
High CPU usage by "System" process

Hi Folks:

I have a Windows XP Pro system (SP2) which seems to have 86%-plus CPU usage by the "System" process at all times, even with no other programs running. Under Task Manager another "System" entry seems to pop up and then disappear every couple of seconds. There also seems to be constant network activity of a few packets every couple of seconds.

I have run antivirus programs and anti-adware programs to no avail (Norman Anti-Virus has been running constantly, Spybot S&D is resident, and I also tried Ad-Aware).

Any thoughts on what is going on, or how to find the "pest" that may have infected this system, would be greatly appreciated.

Best regards, Dave Melnyk
Asked by: d_melnyk
 
maramom commented:
Hi Dave,
Try Ewido: http://www.ewido.net/en/
 
trueluck3 commented:
You should also try shutting down all Norton programs / activity, as well as any anti-spyware programs that may run in the background. Then check your system processes again. I don't think that this is the problem (unless Symantec has some processes that run through the 'System' process as child processes), but you'll want to start eliminating the simple suspects first. However, I've had so many issues with Symantec programs (specifically "Norton Antivirus", not the corporate version so much) eating up all my resources that I've switched to CA EZ Antivirus, a great program. So try that, and if you need help shutting down those processes, let me know.

-- Mike
 
d_melnyk (Author) commented:
Mike:

Thanks for the input. I am not using "Norton" but "Norman Data Defense"; I know that Symantec's Norton product causes all kinds of grief. I'll try ditching other anti-spyware items etc.

Dave
 
maramom commented:
Have you tried Ewido?

If the problem isn't malware, it may be drivers competing for interrupt requests. Check your system event log to see if there are any errors.
 
Peregian commented:
Get Process Explorer from Sysinternals and you can look more closely at the System process. This will show which threads are using up the CPU.
 
d_melnyk (Author) commented:
I got Process Explorer and checked things out. It seems that ACPI.SYS is the item that is eating about 50% of the CPU usage; not sure what this means...

Regards, Dave Melnyk
 
d_melnyk (Author) commented:
Just another quick note: it seems that the DPCs (deferred procedure calls) are also using a lot of CPU time, 30 to 50% at times.

I also checked the system event log. It seems that there have been some errors detected by the driver on hard disk 1. Is this a sign that the drive is failing, and could this be the cause of the high CPU usage?

Regards, Dave Melnyk
 
maramom commented:
This all points to faulty drivers, in my opinion. Infections can corrupt drivers and system files, so it's not out of the question that a bug is involved. ACPI handles power management, DPCs handle procedures and interrupt requests, and the drive error was for a driver.

If you haven't tried Ewido, do so. You can also try an online scan from:

http://housecall.trendmicro.com/

http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest

http://www.bitdefender.com/scan8/ie.html

Once it's established that your system is clean, install updated drivers for your system:
mainboard/chipset drivers, all PCI cards, video card (if not onboard), etc. Get them from the manufacturers.
You can use SiSoftware Sandra or Everest to identify your hardware, if needed.

http://www.majorgeeks.com/SiSoftware_Sandra_Lite_d4664.html
http://www.majorgeeks.com/download4181.html

If none of this solves your problem, an install/repair may be in order (for system corruption): http://www.michaelstevenstech.com/XPrepairinstall.htm
 
maramom commented:
Your 2nd hard drive (1) could be failing. That's probably where you should start. Do diagnostics on the drive, and back up the data. If the system is trying to read from the drive and having trouble accessing it, it can lock up and spike the CPU.
If you want to simply disconnect the drive temporarily to see if there's a change in CPU usage, try it.
You can get diagnostics for your drive from the manufacturer, or use the Ultimate Boot CD: http://www.ultimatebootcd.com/
 
maramom commented:
Although hard drive warnings can cause concern, there can be other reasons, such as faulty IDE/SATA cables, cables and power connectors not firmly attached, and even IDE/SATA channel faults on the motherboard. Or it can just be a matter of using chkdsk to fix errors. This may not be the problem, but it's important to rule out a problem with the hard drive with the diagnostics.
 
Peregian commented:
I agree a faulty driver can do this; try running sfc /scannow from the Run box.
 
d_melnyk (Author) commented:
Hi guys:

I ran sfc /scannow and it turned up nothing. I downloaded and ran Ewido; it found a few tracking cookies but other than that, nothing major. I disabled hard disk 1 (it is in a drive tray) and the problem still seems to exist, with high CPU usage in the "System" item. By the way, the 'analysis' portion of Ewido shows 2 "System" processes running, one with a PID (not sure what that is) of 0 and another with a PID of 4. I am about to try checking all cables etc. to see if this is an issue.

Regards, Dave Melnyk
 
nobus commented:
You can disconnect or disable devices to test from the hardware point of view.
For the software side, disable programs at startup:
in the Run box, type msconfig and press Enter;
in the Startup tab, click Disable All;
in the Services tab, click Hide All Microsoft Services, then click Disable All.
Now reboot and test.
 
Peregian commented:
Now that the hard disk is disabled, are there any errors in the event logs?
 
prasanna_lakkundi commented:
This might be because of the firewall.

Check the firewall settings in Start > Settings > Control Panel. Disable the firewall and check the CPU utilization.
 
d_melnyk (Author) commented:
Hi Guys:

I disabled all items in startup with msconfig: no difference. I also disabled hard disk 1 and still no difference. I also changed out the IDE cable for a known good cable; still the same problem. I haven't had a chance to check the event logs regarding drive errors with hard disk 1 disabled, but will try later. For the moment I am reinstalling XP on another drive in the same system; so far it seems to be operating normally. CPU usage just sitting there is 98% for System Idle and only about 1% for the "System" entry.

I'll put the old drive back in later (the joy of drive trays) and check the logs.

Regards, Dave
 
maramom commented:
This sounds like a bug to me. Ewido catches what Spybot may miss, but it sounds like you need a heavy-duty virus scan. Try one (or more) of the online scans.

Corrupted drivers can create problems with interrupt requests, so updating all drivers (from the manufacturer) may be your fix. Try the scans first.
 
nobus commented:
You can also run sfc /scannow from the Run box; it may help too.
 
d_melnyk (Author) commented:
An update for all those helping out...

I am now scanning with the BitDefender web scan, but it looks like it will take over 13 hours to finish (174,000-plus files to scan...).
I had downloaded and installed AWSPS (Atelier Web Security Port Scanner), as I had noticed that I had constant network activity on the system. It indicates that the local machine (IP 192.168.0.2) has a connection established with my router at 192.168.0.1:5678. The local address "port" number is incrementing approximately every one to two seconds. Not sure how to interpret this, but it certainly looks suspicious, as if something is trying to get in or out. I set the router to block port 5678 to all traffic, but the incrementing of the port number continues. Occasionally the "connection" with the 5678 port on 192.168.0.1 is lost, but it is quickly re-established and the local address continues to increment through the ports (a TCP connection according to AWSPS). If anyone has any info on what this may mean or how to interpret this info, I could really use the help.

Best regards, Dave Melnyk
 
Peregian commented:
Sounds like you may have a rootkit.
Get this: http://skads.org/special/rkfiles.zip
Unzip it to a folder, then reboot into Safe Mode and run the batch file it contains. It takes a little while, but be patient. When finished it will display a text file of the hidden files that are running. Ignore the defrag entry if it's there. NOT ALL THE ENTRIES WILL BE BUGS. Post the contents here first so we can verify what they are.
 
nobus commented:
Could be; here is a good one too: www.sysinternals.com/Utilities/RootkitRevealer.html
 
d_melnyk (Author) commented:
Hi Guys:
Here are the results:

C:\rootkit
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\system32\Stamin32.Tlb: +]FileSpec2WWW
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

I know that the Stamin32.tlb file is legit; it is part of the Stamina toolkit that I use for development (unless something has corrupted the file; not sure what the "+]FileSpec2WWW" means).

Regards, Dave Melnyk
 
Peregian commented:
I think the DivX.dll is OK too, and dfrg is always there. Try downloading IceSword: http://xfocus.net/tools/200509/1085.html. It will give you a better analysis of the port communication. The program is in English but the website and help file are in Chinese. Hopefully it will help identify what's making the connection and to where.
 
d_melnyk (Author) commented:
Peregian:

I downloaded IceSword and ran it. The 192.168.0.2:5678 entry lists "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" as the path name. There are a number of other items with the same path name. I checked the PID for that item and killed it in Task Manager; that seems to have gotten rid of the constant network activity, but CPU usage is still 100%. Not sure what this means...

Dave
 
Peregian commented:
Do you have an HP printer? They install a Java package that uses that port.
 
d_melnyk (Author) commented:
Peregian:

No HP printer.

Dave
 
Peregian commented:
Can you reboot so all processes are running, open IceSword at the Port page, then go to Dump > Current List and post the contents?
 
d_melnyk (Author) commented:
Here is the dump from IceSword:

Port:

Protocol  Local Address           Foreign Address         State               PID       PathName
TCP       192.168.0.2 : 1259      192.168.0.1 : 5678      ESTABLISHED         948       C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 1252      192.168.0.143 : 139     TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4454      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4450      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4446      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4455      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4447      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4451      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4448      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4452      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4449      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4453      TIME_WAIT           0         ----
TCP       0.0.0.0 : 2868          0.0.0.0 : 0             LISTENING           760       C:\Norman\BIN\Njeeves.exe
TCP       127.0.0.1 : 1032        0.0.0.0 : 0             LISTENING           1752      C:\WINDOWS\System32\alg.exe
TCP       0.0.0.0 : 445           0.0.0.0 : 0             LISTENING           4         NT OS Kernel
TCP       0.0.0.0 : 135           0.0.0.0 : 0             LISTENING           884       C:\WINDOWS\System32\SVCHOST.EXE
TCP       0.0.0.0 : 2869          0.0.0.0 : 0             LISTENING           1236      C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 139       0.0.0.0 : 0             LISTENING           4         NT OS Kernel
UDP       192.168.0.2 : 137       * : *                                       4         NT OS Kernel
UDP       0.0.0.0 : 1124          * : *                                       1040      C:\WINDOWS\System32\SVCHOST.EXE
UDP       0.0.0.0 : 500           * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
UDP       0.0.0.0 : 1125          * : *                                       1040      C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 138       * : *                                       4         NT OS Kernel
UDP       192.168.0.2 : 123       * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       127.0.0.1 : 123         * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 1900      * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       127.0.0.1 : 1900        * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       0.0.0.0 : 4500          * : *                                       648       C:\WINDOWS\System32\LSASS.EXE
UDP       0.0.0.0 : 445           * : *                                       4         NT OS Kernel
UDP       127.0.0.1 : 1040        * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
RAW       ---                     ---                     ---                 4         NT OS Kernel
RAW       ---                     ---                     ---                 4         NT OS Kernel
RAW       ---                     ---                     ---                 648       C:\WINDOWS\System32\LSASS.EXE

I also checked with tasklist, i.e. Tasklist /v /fi "PID EQ 948"

and got the following:

Image Name                     PID Session Name     Session#    Mem Usage Status          User Name            CPU Time     Window Title
========================= ======== ================ ======== ============ =============== ==================== ============ ============
SVCHOST.EXE                    948 Console                 0     16,184 K Running         NT AUTHORITY\SYSTEM  0:00:09      N/A

Not terribly meaningful.

Regards, Dave
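A dump like the one above is easier to reason about when it is parsed rather than eyeballed: which foreign addresses are outside the LAN, which sockets belong to which svchost instance, and which "connections" are really a burst of short-lived sessions. The following is an added example written for this page, not code from the thread or from IceSword. It parses the dump in the column layout Dave pasted, classifies every foreign address as loopback, private (RFC 1918) or external, counts TIME_WAIT entries per local port and peer (the pattern on local port 2869, which is the UPnP Device Host port on XP SP2, with UDP 1900 being SSDP), and joins PIDs against `tasklist /svc` output so a bare SVCHOST.EXE can be tied to the services it hosts. The `tasklist /svc` text here is constructed with placeholder service names, because nobody in the thread ran that command; only the column format is real.

```python
"""Triage an IceSword / netstat-style port dump (added example for this thread)."""
import ipaddress
import re
from collections import Counter

# Rows copied from the IceSword dump posted in the thread (abridged).
PORT_DUMP = r"""
Protocol  Local Address           Foreign Address         State               PID       PathName
TCP       192.168.0.2 : 1259      192.168.0.1 : 5678      ESTABLISHED         948       C:\WINDOWS\System32\SVCHOST.EXE
TCP       192.168.0.2 : 1252      192.168.0.143 : 139     TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4454      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4450      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4446      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4455      TIME_WAIT           0         ----
TCP       192.168.0.2 : 2869      192.168.0.1 : 4447      TIME_WAIT           0         ----
TCP       0.0.0.0 : 445           0.0.0.0 : 0             LISTENING           4         NT OS Kernel
TCP       0.0.0.0 : 135           0.0.0.0 : 0             LISTENING           884       C:\WINDOWS\System32\SVCHOST.EXE
TCP       0.0.0.0 : 2869          0.0.0.0 : 0             LISTENING           1236      C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 123       * : *                                       948       C:\WINDOWS\System32\SVCHOST.EXE
UDP       192.168.0.2 : 1900      * : *                                       1236      C:\WINDOWS\System32\SVCHOST.EXE
"""

# CONSTRUCTED sample of `tasklist /svc` output. The column layout is the real
# one; the service names are placeholders, since the thread never ran this.
TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    884 PlaceholderRpc
svchost.exe                    948 PlaceholderSvc1, PlaceholderSvc2
svchost.exe                   1236 PlaceholderUpnp
"""

_ENDPOINT = re.compile(r"^(\S+)\s*:\s*(\S+)$")


def _endpoint(text):
    """Split 'host : port' (IceSword pads around the colon); '*' means unbound."""
    host, port = _ENDPOINT.match(text.strip()).groups()
    return host, (None if port == "*" else int(port))


def parse_port_dump(text):
    """Return one dict per TCP/UDP row; columns are separated by 2+ spaces."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 5 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank and RAW rows
        if len(fields) == 5:  # UDP rows carry no State column
            proto, local, foreign, pid, path = fields
            state = ""
        else:
            proto, local, foreign, state, pid, path = fields[:6]
        lhost, lport = _endpoint(local)
        fhost, fport = _endpoint(foreign)
        rows.append(dict(proto=proto, lhost=lhost, lport=lport, fhost=fhost,
                         fport=fport, state=state, pid=int(pid), path=path))
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc` output."""
    services = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line.rstrip())
        if not m or m.group(1).startswith("="):
            continue
        svc = m.group(3).strip()
        names = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        services[int(m.group(2))] = (m.group(1).strip(), names)
    return services


def classify_host(host):
    """'unspecified' for wildcards, else loopback / private (RFC 1918) / external."""
    if host in ("*", "0.0.0.0"):
        return "unspecified"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "external"


def short_lived_bursts(rows, threshold=3):
    """(local port, peer) pairs with many TIME_WAIT rows: a peer repeatedly
    opening and closing connections to one local port, as on 2869 here."""
    counts = Counter((r["lport"], r["fhost"]) for r in rows if r["state"] == "TIME_WAIT")
    return {k: v for k, v in counts.items() if v >= threshold}


def triage(dump_text, tasklist_text):
    rows = parse_port_dump(dump_text)
    services = parse_tasklist_svc(tasklist_text)
    return {
        "rows": len(rows),
        "external": [r for r in rows if classify_host(r["fhost"]) == "external"],
        "established": [(r["pid"], r["fhost"], r["fport"], services.get(r["pid"], ("", []))[1])
                        for r in rows if r["state"] == "ESTABLISHED"],
        "bursts": short_lived_bursts(rows),
        "listeners": sorted((r["proto"], r["lport"], r["pid"]) for r in rows
                            if r["state"] == "LISTENING" or r["proto"] == "UDP"),
    }


if __name__ == "__main__":
    for key, value in triage(PORT_DUMP, TASKLIST_SVC).items():
        print(key, "->", value)
```

Run against the posted dump, the report shows no external foreign address at all, a single ESTABLISHED session from PID 948 to the gateway on 5678, and five TIME_WAIT rows on local port 2869 from the gateway, which is the router polling the UPnP listener, not the machine reaching out. That is the same conclusion Peregian reaches below, but it is reproducible, and the `tasklist /svc` join is what turns a PID into something more meaningful than "SVCHOST.EXE".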
 
Peregian commented:
That looks clean: no external connections, and the 5678 port is connecting to the gateway. I wonder if it could be Universal Plug and Play, if the port keeps incrementing. I think we'll have to go back to a faulty driver. I've got to go out and do a couple of jobs, so I'll be back in a few hours.
 
d_melnyk (Author) commented:
Hi folks:

I'm beginning to think the problem is hardware. I just did a clean load of Windows XP on a new drive in this system as a test and the problem has occurred again. Given that I seem to have constant network activity, I think it may be a bad NIC (or one that is about to fail). I am going to replace it with another one and see if the problem resolves itself.
 
maramom commented:
Did you install updated drivers?
 
onlinerack commented:
Have you also tried Windows Update? I have seen this once, and Windows Update fixed it.
 
d_melnyk (Author) commented:
Hi folks:

Just an update... it appears it was motherboard hardware starting to fail. I couldn't upgrade memory on the system without it going nuts: failing to boot, rebooting, etc. I changed out the power supply, all cards, memory and even the processor, but the weirdness remained. In the end: new motherboard, processor and memory, the $600.00 fix!

Thanks to all who offered advice. I will award split points to those that hung in there trying to help solve this; also some great diagnostic programs and links. Thanks again.

Dave Melnyk
