
SVCHOST using large amounts of Phys. Memory

Discussion in 'Virus & Other Malware Removal' started by Kraizy, Feb 24, 2015.

Thread Status:
Not open for further replies.
  1. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    Hi there,

    I'm having issues with svchost using up to 90% or more of my physical memory. This usually happens around 3-5mins after logging into my profile.

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
    Processor: Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz, Intel64 Family 6 Model 37 Stepping 5
    Processor Count: 4
    RAM: 1974 Mb
    Graphics Card: NVIDIA GeForce 310M, 512 Mb
    Hard Drives: C: Total - 431937 MB, Free - 154115 MB; D: Total - 29690 MB, Free - 14788 MB;
    Motherboard: LENOVO, Base Board Product Name
    Antivirus: Avira Desktop, Disabled

    I've looked around your forums and found various threads with this same issue that have been solved however a lot of them have had different solutions to their svchost issue and I was afraid to just randomly try out one fix after another as it might not be applicable to my problem and I might end up breaking my laptop instead.

    Here are a few screenshots I took of the offending process.

    The last screenshot is the properties of the offending process and I used the program Process Explorer to view it. By the time I took that picture svchost.exe was using up to 500k of physical memory.

    Also I've tried Ending the process tree using the task manager which works for a while but then it just starts up after a minute or two. Ending the process tree a second time causes it to stay closed which I'm happy for. :)

    Also even after closing svchost and seeing everything's normal in the task manager my laptop tends to slow down every now and then and even freeze up while doing something as simple as checking my Facebook, loading a Youtube video, or playing games like MapleStory or DragonNest. I'm not sure if this is related to the svchost problem but any help with both would be awesome!
     
  2. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,748
    First Name:
    Frank
    Your Lenovo computer has only 2 GB(2048 MB) of RAM and has 68 running processes, so it's no surprise that it's using more than 90% of its RAM.

    Adding more RAM to it and reducing the number of running processes will go a long way towards improving speed and performance.

    --------------------------------------------------

    What's the complete description(model name, model number, etc.) of that computer?

    http://support.lenovo.com/us/en/products/?type=Desktops-and-all-in-ones&c=1 (Desktops)

    http://support.lenovo.com/us/en/products/?type=Laptops-and-netbooks&c=1 (Laptops)

    --------------------------------------------------
     
  3. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    Wow that was a really fast response!

    Yeah I know it's a bit low-end. My main PC died on me so my dad gave me his spare laptop to use and that's when I found out it had a few problems.

    It's a Lenovo G460. Unfortunately the Lenovo IdeaPad doesn't seem to have a Machine type - Model.
    http://support.lenovo.com/us/en/find-product-name#Ideanote
     
  4. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,748
    First Name:
    Frank
    Lenovo G460

    Features And Specifications

    It supports a maximum of 8 GB of DDR3 PC3-8500(1066 MHz) RAM.

    It's currently running with 2 GB of RAM, so that means it has a 1 GB module in both slots or it has a 2 GB module in one slot and has an empty slot.

    Depending on the current module setup and whether you want to increase it to 4 GB or 8 GB will determine what you need to buy.
     


  5. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    That svchost.exe process seems legit and it's in the right location. However, the autostart location looks very suspicious to me. What exactly is the SDGame service?
     
  6. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    @Phantom010 Yeah it doesn't sound like something that should be running svchost but I'm not sure what SDgame is.

    @flavallee I've never tried buying ram for a laptop before since I've never owned one but I'll see what the prices are. Since I'm just a callcenter agent I'll probably just keep saving up till I can fix my main PC.

    But is there anything I can do to stop the svchost from eating up so much of my physical memory when I first bootup the laptop? My usual fix is to just end the process tree twice which is enough to make it go away however I'm not sure if what I'm doing is safe.
     
  7. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Yes. Determining what SDGame is.

    Let's start with the following scanners. If not enough, you'll probably need more powerful tools only available in the Virus & Other Malware Removal forum.


