Two things come to mind:
1. The svchost you mention isn't the "real" svchost, and is simply undetected malware dropping files.
2. Svchost is the proper file expected on the system, but something is injected into it, causing it to misbehave.
You mentioned procexp, which is good if you know quite a bit about what you are looking for. However, if the details are foggy, I would use "GMER" (GMER.net). You can launch the .exe and it will do a quick scan right up front, and then you can hit the "Scan" button on the right to scan the entire system. Once that is complete, you can save the log down to the system.
If you like, you can post that log up here, and we can see if there is anything obvious.
Thanks for your reply. I have attached the log generated by GMER. There was a warning stating that there was a change on ROOTKIT processes. Please let me know if there is something you notice.
GMER LOG.log.zip 11.0 K
So it points to "Disk - \Device\Harddisk0\DR0 - sector 00: rootkit-like behavior; - <-- ROOTKIT !!!"
MBR infectors are somewhat rare, but they certainly do still exist. Hard to say if this is the real culprit, or perhaps a "false detection" by GMER against a legitimate change to your MBR (master boot record).
I would probably use the tool below to capture your MBR, and then submit it to McAfee Labs (you probably should open up a service request with us as well).
Device \Driver\00001244 -> \Driver\iaStor \Device\Harddisk0\DR0 8AC6F50C
This is also a sign of a rootkit that might have modified the iaStor.sys file.
Thanks for the info, guys. Not sure what else to do. I have escalated to our local IT guys in my company to log a ticket with McAfee, as they are also not able to figure this out. Please do let me know if there is anything else I can do.
The author of GMER has created a tool that you can run that may remove this problem. This is a command line utility for 32-bit Windows 2000 and later.
Use MBR -t at the command prompt to check for the rootkit, and MBR -f to fix it if it is detected.
I also have made a Boot CD you can create to scan and clean your computer from known infections that can be detected by the AV, or that allows for manual removal.