Two instances Network Service, one Computer

Discussion in 'other software & services' started by Ponnfar, Jan 13, 2005.

Thread Status:
Not open for further replies.
  1. Ponnfar

    Ponnfar Registered Member

    Joined:
    Dec 4, 2003
    Posts:
    6
    Location:
    Philadelphia PA
    I have an interesting thing happen to my internet access from time to time. I both Spywareblaster and Spywareguard on duty. After I have been working with other porgrams and then want to use something other than AOL to access the internet ( like all of the time) I get an error message Page cannot be displayed. I thought it may just be low resources so at that point I usually just reboot and then I can get to the internet, no problem. As you can imagine, this is frustrating. I looked into Windows task manager and saw 2 instances of Svchost.exe - Network Service one about 4,876K the other a little less. Oh, I am on a stand alone computer with no network or other users. I deleted the one using the least memory, 3,860K as an example. Then I was able to get to the internet as if I never had a problem in the first place. Using Mozilla, IE (yuk) or any other prog. What is happening? Is the second instance of Svchost.exe - Network Service related to my Wilder software protection. If not, how do I get rid of these multiple instances? Do I want to, meaning is it part of the protection built in to the system configuration by Windows...yeah right?
    Any Helpo_O
    Thanks!
    :D
     
    Last edited: Jan 14, 2005
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Ponnfar, and welcome to Wilders.

    Svchost.exe is a legitimate Microsoft file and having multiple instances of it (2 and even up to 4) showing in your TaskManager is normal. But this file can also be vulnerable to exploits and infected with a virus, one of them being the W32.Welchia.Worm. There is also a CWS variant that uses the name Network Services and runs a svchost.exe file.

    Could you tell us what your version of Windows is and what other security apps, for example anti-virus, anti-spyware, firewall, etc. you have used to scan your computer with and if any of those programs have identified an infection.

    If you do not have any of those programs, you can go through our General Cleaning Instructions and use the steps and programs listed there to scan your computer with.

    For more information:
    WinTasks Process Library - svchost
    Symantec - W32.Welchia.Worm.
    CastleCops Startup List - Network Services/svchost

    Regards,

    snap

    Note, based on your reply to the above, I will be moving your thread into a more suited forum.
     
  3. Ponnfar

    Ponnfar Registered Member

    Joined:
    Dec 4, 2003
    Posts:
    6
    Location:
    Philadelphia PA
    Well now, Thanks for the response! :D
    I am running, XP Pro SP/2 with Norton Systemworks (Anitivirus), Zonalarm (free edition), your spyware suite (gaurd/ blaster), SpyBot v1.3.1TX, also have a program called Internet Cleanup v 3.0, Adware SE Personal, Adware 6.0 ( for unattended autorun feature purposes), Spy Sweeper, from Steve Gibson's (author of SpinRite, I use to love that program) Website - 3 GREAT individual utilities that:
    1. closes Net Bios
    2. closes Plug and Play networking
    3. DCOM port componet Object Module closing of port 135 (used by Remote Call Procedure re: Port not needed and allows a vulnerablity)
    I also run from the Panda website, a trojan scan once every 6 weeks on average.
    Most importantly, all above mentioned programs are updated and kept current on a regular basis and run on a schedlued basis from task manager if not at system startup like your programs for example.
    No programs have identified any infection trojan or virus. I am still very much open to that posibility (yikes!) however I do not suspect so. I have installation of Java (Sun Micro 4.2_06) and ActivX plug-in installations on "Prompt" and cookies are set to High and individually allowed for websites by me then remembered by Internet Cleanup, not allowed or are deleted at close of session. Memory load at time of not being able to use Internet Explorer, Mozilla or any other program other than AOL9.0(and sometimes not even that, although I can always get to and use the AOL sites and features...oh joy...) to get to the internet is usually at less than 50% (not good) but still have at least 150M of physical ram available on a 512M Ram System and over 1.9G pagefile, 95% avail. at the time of the problem. Again after I delete one of the usually two existing "Schvhost - Net... Ser..." taking the least memory, or reboot I have access to internet as though ther was never a problem.
    As I write this, it is starting to sound to me like a resource issue but I do not want to admit that :doubt:
    I hope I have given you a good background and I hope you can help solve this one for me. Please let me know where on the forum this will be placed so I can subscribe to it.
    Thanks for your help!! :D
    Ponnfar
     
    Last edited: Jan 15, 2005
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Ponnfar,

    I won't move your thread just yet since we haven't ruled out possible program conflicts, but if, or when I do move your thread, I will send you a PM with the link to it's location so you can easily find it. :)

    I am unfamiliar with the program, Internet Cleanup 3.0. and there may be a possible program conflict there since Internet Cleanup does have a real time scanner and browserguard. You could try disabling SpywareGuard for a bit, connect to the internet and surf as you normally would and see if you get the "Page cannot be displayed" error message. Then try the reverse, disabling Internet Cleanup's browserguard and enabling SpywareGuard's protection. If you do not get the "Page cannot be displayed" message while using the programs individually, then we could narrow that error message down a bit to possibily program conflicts between the two. At least we'll see if there is an overlap in protection there, or rule that out completely.

