The terrible SVCHOST.EXE haunts my system.

Sep 4, 2011 6:17AM PDT

* Windows XP Service Pack 3, v5.1.2600.5512.

Hi:
I'm being haunted by the terrible svchost.exe virus. At least three instances of it appear in the Task Manager window, all being executed at the same time. And the system responsiveness drops to almost zero.

Please do not get confused by my words. I'm an absolute newbie in these matters. What I wouldn't like is to spend money to get rid of svchost.exe (I know it's also the name of a legitimate system file). Any way to defeat it?


I wouldn't.
Sep 4, 2011 6:24AM PDT

I wouldn't try and get rid of svchost.exe as it is a legitimate process like you say, and it is also one of the processes that can, legitimately, appear numerous times in the Task Manager.

Make sure the name is right. svchost.exe is correct, but anything else, e.g. scvhost.exe, is not and is likely malware. Also, make sure that svchost.exe only exists in the Windows\System32 folder and you don't have any others elsewhere (there may be a genuine version in the i386 folder). If you find any others, then it is possibly a fraud and malware.

But if none of that, then you need to look elsewhere as to why your system is running slow.

Mark

Re: svchost.exe
Sep 4, 2011 6:26AM PDT

I checked on my Windows 7 system. It relies even more on services than Windows XP, so it has 12 instances of svchost.exe. I didn't right click all to check the properties, but the ones I checked were the legitimate svchost.exe located in c:\windows\system32 (I've got the 32-bit version of the OS). And all, by the way, used 0% of my CPU.

Having only 3 instances for Windows XP seems quite reasonable. How much of the CPU do yours use? And where are the executables located?
Which is another way of saying: why are you so sure it's a virus? Your post doesn't give any indication of that.

Kees

The terrible SVCHOST.EXE haunts my system
Sep 4, 2011 6:46AM PDT

Well... The CPU load is 100%, with some drops of at most 1 second to, say, 80%. I ran an ad antivirus, which ... the name of the antivirus contained the word svchost, which makes it suspect of an ad trick. It detected about ten files but it did not proceed to clean because I discovered it was not free of charge.

But I DO NOT clearly remember if I saw the name 'svchost.exe' in the list the antivirus presented when it finished detection. I'll do the following. I'll run one of those ads again and see if the name appears. Until then, thanks for your replies, and regards.

Ad Anti-virus?
Sep 4, 2011 6:48AM PDT

Don't do that!

Tell us what this software is first.

Mark

I think you need to look elsewhere
Sep 4, 2011 6:46AM PDT

I think you need to look elsewhere, because svchost is the generic process for a number of different Windows services. So, it is at least possible you were recently tinkering with services, maybe disabled a few, or made them so that they are only started when needed the first time... Meaning you're waiting for the service to start at what might seem like a completely random time, but it's really just the first time some function of that service was actually needed.

Just as one possible scenario here. So, what exactly makes you think you have a virus or some kind of malware, other than the fact that you have three instances of a legitimate service container process, and your system responsiveness takes a momentary hit?

Oh no, it's not a momentary hit in responsiveness.
Sep 4, 2011 8:48AM PDT

The keyboard and mouse become almost unusable and this state persists forever. The name of the antivirus is Paretologic.

So we have BAITWARE!
Sep 4, 2011 8:51AM PDT

Process Explorer
Sep 4, 2011 10:21AM PDT

Get a copy of Process Explorer to use instead of Task Manager. It will show the file path for each instance of svchost.exe. If they are all in your system32 folder then they are legitimate processes and you need to look for something else. Process Explorer will show you all the running processes and their children with the exception of any rootkits. In the View menu go to 'Select Columns', select the Process Memory tab and check the Private Bytes box. That will turn on a column so you can see how much memory each process is using. This should help you narrow down what is consuming your system resources.

The terrible SVCHOST.EXE
Sep 4, 2011 2:19PM PDT

Process Explorer is now running. In the Private Bytes column, promiscuous processes are AdobeARM.exe and wuauclt.exe. Since this change in system behavior, I've never remained more than 5 m in WinXP. The disk activity made me fear. But now I see after that time disk activity ceases. For this was the true symptom, and I did not make it explicit, because its aftermath was keyboard and mouse input almost blocked. However, now CPU usage remains in excess of 13% whereas before it stayed at some 4%.

Perhaps it's time to speak about hardware. Motherboard PCCHIPS 758LT-H, Processor Pentium 3 (Tualatin) 1.1GHz running at 733MHz (do not ask me why) and 256MB RAM. This hardware I know makes WinXP just a little big resource consumer. But my machine always ran with a CPU load near 4% after boot. If you like, and you tell me where to, I could save Process Explorer output and send a link to it. Thanks a lot, guys, for your kind feedback.

Output
Sep 4, 2011 3:47PM PDT

You can save the output of Process Explorer as a text file using File>>Save As. You could then paste that file here.

Intel 1100A/256/100/1.475 - CELERON SL5ZE is on top of the
Sep 4, 2011 11:33PM PDT

processor package. Process Explorer output follows: [code]
Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 36.19 0 K 16 K
Interrupts n/a 32.38 0 K 0 K Hardware Interrupts and DPCs
procexp.exe 1332 15.24 13,304 K 16,396 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
AdobeARM.exe 264 2.86 4,888 K 22,128 K Adobe Reader and Acrobat Manager Adobe Systems Incorporated
WUAUCLT.EXE 1868 2.86 6,628 K 1,188 K Windows Update Microsoft Corporation
WINLOGON.EXE 508 4,548 K 984 K Windows NT Logon Application Microsoft Corporation
SVCHOST.EXE 864 2.86 16,548 K 7,996 K Generic Host Process for Win32 Services Microsoft Corporation
procexp.exe 1208 1.90 11,520 K 4,140 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
EXPLORER.EXE 10 14,100 K 4,796 K Windows Explorer Microsoft Corporation
wmiprvse.exe 1508 2,440 K 4,404 K WMI Microsoft Corporation
wmiprvse.exe 1884 2,476 K 5,000 K WMI Microsoft Corporation
UPHCLEAN.EXE 1724 620 K 216 K User Profile Hive Cleanup Service Microsoft Corporation
TaskSwitch.exe 240 512 K 40 K
System 4 0 K 32 K
SVCHOST.EXE 764 1,820 K 1,184 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 720 3,136 K 1,276 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 980 1,388 K 100 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1532 1,400 K 76 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1088 1,248 K 64 K Generic Host Process for Win32 Services Microsoft Corporation
SUPERAntiSpyware.exe 356 117,756 K 720 K SUPERAntiSpyware Application SUPERAntiSpyware.com
SPOOLSV.EXE 1372 3,264 K 476 K Spooler SubSystem App Microsoft Corporation
SMSS.EXE 392 168 K 44 K Windows NT Session Manager Microsoft Corporation
SERVICES.EXE 552 1,768 K 1,092 K Services and Controller app Microsoft Corporation
reader_sl.exe 252 812 K 424 K Adobe Acrobat SpeedLauncher Adobe Systems Incorporated
LSSrvc.exe 1620 0.95 788 K 52 K Hewlett-Packard Company
LSASS.EXE 564 4,012 K 1,228 K LSA Shell (Export Version) Microsoft Corporation
JUSCHED.EXE 216 908 K 52 K Java(TM) Update Scheduler Sun Microsystems, Inc.
JQS.EXE 1592 2,012 K 628 K Java(TM) Quick Starter Service Sun Microsystems, Inc.
CTFMON.EXE 276 1,056 K 1,332 K CTF Loader Microsoft Corporation
CSRSS.EXE 484 3.81 1,548 K 972 K Client Server Runtime Process Microsoft Corporation
BTDNA.EXE 332 0.95 3,912 K 1,152 K DNA BitTorrent, Inc.
ALG.EXE 348 1,260 K 200 K Application Layer Gateway Service Microsoft Corporation
WUAUCLT.EXE 2064 < 0.01 72 K 64 K


[/code]

SUPERAntiSpyware.exe
Sep 5, 2011 12:46AM PDT

is malware, get rid of it. I also notice two instances of WUAUCLT.EXE. You should check the file path on those to make sure one isn't malware wearing a false label. The fact that UPHCLEAN.EXE is running suggests something you installed has made some bad changes to the registry.

Just wondering
Sep 5, 2011 3:55AM PDT

SUPERAntiSpyware.exe

Why do you think this is malware? I have it installed on my system from http://www.superantispyware.com/ and it is an often recommended anti-malware scanner in these forums.

Are you thinking of something else perhaps?

Mark

Interesting
Sep 5, 2011 4:41AM PDT

But I am guessing that the particular SUPERAntispyware.exe this user has is likely the proper one since he downloaded and installed it on recommendation by us in some other post. See his post here;
http://forums.cnet.com/7726-6142_102-5198180.html

Also, see my image at ImageShack here; http://imageshack.us/f/705/saskq.jpg/

That's mine. You may have to click the magnifier to see the enlarged image.

It may be true that there is a virus/trojan that is pretending to be SAS, but I reckon this user has got the correct version, if he followed the instructions from that other post he saw correctly.

Mark

Notice the BitTorrent?
Sep 5, 2011 2:17AM PDT

Let's see. We have ParetoLogic and now BitTorrent.

Let's see what else people find amiss.
Bob

Yes. I think it is started since I installed
Sep 5, 2011 3:50AM PDT

BitTorrent. I'll try to uninstall the DNA part. Two things: the 'Interrupts' entry says more than 50% CPU most of the time. This is HDD I/O, which makes the red LED in the front panel to be always on. And secondly: SuperAntispyware together with rkill and MalwareBytes were recommended to some poster by your people. I keep the page with the post.

Please hold on while I see about the possibly offending software mentioned above. Thanks.

I'm not sure you understand.
Sep 5, 2011 3:59AM PDT

Paretologic - Nasty, awful software. We never recommend it. It can be the cause of many problems.

BitTorrent - One of the main distributors of virus and malware infected files. Downloading files from this or any torrent can cause many problems.

SUPERAntiSpyware is fine, and is not malware.

But why are you using those other two suspect and nasty titles? They can be the cause of all your problems, and they can be causing the spikes in CPU activity.

Mark

PS. BitTorrent.
Sep 5, 2011 4:02AM PDT

It will create a lot of activity on the system. To the new user they will write about haunts of SVCHOST and that 50%, Interrupts and more. It's a very busy piece of software.
Bob

Given how that app works.
Sep 5, 2011 4:00AM PDT

Given your choice of baitware and the apps I just noted, why do you think your system is misbehaving? That is, I'd expect this machine to do just what you wrote given these "apps."
Bob

I have uninstalled a handful of programs
Sep 5, 2011 10:44AM PDT

I rebooted and ran Process Explorer. I paste the output below. There is always the ultimate resource: backup non-operating system files and reformat the partition, a very lengthy process due to the fact I should first determine what to backup.

Process PID CPU Private Bytes Working Set Description Company Name
SVCHOST.EXE 864 74.29 104,500 K 95,852 K Generic Host Process for Win32 Services Microsoft Corporation
Interrupts n/a 9.52 0 K 0 K Hardware Interrupts and DPCs
procexp.exe 1160 8.57 13,672 K 7,952 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
System 4 7.62 0 K 28 K
WUAUCLT.EXE 1880 9,844 K 3,988 K Windows Update Microsoft Corporation
WUAUCLT.EXE 836 2,368 K 388 K Windows Update Microsoft Corporation
wmiprvse.exe 1444 2,440 K 716 K WMI Microsoft Corporation
WINLOGON.EXE 512 3,968 K 460 K Windows NT Logon Application Microsoft Corporation
UPHCLEAN.EXE 1784 620 K 292 K User Profile Hive Cleanup Service Microsoft Corporation
TaskSwitch.exe 236 512 K 176 K
System Idle Process 0 0 K 16 K
SVCHOST.EXE 1536 1,404 K 640 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 720 3,136 K 828 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 768 1,800 K 804 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 968 1,380 K 200 K Generic Host Process for Win32 Services Microsoft Corporation
SVCHOST.EXE 1092 1,248 K 104 K Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 1352 3,268 K 852 K Spooler SubSystem App Microsoft Corporation
SMSS.EXE 428 168 K 36 K Windows NT Session Manager Microsoft Corporation
SERVICES.EXE 556 1,744 K 896 K Services and Controller app Microsoft Corporation
reader_sl.exe 244 812 K 500 K Adobe Acrobat SpeedLauncher Adobe Systems Incorporated
LSSrvc.exe 1624 788 K 84 K Hewlett-Packard Company
LSASS.EXE 568 3,960 K 1,132 K LSA Shell (Export Version) Microsoft Corporation
JUSCHED.EXE 208 908 K 88 K Java(TM) Update Scheduler Sun Microsystems, Inc.
JQS.EXE 1596 1,984 K 1,380 K Java(TM) Quick Starter Service Sun Microsystems, Inc.
EXPLORER.EXE 1236 14,020 K 4,500 K Windows Explorer Microsoft Corporation
CTFMON.EXE 272 1,060 K 1,540 K CTF Loader Microsoft Corporation
CSRSS.EXE 488 1,536 K 856 K Client Server Runtime Process Microsoft Corporation
ALG.EXE 340 1,260 K 448 K Application Layer Gateway Service Microsoft Corporation
AdobeARM.exe 252 4,532 K 680 K Adobe Reader and Acrobat Manager Adobe Systems Incorporated

semoi@darkstar:/xp/pasaje$

Looks pretty lean.
Sep 5, 2011 11:00AM PDT

I am guessing you want to drop a few SVCHOST but those are used by many apps. Your connection to the internet for example, an antivirus or firewall. Nothing looks amiss here.

And you didn't write what is wrong now.

After all these posts you could have some XP machine with an IDE drive that has suffered from the old XP DMA BUG and is now slow as a dog. But here's the deal. No one can guess that. I have no reason to guess that.
Bob

I have not been explicit enough,
Sep 5, 2011 3:33PM PDT

and I apologize. At present I have only one machine able to host XP. This machine has (the disk) two partitions: Linux and XP, of equal size: lin and xp. These two are the names I give the boot loader. I write to cnet from lin.

I think you are saying you guys can't assert what the trouble with xp is now. Well, very simple. The same problem that originated this thread, namely, the tremendous hdd activity during the first half an hour after booting. So high, that it almost freezes keyboard and mouse, making the machine useless. The last shot sent, shows or should show this activity. The first process listed, an instance of SVCHOST.EXE, takes 74.29% of CPU time. Humm... this makes the machine slow but I was speaking of disk I/O. Well, in the table interrupts are only at ~ 10%, but are generally over 50%. This is disk I/O.
I have a program, and I ran it: ioTop.exe. I transcribe from the manual:

ioTop shows a list with all processes, which did some read- or write operations since the start of ioTop. The list contains the following columns:

PID, A = process is active / X = process is terminated, name of process, number of read and write operations since the start of ioTop, usage in percent. The usage is calculated as follows: Once per second the counters of all processes are read. If a process did at least one read or write operation within this interval, it counts as active. The usage in percent is 100 * active_intervalls / total_intervalls. After a process terminates those values are kept constant. When run on Windows 2000 the handle count will always be zero (Windows 2000 does not export that value).

I list the last two columns for the first two processes listed by ioTop:

process | # R/W operations | usage
======================
WUAUCLT.EXE 6426 RW 100%
LSASS.EXE 199 RW 50%

Unfortunately I did not copy the third line, making thus the first column a bit meaningless. As WUAUCLT.EXE has to do with updates and I haven't done updates for a long time, maybe the problem has to do with updating. Regards.
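The usage figure described in the manual excerpt above, recomputed from once-per-second counter snapshots, as an added Python example that is neither ioTop's code nor part of the post. The snapshot format, the PIDs, the counter values and the `example.exe` entry are constructed for illustration.

```python
def io_usage(snapshots):
    """Compute the per-process usage figure the manual excerpt describes.

    snapshots: list of {pid: (name, cumulative_rw_ops)}, one per second.
    Returns {pid: (name, state, ops_since_start, usage_percent)} for every
    process that did at least one read or write since the first snapshot.
    """
    stats = {}
    for snap in snapshots:
        for pid, (name, ops) in snap.items():
            s = stats.get(pid)
            if s is None:
                # First sighting only sets the baseline; no interval yet.
                stats[pid] = {"name": name, "base": ops, "last": ops,
                              "active": 0, "total": 0, "state": "A"}
                continue
            s["total"] += 1
            if ops > s["last"]:       # at least one R/W in this interval
                s["active"] += 1
            s["last"] = ops
        for pid, s in stats.items():
            if pid not in snap:
                s["state"] = "X"      # terminated: its values stay frozen
    report = {}
    for pid, s in stats.items():
        done = s["last"] - s["base"]
        if done > 0:
            usage = 100 * s["active"] // s["total"] if s["total"] else 0
            report[pid] = (s["name"], s["state"], done, usage)
    return report

# Constructed snapshots: five one-second samples, i.e. four intervals.
SNAPSHOTS = [
    {1868: ("WUAUCLT.EXE", 100), 564: ("LSASS.EXE", 50),
     276: ("CTFMON.EXE", 7), 999: ("example.exe", 0)},
    {1868: ("WUAUCLT.EXE", 160), 564: ("LSASS.EXE", 50),
     276: ("CTFMON.EXE", 7), 999: ("example.exe", 5)},
    {1868: ("WUAUCLT.EXE", 230), 564: ("LSASS.EXE", 53),
     276: ("CTFMON.EXE", 7), 999: ("example.exe", 9)},
    {1868: ("WUAUCLT.EXE", 300), 564: ("LSASS.EXE", 53),
     276: ("CTFMON.EXE", 7)},
    {1868: ("WUAUCLT.EXE", 390), 564: ("LSASS.EXE", 60),
     276: ("CTFMON.EXE", 7)},
]

if __name__ == "__main__":
    for pid, row in sorted(io_usage(SNAPSHOTS).items(), key=lambda kv: -kv[1][2]):
        print(pid, *row)
```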

Problem solved.
Sep 5, 2011 10:13PM PDT

Hi:

I booted in safe mode, and in C.Panel>Automatic Updates, I found radio button 'Download updates for me, but ...' selected. I selected 'Turn off automatic updates' instead. Rebooted in Normal Mode and in a few seconds after XP showed the desktop, hard disk activity ceased and the task manager (not the downloaded one) showed its typical CPU usage = 4%.

Yesterday when shutting down the system, in the middle of the operation the OS began making updates. He was saying 'Update 5 of 98'. I was terrified because it would last until judgment day. So I manually reset the machine. What is remarkable is that this was not the first time the OS did that and I responded the same way.

Anyways, it was the fact that WUAUCLT.EXE was doing disk I/O at a high rate during so long a time, that gave me the clue, together with a google search with string 'WUAUCLT.EXE'.

Now, I have two courses of action. Leave things as they are now or enable updates when I go to sleep. But how much space in my hard disk will the Windows updates steal? The system does not say. So, what shall I do?

Re: Windows update
Sep 5, 2011 10:17PM PDT

Better activate it!

You can easily clean most of the used disc space (the $NTUninstall folders and the system restore area), so that shouldn't be an argument.

Kees

About disk IO and stealing disk space.
Sep 5, 2011 11:32PM PDT

Here it may steal a few gigabytes. But given the price of 500GB drives that's about 50 cents of disk space. Not a big deal.

BUT that disk IO could be a sign of the old XP DMA BUG. Again, I'll drop a hint that I can't call that out since not much is known about the machine. Is this machine a secret?
Bob

No secret at all.
Sep 6, 2011 2:38AM PDT

From my post near the start of this thread:

"Perhaps it's time to speak about hardware. Motherboard PCCHIPS 758LT-H, Processor Pentium 3 (Tualatin) 1.1GHz running at 733MHz (do not ask me why) and 256MB RAM. This hardware I know makes WinXP just a little big resource consumer. But my machine always ran with a CPU load near 4% after boot. If you like, and you tell me where to, I could save Process Explorer output and send a link to it. Thanks a lot, guys, for your kind feedback."

And from post #1, "Windows XP Service Pack 3, v5.1.2600.5512". To this I could add:

HDD: 40GB
XP partition: 20GB

Please feel free to ask for any further information. Regards.

Now I've unsubscribed.
Sep 6, 2011 2:41AM PDT

There is no cure for this machine. It's from over a decade ago and nothing will cure it to your satisfaction.

You might want to forget Windows or any Windows past 2000. XP is definitely not for this machine and you.

I would check into that DMA issue and then wish you the best of luck.
Bob

Hitman Pro
Sep 5, 2011 4:33AM PDT

I'd run a trial copy of Hitman Pro on the system. It's a good 2nd opinion software for identifying nasties....

Paretologic
Sep 4, 2011 3:57PM PDT

Look at that and you find a problem.