SVCHOST.EXE eating up memory after virus


19 replies to this topic

#1 magic9669

magic9669

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 09:49 AM

I had a virus on my computer and after cleaning with malwarebytes, the svchost.exe eats up all of my CPU and memory. Am I still infected?


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:34 AM

Posted 16 August 2011 - 09:54 AM

Can you post the log from Malwarebytes?

#3 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 09:58 AM

I didn't save the original, but I'll run another scan and post it if that's OK?

#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:34 AM

Posted 16 August 2011 - 09:59 AM

It should automatically be saved under the Logs tab, but if you can't find it, run a full scan.

#5 MR Cracker

MR Cracker

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 16 August 2011 - 10:12 AM

I think the virus is not deleted completely,
and you have to scan your computer with a powerful AntiVirus.

#6 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 11:14 AM

@Bleeping Madman - the scan is almost complete.

I think the virus is not deleted completely,
and you have to scan your computer with a powerful AntiVirus.


I have ESET and scanned with it as well, with no luck, as well as TDSSKiller and Super Antispyware.

#7 MR Cracker

MR Cracker

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 16 August 2011 - 11:38 AM

ESET is a very bad AntiVirus, as I have experienced.
TDSSKiller is not an AntiVirus; it just deletes some rootkits that use drivers,
and I have not used Super Antispyware before, but it is not a complete AntiVirus.
Post in the Virus, Trojan, Spyware, and Malware Removal Logs forum,
and make sure the process name is svchost.exe and not scvhost.exe, etc.

Also, you can do this if you are advanced:
with Process Explorer, find which svchost process uses CPU, then in its Services tab look for an unusual enabled service and disable it with the Windows service manager.
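The Process Explorer step above can also be scripted. The following is an added example, not code from the thread: it maps every running svchost.exe to the services it hosts, sorts by CPU time, and flags any instance whose image is not the copy in %SystemRoot%\System32 (the svchost/scvhost look-alike warning). It assumes Windows PowerShell 3 or later, run as Administrator.

```powershell
# Added example (not from the thread): map each running svchost.exe to the
# services it hosts, show CPU time and memory, and flag any copy that is not
# %SystemRoot%\System32\svchost.exe. Assumes Windows PowerShell 3+ as Admin.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# PID -> hosted services lookup, built from Service Control Manager data.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    ForEach-Object {
        $proc   = $_
        $hosted = $servicesByPid["$($proc.Id)"]
        [pscustomobject]@{
            PID        = $proc.Id
            CPUSeconds = [math]::Round($proc.CPU, 1)      # total CPU time used so far
            WorkingSet = '{0:N0} MB' -f ($proc.WorkingSet64 / 1MB)
            # True when the image path is readable and is not the System32 copy
            Suspicious = ($null -ne $proc.Path) -and ($proc.Path -ne $expectedPath)
            Services   = ($hosted | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

The busiest instance is listed first; the services in its row are the ones worth examining one at a time. Without PowerShell, `tasklist /svc` gives the same PID-to-service mapping.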

#8 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 12:19 PM

I'm not sure of a virus scanner that is better than others, so any suggestions are welcome.

I used TDSSKiller just to see if there was a rootkit involved. Super Antispyware is good, but it's only used for spyware, not malware (although from what I notice it sometimes classifies some malware as spyware as well).

I was merely letting everyone know what I used and that I'm still having an issue. It is the SVCHOST.EXE and not SCV.

I have used Process Explorer and shut down all of the services involved one at a time and none of it worked... ALTHOUGH, there were one or two services that wouldn't shut down (says it was in use or something along those lines). I don't recall which processes they were, but I will try to find out.

Log from Malwarebytes should be coming soon. Even after a clean two days ago, I noticed it found several more items, so now I know I'm not cleaning it fully.

Thanks gents, I appreciate it.

#9 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 12:36 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7478

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/16/2011 1:13:04 PM
mbam-log-2011-08-16 (13-13-04).txt

Scan type: Full scan (C:\|)
Objects scanned: 292367
Time elapsed: 1 hour(s), 40 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Value: 1 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4293541492 (Trojan.FakeAlert) -> Value: 4293541492 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel\HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\psinger\Local Settings\Application Data\lsx.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
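The log above shows registry hijacks rather than files: an open command planted directly under HKCR\.exe, the Start Menu Internet entry wrapped by an lsx.exe in the user profile, several Policies values set to 1, and a Run entry with a purely numeric name. The following is an added, read-only example (not from the thread) that re-checks exactly those locations after a reboot, so a re-infection shows up without waiting for another full scan. It assumes Windows PowerShell; as the topic starter notes, on a domain-joined PC some Policies values may be set legitimately by GPO, so those are reported for review rather than called malicious.

```powershell
# Added example (not from the thread): re-check the registry locations flagged
# in the posted Malwarebytes log. Read-only; assumes Windows PowerShell.
function Get-RegValue([string]$Path, [string]$Name = '(default)') {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. EXE association. A clean system has no shell\open\command under HKCR\.exe;
#    the real handler is HKCR\exefile\shell\open\command with the value "%1" %*.
$stray = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
if ($null -ne $stray) { $findings.Add("HKCR\.exe has its own open command: $stray") }
$exefile = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exefile -ne '"%1" %*') { $findings.Add("exefile handler is not ""%1"" %*: $exefile") }

# 2. Start Menu Internet entry: the log showed it wrapped by lsx.exe in AppData.
#    Two .exe references, or a user-profile path, means it is wrapped again.
$ieCmd = Get-RegValue 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
if ($ieCmd -and ($ieCmd -match 'Application Data|AppData' -or
                 ([regex]::Matches($ieCmd, '\.exe', 'IgnoreCase')).Count -gt 1)) {
    $findings.Add("StartMenuInternet command looks wrapped: $ieCmd")
}

# 3. Policy values the log reset to 0. Present and non-zero means something
#    re-applied them: the malware again, or a GPO on this domain.
$policies = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Names = @('NoChangingWallPaper') },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Names = @('NoDispAppearancePage','NoDispScrSavPage','NoDispBackgroundPage') },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Names = @('ForceClassicControlPanel') },
    @{ Key = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel';      Names = @('HomePage') }
)
foreach ($p in $policies) { foreach ($n in $p.Names) {
    $v = Get-RegValue $p.Key $n
    if ($v) { $findings.Add("$($p.Key)\$n = $v (check whether a GPO sets this)") }
} }

# 4. Per-user Run entries whose name is only digits, like 4293541492 in the log.
$run = Get-Item 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) { foreach ($n in $run.GetValueNames()) {
    if ($n -match '^\d+$') { $findings.Add("Numeric Run entry $n -> $($run.GetValue($n))") }
} }

if ($findings.Count -eq 0) { 'No flagged locations look hijacked.' } else { $findings }
```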

#10 MR Cracker

MR Cracker

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 16 August 2011 - 12:37 PM

It is important to find which service uses CPU. Try to find it with Process Explorer or other programs.

#11 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 12:39 PM

Please note that this computer is part of a domain with GPOs set up. Hence the ForceClassicStart registry key (amongst some others). Just wanted to point that out.

Edited by magic9669, 16 August 2011 - 12:46 PM.


#12 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 01:26 PM

It is important to find which service uses CPU. Try to find it with Process Explorer or other programs.


Remote Access Connection Manager is the only process that I cannot stop. I can only assume that this is the process causing an issue. What can I do to fix it?

#13 MR Cracker

MR Cracker

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:04 AM

Posted 16 August 2011 - 02:18 PM

When you stop other services, does the CPU use not stop and stay at 100%?

If yes, it seems your computer is hacked,
and post in the Virus, Trojan, Spyware, and Malware Removal Logs forum to find a solution.

#14 magic9669

magic9669
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:34 PM

Posted 16 August 2011 - 02:39 PM

It's not necessarily 100% from the SVCHOST.EXE file. I'd say 80% and above, and the other programs/processes take up the rest.

Based on Process Explorer, I stopped all services that were associated with the SVCHOST file except for two that I was unable to due to unresponsive time. They seem to go hand in hand. Remote Access Connection Manager was unable to stop, and when I try to stop Telephony, it asks me to stop that one as well, so I cannot stop that one. All other services were stopped and still the SVCHOST.EXE was eating up the CPU usage and over 500Mb of RAM.

Also, I posted the Malwarebytes results above per CryptoDan. I'm awaiting the next step.

#15 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:34 AM

Posted 16 August 2011 - 02:39 PM

Is this part of a work environment, and are you the administrator for the domain?
