# svchost.exe (netsvcs) High Memory Usage



## jayhawkins1985 (Apr 30, 2015)

Hi all,

I wonder if anyone can help me. For the last month or so, my laptop has been grinding to halt every few hours for no particular reason. When i checked the recourse manager i noticed that my RAM was almost at full capacity and that the process svchost.exe (netsvcs) was using over 1.5GB of memory. After waiting 5 minutes or so, the process drops to its normal level of around 70,000KB.

My ASUS Zenbook laptop is running 4GB of RAM however unfortunately it is the model where the RAM cannot be upgraded.

The peak will happen randomly and seems to be unrelated to any programs i'm running. I have Googled this time and time again but can't find anything that has helped so far. Any help would be much appreciated.

*Tech Support Guy System Info Utility version 1.0.0.2*
OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i7-2677M CPU @ 1.80GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 4
RAM: 3998 Mb
Graphics Card: Intel(R) HD Graphics Family, 1807 Mb
Hard Drives: C: Total - 97678 MB, Free - 5530 MB; D: Total - 138325 MB, Free - 72863 MB;
Motherboard: ASUSTeK Computer Inc., UX31E
Antivirus: Sophos AntiVirus, Updated: No, On-Demand Scanner: Enabled

Many thanks in advance


----------



## flavallee (May 12, 2002)

You're correct about the *ASUS ZENBOOK UX31E* laptop not supporting more than 4 GB of RAM. 

You didn't say how many running processes there are in the Windows Task Manager, but it's my guess your laptop has too many startup and service entries loading and running.

---------------------------------------------------------


----------



## jayhawkins1985 (Apr 30, 2015)

Hi Flavallee,

Thanks for your reply. Albeit I do have a lot of processes running but for 90% of the time the memory is running at around 2.6GB which leaves 1.4GB free. Then all of a sudden and without warning Scvhost.exe (netsvcs) jumps to 1.5GB and wipes out my free memory freezing my laptop.

I appreciate what you're saying, in that if I was running less processes the increase in resource wouldn't cause my laptop to lock up - but that isn't really what I'm trying to fix. I guess I'm more concerned with why the process is suddenly jumping so high all of a sudden.

I understand the process is something to do with windows update, and yes I can disable it in the services menu but then I can't get automatic windows updates.

Does it had to be that black and white or is this Scvhost.exe (NetSvcs) process behaving abnormally?

Thanks again for your help and if you do need a list of running processes I can get them for you.

Jay


----------



## flavallee (May 12, 2002)

> if you do need a list of running processes I can get them for you


These are my "canned instructions", but you can submit images instead.

----------------------------------------------------------

Click Start, then type *MSCONFIG* in the search or run box, then press the Enter key.

When the small "System Configuration" window appears, click the "Startup" tab.

Write down ONLY the names in the "Startup Item" column that have a checkmark next to them.

If the "Startup Item" column isn't wide enough to see the entire name of any of them, widen the column.

Submit those names here in a vertical list.

Make sure to spell them EXACTLY as you see them there.

--------------------------------------------------------------

Click Start, then type *SERVICES.MSC* in the search or run box, then press the Enter key.

When the "Services" window appears, expand it so you can see the list more clearly.

Write down ONLY the names in the "Name" column that have their startup type set on Automatic and Automatic(Delayed Start).

If the "Name" column isn't wide enough to see the entire name of any of them, widen the column.

Submit those names here in a vertical list and in alphabetical order.

Make sure to spell them correctly.

----------------------------------------------------------


----------



## jayhawkins1985 (Apr 30, 2015)

*Services*


























*Start up*


----------



## flavallee (May 12, 2002)

Uncheck these startup entries.

After you're all done, click Apply - OK/Close - Exit Without Restart.

*Adobe Updater Startup Utility

Intel(R) Common User Interface

Intel(R) Common User Interface

Intel(R) Common User Interface

Java Platform SE Auto Updater

QuickTime*

---------------------------------------------------------------

Double-click these service entries, one at a time, to open its properties window.

Change "Startup Type" to Manual, then click Apply.

After you're all done, restart the computer.

*Adobe Acrobat Update Service

AVG PC Tuneup Service

Distributed Link Tracking Client

Google Update Service

MBAMScheduler
MBAMService* (only if you have the free version of Malwarebytes)

*Microsoft .NET Framework NGEN v4.0.30319_X64

Microsoft .NET Framework NGEN v4.0.30319_X86

Roozz Updater

Skype Updater

TeamViewer 10

Windows Live ID Sign-in Assistant*

---------------------------------------------------------------


----------



## flavallee (May 12, 2002)

Your computer appears to be infected, so do the following AFTER you complete post #6.

Go here, then click the large blue "Download Now @ Bleeping Computer" button to download and save *AdwCleaner.exe* to your desktop.

Close all open windows first, then double-click *AdwCleaner.exe* to load its main window.

Click the "Scan" button, then allow the scanning process to finish.
(Note: Several seconds may pass before the scanning process starts, so be patient.)

Click the "Logfile" button.

When the log appears, save it.

Return here to your thread, then copy-and-paste the ENTIRE log here.

Note: After you submit the log, close AdwCleaner. When the warning appears, click "Yes".

---------------------------------------------------------


----------



## jayhawkins1985 (Apr 30, 2015)

Hi Flavallee

The application found something called Expat, which I installed to enable me to watch my Sky Go service from abroad. Happy to consider any other programs if you know of any?

