svchost.exe taking up excessive RAM until crash!? - Trojan? - Help!

tradmusic

Hi,

We are having a nightmare with file svchost.exe.

When we boot up our PC, svchost.exe shows several occurrences in the Task
Manager. However, one in particular (the only one marked as LOCAL SERVICE),
shows a constant rise in RAM use until it finally causes the machine to
crash (because it's using 7 gazillion megs of RAM!).

We have installed:
Norton Antivirus
McAfee Antivirus
PestPatrol
Adaware
Anti-Trojan Shield

But despite finding one or two other things, svchost.exe seems to still have
trouble. We deleted svchost.exe but this caused Windows to stop recognising
devices, Internet etc - so we replaced it with a known "good" svchost.exe.
To our surprise (or were we really *that* surprised), the same problem still
occurred.

Can anyone help, or does anyone know what this is? It is doing our heads
in!!
Does the fact that it is marked as LOCAL SERVICE have any significance? All
other occurrences of svchost.exe are marked differently, and they all seem
fine.

Any help would be greatly appreciated, thank you.
Tracey.
 
Rick "Nutcase" Rogers

Hi Tracey,

You are attacking this from the wrong angle by concentrating on svchost.exe.
It runs a collection of files, so replacing it is not going to make any
difference. You need to look more at what is being initiated at boot, these
can help:

How to Troubleshoot By Using the Msconfig Utility in Windows XP [Q310560]
http://support.microsoft.com/?kbid=310560

HOW TO: Perform Advanced Clean-Boot Troubleshooting in Windows XP
http://support.microsoft.com/?kbid=316434

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Dan

First thing to do is go to..

C:\WINDOWS\System32\WINS

If there is anything other than SVCHOST.EXE then you may
have a virus

Your best bet is to rename the file, you may find that you
can't because it is in use.

Start in Safe Mode, try there, if not edit your registry.
Go to Start/Run then type in regedit
Go to File then Export and backup your registry

Then
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and look for anything that is associated with the
file in there and delete.
PLEASE BE CAREFUL IN REGEDIT, deleting the wrong thing can
and will do harm to your PC, so please be sure of what
you're deleting.

Then reboot your machine and you SHOULD be ok.

Thanks
 
tradmusic

Thanks Nutcase!

Will check those out and let you know how I get on.

Trace.

 
tradmusic

Thanks Dan,

Really appreciate all this help guys. Will give that a go also.

Alarmed that no anti-virus or anti-trojan or anti-pest thing was able to
pick this up.
Bought PestPatrol for $50 and we still have the problem. Should have
searched here first!

Will let you know how I get on.

Thanks again.
Trace.
 
davetest

Open up the task manager. Take note of the PID (process ID)
of the svchost in question.
Open a CMD window and execute Tasklist /SVC - this command is
not available in XP home but can be downloaded from here:
http://www.computerhope.com/download/winxp.htm


Match up the svchost/PID with the tasklist display, and you'll
find out which windows XP services are running there.
Then you can selectively disable them (from services.msc command)
until you find the culprit.

Users have experienced these symptoms from SSDP and Universal plug
and play services, and in most cases these can be disabled.

Dave
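
The PID-to-service matching described in the post above, as an added example that is not part of the original thread. It assumes the output was saved with `tasklist /SVC /FO CSV` on an English-locale system; the sample output and its PIDs are constructed, and `SSDPSRV` and `upnphost` are the XP short names of the two services mentioned.

```python
import csv
import io

# Constructed sample of `tasklist /SVC /FO CSV` output (not from the thread).
SAMPLE = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","856","DcomLaunch,TermService"
"svchost.exe","932","RpcSs"
"svchost.exe","1028","AudioSrv,BITS,Browser,Dhcp,Schedule,wuauserv"
"svchost.exe","1140","Dnscache"
"svchost.exe","1196","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"explorer.exe","1612","N/A"
'''

# Short names of the SSDP Discovery and UPnP Device Host services.
SUSPECTS = {"ssdpsrv", "upnphost"}


def services_by_pid(csv_text, image="svchost.exe"):
    """Return {pid: [service, ...]} for every running instance of `image`."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Image Name"].lower() != image:
            continue
        names = [s.strip() for s in row["Services"].split(",") if s.strip()]
        result[int(row["PID"])] = [] if names == ["N/A"] else names
    return result


def disable_order(csv_text, pid):
    """Services hosted by `pid`, SSDP/UPnP first, in the order to try disabling."""
    hosted = services_by_pid(csv_text).get(pid)
    if hosted is None:
        raise KeyError(f"PID {pid} is not a svchost.exe instance")
    return sorted(hosted, key=lambda s: (s.lower() not in SUSPECTS, s.lower()))


if __name__ == "__main__":
    # 1196 stands in for the PID noted in Task Manager for the growing process.
    for name in disable_order(SAMPLE, 1196):
        print(name)
```

Disable one service at a time in services.msc and watch the memory use before moving to the next, so the culprit is identified rather than guessed.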
 
Alex Nichol

Dan said:
First thing to do is go to..

C:\WINDOWS\System32\WINS

If there is anything other than SVCHOST.EXE then you may
have a virus

Or even a 'svchost.exe' there. There should be one in Windows\system32,
and its date should be 23 August 2001, and its size 12800 bytes. There
should also be a backup copy in system32\dllcache. Delete any others,
and if the one in system32 is the wrong size or modification date (it
shows in Search as 13KB, but r-click and check in Properties) then
rename it with a different extension. File protection will bring in the
backup in a few seconds, then reboot to bring that one into use.
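
The location and size check from the post above, written out as an added example that is not part of the original thread. The function name and verdict labels are hypothetical; the default size is the 12800 bytes quoted in the post, and the modification date is not checked because file timestamps vary with time zone and copy method.

```python
import os

EXPECTED_SIZE = 12800  # bytes, the size quoted in the post for svchost.exe


def audit_svchost(windows_dir, expected_size=EXPECTED_SIZE):
    """Walk windows_dir and classify every file named svchost.exe.

    Returns a sorted list of (relative_path, verdict); verdict is 'ok',
    'wrong-size' (expected folder, unexpected size) or 'unexpected-location'.
    """
    # The only two folders the post says should hold a copy.
    allowed = {"system32", os.path.join("system32", "dllcache")}
    findings = []
    for root, _dirs, files in os.walk(windows_dir):
        for name in files:
            if name.lower() != "svchost.exe":  # Windows names are case-insensitive
                continue
            full = os.path.join(root, name)
            rel_dir = os.path.relpath(root, windows_dir).lower()
            if rel_dir not in allowed:
                verdict = "unexpected-location"
            elif os.path.getsize(full) != expected_size:
                verdict = "wrong-size"
            else:
                verdict = "ok"
            findings.append((os.path.relpath(full, windows_dir), verdict))
    return sorted(findings)


if __name__ == "__main__":
    # C:\WINDOWS is the install path used in the thread.
    for path, verdict in audit_svchost(r"C:\WINDOWS"):
        print(f"{verdict:20} {path}")
```

A matching size only shows the file is plausible, so treat 'ok' as "not obviously wrong" rather than as proof the file is genuine.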
 
