• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Kudos0

after failed IntelligentUpdater update svchost.exe memory leak

I have been working on this problem for several days now.  I have finally tied the IntelligentUpdater failed update to the exact time when the issue began to occur.

Hardware & OS:  Dell, Vista SP2 32bit

Issue:  one of the svchost.exe processes, the one that runs "netsvc" starts and uses up a lot of CPU but, more importantly, keeps consuming memory until the box crashes.  Although the process is needed, I have been able to keep more or less working (limping, actually) if I kill it, and continue killing it every time it restarts.

Research and fixes:

(1) I've looked for all kinds of things in blogs and Microsoft site, but nothing I tried has fixed the issue, including running several antispy programs and correcting anything found.

I also run NEP.exe, and it found a couple of things it fixed, but the problem still exists.

(2) Found what I think may be the culprit since the issue reported in Log.IntelligentUpdater.txt coincides exactly with the start of this issue.  Here is an excerpt from the log (please find it attached):

Mon May 28 18:04:36 2012 : PROCESSING ENTRY: VIRSCAN.zip - Virus Definitions

Mon May 28 18:04:36 2012 : Entry details:

Mon May 28 18:04:36 2012 : Update-File: VIRSCAN.zip

Mon May 28 18:04:36 2012 : Update-Desc: Virus Definitions

Mon May 28 18:04:36 2012 : Auth DLL Name: Norton X64 AuthDLL

Mon May 28 18:04:36 2012 : Auth DLL Location: local

Mon May 28 18:04:36 2012 : Auth Content-Type: VirusDefs

Mon May 28 18:04:36 2012 : Deploy Content-Type: VirusDefs

Mon May 28 18:04:36 2012 : Deplo DLL Name: Norton X64 DeployDLL

Mon May 28 18:04:36 2012 : Deploy DLL Location: local

Mon May 28 18:04:36 2012 : AUTH DLL LOCATION: IU will read the DLL location from registry - Norton X64 AuthDLL

Mon May 28 18:04:36 2012 : REG SUCCESS: Success while opening key

Mon May 28 18:04:36 2012 : REG FAILURE: Failed while reading the value for key named

Mon May 28 18:04:36 2012 : DEPLOY DLL LOCATION: IU will read the DLL location from registry - Norton X64 DeployDLL

Mon May 28 18:04:36 2012 : REG SUCCESS: Success while opening key

Mon May 28 18:04:36 2012 : REG FAILURE: Failed while reading the value for key named

Mon May 28 18:04:36 2012 : IGNORE ENTRY: Ignoring entry for VIRSCAN.zip because of registry read failure. Error occurred while reading the path for the Authorization DLL from the registry.

Mon May 28 18:04:36 2012 : IU failed while deploying V because a compatible product could not be found on the system. Please make sure that a compatible Symantec product is installed on the system.

I found http://www.symantec.com/business/support/index?page=content&id=TECH122906 but it seems to apply to a "client" on a network, which I am not.  The reported error is the same though.

IN ADDITION, OBSERVED THAT WHEN THE BOX IS STARTING UP, THE svchost.exe WITH THE MEMORY LEAK STARTS ACTUALLY EATING UP MEMORY WHEN THE ccsvchst.exe PROCESS STARTS . . .

QUESTION #1:  Is "Norton X64" in the log referring to the 64-bit version?  And if it is, why would my Norton Antivirus 2012 (all up to date) loaded on my 32-bit box be getting a 64-bit error?

QUESTION #2:  I really, really, really don't want to reload my PC, and if I do maybe I will run into the same issue anyway . . . I am afraid to proceed with the TECH122906 fix because it does not seem to be the exact same setup.  Can you help with this issue?  HELP!!!

File Attachment: 

Replies

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I have been working on this problem for several days now.  I have finally tied the IntelligentUpdater failed update to the exact time when the issue began to occur.

Hardware & OS:  Dell, Vista SP2 32bit

Issue:  one of the svchost.exe processes, the one that runs "netsvc" starts and uses up a lot of CPU but, more importantly, keeps consuming memory until the box crashes.  Although the process is needed, I have been able to keep more or less working (limping, actually) if I kill it, and continue killing it every time it restarts.

