Problem with svchost running too much memory - could it be malware related?

I installed some cracked software (bad me!) and suddenly my svchost process started going off the wall in terms of memory usage, noticeably slowing my machine. Screens of processes and services attached.

I've run Malwarebytes and Avast and both come up clean. OTL log attached too. Any help much appreciated - any advice, even if it's just to block the services, would be appreciated.

many thanks asw

[Attachment: services.jpg]

[Attachment: processes.jpg]

The svchost.exe (Services Host) is used by many services for obvious reasons, so there will be many occurrences of svchost.exe (I currently have 6 running, none using anything close to that amount of RAM). What you have to identify are the services using the instance of svchost using the most memory. But using memory is one thing; using CPU is probably more of an issue as it implies activity.

There is no way we can condone the use of cracks on this, the official Avast support forum. That said, I would be looking at removing/uninstalling that cracked program, but the damage may already be done if there was a malware guest with the crack.

I use a small utility, Svchost Analyzer from http://www.neuber.com/free/svchost-analyzer/index.html, that may help identify what is running under that svchost instance.

It will need one of the malware removal specialists to analyse your OTL log; there should also have been an extras.txt file created by OTL, which should also be attached.

The screens on my later post identify the services that particular instance of the host is using.

OK, I have just opened my Win7 system as XP doesn't have any access to the Services in Task Manager.

I take it you highlighted the instance of svchost.exe using the most RAM, right clicked it and selected the Go to Service(s) option?

If so, all of those entries highlighted and listed in your image1 appear to be legit Windows services. So this will have to be analysed by a specialist.

thanks for your time

There are only 2 times I see svchost with high CPU usage:

One is with a corrupted Windows Automatic Update service,

or you have a rootkit or some other piece of malware :-X [check out the link in DavidR's reply]

Use process explorer to track down the location of svchost: http://technet.microsoft.com/en-us/sysinternals/bb896653

It must normally be located in c:\windows\system32

Hi the only thing I can see in the OTL is a remnant of relevant knowledge

The services/drivers and launch point all look OK

Could you run OTL with this script so that I can see if there are any oddball net services running? There will only be one log this time.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

In WIN 7 Task Manager, select View → View Columns. Then checkmark “command line.” This will give you a better display in Task Manager of where processes are running from.

I also use Svchost Analyzer. I really don't know how effective it would be in detecting a rogue hidden service using its own svchost container that isn't running at the time you used it. Also the malware might detect Svchost Analyzer is running and remain hidden.

When I had a problem with svchost in WIN 7, it was because my service permissions were hosed; in particular the dnscache service. This is the service a DNS exploit would go after.

You might also try ProcessHacker: http://sourceforge.net/projects/processhacker/. Runs similar to Sysinternals' Process Explorer but has more options. For example, it has a toolbar option that will give you a popup with the name of anything svchost.exe starts executing. It will also terminate processes that cannot be terminated using RKill, etc.
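The manual steps above (Go to Service(s) on the fattest svchost instance, the "command line" column, and checking that the image sits in System32) can be done in one read-only pass from PowerShell. This is an added example, not from anyone in the thread or from any of the tools mentioned; it assumes PowerShell 3.0 or later for Get-CimInstance and an elevated prompt so every instance's path and command line are readable.

```powershell
# Added example: map each running svchost.exe to the services it hosts, its
# working set and image path, and flag instances not running from System32.
# Read-only. Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.
$system32 = Join-Path $env:SystemRoot 'System32'

# One query each for processes and running services, joined on ProcessId below.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$svcs  = Get-CimInstance Win32_Service -Filter "State = 'Running'"

$report = foreach ($p in $procs) {
    $hosted = $svcs | Where-Object { $_.ProcessId -eq $p.ProcessId }
    $path   = $p.ExecutablePath

    # The genuine host lives under %SystemRoot%\System32; anything else is suspect.
    $pathOK = [bool]($path -and ($path -like "$system32\*"))

    [pscustomobject]@{
        PID          = $p.ProcessId
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        PathOK       = $pathOK
        ImagePath    = $path
        CommandLine  = $p.CommandLine          # same field as Task Manager's "command line"
        Services     = (@($hosted.Name) | Sort-Object) -join ', '
    }
}

# Largest consumer first: this is the instance to investigate, as DavidR describes.
$report | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, PathOK, Services -AutoSize

# Instances outside System32, or hosting no registered service, deserve a closer look.
$report | Where-Object { -not $_.PathOK -or -not $_.Services } | Format-List
```

As Don notes, this only sees what is running at the moment; a service that is stopped when you look will not appear, so compare against `Get-CimInstance Win32_Service` without the State filter if the list looks short.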

many thanks for all the replies - thanks for the links Don they look helpful anyway.

Essexboy attached is the new log

thanks again asw

No extra net services are running

Lets have a look at the MBR

Download aswMBR.exe (4.8mb) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.

http://dl.dropbox.com/u/73555776/aswMBRscan.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

http://dl.dropbox.com/u/73555776/aswMBRlog.png

OK, this is odd - was running the asw.exe - then it crashed (see screenshot) - looks like it crashed when it hit the folder with the cracked copy of Office…

…chastise away… I reckon I need to delete the cracked copy of Office before anything else

Would be advisable… Remember no crack is really free, it comes loaded with goodies. Rootkits MBR infectors etc…

Plus Win 7 scans your HDD for illegal software plus a number of security software products do so also. You don't need legal problems on top of malware I assume?

Yep - it's taught me a lesson - OK, deleted it all and the MBR ran fine - file attached. Thanks again for your time.

It won't let me attach the .DAT file - any ideas?

Does this work as a .txt?

All areas are looking good, but we can go fishing to put your mind at rest.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.