May 04 2011

SVCHost running at near 100%

One of the office computers, an XP Pro system, started having problems last week locking up, usually right after starting Internet Explorer or bringing a running program to the foreground. We would pull up Task Manager and see that one of the svchost.exe processes was using nearly 100% of CPU cycles. If this process was killed then the computer would once again become usable, except that killing svchost.exe has side effects. Many programs tuck their processes into svchost, so killing it doesn’t just solve the problem, it will also cause other active programs to lock up when bringing them to the foreground later.

I finally sat down to see if I could fix this problem. A preliminary Google search showed that Windows updater is a common cause of this problem. I tried a couple of the fixes with no luck, so started from scratch to examine the problem. The first thing I noticed is that somehow this computer is not running Microsoft Security Essentials (MSE). We run MSE as our antivirus program on our XP machines. I must have missed installing it on this computer. The quick scan brings up 2 viruses right away, Rogue:Win32/FakeYak and Trojan:DOS/Alureon.A.

Rogue:Win32/FakeYak was easily removed by MSE but Trojan:DOS/Alureon.A was immune to it. A Google search had multiple sites suggesting TDSS Rootkit Removing Tool (TDSSKiller.exe) from Kaspersky Labs. Sure enough, TDSSKiller made quick work of the virus. Running MSE again found and removed a third virus, TrojanDownloader:Win32/Karagany.A.

The only remaining oddity is that Internet Explorer will not pull up any website, displaying the error message, “”. I ran ipconfig and noticed that there were no DNS servers listed. I checked proxy servers, none. I then checked the network settings and, sure enough, the box was selected to specify DNS servers but none were listed. Quick fix.

Hopefully this is the end of it. And time to make sure MSE is running on all the machines.