Windows Defender Eating 100% CPU While Updating

  • Thread starter Will Rolison [495512]

Will Rolison [495512]

Hey,

Does anyone else have an issue with Windows Defender causing svchost.exe to
run at 100% while it updates?

Or better yet, a fix for this problem? Please see the attached screen shots.

You can see that WD causes svchost.exe to use 70MB of RAM at one point and
then finally when it's done it is still left eating 50MB of RAM.

That and of course as you can see from the screen shots, svchost.exe is
using 100% CPU and for almost six minutes at that while WD updates. :(

This happens every time WD updates and it is getting very annoying. Well,
thanks for any help!
 

Dave M

Hey Will;
This has been reported a few times here, first I'd follow Larry Gardner's
advice and go to the Systems Event log and look at Service Control Manager
Errors that occur at the timeframe when this is happening to you. That
might give you some ideas, but post back here if you want, with what errors
you're seeing, if any. On another occasion this problem has been resolved
with just a re-install of Windows Defender.

From: Missy
Subject: Spyware Defender CPU bug: maxes out SVChost.exe @ reboot
Date: Sat, 27 May 2006 01:59:01 -0700
Newsgroups: microsoft.private.security.spyware.general

From: MyComputerDoctorPR.com
Subject: MSASCui.exe Process from Windows Defender stays at 99% of CPU. Fre
Date: Sun, 4 Jun 2006 17:05:02 -0700
Newsgroups: microsoft.private.security.spyware.general
 

Guest

Any time that a service consumes 100% of the bandwidth, there is a much
better chance that the service has been compromised. I would recommend doing
a HijackThis scan and submit it for scrutiny to one of the more active
forums. Check out the links and pulldown on the Internet Security URL in my
sig. There are also a couple of "Do-It-Yourself" links for those who have a
reasonable knowledge of what HJT is capable of identifying.
 

Will Rolison [495512]

Hey,

Tried a reinstall a few times. Removed old install completely, including reg
entries.

No errors reported in event viewer. Only the normal ones:

1.)

Windows Defender Configuration has changed. If this is an unexpected event
you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\ASSignatureVersion = 1.14.1521.63
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\ASSignatureVersion = 1.14.1525.2

2.)


Windows Defender Configuration has changed. If this is an unexpected event
you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\SignatureLocation = C:\Documents and Settings\All Users\Application
Data\Microsoft\Windows Defender\Definition
Updates\{A62772A6-F36A-44AD-88D7-7E05DC69D7CA}
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature
Updates\SignatureLocation = C:\Documents and Settings\All Users\Application
Data\Microsoft\Windows Defender\Definition
Updates\{F61915E9-2991-4055-8273-D9A716FB1554}

3.)

Windows Defender signature version has been updated.
Current Signature Version: 1.14.1525.2
Previous Signature Version: 1.14.1521.63
Update Source: User
Signature Type: AntiSpyware
Update Type: Delta
User: NT AUTHORITY\SYSTEM
Current Engine Version: 1.1.1481.0
Previous Engine Version: 1.1.1481.0

4.)

Installation Successful: Windows successfully installed the following
update: Definition Update 1.14.1525.2 for BETA Windows Defender (KB915597)
 

Will Rolison [495512]

Hey,

Thanks for the idea.

However, I know everything that is on my computer at any given time. Though
to be sure... ;)

I've checked the log and I am clean. Did a full antispyware, anti-virus, and
anti-rootkit sweep as well and nothing unusual.
 

Will Rolison [495512]

Hey,

Also, I have tried making svchost.exe a "own" process via:

http://blogs.msdn.com/larryosterman/archive/2005/09/12/464077.aspx

but still svchost.exe is reported as 100% CPU.

Also by using Process Explorer I figured out it is ntdll.dll which is the
problem.

Thread: ntdll.dll!RtlAllocateHeap+0x18c

Here is its stack when using 100% cpu:

ntoskrnl.exe!KiDispatchInterrupt+0x7f
kernel32.dll!LCMapStringW+0x1f6
kernel32.dll!LCMapStringW+0x18d
USER32.dll!CharUpperW+0x30
ole32.dll!CoFreeAllLibraries+0xaf0
ole32.dll!CoFreeAllLibraries+0xb22
ole32.dll!CoFreeAllLibraries+0x986
ole32.dll!CoFreeAllLibraries+0xa1c
ole32.dll!StgOpenStorage+0x3c88
ole32.dll!StgOpenStorage+0x3f7b
ole32.dll!StgOpenStorage+0x3ee2
ole32.dll!CoFreeAllLibraries+0xa95
ole32.dll!StgOpenStorage+0x3e32
msi.dll+0x1a6a30
msi.dll+0x12c97a
msi.dll+0x12dcc8
msi.dll+0x12e1a0
msi.dll+0x13444e
msi.dll!MsiEnumPatchesA+0x1f14
msi.dll!MsiDeterminePatchSequenceW+0x87a
wuaueng.dll!Ordinal3+0x25e
wuaueng.dll!Ordinal3+0x12a8
wuaueng.dll!DllRegisterServer+0x48d2c
wuaueng.dll!DllRegisterServer+0x49611
wuaueng.dll!DllRegisterServer+0x42a05
wuaueng.dll!DllRegisterServer+0x1fbae
wuaueng.dll!DllRegisterServer+0x1ff68
wuaueng.dll!DllRegisterServer+0x19ca4
wuaueng.dll!DllRegisterServer+0x1a06c
wuaueng.dll!DllRegisterServer+0x2e799
wuaueng.dll!DllRegisterServer+0x2fde0
wuaueng.dll!DllRegisterServer+0x1b30b
wuaueng.dll!DllRegisterServer+0xa7b2
wuaueng.dll!DllRegisterServer+0x12a98
wuaueng.dll!DllRegisterServer+0x13646
wuaueng.dll!DllRegisterServer+0x137e6
ntdll.dll!RtlQueueWorkItem+0x239
ntdll.dll!RtlQueueWorkItem+0x71f
ntdll.dll!RtlUpcaseUnicodeString+0x159
ntdll.dll!RtlUpcaseUnicodeString+0x197
ntdll.dll!RtlUpcaseUnicodeString+0x259
ntdll.dll!RtlUpcaseUnicodeString+0x230
kernel32.dll!GetModuleFileNameA+0x1b4

Any ideas?
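A small Python parser for the Process Explorer stack quoted in the post above (an added example, not code from the thread): it separates the module where time is being spent (the leaf frame) from the component that queued the work (the first non-runtime frame walking up from the thread start), and flags any module that is not in an expected set. The RUNTIME classification and the module allow-list are my own assumptions, and the embedded stack is an excerpt of the one in the post.

```python
import re
from collections import Counter

# One Process Explorer frame: "module!symbol+0xoffset" or "module+0xoffset".
FRAME_RE = re.compile(
    r"^(?P<module>[^!+\s]+)(?:!(?P<symbol>[^+\s]+))?(?:\+0x(?P<offset>[0-9a-fA-F]+))?$")

# Generic OS runtime modules (my own classification): they show where time is
# spent, not which component requested the work.
RUNTIME = {"ntoskrnl.exe", "ntdll.dll", "kernel32.dll", "user32.dll", "ole32.dll"}

# Excerpt of the stack from the post above; the top line is the innermost frame.
SAMPLE_STACK = """\
ntoskrnl.exe!KiDispatchInterrupt+0x7f
kernel32.dll!LCMapStringW+0x1f6
USER32.dll!CharUpperW+0x30
ole32.dll!CoFreeAllLibraries+0xaf0
ole32.dll!StgOpenStorage+0x3c88
msi.dll+0x1a6a30
msi.dll!MsiEnumPatchesA+0x1f14
msi.dll!MsiDeterminePatchSequenceW+0x87a
wuaueng.dll!Ordinal3+0x25e
wuaueng.dll!DllRegisterServer+0x48d2c
ntdll.dll!RtlQueueWorkItem+0x239
kernel32.dll!GetModuleFileNameA+0x1b4
"""

def parse_stack(text):
    """Return a list of {module, symbol, offset} dicts, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # skip blank lines and anything that is not a frame
            frames.append({"module": m.group("module").lower(),
                           "symbol": m.group("symbol"),
                           "offset": int(m.group("offset") or "0", 16)})
    return frames

def attribute(frames):
    """leaf = module executing right now; driver = component that initiated the work."""
    driver = next((f["module"] for f in reversed(frames) if f["module"] not in RUNTIME), None)
    return {"leaf": frames[0]["module"], "driver": driver,
            "frames_per_module": dict(Counter(f["module"] for f in frames))}

def unexpected_modules(frames, known):
    """Modules on a hot stack outside the expected set: the first place to look."""
    return {f["module"] for f in frames} - {k.lower() for k in known}
```

For the excerpt the leaf is ntoskrnl.exe but the driver is wuaueng.dll (the Windows Update agent) going through msi.dll, which is what distinguishes "busy" from "unexpected".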
 

Guest

The oldest trick in the malware cookbook is to name your files the same as
valid system files (e.g., explorer.exe, iexplore.exe, services.exe, ... ad
nauseam). The second oldest is to inject code into valid system files in
order to accomplish your evil goals. The third (actually the prime
directive) is to disable any anti-threat software that would reveal the
compromise.

I repeat: any time that 100% of the CPU bandwidth is being used (for no
apparent reason), it is most likely that your system has already been
compromised.

Understand one thing. If your system has been compromised, the chances are
exceedingly high that your anti-threat tools have also been compromised.
Thus, all appears "normal" except that performance is sluggish. A good test
is to run a series of online threat scans that need to install Active-X or
Java components. If one or more fails to install ... you ARE infected!

--
Scott D

Internet Security: http://SecorConsulting.net/pages/security.html
CIS Benchmark: http://SecorConsulting.net/pages/benchmark.html

 

Guest

This is happening too on my Dell Latitude D800 every time an update is started,
auto or manual. There are no error messages but you can't do a thing since
svchost.exe has eaten up 100% of the CPU.

I'm interested in a solution to this issue or I'll totally dump the idea of
using Windows Defender.
 