Windows 7 svchost.exe "clone" using 100% CPU

JaieHR

Honorable
Dec 11, 2013
4
0
10,510
0
I''ve been having a really strange problem with my Windows 7 Machine.

It would work normally for a few days and then out of nowhere it would Slow Down drastically, when I check the taskamager to look for any process taking up too much resources I would always find this particular svchost.exe process taking up arround 92% to 98% CPU.

The odd thing is that when I try to find which service it is related to, my task manager won't show me any related services, also on the Description column it will only show "svchost.exe"

My task manager window would look like this when this svchost "clone" is running.

image upload no size limit

However if I terminate this process it doesn't seem to affect anything on the system unlike the other svchost.exe listed there, which have thier description displayed correctly.

I've been googling for similar issues but I've had no luck, I've used different antivirus, anti-spyware and anti-malware scans to check for malicious software but I get no results other than tracking cookies and such (which I already deleted off course) but the problem presists.

If anyone has an idea of what could be calling this svchost.exe "Clone" please let me know.

My sistem specs are
Intel i5-3330 CPU @ 3.30 GHz
6 GB RAM
Windows 7 Pro 64 Bit
 

VincentP

Distinguished
Right hand click on the process in task manager and click "Open File Location".
For the real service host processes, I think this will be C:\Windows\System32, but check on your system.
For the fake one, do the same thing and see if this is in a different location.
The fake one may not be a virus, but any software impersonating a Windows executable is probably up to no good.
 

JaieHR

Honorable
Dec 11, 2013
4
0
10,510
0


Thanks for your replay, I've not had this issue to appear again for now but I'll follow your advice when it does.

Today I tried a file search for svchost.exe I found an svchost file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp which is about 6.73 MB while the one on C:\Windows\System32 is less than 30 KB.

Could this be the file that's taking 100% CPU? Is it safe to delete it?

Doing the same search on a different Windows 7 Machine does not show any svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.

UPDATE

The issue appeared again as soon as I finished my replay...

I followed your instructions and it did take me to C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp.
 

Hawkeye22

Champion
Moderator
You can also open a command prompt as administrator and type in

tasklist /svc

and it will show each of the svchosts and the services it is running. Match up the PID from the task manager. It looks as if you will have to tell your task manager to show the PID column.
 

VincentP

Distinguished


Generally anything in a Temp directory can be deleted.
To be on the safe side, just more the file somewhere else so that whatever is running the file can't find it.
Give the machine a reboot, if everything still works correctly you didn't need the file.
 

JaieHR

Honorable
Dec 11, 2013
4
0
10,510
0
Hello there, my issue seems to be solved for now, here's what I did.

I decided to delete the svchost.exe file on C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp but I would still get an svchost.exe file using 92-98% CPU, when right click -> Open File Location I found out there was a new svchost.exe in there about the same size as the last one I deleted (almost 7mb).

After that, I deleted it again and created a folder called "svchost.exe" inside C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp to prevent whatever is creating that file on that location to do so again.

Since then, I haven't had any more problems and my computer is running fine now.

However I'm still not sure what could be creating that svchost.exe file.
 

VincentP

Distinguished


You almost certainly have a trojan.
Malware often protects itself by having a second process running to recreate the first.
The high CPU usage means this could be someone using your computer for computation (e.g. bitcoin mining).
Some supposedly legal browser toolbars are now doing this.

Virus scanners aren't good at picking up malware.
Spybot have a free version you can download:
http://www.safer-networking.org/
 

djett427

Reputable
Mar 9, 2015
429
0
4,860
29


Having the same problem here. It's a rather odd program, and haven't figured out the cause yet.
 

Similar threads


ASK THE COMMUNITY