Logs below:

# AdwCleaner v4.203 - Logfile created 06/05/2015 at 16:04:09
# Updated 30/04/2015 by Xplode
# Database : 2015-05-05.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : hawkinsj - BTC-1-270612
# Running from : C:\Users\hawkinsj\Downloads\adwcleaner_4.203.exe
# Option : Scan

***** [ Services ] *****

Service Found : ExpatShieldService
Service Found : ExpatSrv
Service Found : ExpatTrayService
Service Found : ExpatWd

***** [ Files / Folders ] *****

Folder Found : C:\Expat Shield
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\Expat Shield
Folder Found : C:\Program Files (x86)\Iminent
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\BitGuard
Folder Found : C:\ProgramData\Conduit
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Expat Shield
Folder Found : C:\Users\hawkinsj\AppData\Local\Conduit
Folder Found : C:\Users\hawkinsj\AppData\LocalLow\Conduit
Folder Found : C:\Users\hawkinsj\AppData\Roaming\Browser Extensions
Folder Found : C:\Users\hawkinsj\AppData\Roaming\download Manager
Folder Found : C:\Users\hawkinsj\AppData\Roaming\Mozilla\Firefox\Profiles\iwu3izoq.default\Extensions\{3122a38b-f748-4131-9e49-68baab98f4ed}
Folder Found : C:\Users\hawkinsj\AppData\Roaming\Mozilla\Firefox\Profiles\iwu3izoq.default\Extensions\{e0973605-70ce-423b-bd8b-6168c90637ba}

***** [ Scheduled tasks ] *****

Task Found : BackgroundContainer Startup Task
Task Found : BitGuard

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
Key Found : HKCU\Software\5a5388ddb138e513
Key Found : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\IntelliType Pro\AppSpecific\Iminent.exe
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3A787631-66A2-4634-B928-A37E73B58FB6}
Key Found : HKCU\Software\OCS
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Microsoft\IntelliType Pro\AppSpecific\Iminent.exe
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : [x64] HKCU\Software\OCS
Key Found : HKLM\SOFTWARE\5a5388ddb138e513
Key Found : HKLM\SOFTWARE\AVG Nation toolbar
Key Found : HKLM\SOFTWARE\AVG Secure Search
Key Found : HKLM\SOFTWARE\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\ExpatIE.ExpatIEApp
Key Found : HKLM\SOFTWARE\Classes\ExpatIE.ExpatIEApp.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F5A29F21-B121-48A0-A317-737AF8BB106A}
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\ExpatShield
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExpatShield
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3706EE7C-3CAD-445D-8A43-03EBC3B75908}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375
Value Found : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17728

-\\ Mozilla Firefox v37.0.2 (x86 en-GB)

-\\ Google Chrome v42.0.2311.135

[C:\Users\hawkinsj\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4741 bytes] - [06/05/2015 16:04:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4800 bytes] ##########


----------



## flavallee (May 12, 2002)

I know nothing about *Expat* or if it's safe to use, but AdwCleaner detects it as a threat.

---------------------------------------------------------


----------



## jayhawkins1985 (Apr 30, 2015)

I removed it now. Anything else you think I should try?


----------



## flavallee (May 12, 2002)

> I removed it now. Anything else you think I should try?


You did a "Scan" and "Cleaning" and allowed it to delete everything?

I need to know what you did or didn't do before we go to the next step.

---------------------------------------------------------


----------



## jayhawkins1985 (Apr 30, 2015)

flavallee said:


> You did a "Scan" and "Cleaning" and allowed it to delete everything?
> 
> I need to know what you did or didn't do before we go to the next step.
> 
> ---------------------------------------------------------


Yes i deleted all threats it detected.


----------



## flavallee (May 12, 2002)

Download and save and then install the free version of

*Malwarebytes Anti-Malware 2.1.6.1022*

*SUPERAntiSpyware 6.0.1186*

Make sure to uncheck and decline to install any extras, such as toolbars and homepages, they may offer.

Make sure to uncheck and decline to use the "Pro" or "Trial" version, if it's offered.

After they're installed, do the following with each one.

-------------------------------------------------------------

Start Malwarebytes Anti-Malware.

Click "Settings". then click "Detection and Protection".

Make sure all boxes in "Detection Options" are checked.

Click "Scan", then select *Threat Scan*, then click "Start Scan".

Note: If it wants to update the definition files first, allow it to do so.

If problems are found during the scan, the number of "Detected Objects" will be listed.

When the scan is finished, make sure to select and quarantine *EVERYTHING* in the list.

If you're prompted to restart the computer to complete the process, do so.

Start Malwarebytes Anti-Malware again.

Click "History - Application Logs".

Double-click on the most recent scan log entry.

When the next window appears, click on the most recent scan log entry.

Select "Export - Text File", then name it *mbam*, then save it on the desktop.

Return here, then copy-and-paste its ENTIRE contents here.

-------------------------------------------------------------

Start SUPERAntiSpyware.

Click "System Tools".

Click "Preferences", then uncheck "Run in the background (system tray)", then click "Done".

Click "Advanced Settings", then uncheck "Follow shortcuts (*.lnk) during scan", then click "OK - Done".

Click "Click here to check for updates".

When the definition files have updated, click "OK".

Click "Scan This Computer", then click *Quick Scan*.

If problems are found during the scan, the number of them will be highlighted in red.

When the scan is finished, click "Continue".

Make sure that *EVERYTHING* in the list is selected, then click "Continue".

When the removal process is complete, click "Continue".

If you're prompted to restart to finish the removal process, do so.

Start SUPERAntiSpyware again.

Click "System Tools", then click "Scan Logs".

Select the most current scan log, then click on its magnifying glass icon so it can open and be viewed, then save it on the desktop.

Return here, then copy-and-paste its ENTIRE contents here.

-------------------------------------------------------------


----------

