svchost.exe -k netsvcs constantly downloading

    Question

  • I was asked to move this here from Microsoft Answers.
    I am working on an XP Home SP3 computer that constantly downloads using system32\svchost.exe -k netsvcs. It will download as long as the computer is connected. Before I realized the problem, it downloaded 1.4GB. I am using Netbalancer to watch the process.
    Things I've tried:

    >Turn off Windows auto updates. The computer was up to date last week.
    >Scan with Malwarebytes, Security Essentials, MFRT, AVG, TDSSKiller in Windows and safe mode when possible. AVG found 6 corrupted google toolbar.exe in Temp files. Others found nothing.
    >Turn off System Restore and rescan with AVG while the computer was connected.
    >The computer has always had Norton antivirus installed. It found and removed 1 virus in setup_lib_srf[1].exe which contained "Downloader" in 2009.
    >Disabled Background Intelligent Transfer service but netsvcs still downloads and the BITS service goes back to Automatic after a reboot.
    >Ran svchost.exe fix from Microsoft which is for high CPU use but thought it might help.
    >The remote IP address netsvcs is contacting belongs to Akamai Technologies when Windows auto update is turned off. With auto updates on the other IP addresses belong to Microsoft.

    I ran Hijackthis if you want the log.
    Any help is greatly appreciated.
    Tom
    • July 8, 2011
    Saturday, July 09, 2011 4:42 PM

Answers

  • Thanks for the reply. I finally found the solution after many hours of searching and trying different things. Process Explorer showed 81 DLLs in that process and that seemed like too much work. I made a last search before reinstalling Windows and found this and followed the steps in the last post. The OP had already disabled and stopped the Automatic Updates Service so I did too.

    http://www.winvistatips.com/issue-bits-continually-downloading-internet-sbs-2008-a-t813332.html

    After about 2 minutes of work, no more downloading! I guess BITS was "stuck" on something in the cache and continually trying to download an update in the queue.

    Thanks for the help.

    Tom

    • Marked as answer by trg53 Saturday, July 16, 2011 8:51 PM
    Saturday, July 16, 2011 8:44 PM

All replies

  • Take a look at the response in this thread about using Process Explorer to determine what is responsible for activity within an instance of svchost.

    http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/012f6fda-f1ee-4dc1-9748-25a25f34d52f

    Using that method you would expect to see functions from a specific DLL being called in the stack of the netsvcs svchost.exe. Then you would try to figure out what the DLL is from so you ultimately know how to stop it from downloading and/or uninstall it.

    And I would definitely investigate with Process Explorer when BITS is disabled so you are only seeing activity from whatever is responsible for the constant downloading.

    Sunday, July 10, 2011 6:24 AM
  • Thanks for the reply and help. I haven't looked for specific DLLs yet, but Process Explorer found "Mutant" files in every instance of svchost, including this: Mutant    \BaseNamedObjects\SHIMLIB_LOG_MUTEX.... along with a few or several other mutants. I hope it's OK to post the saved file from one of the svchost instances because it has obvious concerns.

    I need to know if: 1. Deleting the Temp files and Temporary Internet files along with .dat files and cookies listed in the file could clean the system. 2. Is the system too compromised to try to save? It will be interesting to try though.

    Thanks, Tom

    Here is the file:

    Process    PID    CPU    Description    Company Name
    System Idle Process    0    98.48         
     Interrupts    n/a        Hardware Interrupts     
     DPCs    n/a        Deferred Procedure Calls     
     System    4             
      smss.exe    744        Windows NT Session Manager    Microsoft Corporation
       csrss.exe    840        Client Server Runtime Process    Microsoft Corporation
       winlogon.exe    864        Windows NT Logon Application    Microsoft Corporation
        services.exe    912        Services and Controller app    Microsoft Corporation
         ati2evxx.exe    1080        ATI External Event Utility EXE Module    ATI Technologies Inc.
         svchost.exe    1104        Generic Host Process for Win32 Services    Microsoft Corporation
         svchost.exe    1244        Generic Host Process for Win32 Services    Microsoft Corporation
         svchost.exe    1288        Generic Host Process for Win32 Services    Microsoft Corporation
          wscntfy.exe    2716        Windows Security Center Notification App    Microsoft Corporation
          wuauclt.exe    2776        Windows Update    Microsoft Corporation
         svchost.exe    1396        Generic Host Process for Win32 Services    Microsoft Corporation
         svchost.exe    1464        Generic Host Process for Win32 Services    Microsoft Corporation
         spoolsv.exe    1584        Spooler SubSystem App    Microsoft Corporation
         svchost.exe    1660        Generic Host Process for Win32 Services    Microsoft Corporation
         ccsvchst.exe    1868        Symantec Service Framework    Symantec Corporation
          ccsvchst.exe    1128        Symantec Service Framework    Symantec Corporation
         SeriousBit.NetBalancer.Service.exe    1968        SeriousBit.NetBalancer.Service    Microsoft
         svchost.exe    308        Generic Host Process for Win32 Services    Microsoft Corporation
         alg.exe    2468        Application Layer Gateway Service    Microsoft Corporation
        lsass.exe    924        LSA Shell (Export Version)    Microsoft Corporation
    explorer.exe    1932        Windows Explorer    Microsoft Corporation
     GoogleDesktop.exe    652        Google Desktop    Google
     E_FATI9HA.EXE    692        EPSON Status Monitor 3    SEIKO EPSON CORPORATION
     NkMonitor.exe    844        Nikon Transfer Monitor    Nikon Corporation
     GoogleToolbarNotifier.exe    1036        GoogleToolbarNotifier    Google Inc.
     ctfmon.exe    980        CTF Loader    Microsoft Corporation
     DLG.exe    1204        Digital Line Detection    BVRP Software
     procexp.exe    3040    1.52    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com
     
    Process: svchost.exe Pid: 1660
     
    Type    Name
    Desktop    \Default
    Directory    \KnownDlls
    Directory    \Windows
    Directory    \BaseNamedObjects
    File    C:\WINDOWS\system32
    File    \Device\KsecDD
    File    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
    File    \Device\NamedPipe\net\NtControlPipe9
    File    \Device\WMIDataDevice
    File    \Device\WMIDataDevice
    File    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
    File    \Device\WebDavRedirector
    File    \Device\WebDavRedirector
    File    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    File    C:\Documents and Settings\LocalService\Cookies\index.dat
    File    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
    File    \Device\WebDavRedirector
    File    \Device\WebDavRedirector
    File    \Device\NamedPipe\DAV RPC SERVICE
    File    \Device\NamedPipe\DAV RPC SERVICE
    Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key    HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key    HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
    Key    HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
    Key    HKLM\SOFTWARE\Policies
    Key    HKU\S-1-5-19\Software\Policies
    Key    HKU\S-1-5-19\Software
    Key    HKLM\SOFTWARE
    KeyedEvent    \KernelObjects\CritSecOutOfMemoryEvent
    Mutant    \BaseNamedObjects\SHIMLIB_LOG_MUTEX
    Mutant    \BaseNamedObjects\_!MSFTHISTORY!_
    Mutant    \BaseNamedObjects\c:!documents and settings!localservice!local settings!temporary internet files!content.ie5!
    Mutant    \BaseNamedObjects\c:!documents and settings!localservice!cookies!
    Mutant    \BaseNamedObjects\c:!documents and settings!localservice!local settings!history!history.ie5!
    Mutant    \BaseNamedObjects\WininetStartupMutex
    Mutant    \BaseNamedObjects\WininetProxyRegistryMutex
    Process    svchost.exe(1660)
    Section    \BaseNamedObjects\C:_Documents and Settings_LocalService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_81920
    Section    \BaseNamedObjects\C:_Documents and Settings_LocalService_Cookies_index.dat_16384
    Section    \BaseNamedObjects\C:_Documents and Settings_LocalService_Local Settings_History_History.IE5_index.dat_16384
    Semaphore    \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Semaphore    \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
    Thread    svchost.exe(1660): 1720
    Thread    svchost.exe(1660): 1664
    Thread    svchost.exe(1660): 1716
    Thread    svchost.exe(1660): 3052
    Thread    svchost.exe(1660): 1724
    Token    NT AUTHORITY\LOCAL SERVICE:3e5
    WindowStation    \Windows\WindowStations\Service-0x0-3e5$
    WindowStation    \Windows\WindowStations\Service-0x0-3e5$

     

    Sunday, July 10, 2011 8:25 PM
  • Internal to Windows, a mutex is referred to as a mutant. A mutex (mutant) provides mutually exclusive access so only one thread can own it at one time.

    In other words, those mutants referenced by Process Explorer are normal Windows objects used by the kernel for synchronization.

    You can certainly clear out temporary internet files but I'm not sure that would do much because again, those mutants are expected.

    I haven't seen enough of the issue to know if that Windows install is able to be cleaned up.

    Turn off BITS, and while the unexplained downloading is still happening, look at the stack in the properties of that high CPU svchost in Process Explorer to see what function from what DLL is being called (you may only see the DLL name and not the function if it is a third-party DLL).

    Monday, July 11, 2011 2:54 AM
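
    Added example (not part of any poster's reply): a small Python triage of a saved Process Explorer handle list in the Type/Name layout posted above, reporting which account the svchost instance runs under and which components its handle names point to. The SAMPLE text is an excerpt of the PID 1660 listing from this thread; the HINTS mapping and function names are this example's own.

```python
from collections import Counter

# Excerpt of the handle list posted above for svchost.exe PID 1660.
SAMPLE = r"""Type    Name
File    \Device\WebDavRedirector
File    \Device\NamedPipe\DAV RPC SERVICE
Key    HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Mutant    \BaseNamedObjects\SHIMLIB_LOG_MUTEX
Mutant    \BaseNamedObjects\WininetStartupMutex
Thread    svchost.exe(1660): 1720
Token    NT AUTHORITY\LOCAL SERVICE:3e5
"""

# Name fragments that point at a Windows component (this example's own mapping).
HINTS = {
    "WebDavRedirector": "WebClient (WebDAV) service",
    "DAV RPC SERVICE": "WebClient (WebDAV) service",
    "Wininet": "WinINet HTTP stack",
}

def parse_handles(text):
    """Return (type, name) pairs from a 'Type<whitespace>Name' listing."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts != ["Type", "Name"]:
            rows.append((parts[0], parts[1].strip()))
    return rows

def triage(rows):
    """Summarise the account and components of one svchost instance."""
    token = next((name for kind, name in rows if kind == "Token"), "")
    account = token.rsplit(":", 1)[0]  # drop the logon-session id
    components = sorted({label for _, name in rows
                         for frag, label in HINTS.items()
                         if frag.lower() in name.lower()})
    return {
        "account": account,
        # The netsvcs group (Automatic Updates, BITS) runs as LocalSystem on XP.
        "could_be_netsvcs": account.upper() == r"NT AUTHORITY\SYSTEM",
        "counts": dict(Counter(kind for kind, _ in rows)),
        "components": components,
    }

if __name__ == "__main__":
    for key, value in triage(parse_handles(SAMPLE)).items():
        print(f"{key}: {value}")
```

    Checking the Token line first shows whether the dumped instance can be the netsvcs one at all before spending time on its handles.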
  • Thanks trg53, thanks to you I've found the solution to my problem. I was afraid that my PC had some malware installed but your link has the right solution.

    Sunday, December 04, 2011 4:53 AM