Svchost issue

Status
Not open for further replies.

paperbanjo

I don't know how long this has been going on, but it really showed itself last night and has been ever since. I called my boyfriend when I got off work last night and he complained that it took 10 minutes for Dragon Age: Origins to load something in-game.. on my computer. Now I knew some of the loading screens take some time, but 10 (literal) minutes is ridiculous. I told him to restart and when he did, my computer wanted to run CHKDSK. I told him not to because last time I did this on my computer, it completely wiped it out and I had to reinstall. (It also did the same to his - I was running it on mine to see if my computer had any issues running it and it turns out it did.)

It is still trying to run CHKDSK on every boot up.. I'm very reluctant to because of what happened last time.

That being said, it's been running real sluggish (randomly freezes up, takes a long time to load something, etc).. and when you open Task Manager, this is what you find:

http://img.photobucket.com/albums/v208/mirkaei/tm1.png
http://img.photobucket.com/albums/v208/mirkaei/tm2.png

It was even running higher than Firefox and as high as Dragon Age: Origins does when it is running.

The highest I have actually witnessed the memory usage at is over 200k (it has taken up 100% CPU at times), as shown here:
http://img.photobucket.com/albums/v208/mirkaei/procexp1.png

I tried to change the Windows Updates, even though that service wasn't under this process, and I thought for a moment that it helped but I guess it was just coincidence because the problem came back soon.

Attached is my hijackthis log. He installed and ran Spybot last night.. says he fixed any issues that came up (I proceeded to go to bed) and also said that once he did that, the performance picked up some.. but of course when I woke up, the memory usage was still a problem.

Unfortunately ending this process also cuts off my internet.. and I also think it messed with my iTunes because when I loaded it up tonight my entire list of music was gone. Sigh. My boyfriend thinks it might be my crappy Netgear wireless card. I've had it for a month now and I hate to agree with him, but I'm afraid it may be true. I can't use the card without their dumb software installed and it's honestly the only thing that I can think of that would cause this problem.

He has also recently (a couple weeks ago) connected his 360 to my computer for xBox Live. Could that cause any issue (even when it isn't on)?

I just want to know what is causing this problem and how to fix it. :(

Let me know if you have any other questions.

Thanks.

Edit: I think I put this in the wrong section (wasn't sure to begin with).. move it if necessary.
 

Attachments

  • hijackthis.log
    7.8 KB · Views: 6
Hi paperbanjo,

Please read 8-step Virus Removal and download the Programs requested in the thread, then post the logs after you have run scans.

I believe the Xbox would not be the problem and you put it in the right section. How many Anti-Virus programs do you currently have?
 
You should understand that svchost is a legitimate Windows process. A full name would be 'generic Host Process for Win32.'

It would also be helpful to know how much RAM is installed and if you do occasional reboots to free up the RAM.

From Wiki:
In the Windows NT family of operating systems, svchost.exe is the name of a process and its associated image (executable file) for hosting services. These services are contained within dynamically-linked libraries (DLLs).
and
Because svchost.exe is used as a common system process, some malware often uses a process name of "svchost.exe" to disguise itself

More description HERE.

I have 7-9 svchost processes in the Task Manager on a clean computer.

Image 1 shows a normal Task Manager processes tab.
Image 2 shows 9 processes highlighted
Svchost PID 1084 in Process image has to be identified.
(I'm going to take a guess that it will be the SuperFetch process, which is known to be a high memory user.)

The system you have is 64 bit and HijackThis does not read this correctly, so that log isn't of help.

What I need to establish is if you think you have a malware problem or a system problem. I would encourage you to re-post in the Windows OS forum first. Look for help in identifying THIS particular process and go from there. If the system is coming up with the error checking, something needs to be resolved. Error checking-CHKDSK will not wipe out a system.

You can identify which services are running under a given process by using the tasklist command:
  • Click on Start> Run> type in cmd>
  • From the command line type in tasklist /FI filter (note space before /FI)
  • For PID value type in 1084
  • This should identify which task is running.

If you have a problem with the command, let me know. Once you have identified which process this is for, you will know how to handle it. As you found out, you cannot indiscriminately stop svchost processes.

I'm going to ask a moderator to move this thread and re-title it Vista 64 bit svchost problem

This basically shows the same thing as Task Manager. Note which PIDs are using excessive memory. Now type tasklist /svc , it will tell you which services are running under each PID for svchost. This should help you identify the memory hog. From the numbers you've listed, they don't look too excessive, though maybe a little high.
 
@Anonymous:

I only run AVG (the free version).

Ran a full scan.. there were 126 warnings, 3 removed and healed, 123 not removed/healed. I went ahead and did that. I attached the Overview.

Java updated. Ran CCleaner

Ran HijackThis again, new log attached. Other logs attached.

@Bobbye:

I meant to post it in the Windows OS forum to begin with. I wasn't thinking it was any sort of Malware problem.

The command brings up this (I've restarted so the PID has changed).

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    744 Services                   0    186,400 K

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    744 AudioEndpointBuilder, hidserv, Netman,
                                   PcaSvc, SysMain, UxSms, Wlansvc,
                                   WPDBusEnum, wudfsvc

Thanks for your help.
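
The triage discussed in the posts above (find the svchost PID using the most memory, then list the services under it with tasklist /svc), as an added example that is not part of the original thread: a Python parser for pasted tasklist output that joins wrapped service lists and tolerates collapsed column whitespace. The function names, the 100,000 K threshold and every sample row other than svchost.exe 744 are assumptions made for illustration.

```python
import re

# Pasted output of `tasklist` and `tasklist /svc`. The svchost.exe 744 rows are
# the ones posted in the thread; every other row is constructed for the example.
MEM_OUTPUT = """\
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
svchost.exe 744 Services 0 186,400 K
svchost.exe 980 Services 0 12,300 K
svchost.exe 2216 Console 1 4,100 K
firefox.exe 3120 Console 1 95,000 K
"""
SVC_OUTPUT = """\
Image Name PID Services
========================= ======== ============================================
svchost.exe 744 AudioEndpointBuilder, hidserv, Netman,
PcaSvc, SysMain, UxSms, Wlansvc,
WPDBusEnum, wudfsvc
svchost.exe 980 Dhcp, EventLog
svchost.exe 2216 N/A
firefox.exe 3120 N/A
"""

ROW = re.compile(r"^\s*(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, rest of row
MEM = re.compile(r"([\d,]+)\s*K\s*$")             # trailing "186,400 K"

def table_body(text):
    """Return the non-empty lines below the '=====' ruler."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("=")) + 1
    return [l for l in lines[start:] if l.strip()]

def parse_services(text):
    """Map PID -> {'image', 'services'}, joining wrapped service lines."""
    procs, current = {}, None
    for line in table_body(text):
        row = ROW.match(line)
        if row:
            current = procs.setdefault(
                int(row.group(2)), {"image": row.group(1), "services": []})
            rest = row.group(3)
        elif current is not None:
            rest = line  # no "name PID" prefix: continuation of the previous row
        else:
            continue
        names = (s.strip() for s in rest.split(","))
        current["services"] += [s for s in names if s and s != "N/A"]
    return procs

def parse_memory(text):
    """Map PID -> memory usage in KB."""
    mem = {}
    for line in table_body(text):
        row, size = ROW.match(line), MEM.search(line)
        if row and size:
            mem[int(row.group(2))] = int(size.group(1).replace(",", ""))
    return mem

def triage(svc_text, mem_text, threshold_kb=100_000):  # assumed cut-off
    """Return (heavy, odd): svchost PIDs at or over the threshold with their
    services, and svchost PIDs that host no service at all."""
    procs, mem = parse_services(svc_text), parse_memory(mem_text)
    heavy, odd = [], []
    for pid, info in sorted(procs.items()):
        if info["image"].lower() != "svchost.exe":
            continue
        if not info["services"]:
            # svchost.exe exists to host services; an instance listing none
            # deserves a check of its file path, since malware borrows the name.
            odd.append(pid)
        if mem.get(pid, 0) >= threshold_kb:
            heavy.append((pid, mem[pid], info["services"]))
    return heavy, odd

if __name__ == "__main__":
    print(triage(SVC_OUTPUT, MEM_OUTPUT))
```

For PID 744 the result points at the service group that contains SysMain (SuperFetch), which matches the guess made earlier in the thread.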
 
In the grand scheme of all things malware, Tracking cookies don't rate high and that's what the AV found. Hopefully you have SAS remove them. But when I see so many on a system, I question what kind of maintenance the user is doing: disc cleanup, defrag, remove temporary internet files and Cookies and regular scan with the security programs are all considered 'regular maintenance'.

To get better control over the Tracking Cookies:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)

As I told you, HJT does not work on a 64 bit OS as you have. Results are inconsistent and can't be relied on to determine good and bad entries.

I do see a Service that you can check the startup type: Server 2003 R2 DFS Replication (DFSR.EXE)
Description:
Distributed File System Replication. A distributed file system is a system where network folders are accessed by users on a network but where the files inside those folders are not necessarily all on the same server - some files may be stored on one server, while other files on another server, etc.., but the entire folder appears as one folder to all users whichever server they connect to.

On a fileserver this service runs on all the servers which are participating in the Distributed File System network and its role is to ensure that all the servers are instantly aware of files that have been added, modified, or deleted from the Distributed File System structure.

In Windows Vista this service kicks in when you use the People Near Me networking feature of Vista and its role, in that environment, is, similarly, to ensure that all the users participating in a particular People Near Me network, see at all times the exact same files and folders that are being shared.
Source: http://searchtasks.answersthatwork.com/tasklist.php?File=DFSR

Click on Start> Run> type in services.msc> OK> find the following Services and double-click on it:
(DFSR)> set Startup type to Manual> Close Services.

There are 2 posts on this site by David Shen from this TechNet forum to troubleshoot this Service:
Please read them both, then follow the Steps in the second post:

Here is the link to Process Explorer.

See if that helps your problem.
 
It is still trying to run CHKDSK on every boot up.. I'm very reluctant to because of what happened last time.

That being said, it's been running real sluggish (randomly freezes up, takes a long time to load something, etc)..
I think you may have a physical Hard Drive fault, that may need replacing

regarding:
If the system is coming up with the error checking, something needs to be resolved. Error checking-CHKDSK will not wipe out a system
CheckDisk can wipe out a faulty Hard Drive, or a filesystem that is encrypted


What you need to do, is backup all your personal data (Docs; Pics; etc) to external media
Then perform a CheckDisk on the drive, if the drive is wiped from doing this, replace it.
Then do a Drive Diagnostics on the Hard Drive

I have seen faulty Hard Drives specifically showing Svchost with high memory and CPU usage, caused by hardware
And my first feeling is that you need to replace the Hard Drive and re-install Windows clean
I prefer free Avira Antivirus over free AVG
 
kimsland, just a clarification for me: CHKDSK won't wipe a hard drive under normal conditions> meaning the drive is not faulty- is that correct? About the encryption, can you explain to me how or why CHKDSK wipes encryption?
 
kimsland, just a clarification for me: CHKDSK won't wipe a hard drive under normal conditions> meaning the drive is not faulty- is that correct?
Obviously correct




About the encryption, can you explain to me how or why CHKDSK wipes encryption?
Chkdsk can cause issues and even lose data on an encrypted Hard Drive (in this sense wipe data)

Here's some MS Article Quotes:
http://support.microsoft.com/kb/952079
After you restart the computer, the Autochk.exe program starts and discovers data corruption on the volume.

This problem occurs only when you restore certain files that are encrypted by EFS. For example, this problem may occur when you restore some encrypted files on a computer that has the 2007 Microsoft Office system installed.



http://support.microsoft.com/kb/314870
* Some enhanced features such as Encryption or Reparse Points are not available, and files that are encrypted or that contain reparse points are not accessible under Windows NT 4.0.

For these reasons, Microsoft recommends that you back up all data and then reformat these NTFS drives either during Setup or after you install Windows


http://support.microsoft.com/?kbid=828693
In certain situations, your computer may stop responding, or hang, when it writes files or folders that are encrypted with the Encrypting File System (EFS) to a partition that is formatted with the NTFS file system. When your computer hangs, you cannot access the contents of the partition, and you have to restart your computer to restore functionality.

This problem has been reported to occur when your computer restores data to encrypted files by using VERITAS Backup Exec version 8.6 or later or by using NTBackup.exe. This problem may also occur when your computer writes EFS data with other programs.

The quotes are a bit jumbled and confusing, but having encryption and then running CheckDisk to restore data (otherwise corrupted) can cause that data to be lost into fragments of broken data (if faults to the file system or Hard Drive exist)
 
I want to say it's been about 2 months since I have done a disk cleanup and defragged my computer and such. AVG runs nightly at midnight, though it probably only completes once or twice a week since I am usually at my computer when it goes off and if I'm in the middle of a game, I have to stop the scan. Since I had to restore my computer several months ago, I have honestly never viewed the completed scan and removed what it found because I have a terrible memory and forget the scan ever happened.

I went ahead and re-installed the AdBlock add-on. I forgot to (see above ;)) when I had to reinstall Vista before.

DFSR was already set to Manual.

I did what you said with that in Process Monitor.. but when I set the filter, DFSR never came up in the list.. and I also never got an error when I opened the services.msc and eventvwr. Perhaps I missed something or was supposed to change a step? And I would like to note that my Firefox is running much lower now.. perhaps it was full from all those cookies? ;)

As for the hijackthis log, I had already run it again and done everything before I saw your reply. I apologize.

If it comes down to it, I'll let the CHKDSK scan. I backed everything up when I made my post.. with my luck something will make my computer restart when I'm not here and then CHKDSK will run and I'll lose all my stuff. So I'm ready for it, I just don't want to do it and if it's going to happen, I'd like it to happen when I have the time.

I also really don't want to buy a new hard drive if that's the case!


All that being said, I unfortunately can't really give any input on a performance increase. I've put nearly all my waking hours into work these last couple days and the hours at my computer have been spent trying to troubleshoot and doing all this to figure out why it is consuming so much memory. I'll see if I notice anything tonight before I hit the sack or over the next 3 days as I will have some time off.

I appreciate all of your help.
 
I ran the drive diagnostics (quick test) and that passed. I'll run an extended test while I sleep tonight and see how it turns out. I'll run the CHKDSK tomorrow night. I'll let you know how it goes.
 
Many of the problems that occur on a system are caused by the user- usually what they didn't do!

Maintenance for the Computer System


  [1] Error Checking (CHKDSK) to ensure that your hard drive is healthy and working. Weekly.

  [2] Then run Disk Cleanup to remove any extra or useless files. Weekly. Includes:

    [o] Deleting temporary internet files. Each time you go to a site, a temporary file is placed on your computer's hard drive. These can add up to a lot of space if not deleted regularly.
    [o] Deleting cookies. These are small files web sites put on your hard drive to identify you and track your surfing habits. If you have a password saved for a certain web site, deleting your cookies will delete that as well. Over the years there have been some lively debates about how often to do this.
    [o] Delete History. This is similar to temporary internet files. But when you delete History, it deletes the URLs in the Address box drop-down menu.

  [3] Disk defrag. This takes all of the bits of data on your hard drive and puts them in order. If you use your computer a lot, you can have data scattered all over your hard drive. It makes your computer run slower when it is looking for this information. Monthly or bi-monthly.

  [4] Checking for security and critical updates. This requires you to go to Microsoft.com and do a Windows update scan. Often there are security problems or hackers have found a vulnerable spot in Windows that needs to be fixed. This includes Windows updates, Java and Adobe Reader.

  [5] Security programs: Dependent on type

    [o] Antivirus program> a good, regularly updating AV program should be on the system at all times. Scan once a week, not every day.
    [o] Spyware/Adware> you do not need to scan on startup. Once a week should be adequate.
    [o] Bi-Directional Firewall. Does not need to be on auto-update.

  [6] Consider these programs for Extra Security

    • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
    • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.
 
I wanted to say that I guess I have defrag set to run every Wednesday and it last ran on the 25th.. so that does get run. I didn't know this was set up. Should I change it to once a month?

I let the CHKDSK run tonight while I ate dinner and it ran fine.. my computer isn't dead. It also isn't trying to run it when I start it up anymore (since I let it finish). However, still having the svchost issue. :\
 
I didn't know this was set up. Should I change it to once a month?

Yes.

It also isn't trying to run it when I start it up anymore (since I let it finish).

Yeah!

Now that we have resolved that issue, please rescan with HijackThis and paste the new logs in next reply. I'll look through the Services and instruct you on changing some of the Startup Types.

Note: Please don't go whacking the Services off! If it's done right, the system will be fine. If it's done wrong, you might not be able to use the system. Please trust me.
 
So sorry- had memory lapse. Forgot you had the 64 bit Vista. But I think I can help with the Services with the information I have. It's going to be either later tonight though or in the AM. I am wiped out!
 
Please print- no seconds on this!

To change Services: Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  • Click on Start> Run> type in services.msc> OK
  • Double click on Service display name to be changed
  • Change Startup type as directed
  • Stop Services changed to Manual
  • Exit from Services
  • Reboot the system into Normal Mode.> Only the Services needed will start.

Source: Black Viper: http://www.blackviper.com/WinVista/servicecfg.htm

  • [1] Service Name ArcSoft Connection Service> Manual
    Display Name: ACDaemon.exeACDaemon)
    [2] Service Name (registry): ALG>> Manual
    Display Name: Application Layer Gateway Service
    [3] Service Name (registry): aspnet_state> Manual
    Display Name: ASP.NET State Service
    [4] Service Name AVG Watch dog>> Automatic
    Display Name: avg9wd
    [5] Service Name (registry): DFSR>> (Manual)
    Display Name: DFS Replication
    [6] Service Name (registry): KeyIso> Manual
    Display Name: CNG Key Isolation
    [7] Service Name (registry): MSDTC>> Manual
    Display Name: Distributed Transaction Coordinator
    [8] Service Name NVIDIA Display Driver Service>> Manual
    Display Name: nvsvc
    [9] Service Name (registry): ProtectedStorage>> Manual
    Display Name: Protected Storage
    [10]Service Name (registry): RpcLocator>> Manual
    Display Name: Remote Procedure Call (RPC) Locator
    [11]Service Name (registry): SamSs>> Manual
    Display Name: Security Accounts Manager
    [12]Service Name SBSD Security Center Service>> Automatic
    Display Name: SBSDWSCService
    [13]Service Name (registry): slsvc>> Automatic
    Display Name: Software Licensing
    [14]Service Name (registry): SNMPTRAP>> Manual
    Display Name: SNMP Trap
    [15]Service Name (registry): Spooler>> Automatic
    Display Name: Print Spooler
    [16]Service Name (registry): UIODetect>> Manual
    Display Name: Interactive Services Detection
    [17]Service Name (registry): vds>> Manual
    Display Name: Virtual Disk
    [18] Service Name (registry): VSS>> Manual
    Display Name: Volume Shadow Copy
    [19]Service Name WMI Performance Adapter>> Manual
    Display Name: wmiApSrv
    [20]Service Name (registry): WMPNetworkSvc>> Manual
    Display Name: Windows Media Player Network Sharing Service
    ----------------------------------------------------------------------
    The following are all non-Microsoft Services. I recommend you set them all to Manual:
    [21]Service Name Bonjour
    Display Name: mDNSResponder:
    [22]Service Name Dragon Age AUpdater
    Display Name: DAUpdaterSvc
    [23]Service Name: iPod
    Display Name: iPod
    [24]Service Name LiveTurbineMessageService
    Display Name Turbine Download Manage (?)
    [25]Service Name LiveTurbineMessageServiceTurbine Network Service
    Display Name: LiveTurbineNetworkService -
    [26]Service Name Steam Client Service
    Display Name: Steam\SteamServicee
    [27] Service Name Apple Mobile Device
    Display Name: AMD
 