    Another option is to re-check ZoneAlarms settings and make sure there is nothing conflicting there as sometimes that can happen with the install of new programs.

    It does looks like you have kept up-to-date on your security tools, so I'm less suspicious of a malware infection at this point (though I never rule that out completely given how well malware can hide itself now). To be on the safe side, we can check a few things manually. Click on Start --> Run --> type in msconfig then click OK. The "System Configuration Utility" box will pop up. Under the Startup tab, check the list of startup items and confirm for me there is not a "svchost" listed there (there shouldn't be). Also, do a search of your harddive and confirm that the path to svchost.exe is as follows:
    C:\WINDOWS\System32\svchost.exe

    Regarding the two instances of Svchost.exe showing in your TaskManger, I also have two instances and one is usually higher than the other (one hovers around 12,392K and the other around 2,672K depending on what programs I am using.) So the two instances of Svchost.exe you are seeing is quite normal. Since Svchost.exe does handle a "group of services", shutting down one instance of Svchost.exe will result in shutting down that particular group of services, some of which you may need to have running in order for your system to run smoothly. That is why it is recommended to leave the Svchost.exe itself alone and check through your list of Services to see which one's are necessary or not, and disable the unnecessary ones individually. A little bit of reading but well worth it, you can check through the list of services at BlackViper's site where you can find information listed on each service. Again, taking great care not to turn off services that are critical to the OS.

    We've got a few ideas to try first, and hopefully we will be able to find the problem and help you resolve it. :)

    Regards,

    snap
     
  5. Ponnfar

    Ponnfar Registered Member

    Joined:
    Dec 4, 2003
    Posts:
    6
    Location:
    Philadelphia PA
    Oh MAN!!!!! are you on my Christmas list!
    I have only looked at the BlackViper stite and made no changes or anything yet, but that site alone is great! I have for years made changes to the services section of MSCONFIG by trial and error thinking " I should not need this" and now I have a reference to see!! I am glad to see that many of the choices of things I have disabled (Net logon, Net. provisioning, Netmeeting, Remote Registry, and a couple of others) are ok to do.
    Oh, even after coming out of hibernation the problem may occur.
    To clarify, the problem is not with any individual website. If the problem happens, then I have no access ot the internet - period, until I do one of the "fixes". It does not happen while surfing. Could the svchost network service delete "fix" be deleting some of my security settings? Also I have only disabled these services by unchecking the box in MSCONFIG, should I go to the policy editor and make the corresponding changes for each of those functions as well? If so, where do I go - Services, Maintenance, Local Security? You get the idea.
    Thanks for the link and your help!!!
    Ponnfar
     
    Last edited: Jan 16, 2005
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Ponnfar,

    This is defintely a possibility, and I'm thinking the problem may be system or program configuration more and more. (I'll move this thread over into Software & Services <-- done )

    It is not advised to use msconfig to disable services (BlackViper has a warning on his page about that too) but rather go to the service list itself by clicking "Start -> Run -> type in services.msc and go through the list, reading carefully what each service does, and individually change the settings (automatic, manual, or disable) for each service. But before you do anything like that, please read the information on each service carefully as many services will have other services that depend on them to be running. Plus, you don't want to mistakenly disable something critical to booting your computer.

    Regards,

    snap
     
    Last edited: Jan 16, 2005
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Not to get too sidetracked from your initial problem. Ponnfar, could you confirm for me the results of the first questions I asked in Post #4, just so we are sure we are not dealing with something nasty, and overlooked it while talking about services. ;)

    Regards,

    snap
     
  8. Ponnfar

    Ponnfar Registered Member

    Joined:
    Dec 4, 2003
    Posts:
    6
    Location:
    Philadelphia PA
    There is no instance of Svchost listed. How can I see if there is a problem with Zonealarm. It seems to be functioning and I do not see any error messaages pop up or entires in the program. I am not archiving logs but can re-enable. No problems in log viewer. Would re-enabling log archives list the conflicts you mentioned if they did occur? Since I cannot make the problem happen on demand, I will use the steps you recommend the next time it occurs.
    Hopefully that will not be for a while...
    Thanks
    Ponnfar
     
    Last edited: Jan 16, 2005
Loading...
Thread Status:
Not open for further replies.