Solved

High Memory Usage

Posted on 2011-10-19
22
Medium Priority
703 Views
Last Modified: 2012-05-12
Computer running Windows XP Pro SP3.  svchost.exe gains memory usage until the computer is so slow it is unusable.  In Event Viewer I get the message that TCP/IP has reached the security limit...  Have installed and used Process Explorer and find that Kernel32.dll!CreateThread+0x22 is the one that uses most CPU.  Also cannot install updates through Windows Automatic Update.  Have run SpyBot and Malwarebytes as well as Symantec Corporate Ver 10---a couple of minor Trojans found and cleaned.  However, nothing seems to stop the memory leak.  Have searched and tried several "fixes" but without success.  What can we do next?
Question by:ginGer
22 Comments
 
LVL 10

Assisted Solution

by:joelsplace
joelsplace earned 332 total points
ID: 36995624
You most likely have malware that is hiding from those programs.  Try SuperAntiSpyware and ComboFix.
SpyBot and Malwarebytes are excellent, but it seems to be hit or miss which one of the four fixes a given problem.
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ComboFix looks shady but has been the only thing to fix a lot of malware problems I've seen.
Windows Update not working says it's almost certainly malware.
0
 

Author Comment

by:ginGer
ID: 36995636
Thank you---will download and run programs!
0
 
LVL 6

Expert Comment

by:Sid_F
ID: 36995643
Boot the machine in safe mode. Is it faster? If so, start looking at your startup programs via Start > Run > msconfig. If it's still slow, check outbound connections in case of an undetected infection: at a command prompt type netstat -an.
Do you see a lot of connections? Check Event Viewer: are there any error messages?
0
 

Author Comment

by:ginGer
ID: 36995962
Running SuperAntiSpyware now.  But we have booted in safe mode and while it is somewhat faster, the memory leak does not stop.  It still keeps connecting to foreign IP addresses even without opening the internet.  Also did a netstat -a which shows wininet.dll and ws2_32.dll as being used for each of the connections.   Windows Update will not work either. Have looked at Startup and don't see anything unusual. The error message in Event Viewer is that TCP/IP has reached its security limit.
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 36996323
That just means that TCP has reached its maximum outbound connection limit, which was implemented because of malware.
If none of the anti-malware programs I recommended work I sometimes have to pull the disk and connect it to another PC to scan it.  Once everything is removed I put it back in the original PC and run the scans again to remove registry issues that don't get picked up when scanning in another PC.
0
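Worked example added here (not code from any of the posters) for Sid_F's netstat check above and joelsplace's note on the connection limit: it parses a constructed Windows XP `netstat -an` listing and counts half-open (SYN_SENT) connections per remote host, which is the pile-up that triggers the "security limit" event. The sample listing is constructed and uses documentation address ranges, not the foreign IP ginGer saw.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not from the thread).
# 203.0.113.5 / 198.51.100.20 are documentation addresses standing in for real peers.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1055      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1056      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1057      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1058      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1059      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1060      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1061      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1062      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1063      203.0.113.5:80         SYN_SENT
  TCP    192.168.1.10:1070      198.51.100.20:443      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: proto, local, foreign and (for TCP only) a state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; UDP rows get state ''."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows

def summarize(rows, syn_threshold=10):
    """Count SYN_SENT and ESTABLISHED TCP peers and flag a half-open pile-up.

    XP SP2 and later cap concurrent half-open outbound TCP connects at 10 and
    log the "reached the security limit" event (ID 4226) when that is hit, so
    many SYN_SENT rows to one peer with no browser open is the tell-tale."""
    syn_by_peer, est_by_peer = Counter(), Counter()
    for proto, local, foreign, state in rows:
        if proto != "TCP":
            continue
        host = foreign.rpartition(":")[0]   # strip the port
        if state == "SYN_SENT":
            syn_by_peer[host] += 1
        elif state == "ESTABLISHED":
            est_by_peer[host] += 1
    total = sum(syn_by_peer.values())
    return {"syn_sent_total": total, "syn_sent_by_peer": dict(syn_by_peer),
            "established_by_peer": dict(est_by_peer), "at_limit": total >= syn_threshold}
```

On a live box, pipe the real output in (`netstat -an > out.txt`) and feed the file's text to `parse_netstat`; a peer that dominates the SYN_SENT count is the one to match against the owning process with `netstat -ano` or Process Explorer's TCP/IP tab.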
 

Author Comment

by:ginGer
ID: 36996337
OK---will keep that in mind after SuperAntiSpyware finishes.  We set it to do the FULL scan so will probably finish running after work hours (this is an office pc).  Will post results tomorrow.  thank you for your help.
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 36996382
I would download and run Cleanup! to get rid of all your temp files and make the scans run faster.  Make sure to say no when running the scan.  Yes does a demo scan that doesn't do anything.
http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69
It does all users.  I check the box on the last tab to scan the drive for temp files also.
Another advantage is that often malware is hiding in your temp file locations.
0
 

Author Comment

by:ginGer
ID: 36996396
Had SpyBot on computer and ran it this morning.  Clicked option to delete all temp files.  Is this good enough or should I use Cleanup?
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 36996473
I believe Spybot just checks the current user.  Cleanup! does all users and scans the entire drive for temp files.  If you don't have other users on the PC it probably won't make much difference.  It's a tiny program and worth a try.  You can run it while Superantispyware is running just say no when it wants you to log off to delete other files.
0
 
LVL 30

Accepted Solution

by:Sudeep Sharma
Sudeep Sharma earned 168 total points
ID: 36996630
Please run the following in the sequence described:
1. RogueKiller, followed by (you should not restart your system here)
2. MalwareBytes - Full system scan
3. Reboot after MalwareBytes fixes the issues
4. TDSSKiller.

Go through the articles below for links and guides on how to run the tools described above

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_5124.html (Stop-the-Bleeding-First-Aid-for-Malware)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

TdssKiller
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
or
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

or you could also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that would help

Sudeep
0
 

Author Comment

by:ginGer
ID: 36999726
Running ComboFix---If needed can I send log for review?
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 37000576
Sure.
0
 

Author Comment

by:ginGer
ID: 37000807
Here is the ComboFix log---the computer is still connecting to the foreign IP address and the CPU is running at 60-100% ----Do you see anything?
Combo-log.txt
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 37001236
Check your internet options, connections, lan settings and make sure no proxy is listed.  (unless you use one)
In Spybot under advanced mode, tools check your Winsock LSPs.  If there are problems there LSPFix is a good tool to fix them.  http://www.cexx.org/lspfix.htm
You may have to put the drive in another machine to scan it.
Try NOD32's online scanner:  http://go.eset.com/us/online-scanner/run
One thing I've been assuming is that you are updating all these tools when you install them, but I guess I should have asked.  Are you?  They don't really do any good if they can't be or aren't updated.
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 37001291
Looking back over your posts it really looks like a rootkit.  ComboFix usually gets them but not always.  I would slave the drive to another machine or build an Ultimate Boot CD4Win to boot from and do scans.  Some rootkits are really good at hiding from malware tools when the OS is running.
Don't be surprised if removing the rootkit makes the PC bluescreen on boot.  The last nasty rootkit I removed did.  If so, you will have to boot from another PC and load the registry to fix it.
0
 

Author Comment

by:ginGer
ID: 37001421
1.  Yes all tools are updated before they are run.  
2.  No proxy is listed in internet options.  
3.  Will have to find a machine to slave it to.  May take a day or so.
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 37001512
The UBCD4Win is a great tool if you take the time to build it and set up the drivers.  You can do everything from it.  The advantages to using another box are: it's easy (if you have one), it's easier to update than a CD, and some scanners don't seem to work with the UBCD4Win.  Let me know if I can help.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 37003619
@ginGer,

Did you try TDSSKiller yet?
0
 

Author Comment

by:ginGer
ID: 37005933
Downloaded this morning.  In meetings today, will run it before I slave to another machine.  Thanks!
0
 
LVL 10

Expert Comment

by:joelsplace
ID: 37006908
One that I forgot to mention is the MS Malicious software removal tool.  I had it fix a box one time when nothing else would.  You do have to download and run it manually.  The one that downloads from MS Update doesn't do as much.
0
 

Author Comment

by:ginGer
ID: 37018880
Ran TDSSKiller this morning.  Found a rootkit virus.  Did a Cure and that FIXED the problem.  Now Windows Update works and have downloaded and installed all updates.  Re-ran SuperAntiSpyware and cleaned up some tracking cookies.  Can't say thank you enough for your help!!!
0
 
LVL 10

Assisted Solution

by:joelsplace
joelsplace earned 332 total points
ID: 37018932
Glad it's fixed!
0