Research and fixes:

(1) I've looked for all kinds of things in blogs and Microsoft site, but nothing I tried has fixed the issue, including running several antispy programs and correcting anything found.

I also run NEP.exe, and it found a couple of things it fixed, but the problem still exists.

(2) Found what I think may be the culprit since the issue reported in Log.IntelligentUpdater.txt coincides exactly with the start of this issue.  Here is an excerpt from the log (please find it attached):

Mon May 28 18:04:36 2012 : PROCESSING ENTRY: VIRSCAN.zip - Virus Definitions

Mon May 28 18:04:36 2012 : Entry details:

Mon May 28 18:04:36 2012 : Update-File: VIRSCAN.zip

Mon May 28 18:04:36 2012 : Update-Desc: Virus Definitions

Mon May 28 18:04:36 2012 : Auth DLL Name: Norton X64 AuthDLL

Mon May 28 18:04:36 2012 : Auth DLL Location: local

Mon May 28 18:04:36 2012 : Auth Content-Type: VirusDefs

Mon May 28 18:04:36 2012 : Deploy Content-Type: VirusDefs

Mon May 28 18:04:36 2012 : Deplo DLL Name: Norton X64 DeployDLL

Mon May 28 18:04:36 2012 : Deploy DLL Location: local

Mon May 28 18:04:36 2012 : AUTH DLL LOCATION: IU will read the DLL location from registry - Norton X64 AuthDLL

Mon May 28 18:04:36 2012 : REG SUCCESS: Success while opening key

Mon May 28 18:04:36 2012 : REG FAILURE: Failed while reading the value for key named

Mon May 28 18:04:36 2012 : DEPLOY DLL LOCATION: IU will read the DLL location from registry - Norton X64 DeployDLL

Mon May 28 18:04:36 2012 : REG SUCCESS: Success while opening key

Mon May 28 18:04:36 2012 : REG FAILURE: Failed while reading the value for key named

Mon May 28 18:04:36 2012 : IGNORE ENTRY: Ignoring entry for VIRSCAN.zip because of registry read failure. Error occurred while reading the path for the Authorization DLL from the registry.

Mon May 28 18:04:36 2012 : IU failed while deploying V because a compatible product could not be found on the system. Please make sure that a compatible Symantec product is installed on the system.

I found http://www.symantec.com/business/support/index?page=content&id=TECH122906 but it seems to apply to a "client" on a network, which I am not.  The reported error is the same though.

IN ADDITION, OBSERVED THAT WHEN THE BOX IS STARTING UP, THE svchost.exe WITH THE MEMORY LEAK STARTS ACTUALLY EATING UP MEMORY WHEN THE ccsvchst.exe PROCESS STARTS . . .

QUESTION #1:  Is "Norton X64" in the log referring to the 64-bit version?  And if it is, why would my Norton Antivirus 2012 (all up to date) loaded on my 32-bit box be getting a 64-bit error?

QUESTION #2:  I really, really, really don't want to reload my PC, and if I do maybe I will run into the same issue anyway . . . I am afraid to proceed with the TECH122906 fix because it does not seem to be the exact same setup.  Can you help with this issue?  HELP!!!

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I am running Norton Antivirus 2012 v.19.7.1.5

Sorry for the misspell, yes, I run Norton Power Eraser.  Two things were fixed, but I don't know what they were and cannot find a  log . . .  Do you know where this would be located?

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

To read the logs, follow the instructions at this link.

You should be able to copy the XML file and save as a .txt file (Notepad) and attach to your next post.

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

See the attached log created by the NPE run.

File Attachment: 
Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I am sorry, but there is virtually nothing there to read.

Did you copy the entire xml file and paste it into notepad?

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

this is weird . . . when I click on the link in the post, it brings up the file with contents, and I also see the text in the file I saved.  So, to make it easier, I'm going to include the last part of the log in here, where you can see the things that were fixed (or where I thought they were described last).  (If you'd like to see the entire file, I can try again to attach the file or maybe send it to you via email--let me know).

