[willyg]

I'm running a Dell 510 using XP SP3. Last week svchost, or 2 svchost instances, have taken over the CPU. It runs like this at 100% for an hour or so, and then drops back to normal. However then, nothing responds. Clicking a shortcut or selecting a program produces the little hour glass for a few seconds, but then nothing opens. Can't even shut down because clicking on Start just produces an hour glass.
I read in a few forums that there was a known issue with windows automatic updates causing svchost to use 100% cpu, so I turned that off. But nothing improved. I noticed in process explorer, that some McAfee processes semm to hit the cpu harder than I would expect, so I have also turned off real time scanning temporarily. I have a attached a hijackthis log and screenshot of process explorer, both taken close to the same time last night. Any help in resolving this is greatly appreciated.

Attached Thumbnails

• 

Attached Files

•  hijackthis.log   21.98KB   208 downloads

[Advertisements]

I believe this is a Windows Update problem. At least that is what I've seen the last few months. Seems to have gotten better the last week or so though.


To test, disable Windows Update and see if the problem goes away.

[Ztruker]

I believe this is a Windows Update problem. At least that is what I've seen the last few months. Seems to have gotten better the last week or so though.


To test, disable Windows Update and see if the problem goes away.

[willyg]

Thanks, I had turned off updates via the control panel before, but now I also disabled the automatic update service. Unfortunately no improvement. In process explorer I do see that the svchost instance hogging most of the CPU is being used by DcomLaunch and TermService.

[Ztruker]

How does it behave if you boot to Safe Mode with Networking? If better then something is starting at boot that is causing the problem.

Advanced startup options - XP
Advanced startup options - Vista
Advanced startup options - Windows 7

Use msconfig to determine what is causing the problem

These are good tutorials on using msconfig in XP, Vista or Windows 7:
How to use msconfig in Windows XP
How to use msconfig in Windows Vista
How to use msconfig in Windows 7 and Windows 8

Click on Start then Run, type msconfig and press Enter.
Click on the Startup tab (for Windows 8, the Startup tab has a link to open Task Manager/Startup tab. Use that.), record what is currently starting then click the Disable All button.
Reboot and see if it runs better.
If yes then use msconfig to enable several items at a time till you find the culprit.

If no, start msconfig and click on the Services tab.
Check the Hide All Microsoft Services box, record what is currently starting then click the Disable All button.
Again, do a regular boot, see if it runs normal.
If yes then use msconfig to enable services till you find the culprit.

Once you've found the culprit, uninstall it or find out how to eliminate it from your system. Simply disabling it in msconfig is a temporary fix at best.
Enable everything else you disabled.

[willyg]

Thanks, I'll try those steps and post back the results.

[willyg]

So I booted in safe mode, but it made no difference... CPU was still pegged at 100%. But I still used the link to Pacman's startup programs that was in the msconfig tutorial link to clean up what was automatically starting up... Though no improvement in CPU usage. Next I clicked on services and hid Microsoft services. All that is running are some McAfee services. Two svchost instances are still using 90%+ combined, but there are now some peaks and valleys, not a constant 100%. The svchost that is the biggest hog has the winmgmt service attached to it, and the other is still the svchost with DcomLaunch and TermService.

Bill

[Ztruker]

Hmmm, McSvHost.exe belongs to McAfee. Try uninstalling McAfee completely then test and see how the performance is. If no difference re-install it. If better install Microsoft Security Essentials instead and see how that performs.

[willyg]

We'll, McSvchost hasn't been an issue but I did the complete uninstall and reinstall anyway. Result was no improvement. Strange thing now is that in safe mode the CPU is at 100% steady almost immediately after boot. The 2 svchosts using 90%+ combined are still the one for term svcs/DcomLaunch and the one for a bunch of things like crypto svcs,dhcp client, network connections,winmgmt,etc. But after a regular boot the CPU % is fairly normal with some peaks at 100%. However after 10 minutes or so in regular mode, the PC becomes unresponsive as mentioned in my first post. Processes like Word show up in the process manager, but never open.

[willyg]

Attached is a shot of Process Explorer in safe mode showing the list of services running in one of the problem svchosts. The other svchost is running the DcomLaunch and Terminal Services. Needless to say that with the CPU at 100% with the few services running in safe mode, it is also at 100% after a regular boot.
In looking at some other postings about the same issue, I saw that it was recommended to download and run RKill, which I did. But I'm not sure what this log is saying.

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html

Program started at: 02/28/2014 08:45:26 PM in x86 mode. (Safe Mode)
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Reparse Point/Junctions Found (Most likely legitimate)!

* C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
* C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Manual

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

* Automatic Updates (wuauserv) is not Running.
Startup Type set to: Disabled

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\rpcss.dll : 401,408 : 02/09/2009 07:10 AM : 5390b5d1cd56470d33f017a40e792b25 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll : 396,288 : 04/28/2005 02:35 PM : da383fb39a6f1c445f3afc94b3eb1248 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll : 398,336 : 07/25/2005 11:20 PM : c369df215d352b6f3a0b8c3469aa34f8 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll : 401,408 : 02/09/2009 05:56 AM : 9222562d44021b988b9f9f62207fb6f2 [Pos Repl]
+-> C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll : 397,824 : 07/25/2005 11:39 PM : ce94a2bd25e3e9f4d46a7373ff455c6d [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll : 395,776 : 08/10/2004 04:00 AM : 5c83a4408604f737717ab96371201680 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll : 395,776 : 04/28/2005 02:31 PM : c8061f289e000703e7672916b7fe1571 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll : 399,360 : 04/13/2008 07:12 PM : 2589fe6015a316c0f5d5112b4da7b509 [Pos Repl]
+-> C:\WINDOWS\ServicePackFiles\i386\rpcss.dll : 399,360 : 04/13/2008 07:12 PM : 2589fe6015a316c0f5d5112b4da7b509 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\rpcss.dll : 401,408 : 02/09/2009 07:10 AM : b8aa6523019bfa0164b2e3ca7d6acf59 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 02/28/2014 08:49:27 PM
Execution time: 0 hours(s), 4 minute(s), and 1 seconds(s)

Attached Thumbnails

• 

[willyg]

Forgot to mention that now after the PC has been running for 30-60 mins in regular or safe mode, a nasty error pops up that says NT Authority/System is shutting down the PC because the DCOM Service Process Launcher has terminated unexpectedly.

[Ztruker]

When you uninstalled McAfee, did the system run any better or did you reinstall it immediately.

[willyg]

At first I thought it was running better. For the first 5-10 mins after reboot, CPU was still high but bouncing around between 40%-90%. However after that initial period it went to 100% and stayed there. Same 2 svchost instances as mentioned before we're the problem.