# Solved: SVCHOST.exe high usage and slow computer



## monkeyDLuffyPK (Aug 7, 2011)

Hi, I hadn't installed anything new and attempted to get on my computer. There is a svchost.exe; even without anything running, with the computer just sitting idle, the svc memory usage is sitting at 150k... This is super extreme... It seems when I try and do anything it just locks the computer up and I can't do anything... The usage doesn't increase but the programs are very slow to respond. I saw another thread on this forum where it was said disabling auto updates may help, but in my case it has not =( The services that it is affecting are as listed:
* AudioEndpointBuilder
* hidserv
* Netman
* PcaSvc
* SysMain
* TrkWks
* UxSms
* WlanSrvc
* wudfsvc

I haven't installed anything new since it has started doing this; it just started recently. I noticed that I had lots of updates and I have attempted to go to Service Pack 1 for Windows but it gives me an error. I tried to follow Microsoft's advice and downloaded the System Update Readiness Tool but it didn't seem to help at all. Any tips at all would be GREATLY appreciated as I need to use this computer for both uni and personal tasks.

edit: Virus scan showed no infections.


----------



## Mark1956 (May 7, 2011)

Hi, when you view the instance of svchost.exe in Task Manager (the one that is using all the memory) right click on it and select "Open File Location" and tell me what it states in the top task bar of the window that will then open.


----------



## monkeyDLuffyPK (Aug 7, 2011)

C:\Windows\System32?
Is this what you mean? The process memory usage has gone down to 90k. I'm able to browse the net, but is 90k still reasonably high? Or normal? Sorry, I'm a bit of a noobie when it comes to this.


----------



## Mark1956 (May 7, 2011)

As it is in the System32 folder that's ok, anywhere else and it would be very suspicious. I have 15 instances of svchost in my Task Manager running at between 1.3MB and 43MB. Are you sure you mean 90K and not 90MB?


----------



## monkeyDLuffyPK (Aug 7, 2011)

Haha yes, my bad! It's running at 150MB or 150,000k. I did HAVE viruses which AVG couldn't find but I have got rid of them. But the process remains very high.


----------



## Mark1956 (May 7, 2011)

Please explain how you removed the virus and what with.


----------



## monkeyDLuffyPK (Aug 7, 2011)

I ran the computer in safe mode with networking. I ran Malwarebytes and SUPERAntiSpyware, then rebooted. They were gone and the computer seems fine besides this process.


----------



## Mark1956 (May 7, 2011)

There is a chance that you still have an infection that was not found while scanning in safe mode. Try the scans in Normal mode. Please keep the logs produced by both programs just in case you need help from a Malware expert as they will need to see them.

If nothing is found and/or the svchost.exe still uses high memory % then please post a log from HJT so I can see if there is anything suspicious lurking in your system. If I find anything you will have to go to the Malware forum for further assistance.

Download and install HJT

When the TrendMicro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

* It will be installed by default here: C:\Program Files\Trend Micro\HijackThis. 
* A shortcut to the application will also be placed on your Desktop. 
* The program will open automatically after installation. 
* The folder HijackThis is where you will find the HJT logs that you save. 
* The first time you open HijackThis, check the Main Menu button at the bottom center. When the main menu appears check the box "Show this window when I start HijackThis". 
* Click on "Do a system scan and save logfile." When the log pops up in Notepad, copy and paste that file back here as a New Message in this forum.

The use of HJT is purely for observation; please do not try to fix anything with it or you may damage your system. If I see any suspicious files I will advise you to open a new thread in the Malware forum so an expert can help clean up your PC.


----------



## monkeyDLuffyPK (Aug 7, 2011)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:32:39 AM, on 10/08/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3631665289-2483044825-3756601792-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-3631665289-2483044825-3756601792-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7684 bytes


----------



## Mark1956 (May 7, 2011)

Why have you not updated to Service Pack 1?

At the top section of the HJT log is a list of running processes, is that the full list or did you miss some when you copied the log?


----------



## monkeyDLuffyPK (Aug 7, 2011)

I didn't miss anything; that is all that is currently running. I did the scan again and it has the same result. I haven't been able to upgrade to Service Pack 1. I've tried to run the update and it gets to 10% then fails on me. I've tried it multiple times. I downloaded the Windows readiness tool that it recommended after it failed.
Should I be concerned by the bottom of that log? The O23 has a lot of file missings...

Edit: when I'm in Task Manager there are a lot more processes running than the scan seems to show. I could screenshot them for you if that would help?


----------



## jcitron (Aug 8, 2011)

I noticed that too, Mark. I wish my system ran with so few processes.

Monkey- You might want to give this a try.

http://technet.microsoft.com/en-us/sysinternals/bb896653

This will allow you to dig in deeper into what's running on your system, and see which components are contained in the Service Hosts.

Recently a user at work had an infection on his machine, and there was a rootkit that came down with it. The infection was cleared, but the rk was still there and causing awful machine performance issues. I used the tool mentioned above to see what else was running because the old Task Manager doesn't quite show everything.

John


----------



## monkeyDLuffyPK (Aug 7, 2011)

This is what was shown when I ran that program. You can see the high svchost.exe running. Let me know if there is anything else you would like to see.


----------



## Mark1956 (May 7, 2011)

Are you using the free or paid version of Malwarebytes? I see Malwarebytes as a running process. You should not be running this at the same time as AVG anti virus; try uninstalling one of them and see if that makes any difference.

Are you using a 64bit version of Windows? If so, then the O23 entries showing file missing are normal.

I don't see much in the log to be concerned with, but as you are not able to update to SP1 this is a sign of an infection, which is of concern. Many infections do not show up in the HJT log. Further analysis can only be done by qualified Malware staff in the Malware forum so I would start a new thread in there.

Follow this link http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html and provide all the logs they request in the instructions. Please be patient, do not bump the thread, and you should eventually get the help you need. Post back here if no assistance is offered and I will direct you to another forum that is not as busy.

Make sure you uninstall uTorrent as this will not be allowed to stay on your PC during a clean up. Use of uTorrent is a risky business as many infections can be included in P2P files. It is quite likely that that is where you got the infection from.


----------
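
Added example (not part of any post in this thread, and not HijackThis code): a small triage of the O23 lines for the "file missing" question discussed above. It assumes that on 64-bit Windows a 32-bit scanner is redirected from System32 to SysWOW64 and so reports 64-bit-only service binaries as missing; `ExampleSvc`, the helper names and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in this thread,
# plus one made-up service (ExampleSvc) to show the non-System32 case.
SAMPLE_LOG = r"""Platform: Windows 7 (WinNT 6.00.3504)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Users\Public\example.exe (file missing)
"""

MISSING = " (file missing)"
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def is_64bit_host(log):
    """Heuristic (assumption): these folders only exist on 64-bit Windows."""
    lowered = log.lower()
    return "\\syswow64\\" in lowered or "\\program files (x86)\\" in lowered


def triage_o23(log):
    """Return (service, image path, verdict) for every O23 line in the log."""
    x64 = is_64bit_host(log)
    results = []
    for line in log.splitlines():
        if not line.startswith("O23 - Service: "):
            continue
        # Split from the right: the display name may itself contain " - ".
        name, _owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)]
        if not missing:
            verdict = "present"
        elif x64 and SYSTEM32.match(path):
            verdict = "redirected"  # 32-bit scanner was shown SysWOW64 instead
        else:
            verdict = "check"       # confirm on disk with a 64-bit tool
        results.append((name, path, verdict))
    return results


if __name__ == "__main__":
    for name, path, verdict in triage_o23(SAMPLE_LOG):
        print(f"{verdict:10} {path}  [{name}]")
```

Entries marked `check` are not a finding by themselves; they are the ones worth confirming on disk before reading anything into the log.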



## monkeyDLuffyPK (Aug 7, 2011)

Thanks for the help, both Mark and jcitron. I have moved to a thread in the virus section and I shall await a reply. Thanks for your time.


----------

