TechSpot

Svchost issue

By paperbanjo
Nov 26, 2009
  1. I don't know how long this has been going on, but it really showed itself last night and has been ever since. I called my boyfriend when I got off work last night and he complained that it took 10 minutes for Dragon Age: Origins to load something in-game.. on my computer. Now I knew some of the loading screens take some time, but 10 (literal) minutes is ridiculous. I told him to restart and when he did, my computer wanted to run CHKDSK. I told him not to because last time I did this on my computer, it completely wiped it out and I had to reinstall. (It also did the same to his - I was running it on mine to see if my computer had any issues running it and it turns out it did.)

    It is still trying to run CHKDSK on every boot up.. I'm very reluctant to because of what happened last time.

    That being said, it's been running real sluggish (randomly freezes up, takes a long time to load something, etc).. and when you open Task Manager, this is what you find:

    http://img.photobucket.com/albums/v208/mirkaei/tm1.png
    http://img.photobucket.com/albums/v208/mirkaei/tm2.png

    It was even running higher than Firefox and as high as Dragon Age: Origins does when it is running.

    The highest I have actually witnessed the memory usage at is over 200k (it has taken up 100% CPU at times), as shown here:
    http://img.photobucket.com/albums/v208/mirkaei/procexp1.png

    I tried to change the Windows Updates, even though that service wasn't under this process, and I thought for a moment that it helped but I guess it was just coincidence because the problem came back soon.

    Attached is my hijackthis log. He installed and ran Spybot last night.. says he fixed any issues that came up (I proceeded to go to bed) and also said that once he did that, the performance picked up some.. but of course when I woke up, the memory usage was still a problem.

    Unfortunately ending this process also cuts off my internet.. and I also think it messed with my iTunes because when I loaded it up tonight my entire list of music was gone. Sigh. My boyfriend thinks it might be my crappy Netgear wireless card. I've had it for a month now and I hate to agree with him, but I'm afraid it may be true. I can't use the card without their dumb software installed and it's honestly the only thing that I can think of that would cause this problem.

    He has also recently (a couple weeks ago) connected his 360 to my computer for Xbox Live. Could that cause any issue (even when it isn't on)?

    I just want to know what is causing this problem and how to fix it. :(

    Let me know if you have any other questions.

    Thanks.

    Edit: I think I put this in the wrong section (wasn't sure to begin with).. move it if necessary.
     


  2. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    Hi paperbanjo,

    Please read 8-step Virus Removal and download the Programs requested in the thread, then post the logs after you have run scans.

    I believe the Xbox would not be the problem and you put it in the right section. How many Anti-Virus programs do you currently have?
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should understand that svchost is a legitimate Windows process. A full name would be 'generic Host Process for Win32.'

    It would also be helpful to know how much RAM is installed and if you do occasional reboots to free up the RAM.

    From Wiki:
    and
    More description HERE.

    I have 7-9 svchost processes in the Task Manager on a clean computer.

    Image 1 shows a normal Task Manager processes tab.
    Image 2 shows 9 processes highlighted
    Svchost PID 1084 in Process image has to be identified.
    (I'm going to take a guess that it will be the SuperFetch process, which is known to be a high memory user.)

    The system you have is 64 bit and HijackThis does not read this correctly, so that log isn't of help.

    What I need to establish is if you think you have a malware problem or a system problem. I would encourage you to re-post in the Windows OS forum first. Look for help in identifying THIS particular process and go from there. If the system is coming up with the error checking, something needs to be resolved. Error checking-CHKDSK will not wipe out a system.

    You can identify which services are running under a given process by using the tasklist command:
    • Click on Start> Run> type in cmd>
    • From the command line type in tasklist /FI filter (note space before /FI)
    • For PID value type in 1084
    • This should identify which task is running.

    If you have a problem with the command, let me know. Once you have identified which process this is for, you will know how to handle it. As you found out, you cannot indiscriminately stop svchost processes.

    I'm going to ask a moderator to move this thread and re-title it Vista 64 bit svchost problem

    This basically shows the same thing as Task Manager. Note which PIDs are using excessive memory. Now type tasklist /svc , it will tell you which services are running under each PID for svchost. This should help you identify the memory hog. From the numbers you've listed, they don't look too excessive, though maybe a little high.
     
  4. paperbanjo

    paperbanjo TS Rookie Topic Starter

    @Anonymous:

    I only run AVG (the free version).

    Ran a full scan.. there were 126 warnings, 3 removed and healed, 123 not removed/healed. I went ahead and did that. I attached the Overview.

    Java updated. Ran CCleaner

    Ran HijackThis again, new log attached. Other logs attached.

    @Bobbye:

    I meant to post it in the Windows OS forum to begin with. I wasn't thinking it was any sort of Malware problem.

    The command brings up this (I've restarted so the PID has changed).

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    svchost.exe                    744 Services                   0    186,400 K

    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                    744 AudioEndpointBuilder, hidserv, Netman,
                                       PcaSvc, SysMain, UxSms, Wlansvc,
                                       WPDBusEnum, wudfsvc

    Thanks for your help.
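
The lookup discussed above, as an added example that is not part of the original thread: it parses `tasklist` and `tasklist /svc` table output, including the wrapped service lines shown in the post, and lists the services hosted by any svchost.exe above a memory threshold. The PID 744 rows come from the post; the other rows, the function names and the 100,000 K threshold are assumptions made for illustration.

```python
"""Join `tasklist` and `tasklist /svc` output to name the services in a heavy svchost."""
import re

# svchost.exe PID 744 rows are from the thread; the other rows are constructed.
MEM_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    744 Services                   0    186,400 K
svchost.exe                   1020 Services                   0     12,304 K
firefox.exe                   3312 Console                    1     98,112 K
"""

SVC_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    744 AudioEndpointBuilder, hidserv, Netman,
                                   PcaSvc, SysMain, UxSms, Wlansvc,
                                   WPDBusEnum, wudfsvc
svchost.exe                   1020 Dhcp, EventLog, lmhosts
firefox.exe                   3312 N/A
"""


def parse_table(text):
    """Split fixed-width tasklist output into rows using the '====' ruler line.

    A line whose first column is blank is a wrapped continuation of the
    previous row (long service lists), so its last cell is appended.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ruler = next(i for i, ln in enumerate(lines) if set(ln.strip()) <= {"=", " "})
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)          # last column runs to end of line
    rows = []
    for ln in lines[ruler + 1:]:
        cells = [ln[a:b].strip() for a, b in spans]
        if not cells[0] and rows:             # continuation line
            rows[-1][-1] += " " + cells[-1]
        else:
            rows.append(cells)
    return rows


def heavy_svchosts(mem_text, svc_text, threshold_kb=100_000):
    """Return {pid: (mem_kb, [services])} for svchost.exe at or above threshold_kb."""
    services = {}
    for _image, pid, svc in parse_table(svc_text):
        names = [s.strip() for s in svc.split(",") if s.strip()]
        services[int(pid)] = [] if names == ["N/A"] else names
    result = {}
    for image, pid, _session, _num, mem in parse_table(mem_text):
        mem_kb = int(re.sub(r"[^\d]", "", mem))   # "186,400 K" -> 186400
        if image.lower() == "svchost.exe" and mem_kb >= threshold_kb:
            result[int(pid)] = (mem_kb, services.get(int(pid), []))
    return result


if __name__ == "__main__":
    for pid, (mem_kb, names) in heavy_svchosts(MEM_OUTPUT, SVC_OUTPUT).items():
        print(f"svchost.exe PID {pid}: {mem_kb:,} K -> {', '.join(names)}")
```

On a live system the two inputs come from `tasklist /FI "IMAGENAME eq svchost.exe"` and `tasklist /svc /FI "IMAGENAME eq svchost.exe"`. SysMain, which appears in the PID 744 group, is the service name of SuperFetch.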
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    In the grand scheme of all things malware, Tracking cookies don't rate high and that's what the AV found. Hopefully you have SAS remove them. But when I see so many on a system, I question what kind of maintenance the user is doing: disc cleanup, defrag, remove temporary internet files and Cookies and regular scan with the security programs are all considered 'regular maintenance'.

    To get better control over the Tracking Cookies:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

    As I told you, HJT doesn't work on a 64 bit OS as you have. Results are inconsistent and can't be relied on to determine good and bad entries.

    I do see a Service that you can check the startup type: Server 2003 R2 DFS Replication (DFSR.EXE)
    Description:
    Click on Start> Run> type in services.msc> OK> find the following Services and double-click on it:
    (DFSR)> set Startup type to Manual> Close Services.

    There are 2 posts on this site by David Shen from this TechNet forum to troubleshoot this Service:
    Please read them both, then follow the Steps in the second post:

    Here is the link to Process Explorer.

    See if that helps your problem.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I think you may have a physical Hard Drive fault, that may need replacing

    regarding:
    CheckDisk can wipe out a faulty Hard Drive, or a filesystem that is encrypted


    What you need to do, is backup all your personal data (Docs; Pics; etc) to external media
    Then perform a CheckDisk on the drive, if the drive is wiped from doing this, replace it.
    Then do a Drive Diagnostics on the Hard Drive

    I have seen faulty Hard Drives specifically showing Svchost with high memory and CPU usage, caused by hardware
    And my first feeling is that you need to replace the Hard Drive and re-install Windows clean
    I prefer free Avira Antivirus over free AVG
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kimsland, just a clarification for me: CHKDSK won't wipe a hard drive under normal conditions> meaning the drive is not faulty- is that correct? About the encryption, can you explain to me how or why CHKDSK wipes encryption?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Obviously correct




    Chkdsk can cause issues and even lose data on an encrypted Hard Drive (in this sense wipe data)

    Here's some MS Article Quotes:
    http://support.microsoft.com/kb/952079


    http://support.microsoft.com/kb/314870

    http://support.microsoft.com/?kbid=828693
    The quotes are a bit jumbled and confusing, but having encryption and then running CheckDisk to restore data (otherwise corrupted) can cause that data to be lost into fragments of broken data (if faults to the file system or Hard Drive exist)
     
  9. paperbanjo

    paperbanjo TS Rookie Topic Starter

    I want to say it's been about 2 months since I have done a disk cleanup and defragged my computer and such. AVG runs nightly at midnight, though it probably only completes once or twice a week since I am usually at my computer when it goes off and if I'm in the middle of a game, I have to stop the scan. Since I had to restore my computer several months ago, I have honestly never viewed the completed scan and removed what it found because I have a terrible memory and forget the scan ever happened.

    I went ahead and re-installed the AdBlock add-on. I forgot to (see above ;)) when I had to reinstall Vista before.

    DFSR was already set to Manual.

    I did what you said with that in Process Monitor.. but when I set the filter, DFSR never came up in the list.. and I also never got an error when I opened the services.msc and eventvwr. Perhaps I missed something or was supposed to change a step? And I would like to note that my Firefox is running much lower now.. perhaps it was full from all those cookies? ;)

    As for the hijackthis log, I had already run it again and done everything before I saw your reply. I apologize.

    If it comes down to it, I'll let the CHKDSK scan. I backed everything up when I made my post.. with my luck something will make my computer restart when I'm not here and then CHKDSK will run and I'll lose all my stuff. So I'm ready for it, I just don't want to do it and if it's going to happen, I'd like it to happen when I have the time.

    I also really don't want to buy a new hard drive if that's the case!


    All that being said, I unfortunately can't really give any input on a performance increase. I've put nearly all my waking hours into work these last couple days and the hours at my computer have been spent trying to troubleshoot and doing all this to figure out why it is consuming so much memory. I'll see if I notice anything tonight before I hit the sack or over the next 3 days as I will have some time off.

    I appreciate all of your help.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'd like to hear how after running CheckDisk it then runs ok (or not)

    You can also run a Drive Diagnostics on your HardDrive as well (if you like)
     
  11. paperbanjo

    paperbanjo TS Rookie Topic Starter

    I ran the drive diagnostics (quick test) and that passed. I'll run an extended test while I sleep tonight and see how it turns out. I'll run the CHKDSK tomorrow night. I'll let you know how it goes.
     
  12. paperbanjo

    paperbanjo TS Rookie Topic Starter

    The extended test also passed. Again, I'll run the CHKDSK tonight.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Many of the problems that occur on a system are caused by the user- usually what they didn't do!

    Maintenance for the Computer System


    • [1] Error Checking (CHKDSK) to ensure that your hard drive is healthy and working. Weekly.

      [2] Then run Disk Cleanup to remove any extra or useless files. Weekly. Includes:

        [o] Deleting temporary internet files. Each time you go to a site, a temporary file is placed on your computer's hard drive. These can add up to a lot of space if not deleted regularly.
        [o] Deleting cookies. These are small files web sites put on your hard drive to identify you and track your surfing habits. If you have a password saved for a certain web site, deleting your cookies will delete that as well. Over the years there have been some lively debates about how often to do this.
        [o] Delete History. This is similar to temporary internet files. But when you delete History, it deletes the URLs in the Address box drop-down menu.

      [3] Disk defrag. This takes all of the bits of data on your hard drive and puts them in order. If you use your computer a lot, you can have data scattered all over your hard drive. It makes your computer run slower when it is looking for this information. Monthly or bi-monthly.

      [4] Checking for security and critical updates. This requires you to go to Microsoft.com and do a Windows update scan. Often there are security problems or hackers have found a vulnerable spot in Windows that needs to be fixed. This includes Windows updates, Java and Adobe Reader.

      [5] Security programs: Dependent on type

        [o] Antivirus program> a good, regularly updating AV program should be on the system at all times. Scan once a week, not every day.
        [o] Spyware/Adware> you do not need to scan on startup. Once a week should be adequate.
        [o] Bi-Directional Firewall. Does not need to be on auto-update.

      [6] Consider these programs for Extra Security

        [o] SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
        [o] IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
        [o] MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
        [o] Google Toolbar: Get the free Google toolbar to help stop pop up windows.
     
  14. paperbanjo

    paperbanjo TS Rookie Topic Starter

    I wanted to say that I guess I have defrag set to run every Wednesday and it last ran on the 25th.. so that does get run. I didn't know this was set up. Should I change it to once a month?

    I let the CHKDSK run tonight while I ate dinner and it ran fine.. my computer isn't dead. It also isn't trying to run it when I start it up anymore (since I let it finish). However, still having the svchost issue. :\
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes.

    Yeah!

    Now that we have resolved that issue, please rescan with HijackThis and paste the new logs in next reply. I'll look through the Services and instruct you on changing some of the Startup Types.

    Note: Please don't go whacking the Services off! If it's done right, the system will be fine. If it's done wrong, you might not be able to use the system. Please trust me.
     
  16. paperbanjo

    paperbanjo TS Rookie Topic Starter

    Here ya go.

    Edit: You did want HJT, right? You were saying it doesn't work right with my OS.. so just checking.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So sorry- had memory lapse. Forgot you had the 64 bit Vista. But I think I can help with the Services with the information I have. It's going to be either later tonight though or in the AM. I am wiped out!
     
  18. paperbanjo

    paperbanjo TS Rookie Topic Starter

    Sure thing.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please print- no seconds on this!

    To change Services: Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Click on Start> Run> type in services.msc> OK
    • Double click on Service display name to be changed
    • Change Startup type as directed
    • Stop Services changed to Manual
    • Exit from Services
    • Reboot the system into Normal Mode.> Only the Services needed will start.

    Source: Black Viper: http://www.blackviper.com/WinVista/servicecfg.htm

    • [1] Service Name ArcSoft Connection Service> Manual
      Display Name: ACDaemon.exeACDaemon)
      [2] Service Name (registry): ALG>> Manual
      Display Name: Application Layer Gateway Service
      [3] Service Name (registry): aspnet_state> Manual
      Display Name: ASP.NET State Service
      [4] Service Name AVG WAtch dog>> Automatic
      Display Name: avg9wd
      [5] Service Name (registry): DFSR>> (Manual)
      Display Name: DFS Replication
      [6] Service Name (registry): KeyIso> Manual
      Display Name: CNG Key Isolation
      [7] Service Name (registry): MSDTC>> Manual
      Display Name: Distributed Transaction Coordinator
      [8] Service Name NVIDIA Display Driver Service>> Manual
      Display Name: nvsvc
      [9] Service Name (registry): ProtectedStorage>> Manual
      Display Name: Protected Storage
      [10]Service Name (registry): RpcLocator>> Manual
      Display Name: Remote Procedure Call (RPC) Locator
      [11]Service Name (registry): SamSs>> Manual
      Display Name: Security Accounts Manager
      [12]Service Name SBSD Security Center Service>> Automatic
      Display Name: SBSDWSCService
      [13]Service Name (registry): slsvc>> Automatic
      Display Name: Software Licensing
      [14]Service Name (registry): SNMPTRAP>> Manual
      Display Name: SNMP TrapO23
      [15]Service Name (registry): Spooler>> Automatic
      Display Name: Print Spooler
      [16]Service Name (registry): UIODetect>> Manual
      Display Name: Interactive Services Detection
      [17]Service Name (registry): vds>> Manual
      Display Name: Virtual Disk
      [18]Service Name (registry): VSS>> Manual
      Display Name: Volume Shadow Copy
      [19]Service Name WMI Performance Adapter>> Manual
      Display Name: wmiApSrv
      [20]Service Name (registry): WMPNetworkSvc>> Manual
      Display Name: Windows Media Player Network Sharing Service
      ----------------------------------------------------------------------
      The following are all non-Microsoft Services. I recommend you set them all to Manual:
      [21]Service Name Bonjour
      Display Name: mDNSResponder:
      [22]Service Name Dragon Age AUpdater
      Display Name: DAUpdaterSvc
      [23]Service Name: iPod
      Display Name: iPod
      [24]Service Name LiveTurbineMessageService
      Display Name Turbine Download Manage (?)
      [25]Service Name LiveTurbineMessageServiceTurbine Network Service
      Display Name: LiveTurbineNetworkService -
      [26]Service Name Steam Client Service
      Display Name: Steam\SteamServicee
      [27]Service Name Apple Mobile Device
      Display Name: AMD
     
Topic Status:
Not open for further replies.
