How JustAnswer Works:

  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.

Ask Douglas Your Own Question

Douglas
Douglas, Network Admin
Category: Computer
Satisfied Customers: 271
Experience:  Microsoft Certified Professional, CompTIA Net+
63416420
Type Your Computer Question Here...
Douglas is online now
A new question is answered every 9 seconds

SVCHOST -netsvcs using 100% cpu and 650MB ram.

Customer Question

I am running windows xp home edition on a dell dimension 8250 with one GB RAM. There is a svchost process for netsvcs that is using huge amount of memory ( > 650MB) and CPU time up to 100%. If I stop DHCP service the svchost process stops using all the cpu and slowly frees up the memory until its using about 150MB. How can I determine which of the DLLs is causing the problem? Forgot to mention I am running SP3.
Submitted: 2 years ago.
Category: Computer
Expert:  Douglas replied 2 years ago.
Hello, my name is XXXXX XXXXX I'll be happy to help you today! There's more than one possibility, but the first thing I'd suspect is malware - that your PC has a trojan and is being hijacked for use on a botnet. Follow the below steps to see if this is the case:

- Uninstall any and all other anti-spyware programs, registry cleaners, etc. If you have Mcafee or Norton, you may want to consider uninstalling these programs as well, as they are resource hogs and are not very effective against malicious software

- Download and run the Microsoft Security Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx

- Download winsockfix from http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml. Do not run this yet.
- Download MalwareByte's AntiMalware from www.download.com (search for malwarebytes antimalware). Update and run quick scan.
- Download Spybot Search & Destroy from www.safernetworking.org. Update, run quick scan, then apply immunization.
- Restart your PC.
- If you cannot connect to the internet, run winsockfix by double-clicking it and following prompts
- You may delete the EXE's
- Restart your PC (winsockfix should do this for you after it's finished and you click OK)
- I recommend downloading, installing, and using the Firefox web browser from www.firefox.com with the adblockplus addon

(if you cannot download these files on the infected machine for whatever reason, download them on another machine and copy them over via thumb drive)


Let me know if this doesn't solve your issue!
Customer: replied 2 years ago.
I'll try what you suggested but I already tried the MS malacious software removal tool. It found nothing.
Expert:  Douglas replied 2 years ago.
The MS one isn't the greatest - malwarebyte's and spybot are much more effective. If it's just a stack issue, Winsockfix will correct the problem. No worries if the above doesn't work we'll figure it out :)
Douglas, Network Admin
Category: Computer
Satisfied Customers: 271
Experience: Microsoft Certified Professional, CompTIA Net+
Douglas and 4 other Computer Specialists are ready to help you
Customer: replied 2 years ago.
These suggestions did not work.
Customer: replied 2 years ago.
Douglas

I tried all your recommendations. The software found some minor problems but nothing else.

I did not run winsockfix because I was able to access the network after running spybot and re-booting.


The svchost -netsvcs process is still using up huge amounts of memory and cpu time. Looks like it is not a virus. Isn't there a way to determine which DLL in the svchost process is causing the problem? I have the microsoft process explorer running on the pc. But I don't know much about it. I can see threads flashing by that are using lots of memory but how do you relate that to a DLL?

I think this problem started after I hit the power button to HIBERNATE the pc and the pc would hang during the restart from hibernation. I had to force the pc to re-boot. When the pc came up it gave me a warning msg that a microsoft update was not installed successfully. So I looked in control panel > add or remove programs - and found two or three updates that were installed at around the time I hibernated the pc. I removed those updates. After a while I noticed that the pc was running slow and using tons of real and virtual memory.

Any ideas?

Ralph
Expert:  Douglas replied 2 years ago.
Download HijackThis (download.com should have it). This program will export a log letting you know which DLL is using svchost excessively, and if it's malicious, should block it.

Also, uninstall Microsoft Security Essentials.

Hope this helps and let me know!
Customer: replied 2 years ago.
Douglas

I'll try HijackThis. Should I uninstall Microsoft Security Essentials first?

Ralph
Customer: replied 2 years ago.
Douglas

I ran HijackThis and fixed most errors. Still have problem.

I did not fix the last few errors as I was not comfortable fixing them.

See below.

Ralph
--------------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:01:42 PM, on 2/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINDOWS\system32\mmc.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 2246 bytes
Expert:  Douglas replied 2 years ago.
Try these two things:

- Uninstall Norton or whatever symantec product you're using
- Run the WinsockFix exe

Restart, and see if tha that helps!
Customer: replied 2 years ago.
Douglas

I uninstalled all virus protection and re-ran winsockfix and I still have the problem. I am going to have to re-install all software if I can't fix this problem soon.

I noticed over the last 3 days that automatic updates and uninstalls do not run if DHCP service is stopped. I wonder why? Auto updates is a separate service. And an uninstall should not involve the network at all. Hmmm!

Ralph
Expert:  Douglas replied 2 years ago.
Why is the DHCP service stopped?

Norton is more of a resource hog than it is virus protection, I don't recommend using it, but it's up to you. Free anti-virus software such as Comodo is more effective.

When you boot into safe made is the process still consuming a great deal of resources?
Customer: replied 2 years ago.
I have to stop the DHCP service or the svchost process eats up all the memory and cpu time and nothing else runs. It only takes about 5 minutes for svchost to hose the machine. If I stop dhcp the svchost process gives up most of the memory (except about 150 - 200MB), but it takes about 10 minutes to free up the memory.

