How JustAnswer Works:
  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.
Ask Douglas Your Own Question
Douglas, Network Admin
Category: Computer
Satisfied Customers: 271
Experience:  Microsoft Certified Professional, CompTIA Net+
Type Your Computer Question Here...
Douglas is online now
A new question is answered every 9 seconds

SVCHOST -netsvcs using 100% cpu and 650MB ram.

Customer Question

I am running windows xp home edition on a dell dimension 8250 with one GB RAM. There is a svchost process for netsvcs that is using huge amount of memory ( > 650MB) and CPU time up to 100%. If I stop DHCP service the svchost process stops using all the cpu and slowly frees up the memory until its using about 150MB. How can I determine which of the DLLs is causing the problem? Forgot to mention I am running SP3.
Submitted: 5 years ago.
Category: Computer
Expert:  Douglas replied 5 years ago.
Hello, my name is XXXXX XXXXX I'll be happy to help you today! There's more than one possibility, but the first thing I'd suspect is malware - that your PC has a trojan and is being hijacked for use on a botnet. Follow the below steps to see if this is the case:

- Uninstall any and all other anti-spyware programs, registry cleaners, etc. If you have Mcafee or Norton, you may want to consider uninstalling these programs as well, as they are resource hogs and are not very effective against malicious software

- Download and run the Microsoft Security Scanner:

- Download winsockfix from Do not run this yet.
- Download MalwareByte's AntiMalware from (search for malwarebytes antimalware). Update and run quick scan.
- Download Spybot Search & Destroy from Update, run quick scan, then apply immunization.
- Restart your PC.
- If you cannot connect to the internet, run winsockfix by double-clicking it and following prompts
- You may delete the EXE's
- Restart your PC (winsockfix should do this for you after it's finished and you click OK)
- I recommend downloading, installing, and using the Firefox web browser from with the adblockplus addon

(if you cannot download these files on the infected machine for whatever reason, download them on another machine and copy them over via thumb drive)

Let me know if this doesn't solve your issue!
Customer: replied 5 years ago.
I'll try what you suggested but I already tried the MS malacious software removal tool. It found nothing.
Expert:  Douglas replied 5 years ago.
The MS one isn't the greatest - malwarebyte's and spybot are much more effective. If it's just a stack issue, Winsockfix will correct the problem. No worries if the above doesn't work we'll figure it out :)
Douglas and 5 other Computer Specialists are ready to help you
Customer: replied 5 years ago.
These suggestions did not work.
Customer: replied 5 years ago.

I tried all your recommendations. The software found some minor problems but nothing else.

I did not run winsockfix because I was able to access the network after running spybot and re-booting.

The svchost -netsvcs process is still using up huge amounts of memory and cpu time. Looks like it is not a virus. Isn't there a way to determine which DLL in the svchost process is causing the problem? I have the microsoft process explorer running on the pc. But I don't know much about it. I can see threads flashing by that are using lots of memory but how do you relate that to a DLL?

I think this problem started after I hit the power button to HIBERNATE the pc and the pc would hang during the restart from hibernation. I had to force the pc to re-boot. When the pc came up it gave me a warning msg that a microsoft update was not installed successfully. So I looked in control panel > add or remove programs - and found two or three updates that were installed at around the time I hibernated the pc. I removed those updates. After a while I noticed that the pc was running slow and using tons of real and virtual memory.

Any ideas?

Expert:  Douglas replied 5 years ago.
Download HijackThis ( should have it). This program will export a log letting you know which DLL is using svchost excessively, and if it's malicious, should block it.

Also, uninstall Microsoft Security Essentials.

Hope this helps and let me know!
Customer: replied 5 years ago.

I'll try HijackThis. Should I uninstall Microsoft Security Essentials first?

Customer: replied 5 years ago.

I ran HijackThis and fixed most errors. Still have problem.

I did not fix the last few errors as I was not comfortable fixing them.

See below.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:01:42 PM, on 2/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

End of file - 2246 bytes
Expert:  Douglas replied 5 years ago.
Try these two things:

- Uninstall Norton or whatever symantec product you're using
- Run the WinsockFix exe

Restart, and see if tha that helps!
Customer: replied 5 years ago.

I uninstalled all virus protection and re-ran winsockfix and I still have the problem. I am going to have to re-install all software if I can't fix this problem soon.

I noticed over the last 3 days that automatic updates and uninstalls do not run if DHCP service is stopped. I wonder why? Auto updates is a separate service. And an uninstall should not involve the network at all. Hmmm!

Expert:  Douglas replied 5 years ago.
Why is the DHCP service stopped?

Norton is more of a resource hog than it is virus protection, I don't recommend using it, but it's up to you. Free anti-virus software such as Comodo is more effective.

When you boot into safe made is the process still consuming a great deal of resources?
Customer: replied 5 years ago.
I have to stop the DHCP service or the svchost process eats up all the memory and cpu time and nothing else runs. It only takes about 5 minutes for svchost to hose the machine. If I stop dhcp the svchost process gives up most of the memory (except about 150 - 200MB), but it takes about 10 minutes to free up the memory.

If I boot up in SAFE MODE with networking the svchost still uses lots of memory and cpu.

Expert:  Douglas replied 5 years ago.
If the problem is occuring even in safe mode, there's a problem. I know you probably don't want to hear this, but at this point I'm going to have to recommend you re-install the OS from scratch, as I think this may be your only solution at this point.
Customer: replied 5 years ago.
Thanks for your time.

Expert:  Douglas replied 5 years ago.
Sorry I couldn't be more helpful!
Customer: replied 5 years ago.
Don't feel bad. Microsoft could not help me either.

I traced it down to dhcp but could not find the culprit dll.

I will not ask for my money back. You spent enough time on this problem

Expert:  Douglas replied 5 years ago.
Sorry I wasn't more helpful!