Over the last two or three days my Windows XP machine has become unusable since the CPU usage hovers around 100%. I see two threads here describing similar problems <Possibly infected machine - Please help> and <"ccSvcHst.exe" Issues with Norton Internet Security>. Before I start trying to follow the suggestions in these conversations, I was wondering if there was a FAQ anywhere on the topic of "What to do if NIS Full System Scan finds no security risks and you still think your system may be infected?" [If not, maybe one should be created??]
Here are some additional details in case they shed any light on the situation:
Running NIS 17.5.0.127
I used msconfig to restart in Diagnostic Startup mode and ran a full system scan overnight. Found and fixed 50 threats. Restarted in normal mode and no change in symptoms.
There is no problem in Diagnostic mode or after booting into Safe Mode. When the problem occurs in Normal mode some of the processor hogs are: nassvc.exe (38%), nvsvc32.exe (7%), ccsvchst.exe(SYSTEM) (10-50%), SERVICES (?-60%), lsass.exe(5%). [These numbers come from different times but have seen all of these for minutes at a time, much longer for ccsvchst.exe.]
One other oddity is that I first noticed the problem while using FireFox (and Outlook, etc.). Thinking it might be a FF problem I switched to IE. Seemed to run OK for a while, but the same problem observed under IE. Now, the problem occurs whether or not I'm running a browser (using a different computer for this msg.). This may well be a red herring caused by my perception of the problem--but maybe it means something. The fact that it seems to be getting worse is one of the things that makes me suspect this is an infection. On the other hand, the fact that the processor hogs seem to be mostly Norton executables makes me think it's a bug. [On days like this I wonder how I've survived 30+ years working as a Software Engineer :-)]
At this moment I am doing a Full System Scan after booting into Safe Mode (w/ Networking) and so far it has found zero security threats after scanning 400k items. My epectation is that this will not change anything so I'm hoping someone will be able to give me a pointer to instructions on where to go next.
Although I'm not using it (and thought it wasn't loading) we do have a Buffalo NAS and I loaded their SW initially. I will uninstall that SW (and make sure it's uninstalled this time!) and post the results.
Aside: The Full System Scan I started yesterday was still running this morning. I was wondering why it was taking so long until I realized that it is now scanning that very same NAS device since it's mapped to a drive letter.
I uninstalled the Buffalo SW and confired that nassvc.exe is not running after restarting in normal mode. Alas, no change; CPU usage still at 100%.
Since I installed Acronis True Image Home 2010 relatively recently, I ran services.msc and stopped the two services whose names began with Acronis. No change in CPU usage.
Per a comment in thread "CCSvcHost.exe Hijacks My Computer!" I tried stopping the NIS service and found that the Stop button is disabled.
Snapshot of processes shows the top 5 as these SYSTEM processes: ccsvchst.exe (26%), spoolsv.exe (11%), csrss.exe (10%), nvsvc32.exe (9%), and lsass.exe (6%). I can't easily check the source of these at the moment (UniBlue ProcessLibrary.com keeps telling me "An internal error has occurred, please try again" (running on a different computer than the one having problems)).
Over the last two or three days my Windows XP machine has become unusable since the CPU usage hovers around 100%. I see two threads here describing similar problems <Possibly infected machine - Please help> and <"ccSvcHst.exe" Issues with Norton Internet Security>. Before I start trying to follow the suggestions in these conversations, I was wondering if there was a FAQ anywhere on the topic of "What to do if NIS Full System Scan finds no security risks and you still think your system may be infected?" [If not, maybe one should be created??]
Here are some additional details in case they shed any light on the situation:
Running NIS 17.5.0.127
I used msconfig to restart in Diagnostic Startup mode and ran a full system scan overnight. Found and fixed 50 threats. Restarted in normal mode and no change in symptoms.
There is no problem in Diagnostic mode or after booting into Safe Mode. When the problem occurs in Normal mode some of the processor hogs are: nassvc.exe (38%), nvsvc32.exe (7%), ccsvchst.exe(SYSTEM) (10-50%), SERVICES (?-60%), lsass.exe(5%). [These numbers come from different times but have seen all of these for minutes at a time, much longer for ccsvchst.exe.]
One other oddity is that I first noticed the problem while using FireFox (and Outlook, etc.). Thinking it might be a FF problem I switched to IE. Seemed to run OK for a while, but the same problem observed under IE. Now, the problem occurs whether or not I'm running a browser (using a different computer for this msg.). This may well be a red herring caused by my perception of the problem--but maybe it means something. The fact that it seems to be getting worse is one of the things that makes me suspect this is an infection. On the other hand, the fact that the processor hogs seem to be mostly Norton executables makes me think it's a bug. [On days like this I wonder how I've survived 30+ years working as a Software Engineer :-)]
At this moment I am doing a Full System Scan after booting into Safe Mode (w/ Networking) and so far it has found zero security threats after scanning 400k items. My epectation is that this will not change anything so I'm hoping someone will be able to give me a pointer to instructions on where to go next.
@Paul: Thanks for the suggestions. By disabling all the functionality in NIS, I got the CPU usage down to ~50% and that convinced me that the root of the problem probably wasn't NIS.
After using sysinternals' Autoruns program to disable various things from starting, I eventually focused on the process csvss.exe that was using about 30% of the processor. Using sysinternals' Process Explorer I saw that this process had five high-usage threads. All of these had a start address like "CSRSRV.dll!CsrValidateMessageString+0x179". I suspended all five of these threads and the Sys Idle time went 95%. Searched the web on various combinations of this information and eventually found a fair number of postings that suggested this was due to a corrupted profile. Tried logging in as a different user with no change so ruled this out. Searched some more and found a couple of postings where people had solved similar problems by updating their video drivers.
Since I had at one point seen high CPU usage in the "NVIDIA Driver Helper Service" I followed this lead and installed the latest driver from the manufacturer's site (Dell). The version number for this service went from 84.29 to 174.31!! I suspect that I never updated the video driver after reinstalling XP about a year ago. In any event, I've re-enabled all the NIS functionality [aside: didn't see the "default all" selection at the bottom of the page until after I'd gone through all of the "use section defaults" items :-( ] and my CPU usage now seems to have gone back to it's normal low levels (5% +/- when nothing running).
Hope this helps someone else in the future! Guess my new rule is: keep your drivers updated (or else!).
The changes in my previous post seemed to work yesterday but, alas, back to having high CPU usage today. Behavior is a little different than original one in that system doesn't go to 100% immediately. May be related to when I run some program? But processes with high cpu usage seem somewhat different than what I was seeing yesterday. So...I removed the "solution" tag from the previous post [and perhaps an admin can remove the "kudo" that was given to me :-( ]. -James
@Phil_D: Sorry, I missed your request for this info. I think I was too interested in doing the other search you suggested
Do you have tools that allow you to examine the attached mcf file? If so, the timeframe of interest is Mar 23-25 (I did a couple of scans during those days). If there is a different way I should determine the threats NIS detected and post them please advise.
That said, my CPU usage returned to a low level yesterday (after my post) without me (intentionally) making any additional changes. So now I'm thinking that maybe the video driver was the problem after all and yesterday's performance issue was just some "background" tasks catching up on things they needed to do?? Will provide an update in a couple of days.
I have marked my earlier posting (of 03-31-201007:57 PM) as the solution to this problem. Although I some similar problems for a short period after updating my video driver, these quit occurring within a few days without my taking any further action. Sorry for the long delay in posting this final update. Take care & thanks to everyone for their help and encouragement!
