Svchost.exe taking up too much memory

Status
Not open for further replies.

WinDos

Lately my svchost has been taking up a lot more memory than usual and I've noticed my browsing speed has slowed. The problem may be that I installed Kaspersky Internet Security 2009 recently, but I had this svchost problem long before I installed Kaspersky - the only difference is that now I am being slowed, but I wasn't before.

Right now, I have 13 instances of svchost running, each of them around 5,000K's worth of memory, but 3 of them are at 30, 50, and 100.

I've done numerous scans with Kaspersky Internet Security 2009, Windows Defender, Spybot S&D, and Malwarebytes' Anti-Malware; none of them returned any problems with my system.

I attached my HJT log (as instructed by the stickies) in hopes that someone could help me figure out whether this is just normal activity or malware.
 
OK svchost can run multiple things at once!

Get this tool to see what the SVCHOSTS are running:
http://www.codeplex.com/svchostviewer

To pinpoint Ram and CPU hogs get Process Hacker:
http://processhacker.sourceforge.net/

Once loaded, right-click the column header line (Name, PID, etc.), click Choose Columns, and add:
Total CPU time
User CPU time
Kernel CPU time

Once added I drag these new columns down beside the already existing CPU so all in a row.

Then click CPU until System Idle process is at or near the top. This will show what is using CPU time now! This does not mean it is a hog yet!

Then click Total CPU Time until System Idle process is at or near the top. You will see the times from Highest to lowest. Now you begin to see what is hogging the CPU.

Then click User CPU time until System Idle process is at or near the bottom. Hogs will be at top!

Then click Kernel CPU time until System Idle process is at or near the top.

Now the big hogs will be the ones that are high in all categories.

Remember System Idle process should always be High and all others low!
Also remember to subtract ProcessHacker's time from the total to get the real CPU time without PH running!

Remember some programs have to be a hog while doing an intensive job like a Virus scan etc.

What you are looking for is 2 things basically.

1. Things like Java Quick Starter (jqs.exe) (that allows Java to open 1 second quicker) or the Adobe quick start, that use CPU in all or most categories. These you don't need!

2. A legit program that just uses too much!

Mike
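
An added example, not part of the original posts: a PowerShell listing that shows which services each svchost.exe instance hosts, with its working set and total CPU time, and checks that the binary runs from the Windows system directory. It assumes Windows PowerShell 3.0 or later and an elevated prompt; without elevation the path and command line can come back empty.

```powershell
# Added example: map every svchost.exe to the services it hosts and what it costs.
$sys      = $env:SystemRoot
$expected = @("$sys\System32\svchost.exe", "$sys\SysWOW64\svchost.exe")

# Index running services by the PID of the process that hosts them.
$byPid = Get-CimInstance Win32_Service -Filter "State = 'Running'" |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $hosted = $byPid[[string]$_.ProcessId]

    # A svchost.exe outside the system directory deserves a closer look.
    if (-not $_.ExecutablePath) {
        $pathCheck = 'unknown (run elevated)'
    } elseif ($expected -contains $_.ExecutablePath) {
        $pathCheck = 'ok'
    } else {
        $pathCheck = "UNEXPECTED: $($_.ExecutablePath)"
    }

    [pscustomobject]@{
        PID          = $_.ProcessId
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        # KernelModeTime and UserModeTime are in 100-nanosecond units.
        CpuSeconds   = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
        PathCheck    = $pathCheck
        CommandLine  = $_.CommandLine          # shows the -k service group
        Services     = ($hosted.Name -join ', ')
    }
} | Sort-Object WorkingSetMB -Descending | Format-List
```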
 
Unfortunately, I can't install Process Hacker because I'm using Vista 64-bit. I did however use the svchost viewer and I'm currently investigating the services using each of the svchost files.

EDIT: The following processes are using svchost:

WerSvc, stisvc, PolicyAgent, BFE, DPS, MpsSvc, CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv, TermService, EventSystem, fdPHost, FDResPub, LanmanWorkstation, netprofm, nsi, SSDPSRV, SstpSvc, upnphost, W32Time, WebClient, WinHttpAutoProxySvc, gpsvc, AeLookupSvc, BITS, Browser, EapHost, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, RasMan, Schedule, seclogon, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv, AudioEndpointBuilder, dot3svc, EMDMgmt, hidserv, Netman, PcaSvc, SysMain, TabletInputService, TrkWks, UxSms, WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc, AudioSrv, Dhcp, Eventlog, lmhosts, wscsvc, WinDefend, RpcSs, DcomLaunch, and PlugPlay.

There is a total of 13 svchosts running; of those, only 3 exceed 10 MB of memory usage, and they're at 38.66 MB, 134.61 MB, and 78.8 MB.
 
Run those programs you have listed in Safe Mode; run this one also: Malwarebytes' Anti-Malware.
I prefer using tools like GMER and SmitFraudFix under Safe Mode.
 
I already ran a whole cadre of antiviruses and check programs, including Malwarebytes' Anti-Malware (which I said in my opening post).

None of them ever detect anything more serious than a bad cookie, I'm just concerned with my svchosts.
 
See, tools like GMER and SmitFraudFix don't get installed; they run on their own to isolate the problem. They first detect if you have a problem, then you press a key and it will remove it. I've been where you are now. Not a fun experience. Even if you can remove the problem the system might not be stable enough to work prior to this problem.

I use IS myself but not the one you're using. I've tried them all and to me not can't block out everything. So I use something most don't use in IS for free but works great. These issues are gone on all my systems including server OS. Only 4 systems out of 8 had to be rebuilt. The others including the server I was able to save.

You can try everything that's out there and still run into the same things I did. What you can do is run PrevX CS and see if that finds anything on your system right now. That's free to scan but not free to remove. But it will give you an idea if you have anything on the system like cloaked malware, a worm, etc.
 
I get the feeling that your English isn't all that great. The chances of me having a virus, malware, or any other type of malicious software are EXTREMELY low. In fact, I have no symptoms whatsoever if I turn off Windows updates, which was probably the cause of this.

Can anyone else at least take a look at my HJT log and recommend a solution? Someone who speaks English...
 
Sorry Win

I looked at your HJT log and saw no sign of malware or anything that might impact performance greatly!

But there are a couple of Minor wheel spinners.

Run HJT Scan only and select to fix any line that ends in (no file) and (file missing)

Just remove all as above except those 64-bit specific ones that begin with @%,
such as @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing), which HJT cannot handle and will not go.

Also get the following:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

Get: http://www.mlin.net/StartupCPL.shtml and uncheck or delete anything that you don't need including the above Acrobat and QuickTime!

Here are 2 other procedures you can consider:

----------------------------------------------------------------------------------------------------------------------------------------------------
Clean and tweak services

In Services, stop and disable all of the below just to get them out of the way for now for troubleshooting purposes.

Nothing is un-installed or deleted only disabled from running!

They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

Disabled uses no memory (RAM) and no CPU cycles.
Manual uses the RAM but a small amount of CPU.
Auto and not started they use even more RAM and CPU.
Auto and started even more RAM and CPU ..

Now in this case we are disabling for troubleshooting purposes. But when we finish, if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

Leaving these all off then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note: if you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all!

Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Fast User switching
Health Key and Certificate Management Service
Indexing service
Messenger
Net logon
Net.TCP Port Sharing
NetMeeting Remote Desktop Sharing
IPsec services
QoS RSVP
Remote Registry
Uninterruptible power supply
Universal Plug and play
Web Client
Windows media player Network Sharing

If you are using a wired network card and "NOT" using wireless on this computer then you can also disable

Wireless Zero configuration

Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

This is not to be confused with Wired Auto Config do not disable that!

Below is a batch to do this for you. Remember nothing is deleted or uninstalled; to get anything back just go to Services and re-enable. The exception is jqs.exe (which you don't have), which makes Java start 1 sec faster but is such a hog it is deleted.
--------------
Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config DNSCache start= disabled
sc stop DNSCache

sc config JavaQuickStarterService start= disabled
sc stop JavaQuickStarterService
sc delete JavaQuickStarterService
attrib -h -s -r /s c:\jqs.*
del /f /q /s c:\jqs.*

rem Keep these core services on automatic start and make sure they are running
sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer
exit
exit
----------------------------------------------------------------------------------------------------------------------------------------------------

Autoruns/Runscanner cleanup

Make sure hidden files and folders are shown. Open Windows Explorer click Tools or View and then Folder Options-View.

Choose Show hidden files and folders, uncheck Hide protected operating system files and click OK.

Download install and run AutoRuns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Run it let it scan, then when it says ready at bottom left corner, make sure the EVERYTHING Tab is selected and then click File at top and then Find.

Type in the find box file not found and hit enter and delete all lines that have file not found.

When you reach the bottom, then go back to the top and click the first entry under the Everything tab (to begin the search from that point) and search again in case any were missed.

This is a bunch of old stuff that M$ thought you might or would need that no longer exist, or for computers that are assumed to have SCSI or AMD processors but do not, or that you have Intel but do not!

After the file not found search scroll back to the top and highlight the very first entry so you are searching from the top and click Find and search for anything you want, if needed.

Then look carefully through all the Everything entries and delete anything that you may have had but uninstalled and thought were gone. If you are sure delete these also.

Next

Then get install and run:
RunScanner http://www.runscanner.net/download.aspx

Click Scan computer
Double click all Red lines to select, then click Item fixer and remove them.

Then click Extra stuff again select all Red lines. Then click back to Malware hunting and Click the Item fixer again and remove these.

Same as already said on AutoRuns: stuff that was assumed to be needed but you do not have.

None of these items can run as the file is missing so most of the improvement you may see comes as a quicker startup as windows no longer searches or tries to load some of these. But some have noticed a faster shutdown also.

Reboot and recheck with both AutoRuns and RunScanner.
----------------------------------------------------------------------------------------------------------------------------------------------------

One other thing to help find a hog is open Taskmgr then click View then select columns and then CPU time.

Then double click the CPU Time to sort System Idle to top. The next line is your biggest CPU user and the next in order.

Shame ProcessHacker is not 64-bit yet as it is the best at finding hogs if configured properly.

Mike
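
An added example, not part of the original post: a PowerShell snapshot of each service's start mode and state taken before running the batch above, with a matching restore, so that putting services back does not depend on memory. The service names are a constructed subset of those in the batch (which also covers IPsec, DNS Client and Netlogon); the function names and CSV path are hypothetical, and Windows PowerShell 3.0 or later with an elevated prompt is assumed.

```powershell
# Added example: record service settings before the batch, restore them afterwards.
# $Names is a constructed subset of the services the batch touches.
$Names = 'AeLookupSvc','TrkWks','Dnscache','hidserv','PolicyAgent','Netlogon',
         'NetTcpPortSharing','SSDPSRV','upnphost','WMPNetworkSvc',
         'RemoteRegistry','RemoteAccess','SCardSvr','WebClient'

function Save-ServiceBaseline {
    param([string[]]$Name, [string]$Path)
    $Name | ForEach-Object {
        # Services that do not exist on this Windows version return nothing.
        Get-CimInstance Win32_Service -Filter "Name = '$_'" |
            Select-Object Name, DisplayName, StartMode, State
    } | Export-Csv -Path $Path -NoTypeInformation
}

function Restore-ServiceBaseline {
    param([string]$Path)
    # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
    # Delayed auto-start is reported as 'Auto' too, so the delay flag is not restored.
    $map = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    Import-Csv -Path $Path | ForEach-Object {
        if (-not $map.ContainsKey($_.StartMode)) { return }   # skip Boot/System entries
        Set-Service -Name $_.Name -StartupType $map[$_.StartMode]
        if ($_.State -eq 'Running') {
            Start-Service -Name $_.Name -ErrorAction SilentlyContinue
        }
    }
}

# Before running the batch:
Save-ServiceBaseline -Name $Names -Path "$env:USERPROFILE\service-baseline.csv"

# To put everything back later:
# Restore-ServiceBaseline -Path "$env:USERPROFILE\service-baseline.csv"
```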
 
English is not the question here. I am in a rush, I'll type it out plain Jane for you. If you have other issues than Virus & Malware then this isn't the right area to be in. Hardware or the OS giving you uses then.
 
I didn't know what I had, which is why I pasted here. And yes, you do have English issues, which makes me wonder why you paste here. Anyway, mflynn helped me, so I'm off.

Thanks mflynn!
 
I'm coming in late to this thread, but I will start out by saying it's not a good idea to insult the volunteers who are trying to help you.

To the matter at hand:
You show 30 Services running- most likely most or all are set up with Automatic Startup mode. Many of those Services display as Generic Host Process for Win32, or for short, svchost.exe.

Use this site as a reference and try to get some of those Services on Manual:
http://www.blackviper.com/WinVista/servicecfg.htm

You will find a chart which describes each Service and recommended settings. Always check the Dependencies tab.

It is not uncommon to have multiple svchost.exe running.

Take it or leave it- it's in English.
 