High memory usage svchost.exe for dcomlaunch process


4 replies to this topic

#1 Plexi

Plexi

  • Members
  • 18 posts

Posted 01 January 2014 - 07:32 PM

Hello,

I've run into a problem that I can't seem to diagnose; unsure whether it is malware related or not.

I'm running Windows 7 Home Professional 64 bit. 8 gigs of RAM.

Very recently, as in within the last couple days, applications have begun to hang and crash. Upon investigation, I found that one of the svchost.exe files is chewing up a huge amount of memory. The process usually sits between 15 to 25 percent cpu usage, but can spike up to 50 to 80; meanwhile the memory usage continues to rise. Eventually, the process closes (I think) and it causes a system restart.

I have a little experience dealing with computer infections, so I tried to do some investigating on my own initially (I know you guys don't like to hear that, sorry). Anyway, the specific svchost.exe that is seemingly causing problems was managing the Power service, the Plugplay service, and DCOMlaunch service. I split them up to try to identify the problem and it's the one managing DCOMlaunch. I looked at the threads in Process Explorer and, while I don't fully understand what they mean, it seems that there are several threads related to msvct.dll and ntoskrnl.exe.

I've done what I usually do when I run into problems; I ran MBAM, MBAR, and I did a scan with ESET, I did a scan with my regular antivirus Avira, but everything is coming up totally clean, so I'm stumped.

Any help would be greatly appreciated.



#2 Plexi

Plexi
  • Topic Starter

  • Members
  • 18 posts

Posted 08 January 2014 - 01:33 AM

Bump

#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 08 January 2014 - 11:21 AM

Hi,

Let's see if this is malware based: 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
 
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

There should be a text file named rkill.txt on the desktop; copy and paste that into your next reply.

xXToffeeXx~


Edited by xXToffeeXx, 08 January 2014 - 11:21 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 



#4 Phere

Phere

  • Members
  • 2 posts

Posted 08 January 2014 - 11:23 AM

Plexi, 

I too have run into this issue on Windows 7 Ultimate 64 bit 8 GB RAM. I have also run MBAM, MBAR, CCleaner, MSEssentials, ESET Scan, RogueKiller, JRT, Farbar Service Scanner, Farbar Recovery Scan Tool, and RKill, all coming back clean, and am still running into the issue as well. I receive an annoying "Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly" or a "Windows will restart in 1 minute" or "Windows must now restart because the Power Service terminated unexpectedly." After becoming so annoyed with the forced restarts, I started cancelling the restarts with shutdown -a but noticed various applications would not open, file access was prevented, and hardware (mic, headset, gaming mouse) failed to work if I did not already have them in use. I'm about to do a full reinstall but am concerned as I just built this PC and installed Win 7 less than a month ago. I have seen a few threads on similar issues with DCOM processes running at high CPU usage, and the aforementioned scans and cleaners resolved the others' issues. There is a thread on overclock.net that covers some of the processes you can disable that aren't required for your DCOM services to continue running correctly. Search for "Windows 7 DCOM Services being terminated, forcing restarts" and read the second post. Sadly it did not work for me.



#5 daverolland

daverolland

  • Members
  • 3 posts

Posted 25 March 2014 - 10:34 AM

I found a solution to this problem.  It may or may not help you inasmuch as I am running XP.  A system file called RPCSS had been patched with a virus of some sort.  I renamed the file and copied a legit version from Windows on another PC.  Reboot.  Problem solved. 

 

I don't know why MBAM, etc., didn't find it.
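
An added example, not posted by anyone in this thread: a PowerShell check that lists every service sharing the svchost.exe instance that hosts DcomLaunch (the grouping post #1 isolated by hand) and reports the signature status and SHA-256 of each service DLL, so a file such as the RPCSS one from post #5 can be compared against a copy from a known-good machine of the same Windows build. It assumes each service registers its DLL in the `ServiceDll` value under its `Parameters` registry key.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Uses Get-WmiObject and .NET hashing so it also works on the PowerShell 2.0
# that ships with Windows 7.

$target = Get-WmiObject Win32_Service -Filter "Name='DcomLaunch'"
if (-not $target -or $target.ProcessId -eq 0) {
    throw 'DcomLaunch is not running'
}

# Memory use of the svchost.exe instance that hosts DcomLaunch
$hostPid = $target.ProcessId
$proc    = Get-Process -Id $hostPid
'svchost.exe PID {0}: working set {1:N0} MB' -f $hostPid, ($proc.WorkingSet64 / 1MB)

$sha256 = [System.Security.Cryptography.SHA256]::Create()

# Every service hosted in that same svchost.exe instance
Get-WmiObject Win32_Service -Filter "ProcessId=$hostPid" | ForEach-Object {
    # Assumption: the service DLL is registered under <service>\Parameters
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $path  = [Environment]::ExpandEnvironmentVariables($dll)
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $bytes = [System.IO.File]::ReadAllBytes($path)
        New-Object PSObject -Property @{
            Service   = $_.Name
            Dll       = $path
            Signature = $sig.Status
            SHA256    = [BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
        }
    }
} | Select-Object Service, Signature, Dll, SHA256 | Format-List
```

Many Windows system files are catalog-signed, and older PowerShell versions report those as `NotSigned`, so treat a non-`Valid` status as a reason to compare the hash with a known-good copy rather than as proof of tampering.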





