long system freeze

lesiofamily

ok, in search I have found 3 svchost.exe with locations as follows:

C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\system32

does it mean that first 2 are fake/malicious?
if it is malware -
how do I remove them ? - just go to the folder and delete them?
how do I protect my PC in the future ?
I already have NIS (AV, firewall etc)

next interesting thing:
in my task manager I see 6 (six) svchost.exe :))
3 from system
2 from network service
1 from local service
they are all using 0% CPU and peak mem usage below 6000K
except for one from system which had 181000K and is using currently 26788K
???

I will reboot my PC now to give you feedback if it still takes time to
reboot
 
lesiofamily

have P4 3.2 GHz with win xp pro installed
2 GB RAM
I have 2 HD IDE - partitioned to 4 C,D,E,F and 1 SATA
my C is total 58 and free space 22 Gb
?

--
lb
Gerry said:
NIS 2008 Minimum System Requirements
http://snipurl.com/9g1yp [solutions_symantec_com]

It should not be an issue for you.

AVG Internet Security 8.0
http://snipurl.com/9g268 [www_avg_com]

The RAM requirements SEEM to be the same. The disk space requirements are
dramatically different.

--



Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Daave , thanks for your comments
The problem was constant for a few days - now it looks like it is
sporadic ( although I keep my PC running to avoid 30 min start ups :))
recently no freezes during normal operation
when it did happen - during this 20-30 sec freeze I was not able to do
anything
will process explorer show the culprit few seconds later - but when I
can use my PC again everything is back to normal, or is it?
I ran malwarebytes program - no malware found
I have win pro ver. 2002 with sp3 installed all other updates are done
regularly
I will definitely check svchost and let you know
I will also do a clean boot without Norton and see how it goes

re NIS 2008 - I agree - that's why usually I do not install all the
newest programs I could install (because of CPU + RAM usage)
except for my security program which is NIS
thank you :)
 
lesiofamily

rebooted under 2 min with NIS on

--
lb
 
Gerry

Yes I knew your figures before posting. I just thought it useful for
others to see the System Requirements involved.

--



Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

using process explorer
I can see few svchost but they use 0% CPU
the highest is system idle process with 99-100% CPU usage
command line is blank, description blank, company name blank

I checked my other PC
system idle process takes approx 86- 97% CPU - for me it looks
high but it is 10% less than my first PC
any comments?

Are we talking about a sporadic problem? That is, perhaps you were
not experiencing the "long system freeze" during the above
timeframe? Does your problem present itself during bootup usually?

If it is sporadic, Process Explorer will give you useful
information, but you need to be looking at it *during* the grinding
of the gears (not afterward). And since in another post you
indicated that one of your instances of svchost was through the
roof memory-wise, the Bleeping Computer tutorial should be helpful.

There have been reports of svchost.exe run amok after a particular
security update was applied. How up-to-date are you with your
Windows Updates? What Service Pack level are you at? Can you
recall when you started experiencing this particular problem as
well as anything significant that occurred at around that time?

Finally, I don't recall whether or not you confidently ruled out
malware. Sometimes an instance of svchost.exe running *is*
malicious. Svchost.exe is a valid file *if* it is in the correct
location, which should be: C:\WINDOWS\system32

If you have another svchost.exe in another location, it's surely
malware. Search your entire C: drive for svchost.exe. In "More
advanced options," be sure to check "Search system folders" and
"Search subfolders." Again, if you see another instance of
svchost.exe where it doesn't belong, you have a malware infection!

Last idea: You stated you had NIS 2008. Norton is well-known for
producing the kind of behavior you are describing. Configure a
clean boot (which means, among other things, you will be
temporarily disabling NIS 2008) and see if your problem goes away.
For more info: http://support.microsoft.com/kb/310353

If your problem does go away, you should be able to use the process
of elimination to determine the cause. It wouldn't surprise me if
it's Norton.
 
Daave

lesiofamily said:
ok, in search I have found 3 svchost.exe with locations as follows:

C:\WINDOWS\$NtServicePackUninstall$
C:\WINDOWS\ServicePackFiles\i386
C:\WINDOWS\system32

does it mean that first 2 are fake/malicious?

No, sorry I wasn't more clear. Those other two instances are
installation files. Nothing to be concerned with.

lesiofamily said:
how do I protect my PC in the future ?

Your best bet is to read the following:

http://www.elephantboycomputers.com/page2.html#Viruses_Malware

lesiofamily said:
I already have NIS (AV, firewall etc)

Is your Windows firewall running concurrently with the NIS firewall? If
so, that could be causing conflicts. You should only be running one
firewall. As mentioned earlier, many people have reported problems
stemming from running Norton products. I'm not saying that this is the
case for you; I'm just putting it on the table. Also keep in mind that
running NIS 2008 is not an absolute guarantee you are malware-free; no
one program can guarantee that.

lesiofamily said:
next interesting thing:
in my task manager I see 6 (six) svchost.exe :))
3 from system
2 from network service
1 from local service
they are all using 0% CPU and peak mem usage below 6000K

That's normal.

lesiofamily said:
except for one from system which had 181000K and is using currently
26788K
???

The memory usage for that one instance seems very high. I would still
use the technique mentioned earlier on the Bleeping Computer site to
determine what's going on.
 
Daave

If it hardly happens now, it will be more difficult to troubleshoot.

If you have 2GB RAM, there is no need to worry unless you do tons of
video or image editing, etc.

A quick way to determine if you do have enough RAM is to open Task
Manager (Ctrl+Alt+Del) and click the Performance tab. Then note the
three values under Commit Charge (K): in the lower left-hand corner:
Total, Limit, and Peak.

The Total figure represents the amount of memory you are using at that
very moment. The Peak figure represents the highest amount of memory you
used since last bootup. If both these figures are below the value of
Physical Memory (K) Total, then you probably have plenty of RAM.

Also click on the Processes tab. Click Mem Usage once or twice until the
highest figures are at the top. What are the top five processes? What
are the Mem Usage figures for them?

lesiofamily said:
rebooted under 2 min with NIS on

Well, so much for that theory!

If the bulk of your problems center around thirty minutes to boot up and
that's no longer happening, I'm not sure what to do. Maybe all is well
now!
 
Gerry

C:\WINDOWS\system32 is the copy in use

C:\WINDOWS\ServicePackFiles\i386 is a spare copy of the copy in use.

C:\WINDOWS\$NtServicePackUninstall$ is the file to be restored if you
decide to uninstall the current copy.

None are fake/malicious unless one came as a result of malware
activity. You should not attempt to remove unless you have specific
grounds for knowing that one is an impostor. This seems unlikely.

The problem could still be malware for the reasons I have indicated in
another post. The problem in my opinion is not svchost.exe. It could be
something that is using svchost.exe. This is why if you see excessive
CPU usage involving svchost.exe it is important to identify the Command
Line because you can then identify the Service causing the usage.

Six copies of svchost.exe running in Task Manager / Process Explorer is
normal. In Process Explorer you will see that each has a different
Command Line i.e. start up item. Thus one is
C:\WINDOWS\system32\svchost -k DcomLaunch. On my computer this handles
the services DCOM Process Server Launcher and Terminal Services. Another
has the Command Line C:\WINDOWS\System32\svchost.exe -k netsvcs, which
covers a number of services including Automatic updates.

I am not sure what Daave has in mind but the above should help you
understand a little more about the role of svchost.exe. It is an
intermediary or enabler.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
lesiofamily

in process explorer I do not know which svchost peaked to 181000K
so I will post command line for all listed svchost
if all of them look OK so I guess we can close the case for now....
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService

they are all in system32 folder so .........
guys you've been very helpful and patient for a newbie like me, thanks a lot

I have another question re hibernation but I will start new post to keep it
clean

lb
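
The checks Daave and Gerry describe in this thread, as an added example that is not part of any poster's message: it labels the folders where svchost.exe was found on disk and checks each running instance's command line for the system32 image path and a -k service group. The C:\WINDOWS root, the function names and the C:\WINDOWS\Temp entry are assumptions constructed for illustration; the six command lines are the ones posted above.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP install root, as in the thread
# Folders where the thread says svchost.exe legitimately sits on disk.
KNOWN_DISK_COPIES = {
    "system32": "copy in use",
    r"ServicePackFiles\i386": "spare copy of the copy in use",
    "$NtServicePackUninstall$": "restored if the service pack is uninstalled",
}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))  # system32 == System32

def classify_disk_copy(folder):
    """Label a folder that holds an svchost.exe found by a disk search."""
    for rel, label in KNOWN_DISK_COPIES.items():
        if _norm(folder) == _norm(ntpath.join(SYSTEM_ROOT, rel)):
            return label
    return "unexpected location: investigate before deleting anything"

def check_running(cmdline):
    """Return (service_group, findings) for one running svchost command line."""
    quoted = cmdline.startswith('"')
    image, _, rest = cmdline[1:].partition('"') if quoted else cmdline.partition(" ")
    if not image.lower().endswith(".exe"):
        image += ".exe"  # "svchost" and "svchost.exe" name the same image
    findings = []
    expected = ntpath.join(SYSTEM_ROOT, "system32", "svchost.exe")
    if _norm(image) != _norm(expected):
        findings.append("image is not " + expected)
    args = rest.split()
    group = next((b for a, b in zip(args, args[1:]) if a.lower() == "-k"), None)
    if group is None:
        findings.append("no -k service group on the command line")
    return group, findings

POSTED = [  # the six command lines posted in the thread
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"C:\WINDOWS\system32\svchost -k DcomLaunch",
    r"C:\WINDOWS\system32\svchost -k rpcss",
    r"C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup",
    r"C:\WINDOWS\System32\svchost.exe -k NetworkService",
    r"C:\WINDOWS\System32\svchost.exe -k LocalService",
]
CONSTRUCTED_BAD = r"C:\WINDOWS\Temp\svchost.exe"  # constructed, not from the thread

if __name__ == "__main__":
    for line in POSTED + [CONSTRUCTED_BAD]:
        print(line, "->", check_running(line))
```

A clean result only says the image path and launch form look normal; as Gerry notes, a service running inside one of these svchost groups can still be the cause.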
 
Gerry

In Process Explorer you can add columns. Place the cursor on the column
headers row, right click and click on Select Columns. Click on the
Process Memory tab and check the boxes before Virtual Size and Peak
Working Set Size. You can increase or reduce column widths by dragging
the column divider in the column headers row either to left or right.

Your high peak of 181,000 is likely to be:
C:\WINDOWS\System32\svchost.exe -k netsvcs

Don't my post about Rootkit Revealer some 9 hours ago.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
