessExplorerNt! Using it, I found the consumer of the resources (SVCHOST), and in its Properties/Services tab a consumer such as the tapi service (others may have different ones), formally consuming a small amount (1-3%) but probably twitching SVCHOST constantly. Therefore I killed the totally ugly-made fax service of Windows XP - now silence!

Posted by: AlexZ at October 14, 2005 2:47 AM
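The step AlexZ took in Process Explorer (open the busy svchost.exe, look at its Properties/Services tab) can be scripted, which helps when there are a dozen svchost instances to compare. The PowerShell below is an added example, not AlexZ's own procedure: it maps every svchost.exe process to the services it hosts with its CPU time, and, because a process that is merely named like the service host is not the service host, it also checks the image path. It assumes Windows Vista or later (Get-CimInstance against Win32_Service) and gives complete results only from an elevated prompt, since Path and CPU are hidden for processes the session may not inspect.

```powershell
function Get-SvchostServiceMap {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Build a PID -> hosted service names table once; Win32_Service carries the PID
    # of the process each running service lives in.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.ProcessId -ne 0) {
            $servicesByPid[[int]$svc.ProcessId] += @($svc.Name)
        }
    }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $hosted = $servicesByPid[[int]$_.Id]
        [PSCustomObject]@{
            PID        = $_.Id
            CPUSeconds = $(if ($null -ne $_.CPU) { [math]::Round($_.CPU, 1) } else { $null })
            Services   = $(if ($hosted) { $hosted -join ', ' } else { '(none visible: orphan, or run elevated)' })
            # Path is $null for processes this session may not inspect.
            PathOK     = $(if ($_.Path) { $_.Path -ieq $expectedPath } else { 'unknown' })
        }
    } | Sort-Object CPUSeconds -Descending
}

function Find-SvchostLookalikes {
    # Running images whose name is a near miss of "svchost" (the "scvhost" a later commenter
    # mentions is one such), or a real "svchost" not loaded from System32. The 32-bit copy in
    # SysWOW64 can be legitimate; verify anything flagged with Get-AuthenticodeSignature.
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    Get-Process | Where-Object {
        ($_.ProcessName -match '^s[cv][cv]h[o0]st$' -and $_.ProcessName -ne 'svchost') -or
        ($_.ProcessName -eq 'svchost' -and $_.Path -and ($_.Path -ine $expectedPath))
    } | Select-Object Id, ProcessName, Path
}

Get-SvchostServiceMap | Format-Table -AutoSize
Find-SvchostLookalikes | Format-Table -AutoSize
```

Reading the first table top-down gives the same answer Process Explorer gave AlexZ: the instance with the highest CPU time and the short list of services inside it. Stopping one of those services (as he did with the fax service) narrows it further; if the CPU drops, that service was the one twitching the host.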

One of the programs you recommend for cleaning up the registry is PConPoint. I bought this program, but it has not gotten rid of the error message I get after startup. Repeated emails to their support have become circuitous and we are now back to stage one. All their email replies appear to be canned messages with no personal response. It appears no one speaks English, or at least there is no attempt at a personal reply. I feel I have been cheated by purchasing this software because nothing has changed in my computer.

Posted by: David Shreiner at November 6, 2005 12:28 PM

To be clear, I've not recommended that program - I'm not even familiar with it. Perhaps it was displayed in an advertisement - the contents of which I don't control.

Posted by: Leo at November 9, 2005 7:25 PM

Hello there!
Thanks for the great article about the svchost problems. I had this problem and the Microsoft fix did patch it. However, I must say that I am a little disappointed, as none of my virus scanners and anti-spyware programs were able to detect and remove it (I have used AntiVir XP, Panda Active Scan, LavaSoft's Ad-Aware, Pest Patrol, McAfee Anti-Spyware and PAL Spyware Remover, all with no luck, so I am probably still infected).
It would be interesting to know how exactly to fix the problem. I am assuming that the virus / trojan modified one of the DLL files, or added its own DLL files to one of the services. I compared my services list with the one of an uninfected machine and found no difference, so I don't think the trojan adds a new service.

Also it seems to me that svchost is required to have internet access - as soon as I prohibited access for it in Zone Alarm, my whole machine was unable to load any webpage or use any internet application. With my router's DMZ disabled, as you said in your (great) article, the baddies remained quiet and didn't cause any trouble. It's a highly annoying thing and at the same time it would be interesting to find out even more about it, and how to permanently kill the remaining ad and spyware and virus programs. I also found it to trigger other malware - a "bleh.exe", the mentioned "scvhost" as well as the usually Windows-normal "tftp.exe". Anyway, great article, helped me out! Two thumbs up!

Posted by: Felix at November 11, 2005 4:48 PM

Zone Alarm keeps prompting me that svchost is attempting to access the internet. When I block it and check the alerts and logs section of Zone Alarm, it indicates this IP and URL that is causing the problem: 209.244.0.4:53 resolver1.level3.net.

I have been unable to trace this IP other than that it is originating from Aurora, Colorado.

What is it? Is it legit? Should I permit access? Sometimes it makes four attempts for every one denial, then after that I can no longer connect to the internet. Usually closing my browser, then restarting it, enables me to once again get access to the internet.

Posted by: joe at November 16, 2005 8:07 PM

I believe *that* ip is just doing a DNS lookup (mapping some name to an IP address). I'd be more interested in what accesses followed that.

Posted by: Leo at November 16, 2005 9:12 PM
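Leo's reading of joe's alert (port 53 is DNS, so an svchost.exe connection there is the DNS Client doing a lookup, and the interesting question is what came next) can be turned into a small triage routine. The PowerShell below is an added example, not joe's log or Leo's method: it parses firewall alert lines, classifies each svchost destination by port, and for port 53 checks whether the destination is one of the resolvers this machine is actually configured to use, since DNS to a server you never configured is the case worth a second look. It assumes Windows 8 or later for Get-DnsClientServerAddress (on XP, compare against the "DNS Servers" line of "ipconfig /all" instead). The alert lines are constructed for the example, in a simplified format, not a real Zone Alarm export; the only real address in them is the 209.244.0.4 from joe's post, the others are documentation addresses.

```powershell
# Constructed sample alerts: program, destination:port, protocol, action.
$SampleAlerts = @(
    'svchost.exe  209.244.0.4:53      UDP  DENIED',
    'svchost.exe  209.244.0.4:53      UDP  DENIED',
    'svchost.exe  198.51.100.20:80    TCP  DENIED',
    'svchost.exe  203.0.113.9:6667    TCP  DENIED'
)

function Get-ConfiguredDnsServers {
    # Resolver addresses on every adapter that has any, duplicates removed.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ } | Sort-Object -Unique
}

function Resolve-SvchostAlert {
    param(
        [Parameter(Mandatory)][string]$Line,
        [string[]]$DnsServers = (Get-ConfiguredDnsServers)
    )
    if ($Line -notmatch '^(?<prog>\S+)\s+(?<ip>[\d.]+):(?<port>\d+)\s+(?<proto>\w+)\s+(?<action>\w+)') {
        return [PSCustomObject]@{ Line = $Line; Verdict = 'unparsed' }
    }
    $prog = $Matches.prog; $ip = $Matches.ip; $port = [int]$Matches.port
    $proto = $Matches.proto; $action = $Matches.action

    $verdict = switch ($port) {
        53 {
            if ($DnsServers -contains $ip) { 'DNS lookup to a configured resolver: expected for svchost (DNS Client)' }
            else { 'DNS to an address that is NOT a configured resolver: check the adapter DNS settings' }
        }
        { $_ -in 80, 443 } { 'HTTP(S) from svchost: plausible for Windows Update/BITS, confirm the host' }
        default { 'Unusual port for svchost: find out which hosted service opened it' }
    }
    [PSCustomObject]@{
        Program = $prog; Destination = "${ip}:$port"; Protocol = $proto; Action = $action; Verdict = $verdict
    }
}

$servers = Get-ConfiguredDnsServers
$SampleAlerts | ForEach-Object { Resolve-SvchostAlert -Line $_ -DnsServers $servers } | Format-Table -AutoSize
```

With 209.244.0.4 present in the adapter's DNS server list, the first two lines classify as ordinary resolver traffic and the repeated denials explain joe's symptom: blocked DNS means nothing else can connect. The two remaining lines are the "what followed" Leo asks about, and the classifier leaves them flagged for a look rather than guessing. Resolve-DnsName with an IP address performs the reverse lookup that gave joe the resolver1.level3.net name, if that confirmation is wanted.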

I think this is one of the best articles I've ever read. But what to do in our case?
My company is using an application with DCOM technology, and on client machines we installed XP SP2. After that our application could not run.
One of the reasons was the Firewall, which is on by default. To solve this problem, we made exceptions
for the application, but also for port 135, which is used by DCOM (it is not running without that port). Now our application is running, but what about the vulnerability of port 135???

Posted by: Sofija at November 18, 2005 2:35 AM
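The usual answer to Sofija's question is not to close the exception but to scope it: the DCOM endpoint mapper on TCP 135 only needs to be reachable from the machines the application actually talks to, not from every network the client connects to. The PowerShell below is an added example, not part of Sofija's post or anything on the original page: it creates a scoped inbound rule for port 135 and audits the existing rules that allow that port from anywhere. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later); the XP SP2 firewall equivalent, where the scope option does the same job, is shown in a comment. The subnet 192.168.1.0/24 is a placeholder for the LAN that hosts the DCOM peers.

```powershell
# XP SP2-era equivalent, typed at a command prompt (scope=SUBNET limits the exception to the LAN):
#   netsh firewall add portopening protocol=TCP port=135 name="DCOM endpoint mapper" mode=ENABLE scope=SUBNET

function New-ScopedDcomRule {
    param(
        # Placeholder: the subnet (or the single server address) that must reach this client.
        [string[]]$RemoteAddress = @('192.168.1.0/24'),
        [string]$Name = 'DCOM endpoint mapper (scoped)'
    )
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP -LocalPort 135 `
        -RemoteAddress $RemoteAddress -Action Allow -Profile @('Domain', 'Private')
}

function Get-Port135Exposure {
    # Every enabled inbound allow rule for local port 135 (or the RPCEPMap keyword the
    # built-in rules use), with the remote-address scope each one permits.
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -contains '135' -or $_.LocalPort -contains 'RPCEPMap' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [PSCustomObject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (@($addr.RemoteAddress) -join ', ')
                WideOpen      = (@($addr.RemoteAddress) -contains 'Any')
            }
        }
}

Get-Port135Exposure | Format-Table -AutoSize
# New-ScopedDcomRule -RemoteAddress '192.168.1.0/24'   # run elevated once the audit shows a wide-open rule
```

A rule with WideOpen set to True and a Public profile is the exposure Sofija is asking about: the port is answering to whatever network the laptop happens to be on. Replacing it with the scoped rule keeps the application working on the company LAN while leaving port 135 closed everywhere else, which is the same trade the subnet scope in the XP firewall offered.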