    Please download AdwCleaner.

    • Double-click the adwcleaner.exe to run the tool.
    • Click Scan.
    • When the scan is finished, click Cleaning.
    • When the cleaning process is over, click Logfile and a Notepad window will be opened.
    • Please post the contents into your next reply.
    -----------------------------------------------------------------------

    Please download and run the free Malwarebytes Anti-Malware.

    • Select the language and click OK.
    • Accept the agreement.
    • Make sure the Enable the Free Trial box is deselected and the Launch Malwarebytes Anti-Malware box is selected, and then click on Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Scan Now.
    • The scan may take some time to complete, so please be patient.
    • When the scan is completed, click on Quarantine All.
    • Click on Copy to Clipboard.
    • Paste the contents into your next reply.
    • You may be prompted to restart the computer instead, to complete the removal process.
    • If indeed prompted, upon restart, launch Malwarebytes Anti-Malware again and select History > Application Logs.
    • Find your Scan Log (the date when run will identify it).
    • Select the right box, then hit the View button. The History Log window will open.
    • At the bottom of that window are two options, Copy to Clipboard and Export.
    • Select Copy to Clipboard.
    • Paste the contents into your next reply.
     
  8. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    I'll do these right away but I'll post again on this thread in a couple of hours since it's already 12am where I am and need to get some sleep.

    Thanks for all the quick replies guys! I hope this gets this laptop up and running. I'll also swing by the computer store on my way home and check if they have any laptop rams I can afford.

    Cheers!
     
  9. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    80,748
    First Name:
    Frank
    Here are some examples and prices for quality 2 GB and 4 GB DDR3 PC3-8500(1066 MHz) SODIMM modules.

    2 GB

    4 GB

    ------------------------------------------------------------
     
  10. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    RAM will definitely help, but possible malware shouldn't be overlooked. 2 GB is perfect for XP, but a little on the low-end for Windows 7.
     
  11. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    Here are the logs you asked for.

    AdwCleaner:
    # AdwCleaner v4.111 - Logfile created 25/02/2015 at 01:29:17
    # Updated 18/02/2015 by Xplode
    # Database : 2015-02-18.3 [Server]
    # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
    # Username : Kevin - ARCHIE-PC
    # Running from : C:\Users\Kevin\Desktop\Security and Maintenance\adwcleaner_4.111.exe
    # Option : Cleaning

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\Uniblue
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Users\Archie\AppData\LocalLow\AVG Secure Search
    Folder Deleted : C:\Users\Archie\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Archie\AppData\LocalLow\PriceGong
    Folder Deleted : C:\Users\Jing\AppData\LocalLow\AVG Secure Search
    Folder Deleted : C:\Users\Kevin\AppData\Local\PackageAware
    Folder Deleted : C:\Users\Kevin\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
    Folder Deleted : C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
    File Deleted : C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_facebook.conduitapps.com_0.localstorage
    File Deleted : C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_facebook.conduitapps.com_0.localstorage-journal

    ***** [ Scheduled tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A1CCCE0D-AE21-42A2-BE58-8E6109410995}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
    Key Deleted : HKLM\SOFTWARE\Conduit
    Key Deleted : HKLM\SOFTWARE\Uniblue

    ***** [ Web browsers ] *****

    -\\ Internet Explorer v11.0.9600.17631


    -\\ Mozilla Firefox v31.0 (x86 en-GB)


    -\\ Google Chrome v40.0.2214.115

    [C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.avg.com/search?cid={D6C9C4B4-282B-4C67-AC9B-2BBE8B63EDBB}&mid=2a5e8642023847d1bb7a62ea04cfbf80-5bc9721f8d06e4296afd3656eaa8a9b3bec1b3a8&lang=en&ds=AVG&pr=pr&d=2012-05-17 13:15:07&v=15.2.0.5&pid=avg&sg=0&sap=dsp&q={searchTerms}
    [C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3072253

