svchost x 2 high CPU/memory usage

Guest Rafal21



Last Friday I got infected with some malware after visiting websites I was browsing looking for answers to my vba/vbs scripts questions. First, my McAfee alerted me that some activities got stopped while browsing this website, and after a while I noticed that my laptop got very very slow.


I ran a McAfee scan which found nothing.

I then ran an MB scan which found 14 threats, all successfully removed. However, I noticed that there are two svchost processes which use up to 100% of my CPU now, and each of them takes 270MB of my memory, slowing my computer down every minute.


I spent the last two days doing research on the net and trying to run various scanners/rootkit removal tools etc.


I used ESET and TDDS rootkit removal along with 3 other ones. ESET found 4 threats, and the other scanners found nothing.


I ran the Resource Monitor to check what services are associated with both svchost processes; there are none.

However, I found that both of the svchost processes have a number of Associated Handles and a few of them point to a generic-sounding folder in my Users/rafal/AppData/Local/Temp folder which consists of a number of dll files:

libcurl.dll, libeay32.dll, libidn-11.dll, pthreadGC2.dll, ssleay32.dll, zlib1.dll


Now, the whole folder was created at 10:33 on Friday, at the very precise time I got infected after visiting the website.

Since both svchost processes use these dlls along with other Windows files, it was not possible to kill the processes or to delete this folder. However, it is possible to suspend both of them, which brings CPU usage to 0%.


Also, once suspended, I ran TFC cleaner which deleted the folder successfully! (It wasn't able to do it previously.)

I thought I had won this battle; however, after starting my computer today, this folder recreated itself and both svchost processes are there using up to 100% of my CPU/memory. I can suspend them to bring my computer back to speed, but I guess I would rather find an answer to why this is happening.



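The checks described in the post above (svchost.exe instances with no associated services that hold files from a folder under AppData\Local\Temp) can be run in one pass over every svchost.exe on a live system. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later in an elevated prompt, and the variable names are illustrative.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell 3.0+ prompt.
$expected    = Join-Path $env:SystemRoot 'System32\svchost.exe'
$servicesPid = (Get-CimInstance Win32_Process -Filter "Name='services.exe'").ProcessId

# Map PID -> names of the Windows services hosted in that process.
$hosted = @{}
foreach ($svc in Get-CimInstance Win32_Service -Filter 'ProcessId > 0') {
    $hosted[[int]$svc.ProcessId] += @($svc.Name)
}

$report = foreach ($p in Get-CimInstance Win32_Process -Filter "Name='svchost.exe'") {
    $procId = [int]$p.ProcessId
    $flags  = @()

    # A genuine svchost.exe runs from System32 and is started by services.exe.
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $expected) { $flags += 'unexpected image path' }
    if ($p.ParentProcessId -ne $servicesPid) { $flags += 'parent is not services.exe' }

    # The symptom from the post: Resource Monitor shows no services for the process.
    if (-not $hosted.ContainsKey($procId)) { $flags += 'hosts no services' }

    # Loaded modules outside %SystemRoot%, such as DLLs under AppData\Local\Temp.
    # Third-party service DLLs under Program Files also show up here and may be legitimate.
    $mods = $null
    try { $mods = (Get-Process -Id $procId -ErrorAction Stop).Modules } catch { }
    if (-not $mods) { $flags += 'module list unreadable' }
    $outside = @($mods | Where-Object { $_.FileName -and $_.FileName -notlike "$env:SystemRoot\*" } |
        ForEach-Object { $_.FileName })
    if ($outside.Count -gt 0) { $flags += 'modules outside SystemRoot' }

    [pscustomobject]@{
        PID      = $procId
        Services = ($hosted[$procId] -join ', ')
        Flags    = ($flags -join '; ')
        Modules  = ($outside -join "`n")
    }
}

# Show only the instances that need a closer look.
$report | Where-Object { $_.Flags } | Format-List
```

A flagged instance is a lead for further analysis, not a verdict; protected service processes can legitimately report an unreadable module list.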

Guest Rafal21

I ran the RogueKiller and it looks like I am infected with Zero Access.

I managed to delete one entry from the registry but I am unable to remove two other ones.


Here is the report:


RogueKiller V8.7.3 [Oct 15 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : RLI02 [Restricted rights]
Mode : Scan -- Date : 10/16/2013 09:33:58
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\rli02\AppData\Local\Google\Desktop\Install\{89591748-e1ff-c226-a0cc-64381d69f2da}\?��?��?��\?��?��?��\???ﯹ๛\{89591748-e1ff-c226-a0cc-64381d69f2da}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-606747145-1364589140-725345543-286162\[...]\Run : Google Update ("C:\Users\rli02\AppData\Local\Google\Desktop\Install\{89591748-e1ff-c226-a0cc-64381d69f2da}\?��?��?��\?��?��?��\???ﯹ๛\{89591748-e1ff-c226-a0cc-64381d69f2da}\GoogleUpdate.exe" >) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\rli02\AppData\Local\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.