svchost eating up memory

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by eleasmom, Feb 28, 2012.

  1. eleasmom

    eleasmom Private E-2

    I'm about 90% sure this is a virus/trojan issue, and maybe 10% thinking it might be a driver or software issue.

    This is probably way more than you need to know, but maybe something in all of this will help.

    This is a Dell Vostro 1500 laptop, running Windows XP, 32 bit.

    About a month ago, I started noticing things getting sluggish, and then it started not recovering from standby or hibernation. Shortly after that, I started getting a "You need a different audio codec" message in Divx, but only after the computer had been running for a while (a couple of hours). (And this was on files that had worked perfectly well previously.) I updated the codec, but it didn't help. The only thing that helped was to reboot. I don't remember downloading anything in particular around that time, but I probably did. I do often download updates to this or that driver, or this or that "useful tool." I will only DL zips or "tools" from "trusted sources," but who knows...

    The computer continued to run more and more slowly, and now it's pretty much useless. Last night I started digging around, and I found out that there's a svchost that seems to be causing the problem (details below). It starts out OK, about 20,000K memory, and after about 30 seconds starts sporadically increasing in memory usage. Eventually it gets up to about 600,000K, and then it shuts down the computer. (Now it takes about three minutes. Last night it was taking about ten minutes.) It doesn't use up much of the CPU, except sometimes at the very beginning it takes 90-99% for about 20 seconds, and then when it reaches 500,000K - 600,000K, it goes to 90-99%.

    I tried shutting down processes within the svchost, and the only one that stopped the memory escalation was shutting down the DHCP. Also, if I shut down my wireless, either using the hard-switch on the computer, or by disabling the wireless at the network-setup level, the memory escalation also stops. (And, yes, the issue also happens when the wireless is shut down and I'm plugged into a hard-ethernet line, so it's not the wireless.) As the memory escalation is going on, I'm hearing the computer crunching away, so something is going on inside there on the hard-drive.

    I've uninstalled everything I can possibly uninstall. I've watched the processes in Windows Task Manager, and I've tried ending process trees as much as possible without completely shutting down the computer, and the ones that keep coming back are Google Updater (and I UNINSTALLED the bugger through Control Panel, so it shouldn't be there at all!), and wmiprvse. It seems like whenever the memory starts shooting back up, one or the other puts itself back into the task manager.

    And, the other thing, and I don't know quite enough about how things work to know if this is supposed to happen or not, is that I happened to notice that Documents and Settings/Network Service/Local Settings/Temporary Internet Files/Content IE5 has a bunch of folders, with a bunch of brand new files (of all sorts) that are dated pretty much "right now." I don't use IE. At all. And I certainly didn't use it "just now." And, some of the files have names of things that I certainly didn't browse to just now, even in Firefox, like "recipe" or "carnival vacation upgrade."

    Here's the details of the svchost that's using up the memory:

    Windows Audio - C:\WINDOWS\System32\audiosrv.dll
    Computer Browser - C:\WINDOWS\System32\brower.dll
    CryptSvc - C:\WINDOWS\System32\cryptsvc.dll
    DHCP Client - C:\WINDOWS\System32\dhcpcsvc.dll
    Error Reporting Service - C:\WINDOWS\System32\ersvc.dll
    Com+ Event System - C:\WINDOWS\System32\es.dll
    Help and Support - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    Server - C:\WINDOWS\System32\srvsvc.dll
    Workstation - C:\WINDOWS\System32\wkssvc.dll
    Network Connections - C:\WINDOWS\System32\netman.dll
    Network Location Awareness - C:\WINDOWS\System32\mswsock.dll
    Remote Access Connection - C:\WINDOWS\System32\rasmans.dll
    Task Scheduler - C:\WINDOWS\System32\schedsvc.dll
    Secondary Logon - C:\WINDOWS\System32\seclogon.dll
    System Event Notification - C:\WINDOWS\System32\sens.dll
    Windows Firewall/Internet Connection Sharing - C:\WINDOWS\System32\ipnathlp.dll
    Shell Hardware Detection - C:\WINDOWS\System32\shsvcs.dll
    System Restore Service - C:\WINDOWS\System32\srsvc.dll
    Telephony - C:\WINDOWS\System32\tapisrv.dll
    Themes - C:\WINDOWS\System32\shsvcs.dll
    Distributed Link Tracking Client - C:\WINDOWS\System32\trkwks.dll
    Windows Time - C:\WINDOWS\System32\w32time.dll
    Windows Management Instrumentation - C:\WINDOWS\System32\WMIsvc.dll
    Security Center - C:\WINDOWS\System32\wscsvc.dll
    Automatic Updates - C:\WINDOWS\System32\wuauserv.dll
     

    Attached Files:

  2. eleasmom

    eleasmom Private E-2

    Fifth log:
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You have not uninstalled Google. It still has two services running and that's because you still have the below installed.

    Google Earth
    Google Update Helper

    But those are probably not the reason for your problem. There is a good chance that you have a TDL infection that has added an infected partition to your harddisk. See the partition in red below
    Code:
    Partition Disk #0, Partition #0
    Partition Size 86.26 MB (90,445,824 bytes)
    Partition Starting Offset 32,256 bytes
    Partition Disk #0, Partition #1
    Partition Size 109.21 GB (117,259,591,680 bytes)
    Partition Starting Offset 90,478,080 bytes
    Partition Disk #0, Partition #2                      <-- highlighted in red
    Partition Size 2.50 GB (2,681,441,280 bytes)         <-- highlighted in red
    Partition Starting Offset 117,350,069,760 bytes      <-- highlighted in red
    
    Do you have your Windows XP boot CD?

    Also run the below scans.



    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
    Now please also download MBRCheck to your desktop.


    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now please download ListParts by Farbar
    Run the tool, click Scan and attach the log (Result.txt) it makes.
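    As an added example (not from this thread, ListParts or MBRCheck), the snippet below parses a raw 512-byte MBR partition table and applies the heuristic chaslang uses above: a small, non-bootable partition appended past the end of the main Windows partition is worth a second look. The MBR bytes are constructed to mirror the offsets and sizes in the listing (512-byte sectors assumed); the partition type bytes and the 5% size threshold are assumptions.

```python
import struct

SECTOR = 512


def parse_mbr_partitions(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR.

    Each 16-byte entry at offset 0x1BE holds: boot flag (1), CHS start (3),
    type (1), CHS end (3), LBA start (4, little-endian), sector count (4).
    """
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0 means an unused slot
            parts.append({"index": i, "boot": boot == 0x80, "type": ptype,
                          "start": lba, "sectors": count})
    return parts


def suspicious_trailing_partitions(parts, max_ratio=0.05):
    """Flag small partitions that sit after the largest (OS) partition.

    Mirrors the thread: the biggest partition is Windows, and a small,
    non-bootable partition appended beyond its end (the 2.50 GB one in the
    post) is the thing to investigate. max_ratio is an assumed threshold.
    """
    if not parts:
        return []
    disk_end = max(p["start"] + p["sectors"] for p in parts)
    main = max(parts, key=lambda p: p["sectors"])
    main_end = main["start"] + main["sectors"]
    return [p for p in parts
            if p["start"] >= main_end and not p["boot"]
            and p["sectors"] < max_ratio * disk_end]


def build_entry(boot, ptype, start, count):
    """Build one partition entry; CHS fields left zero (constructed data)."""
    return struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0",
                       ptype, b"\0\0\0", start, count)


# Constructed MBR: byte offsets/sizes from the post converted to sectors
# (32,256 B -> LBA 63, 90,445,824 B -> 176,652 sectors, ...). Types assumed.
SAMPLE_MBR = (bytes(0x1BE)
              + build_entry(False, 0xDE, 63, 176_652)            # 86.26 MB
              + build_entry(True, 0x07, 176_715, 229_022_640)    # 109.21 GB Windows
              + build_entry(False, 0x1B, 229_199_355, 5_237_190)  # 2.50 GB trailing
              + build_entry(False, 0x00, 0, 0)
              + b"\x55\xaa")
```

Running `suspicious_trailing_partitions(parse_mbr_partitions(SAMPLE_MBR))` returns only the third entry, the one highlighted in the post; the offsets are contiguous, so the trailing partition begins exactly where the Windows partition ends.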
     
  4. eleasmom

    eleasmom Private E-2

    Oh, well, silly me, I didn't realize that Google Earth would keep calling GoogleUpdate, or that there was some *other* Google Update Helper thing, after I uninstalled Google Update through Control Panel. Pretty soon I'll be finding Google toilet paper in my bathroom, too, lol...

    Yes, I do have a boot disk.

    Here are the three logs. After I ran tdsskiller and it asked me to reboot, I said yes, but the computer wouldn't shut down properly, so I had to do a hard shut-down. I don't know if that matters. And, after re-starting, I'm still getting the memory issue.
     

    Attached Files:

  5. eleasmom

    eleasmom Private E-2

    Well now something a bit different, sigh.

    This morning, when I turned the computer on, the svchost IMMEDIATELY climbed to 400,000K at CPU 50%. I was trying to get on here to see if I had a reply, so I didn't turn the wireless off right away. Once I did turn it off, I got an error, that actually did look like a true Windows error, a nice square box in the middle, in plain Windows font, that said, "Windows thinks your computer is at risk and needs Data Execution Protection." When I clicked No Thank You, I got a "Windows has encountered an error, and we would like you to send a report" message, with a "Send" "Don't Send" button. It actually looked real. (I chose Don't Send.)

    Then, when I turned off the wireless, the svchost KEPT CLIMBING. In the past, it has stopped climbing as soon as I turned off the wireless.

    Please tell me it's not putting back on all the stuff I spent all day yesterday cleaning off of the computer? :-(

    (BTW, at that point I rebooted, and now it seems to be back to "normal" for what it was doing yesterday. Waiting a few minutes, and then slowly climbing at low CPU.)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then make sure you know how to boot from it to get into the command prompt of the Recovery Console before doing the below because you will need to do this at the end of the steps. You will also be required to make another special boot CD for the G-Parted program being mentioned.

    Follow the instructions in the below link which is designed to cover all versions of Windows. You need to make sure you follow the steps given for Windows XP.

    Using G-Parted to Repair Windows Partition Infections


    Also where the above instructions say this
    The infected partition size for you is the 2.50 GiB ( aka 2.50 GB)

    And where the instructions say this
    You need to substitute in 109.21 GB
     
  7. eleasmom

    eleasmom Private E-2

    Wow, I feel like I just performed brain surgery by reading instructions from a mail-order catalog. I especially loved the part where I had to enter the fixmbr and fixboot commands in Recovery Console, and it came up and asked me, "Are you sure? I mean, are you really, really sure you want to do this? Because if you don't know what you're doing, your computer might blow up in your lap, leaving your legs bloody stumps, and then it will set fire to your house, and then Freddy Krueger will come after your mother." Ack. Yes, Mr. Computer Man, the guy from the internet told me it'll be OK. LOL...

    Oh, and, BTW, G-Parted won't download from that site. It says "no mirror site." I had to torrent it. (Yup, I know, that's how a person gets viruses in the first place. Torrenting random files from unknown sources. I figured at this point, I was ready to throw the computer out the window, anyway, so it hardly made a difference...)

    Well, so far, so good. I've had things running for about 15 minutes, and no memory or CPU issues with svchost. Things seem to be running and loading smoothly and quickly.

    Fingers crossed, knock on wood.

    And, I'm sure this has been said a million times, but there need to be more people like you in the world. I'm an RN, and I hear all the time, "Thank God for our RN's." I take my medical knowledge for granted - "It's just what I do." But to the people who don't have that knowledge, what I can offer is magical. I hope you know that this is the same thing. A person is hurting, angry, frustrated, and it doesn't really matter what the source of that pain is. If someone can step in and take it away, God bless that person.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We are happy we could help.

    Your logs are clean.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