    -\\ Chromium v

    [C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.avg.com/search?cid={D6C9C4B4-282B-4C67-AC9B-2BBE8B63EDBB}&mid=2a5e8642023847d1bb7a62ea04cfbf80-5bc9721f8d06e4296afd3656eaa8a9b3bec1b3a8&lang=en&ds=AVG&pr=pr&d=2012-05-17 13:15:07&v=15.2.0.5&pid=avg&sg=0&sap=dsp&q={searchTerms}
    [C:\Users\Archie\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3072253

    *************************

    AdwCleaner[R0].txt - [12563 bytes] - [25/02/2015 01:12:24]
    AdwCleaner[S0].txt - [13661 bytes] - [25/02/2015 01:29:17]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [13721 bytes] ##########

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Malwarebytes Scan Log:
    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 2/25/2015
    Scan Time: 1:41:38 AM
    Logfile:
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.02.24.05
    Rootkit Database: v2015.02.22.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Kevin

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 508838
    Time Elapsed: 1 hr, 27 min, 37 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Deep Rootkit Scan: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)
     
  12. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    Any change with the svchost.exe process? Still seeing SDGame?
     
  13. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    I've checked all 13 of my svchost processes and they actually have the same autostart location
    HKLM\System\CurrentControlSet\Services\SDGame

    I guess this is normal for my laptop. XD

    As for the high memory usage it still spikes up to 90%+ however if I just leave it alone for around 10mins it normalizes itself now. =)
     
  14. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,796
    That is obviously not normal.


    Press the Windows key + R to open a Run box. Copy/Paste the following command:

    Code:
    regedit /e C:\Look.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDGame"
    Press Enter.

    You won't notice anything. However, it will have created a report on your C drive named Look. Attach that file to your next reply.


    --------------------------------------------------------------------------------


    Next,


    Run a free ESET Online Scan HERE. Use Internet Explorer.



    • When asked, allow the ActiveX control to install.
    • Select Enable detection of potentially unwanted applications and select Advanced Settings.
    • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked.
    • Click Start. (This scan can take a while, so please be patient).
    • Once the scan is completed, select List of found threats.
    • Select Export to text file... and save the file as ESETlog.txt on your Desktop.
    • Click the Back button.
    • Click the Finish button.
    • Use Notepad to open the saved log file (on your Desktop - ESETlog.txt).
    • Copy and paste that log as a reply to this topic.
     
  15. Kraizy

    Kraizy Thread Starter

    Joined:
    Feb 24, 2015
    Messages:
    14
    Here's the info on SDGame registry. Wasn't able to find a file attach button sorry.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDGame]
    "Type"=dword:00000001
    "Start"=dword:00000003
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,\
    00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
    20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="SDGAME"
    "WOW64"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDGame\Security]
    "Security"=hex:01,00,14,80,64,00,00,00,70,00,00,00,14,00,00,00,30,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,02,00,34,00,02,00,00,00,00,03,18,00,ff,01,0f,00,01,02,00,00,00,00,00,\
    05,20,00,00,00,20,02,00,00,00,03,14,00,ff,01,02,00,01,01,00,00,00,00,00,01,\
    00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,\
    00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDGame\Enum]
    "0"="Root\\LEGACY_SDGAME\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ESETlog. Looks like the first two files didn't delete or quarantine.

    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\uTorrentControl2\ldrtbuTor.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application
    C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\uTorrentControl2\tbuTor.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
    C:\temp\Archie Du\Software\From Mario\switchsetup.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application deleted - quarantined
    C:\temp\Archie Du\Software\_New\switchsetup.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application deleted - quarantined
    C:\Users\Archie\AppData\Local\Temp\utt4E10.tmp.exe a variant of Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\uTorrentControl2\ldrtbuTor.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\uTorrentControl2\tbuTor.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
     

Short URL to this thread: https://techguy.org/1143710
