I installed some cracked software (bad me!) and suddenly my svchost process started going off the wall in terms of memory usage, noticeably slowing my machine. Screens of processes and services attached;
I've run Malwarebytes and Avast and both come up clean. OTL log attached too. Any help much appreciated - any advice, even if it's just to block the services, would be appreciated.
The svchost.exe (Services Host) is used by many services for obvious reasons, so there will be many occurrences of svchost.exe (I currently have 6 running, none using anything close to that amount of RAM). What you have to identify are the services using the instance of svchost using the most memory. But using memory is one thing; using CPU is probably more of an issue as it implies activity.
There is no way we can condone the use of cracks on this, the official Avast support forum. That said, I would be looking at removing/uninstalling that cracked program, but the damage may already be done if there was a malware guest with the crack.
It will need one of the malware removal specialists to analyse your OTL log; there should also have been an Extras.txt file created by OTL, which should also be attached.
OK, I have just opened my Win7 system as XP doesn't have any access to the Services in Task Manager.
I take it you highlighted the instance of svchost.exe using the most RAM, right clicked it and selected the Go to Service(s) option?
If so, all of those entries highlighted and listed in your image1 appear to be legit Windows services. So this will have to be analysed by a specialist.
Hi, the only thing I can see in the OTL is a remnant of Relevant Knowledge.
The services/drivers and launch points all look OK.
Could you run OTL with this script so that I can see if there are any oddball net services running. There will only be one log this time.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users.
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.
In Win 7 Task Manager, select View → View Columns. Then checkmark "Command Line." This will give you a better display in Task Manager of where processes are running from.
I also use Svchost Analyzer. I really don't know how effective it would be in detecting a rogue hidden service using its own svchost container that isn't running at the time you used it. Also the malware might detect Svchost Analyzer is running and remain hidden.
When I had a problem with svchost in Win 7, it was because my service permissions were hosed; in particular the dnscache service. This is the service a DNS exploit would go after.
You might also try Process Hacker: http://sourceforge.net/projects/processhacker/. Runs similar to Sysinternals' Process Explorer but has more options. For example, it has a toolbar option that will give you a popup with the name of anything svchost.exe starts executing. Also will terminate processes that cannot be terminated using RKill, etc.
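The two pieces of advice above (find the services hosted by the heaviest svchost.exe instance, and check the command line / image path each instance was started from) can be done in one go from a PowerShell prompt. The script below is an added example written for this thread, not something posted by any of the participants or shipped with OTL, Svchost Analyzer or Process Hacker. It assumes Windows PowerShell 3 or later with the CIM cmdlets and an elevated prompt (otherwise the command line and path of other users' processes come back empty); the column names in the report are my own choice.

```powershell
# Added example: map each svchost.exe instance to its hosted services, memory
# use and command line, and flag instances that are not the expected
# %SystemRoot%\System32\svchost.exe or that host no registered service.
# Assumes PowerShell 3+ with Get-CimInstance, run from an elevated prompt.

$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# One WMI/CIM query each; the join on ProcessId is done in memory.
$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

$report = foreach ($p in $procs) {
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId })
    $path   = $p.ExecutablePath
    [pscustomobject]@{
        PID          = $p.ProcessId
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Path         = $path
        # False when the path is unreadable (null) or is not the System32 binary
        ImageOK      = [bool]($path -and ($path -ieq $expectedImage))
        CommandLine  = $p.CommandLine
        Services     = ($hosted | ForEach-Object { $_.Name }) -join ', '
        # An svchost that hosts no registered service deserves a closer look
        NoServices   = ($hosted.Count -eq 0)
    }
}

# Overview, heaviest instance first
$report | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, ImageOK, NoServices, Services -AutoSize

# Detail for the heaviest instance: the "-k <group>" it was started with and
# the start mode and binary path of every service it hosts
$top = $report | Sort-Object WorkingSetMB -Descending | Select-Object -First 1
"Heaviest svchost PID $($top.PID): $($top.CommandLine)"
$services | Where-Object { $_.ProcessId -eq $top.PID } |
    Select-Object Name, DisplayName, StartMode, PathName | Format-List
```

Read the overview for two things: an instance whose ImageOK column is False (svchost.exe running from somewhere other than System32) and an instance with NoServices set to True (a process called svchost.exe that the Service Control Manager does not know about). Either is something to hand to the specialists along with the OTL logs rather than something to kill on sight, since a hosted service that is legitimate but leaking memory will look identical in the memory column.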
OK, this is odd - was running the asw.exe - then it crashed (see screenshot) - looks like it crashed when it hit the folder with the cracked copy of Office…
…chastise away…I reckon I need to delete the cracked copy of office before anything else
Would be advisable... Remember no crack is really free; it comes loaded with goodies: rootkits, MBR infectors, etc.
Plus Win 7 scans your HDD for illegal software plus a number of security software products do so also. You don't need legal problems on top of malware I assume?
All areas are looking good, but we can go fishing to put your mind at rest.
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.