========================

<Analyze DateAndTime="Saturday, 02 June 2012 Time: 09:40"><Infections_Detected><DRIVERS Count="0"/><SERVICES Count="1"><Service ID="1"><File_Information><Path>c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe</Path><FileVersion><></FileVersion><ProductVersion><></ProductVersion><ProductName><></ProductName><Company><></Company><Copyrights><></Copyrights><MD5>BC7E53021A58F10197C098D651A71405</MD5><SHA256>AC4704233F057167B9610D722B498E930D3C3DA20BC1A987F9772BD8E772D13B</SHA256><FileSize>753504</FileSize></File_Information><SideEffectsa Count="2"><File>c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe</File><RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPFFontCache_v0400</RegistryKey></SideEffects></Service></SERVICES><PROCESSESp Count="0"/><LAYERED_SERVICE_PROVIDERS Count="0"/><DESKTOP_SHORTCUTS Count="0"/><AUTORUN_FILES Count="0"/><STARTUP_ITEMS Count="0"/><BROWSER_HELPER_OBJECTS Count="0"/><BROWSER_TOOLBARS Count="0"/><BROWSER_PLUGINS Count="0"/><SHELL_EXTENSIONS Count="0"/><EXPLORER_PLUGINS Count="0"/><DIRECTORIES Count="0"/><FILES Count="0"/><SYSTEM_SETTINGS Count="0"/></Infections_Detected></Analyze><RemoteScan DateAndTime="Saturday, 02 June 2012 Time: 09:40"><Infections_Detected_By_Remote_Scan><DRIVERS Count="0"/><SERVICES Count="0"/><PROCESSES Count="0"/><LAYERED_SERVICE_PROVIDERS Count="0"/><DESKTOP_SHORTCUTS Count="0"/><AUTORUN_FILES Count="0"/><STARTUP_ITEMS Count="0"/><BROWSER_HELPER_OBJECTS Count="0"/><BROWSER_TOOLBARS Count="0"/><BROWSER_PLUGINS Count="0"/><SHELL_EXTENSIONS Count="0"/><EXPLORER_PLUGINS Count="0"/><DIRECTORIES Count="0"/><FILES Count="0"/><SYSTEM_SETTINGS Count="0"/></Infections_Detected_By_Remote_Scan></RemoteScan><Remediate DateAndTime="Saturday, 02 June 2012 Time: 09:40"><Infections_Selected_For_Remediation><DRIVERS Count="0"/><SERVICES Count="1"><Service ID="1"><File_Information><Path>c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe</Path><FileVersion><></FileVersion><ProductVersion><></ProductVersion><ProductName><></ProductName><Company><></Company><Copyrights><></Copyrights><MD5>BC7E53021A58F10197C098D651A71405</MD5><SHA256>AC4704233F057167B9610D722B498E930D3C3DA20BC1A987F9772BD8E772D13B</SHA256><FileSize>753504</FileSize></File_Information><SideEffectso Count="2"><File>c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe</File><RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPFFontCache_v0400</RegistryKey></SideEffects></Service></SERVICES><PROCESSES: Count="0"/><LAYERED_SERVICE_PROVIDERS Count="0"/><DESKTOP_SHORTCUTS Count="0"/><AUTORUN_FILES Count="0"/><STARTUP_ITEMS Count="0"/><BROWSER_HELPER_OBJECTS Count="0"/><BROWSER_TOOLBARS Count="0"/><BROWSER_PLUGINS Count="0"/><SHELL_EXTENSIONS Count="0"/><EXPLORER_PLUGINS Count="0"/><DIRECTORIES Count="0"/><FILES Count="0"/><SYSTEM_SETTINGS Count="0"/></Infections_Selected_For_Remediation></Remediate></Session0></Norton_Power_Eraser_Information>

========================

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I forgot to mention that, since yesterday when I killed the "svchost.exe -k netsvcs" offending service (as it was eating up memory), it has not restarted by itself again, as it did since Monday.  This has not happened in spite of me opening many applications (i.e., IE, Quicken, Outlook, Notebook, WordPad, Excel).  Also, I did not change anything, and I am really afraid to reboot or change something - maybe if I keep the box up forever it will stay this way ;-)    I do have some security patches to install, though . . .