If I boot up in SAFE MODE with networking the svchost still uses lots of memory and cpu.

Ralph
Expert:  Douglas replied 2 years ago.
If the problem is occuring even in safe mode, there's a problem. I know you probably don't want to hear this, but at this point I'm going to have to recommend you re-install the OS from scratch, as I think this may be your only solution at this point.
Customer: replied 2 years ago.
Thanks for your time.

Ralph
Expert:  Douglas replied 2 years ago.
Sorry I couldn't be more helpful!
Customer: replied 2 years ago.
Don't feel bad. Microsoft could not help me either.

I traced it down to dhcp but could not find the culprit dll.

I will not ask for my money back. You spent enough time on this problem

Ralph
Expert:  Douglas replied 2 years ago.
Sorry I wasn't more helpful!

JustAnswer in the News:

 
 
 
Ask-a-doc Web sites: If you've got a quick question, you can try to get an answer from sites that say they have various specialists on hand to give quick answers... Justanswer.com.
JustAnswer.com...has seen a spike since October in legal questions from readers about layoffs, unemployment and severance.
Web sites like justanswer.com/legal
...leave nothing to chance.
Traffic on JustAnswer rose 14 percent...and had nearly 400,000 page views in 30 days...inquiries related to stress, high blood pressure, drinking and heart pain jumped 33 percent.
Tory Johnson, GMA Workplace Contributor, discusses work-from-home jobs, such as JustAnswer in which verified Experts answer people’s questions.
I will tell you that...the things you have to go through to be an Expert are quite rigorous.
 
 
 

What Customers are Saying:

 
 
 
  • My Expert answered my question promptly and he resolved the issue totally. This is a great service. I am so glad I found it I will definitely use the service again if needed. One Happy Customer New York
< Last | Next >
  • My Expert answered my question promptly and he resolved the issue totally. This is a great service. I am so glad I found it I will definitely use the service again if needed. One Happy Customer New York
  • I am very happy with my very fast response. Eric is very knowledgeable in the subject area. Thank you! RP Austin, TX
  • Hi John, Thank you for your expertise and, more important, for your kindness because they make me, almost, look forward to my next computer problem. After the next problem comes, I'll be delighted to correspond again with you. I'm told that I excel at programing. But system administration has never been one of my talents. So it's great to have an expert to rely on when the computer decides to stump me. God bless, Bill Bill M. Schenectady, New York
  • The Expert answered my Mac question and was patient. He answered in a thorough and timely manner, keeping the response on a level that could understand. Thank you! Frank Canada
  • Wonderful service, prompt, efficient, and accurate. Couldn't have asked for more. I cannot thank you enough for your help. Mary C. Freshfield, Liverpool, UK
  • This expert is wonderful. They truly know what they are talking about, and they actually care about you. They really helped put my nerves at ease. Thank you so much!!!! Alex Los Angeles, CA
  • Thank you for all your help. It is nice to know that this service is here for people like myself, who need answers fast and are not sure who to consult. GP Hesperia, CA
 
 
 

Meet The Experts:

 
 
 
  • Andy

    Computer Consultant

    Satisfied Customers:

    5311
    11yr exp, Comp Engg, Internet expert, Web developer, SEO
< Last | Next >
  • http://ww2.justanswer.com/uploads/EN/Engineer1010/2012-6-9_132423_jaj12a.64x64.jpg Andy's Avatar

    Andy

    Computer Consultant

    Satisfied Customers:

    5311
    11yr exp, Comp Engg, Internet expert, Web developer, SEO
  • http://ww2.justanswer.com/uploads/BA/barrenrock/2011-10-19_215925_JamesJAFinal.64x64.jpg James's Avatar

    James

    Sr. Computer Support Expert

    Satisfied Customers:

    8376
    20 years of experience building, fixing and servicing PCs and operating systems.
  • http://ww2.justanswer.com/uploads/zeyank/2009-09-26_154244_P8110079.png Ryan H.'s Avatar

    Ryan H.

    Computer Support Specialist

    Satisfied Customers:

    1741
    A+ Certified Technician - 10 Years experience working with all types of computer systems.
  • http://ww2.justanswer.com/uploads/JA/jadedangel57/2011-11-8_193134_janenewsm.64x64.jpg Jane Lefler's Avatar

    Jane Lefler

    Sr Prog Analyst / Technician

    Satisfied Customers:

    0
    Computer Programmer / Technician/ Consultant 16+ years
  • http://ww2.justanswer.com/uploads/RO/robmpreston/2013-9-23_233814_mijiFZm.64x64.jpg RPI Solutions's Avatar

    RPI Solutions

    Support Specialist

    Satisfied Customers:

    3476
    5+ Years in IT, BS in Computer Science
  • http://ww2.justanswer.com/uploads/BA/barunrath/2012-7-5_201954_Profilepic2.64x64.jpg B. Rath's Avatar

    B. Rath

    Computer Support Specialist

    Satisfied Customers:

    8671
    Certified Computer/Networking Support Specialist.
  • http://ww2.justanswer.com/uploads/FS/fszcze/2012-6-18_181848_500test.64x64.jpg Frederick S.'s Avatar

    Frederick S.

    Computer Specialist

    Satisfied Customers:

    7240
    Computer technician and founder of a home PC repair company.