svchost.exe (LocalSystemNetworkRestricted) [Solved] - Geeks to Go Forums


svchost.exe (LocalSystemNetworkRestricted) [Solved]

#11 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 11 January 2010 - 11:46 PM

Quote

Looks like it's still there.


Let's see if this will do it. Make sure the G drive is attached, then do this:

Please run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :processes
    killallprocesses
    
    :Files
    G:\svchost.exe
    G:\autorun.inf
    
    :Commands
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.


#12 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 12 January 2010 - 11:55 AM

========== PROCESSES ==========
All processes killed
========== FILES ==========
File move failed. G:\svchost.exe scheduled to be moved on reboot.
G:\autorun.inf moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.1.24.0 log created on 01122010_125018

Files\Folders moved on Reboot...
File move failed. G:\svchost.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...



When I go on my G drive and change the folder options to view hidden files, the svchost is still there.

Couldn't I just format the drive? Since there's nothing there that I need.

Attached thumbnail(s)

  • Attached Image: efwfwffffdd.PNG


#13 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 12 January 2010 - 01:48 PM

Quote

Couldn't I just format the drive? Since there's nothing there that I need.


Yep, sounds like a good thing to do to me.

After that run Kaspersky again just to make sure.

We will then go to clearing away the tools we have been using. :)

#14 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 12 January 2010 - 02:59 PM

Alright, I formatted it, disabled Resident Shield on AVG and am running Kaspersky again. I don't see the svchost on my flash drive anymore but it's still in my resource monitor.

Here's the result of the scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 12, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 12, 2010 19:41:47
Records in database: 3301412
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 116649
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 00:53:37

No threats found. Scanned area is clean.

Selected area has been scanned.

Attached thumbnail(s)

  • Attached Image: ttttttttttttttttt.PNG


#15 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 12 January 2010 - 04:43 PM

Quote

I don't see the svchost on my flash drive anymore but it's still in my resource monitor.


Yes, svchost is an essential system file and should not be removed. The ones we were removing though were trojans pretending to be the genuine thing.

We have a couple of last steps to perform and then you're all set.

Please go here to download OTC.

Run this program to remove the tools we have been using.

You will be asked to reboot the machine to finish the Cleanup process; choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

Next, we need to clean your restore points and set a new one:

Please go here for directions on how to do this. You need to turn System Protection off to delete all old restore points, reboot and then turn System Protection back on to create a new restore point.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean, here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vulnerable to malicious attack.
  • Download from here Java Runtime Environment (JDK) Update
  • Scroll to where it says "Windows XP/Vista/2000/2003/2008 online" and download and follow the instructions to install.

    Reboot your computer.
    You also need to uninstall older versions of Java.


  • Click Start > Control Panel > Programs

  • Remove all Java updates except the latest one you have just installed.

--------------------------------------------------------------------------------------------------------------------

Be sure and give the Temp folders a cleaning out now and then. This helps with security and your computer will run more efficiently. I clean mine once a week. For ease of use, you might consider the following free program:
--------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browsers.

Avant may be downloaded from here. Another one that is less well known.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

NoScript is a good Add-on for Firefox that prevents execution of malicious scripts. Some people may find this intrusive. Actually once you learn how easy it is to allow and disallow scripts (bottom right corner right click on the red O with the S and red slash) it becomes easy.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:



An antivirus program is essential.

Here are a couple to choose from (these are also free for personal use):
  • Avast
  • AVIRA Note: AVIRA free comes with adware that promotes their paid for version each time it updates.

I like Avira but some people find the pop up advertisements each time it updates a bit trying.

A firewall is essential to help prevent hackers from infiltrating your computer.

Here are two good firewalls free for personal use:


Note: Do not use more than one anti-virus or firewall. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!

#16 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 12 January 2010 - 05:57 PM

Thank you. But the svchost wasn't always there for me. It only recently showed up. And it eats a crazy amount of RAM. Look at the screenshot I posted in my last post. Doesn't that look a bit excessive? I've seen people who have a lot of svchosts on their computer but mine never had it. Maybe one, but probably not even! And now, all of a sudden, there's more than I can count. My RAM is at like 40% on average and can sometimes reach even 70%+ when I'm actually utilizing my computer's features (i.e. firefox, aim, playing videos, webcamming, etc.)

I thought 64 bit systems were supposed to handle multiple tasks much better than 32. And I thought 4 GB would surely be enough for everyday things without having my computer slowing down.

#17 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 12 January 2010 - 06:41 PM

Windows NT based machines have a legitimate svchost which if removed will render your machine inoperable.

The legitimate svchost.exe file is always found in \%WINDIR%\System32 or, on 64-bit machines, in \%WINDIR%\SysWOW64 as well (WoW64 stands for "Windows on 64-bit Windows", and it contains all the 32-bit binary files required for compatibility, which run on top of the 64 bit). In your machine's case that would be C:\Windows\System32\svchost.exe and C:\Windows\SysWOW64\svchost.exe . See post #3 in this thread.

If you find it elsewhere then we need to investigate further.

Go to the link below for information on svchost.

http://www.howtogeek.com/howto/windows-vis...-is-it-running/

This link may also be helpful to you:

http://svchost-exe.net/

Tell me if this answers your query.
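
The location check described in post #17, applied to every running svchost.exe and to the root of each removable drive, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later run from an elevated prompt; the function name Test-SvchostPath is illustrative.

```powershell
# Added example: compare each running svchost.exe against the two locations
# named in the post, then look for the files this thread removed from G:\.
$expected = @(
    (Join-Path $env:WINDIR 'System32\svchost.exe'),
    (Join-Path $env:WINDIR 'SysWOW64\svchost.exe')
)

function Test-SvchostPath {
    param([string]$Path)
    # ExecutablePath is empty when the caller lacks rights to query the process.
    if ([string]::IsNullOrEmpty($Path)) { return 'Unknown (run elevated)' }
    # -contains compares strings case-insensitively, so System32/system32 both match.
    if ($expected -contains $Path) { return 'Expected' }
    return 'Investigate'
}

# Running instances. CommandLine shows the "-k <group>" argument, for example
# "-k LocalSystemNetworkRestricted", which names the service group being hosted.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Select-Object ProcessId, ExecutablePath, CommandLine,
        @{ Name = 'Verdict'; Expression = { Test-SvchostPath $_.ExecutablePath } } |
    Sort-Object Verdict |
    Format-Table -AutoSize -Wrap

# Removable drives (DriveType 2). -Force includes hidden and system files,
# which is how G:\svchost.exe stayed out of sight in Explorer.
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2" | ForEach-Object {
    Get-ChildItem -LiteralPath "$($_.DeviceID)\" -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'svchost.exe', 'autorun.inf' } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}
```

Any row marked Investigate, or any file listed by the second query, is a path to follow up on; many rows marked Expected is the normal state.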

#18 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 12 January 2010 - 07:14 PM

Thanks for that. Yeah, I understand. But do you have any idea why they only recently showed up? Like a few weeks ago, they weren't there and my RAM usage was a lot lower. And I've seen some computers (like mine) that don't have any svchosts running or very very few. I'm just curious.

#19 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 12 January 2010 - 09:13 PM

Quote

And I've seen some computers (like mine) that don't have any svchosts running or very very few. I'm just curious.


I am not sure what you are driving at here.

Are you saying you don't believe the svchost is needed on machines like yours?

If so, I think you need to seek advice elsewhere.

Maybe you are saying that you believe that svchost should not be so active.

Possible causes of this are malware (which we have run some extensive scans for) or some sort of bug in a recently introduced program reacting with svchost.

As far as malware is concerned you could try this I suppose:

It is a pretty big download at 28mb's but is very useful at detecting\cleaning rootkits or whatever it finds.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.


  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that click on Security level then choose Customize then click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then choose ok.
Then choose OK again then you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file, name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


#20 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 13 January 2010 - 10:18 PM

I'll try this in a few days. I don't have time at the moment. My system seems fine, I suppose. I might need to upgrade my RAM sometime in the future though. I'd hope 8 would be enough..

#21 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 13 January 2010 - 11:09 PM

:)

Look forward to hearing how you get on.

#22 terrorist96

  • Group: Member
  • Posts: 62
  • Joined: 13-October 09

Posted 14 January 2010 - 09:54 PM

Well, the scan went a little differently than you explained. For one, the file size was like 57MB or something. Anyway, I couldn't tell where the option for the deep scan was so I just went ahead and it found some things in my I: drive which is another flash drive I have that I had plugged in that I probably didn't have plugged in before. It removed it and restarted. Then I realized where the deep root thing was and did a full deep scan with everything to the max. It found nothing, I clicked "report" but I couldn't see any way to save it. But there was nothing there, so I think it's all good. :)
Thanks again for all the help again. There's still a bunch of svchosts running and right now my RAM is at 32%. I'll just live with it for now. Maybe I'll upgrade sometime in the future. Take care. :)

#23 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 14 January 2010 - 10:09 PM

Quote

For one, the file size was like 57MB or something.


Hmm... thanks for telling me, it's a while since I tested that one. Seems it has changed and I will need to check it out.

Quote

But there was nothing there, so I think it's all good.


Sounds good. :)

Quote

There's still a bunch of svchosts running


As I mentioned there is always the possibility of some bug somewhere in a program that is causing svchost to do more work than usual. Something you could check out if it persists maybe.

In any event I think we can be pretty sure it's not being caused by malware and remember it really is normal to have svchosts running. :)

I will leave this open for a few more days in case any issues arise.

#24 emeraldnzl

  • Group: GeekU Moderator
  • Posts: 14,383
  • Joined: 19-November 07

Posted 22 January 2010 - 07:40 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