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

Hello nora-b,

The Norton Power Eraser is a very aggressive tool and has the potential to generate false positives.

I cannot tell from your log if the items removed were infected or legitimate.

I will try to call in some other help to better determine if you have a serious infection.

" I do have some security patches to install, though . . ."   What security patches need to be installed?

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

Security pathes:

- a bunch of .NET ones that I have not been able to install even before the issue being discussed here

- MS Office patches that recently were distributed, but which I could not install in this past few days because the "svchost.exe -k netsvcs" process would consume memory faster than the patch installation could finish

BTW, I stated that there was no "svchost.exe -k netsvcs" process running after the last time I killed it yesterday, but it is not correct.  It actually is running but now without consuming memory.

Thanks so much for your help!

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I have no idea I don't use NPE unless it is like a FakeAV on it's own (you are lucky)  or like the old TDL3, TDL4 which I think is actually dead now.

Quads

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

I would like to report that my box is stable:

- since I run NPE yesterday, and it fixed what I sent in the log, the "svchost.exe -k netsvcs" has not run crazy consuming memory until the system crashes

- I re-run NPE today, and there was nothing to be fixed

- I also was concerned about the failure reported in the Intelligent Updater log, which coincided with when the system started having the svchost memory issue, and as I said in my original message, did not understand why Norton would try to update a 64-bit version on my box which is 32-bit.  So I looked around and downloaded the following from Norton:

      http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=n95

      20120602-009-v5i32.exe

I installed it and it reported everything was fine; however, there was no entry in the Log.IntelligentUpdater . . . so I will have to believe it is actually fine.

TWO THINGS THAT I TAKE FROM THIS ISSUE:

(1) Something weird happened on Monday, 05/28 at 6 p.m. when Norton Antivirus tried ty install a 64-bit VIRSCAN.zip set.  Maybe this is something that needs to be looked at by Norton/Symantec.

(2) Norton Power Eraser worked in getting rid of some corruption, which allowed my box to run without the memory leak.

Finally, because I no longer had the memory leak, applying patches worked fine.  Note:  I also was able to fix a .NET (older) issue and apply all related patches.  So my box is now completely up-to-date.

Thanks so much for your help, and I hope somebody looks into item #1 above.

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

Good to hear you have things under control again.

The link in your last post goes to a page with 32 bit updates. Is it possible you inadvertently downloaded a 64 bit version?

Things happen. Export/Backup your Identity Safe data.
Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

No, no, no . . .   The page lilnk I sent has files for both 32- and 64-bit.  I *NEVER* had updated this manually until several days after the initial problem, when the log reported a failed norton x64 install.  I did it only to see I could update the VIRSCAN set of files with the 32-bit version and whether the log would show a successful process.  Unfortunately, as I said in a previous message, it seemed to work but nothing was written to the log (does this mean that only failed attempts are logged?).

The VIRSCAN install on Monday 05/28 around 6 p.m. was done automatically by the Norton program, and it coincided with the start of the problem with a "svchost.exe -k netsvcs" process consuming more and more memory (leak) leading to my PC crashing.

I again suggest somebody at Norton take a look at what happened.

Kudos0

Re: after failed IntelligentUpdater update svchost.exe memory leak

Hello nora-b,

Could you clarify which Norton Product (NIS, NAV, 360) and Version you are running?  (Main UI, Support > About - version number should be right there)

"I also run NEP.exe, and it found a couple of things it fixed, but the problem still exists."  Do you mean the Norton Power Eraser?  If so, what items did it present as needing to be fixed? This is important.

The support document you cite is for Symantec Endpoint Protection which is a corporate version. Please disregard that document unless you are using SEP.

Thanks!

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Replies are locked for this thread.