Topic: I've got 100% CPU after upgrading to avast 4.8, too

davorl (Newbie)
I've got 100% CPU after upgrading to avast 4.8, too
« on: April 01, 2008, 09:25:04 PM »
Something is wrong with the latest avast (home) program update [4.8]: approximately 2 minutes after boot, ashServ.exe starts using 100% CPU and the PC becomes unresponsive (it takes 30 seconds to open the start menu, for example). After a *lot* of time (more than 20-30 minutes) it goes back to normal.
Interestingly, if I manage to switch off the standard shield, CPU usage remains at 100% but the system becomes responsive (although a little slower than usual).
I tried to completely uninstall Avast and do a fresh install but the result is the same.
OS is Windows XP SP2 (with the latest security updates).
Only standard shield was active, and sensitivity was set to Normal.
The last non-avast antivirus I had was F-Secure, but it was completely removed 3 years ago.
The only other resident security software is Kerio Personal Firewall 2.15, but it coexisted peacefully with avast for years.
No problems detected in Windows' Event Viewer or in the avast log files.
No recent software or driver installation other than avast 4.8.

Avast home is free, so I have absolutely no right to ask for a fix, but indeed I hope that this problem will be corrected, since I like avast more than any other free or non-free antivirus :)

Thank you for your patience and please forgive my bad English.
Bye,
 Davide

DavidR (avast! Überevangelist)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #1 on: April 01, 2008, 09:49:16 PM »
Is the avast icon rotating when this is going on?

It might be helpful to see what is being scanned.

This option, 'Show detailed info on performed actions' is off by default, so you will need to enable it.



How long had you had avast prior to the 4.8 update?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

davorl (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #2 on: April 02, 2008, 07:14:30 PM »
Quote
Is the avast icon rotating when this is going on?
It might be helpful to see what is being scanned.
This option, 'Show detailed info on performed actions' is off by default, so you will need to enable it.

Apparently, nothing is being scanned when the ashServ process jumps to 100% cpu. The avast icon is still, and no filename popup appears during the previous and following 15-20 seconds.
So maybe it's not a scan-related problem.

Other things I've just tried:
- setting "disable avast! self defense module", "disable rootkit scan on system startup" and "delay loading of avast! services after other system services".
- adding all drives to the exclusion list
- disabling automatic virus database update

Quote
How long had you had avast prior to the 4.8 update ?

Since October 2005. I've never had a single problem.
Bye,
 Davide

DavidR (avast! Überevangelist)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #3 on: April 02, 2008, 07:26:58 PM »
What you tried in the troubleshooting section has zero bearing on on-access scanning by the standard shield.

Re. excluding drives, there are two exclusion lists, on-demand (Program Settings, Exclusions) and on-access (Standard Shield, Customize, Advanced, Add); the first has no impact on the second. If you did add it correctly to the standard shield (totally inadvisable, as you are unprotected), then I would have to ask what was the path you put in to exclude the drives?

Did you try what I suggested on 'Show detailed info on performed actions' to see what is/was being scanned ?

I would suggest a clean reinstall and see if that resolves the problem because for some reason the standard shield seems to have stalled, but it would be nice if you could identify what file it was scanning.

Download the latest version of avast http://www.avast.com/eng/download-avast-home.html and save it to your HDD, somewhere you can find it again. Use that when you reinstall.

Download the avast! Uninstall Utility, find it here and save it to your HDD.
Now uninstall (see below), reboot, run the uninstall utility, reboot, install the latest version, reboot.

It may be necessary to disable the avast! Self-Defence module (Program Settings, Troubleshooting section) if you are unable to uninstall using the Add Remove Programs before running the Uninstall Utility. Or, boot into safe-mode and start aswClear.exe from there.

davorl (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #4 on: April 02, 2008, 08:36:56 PM »
Quote
Re. excluding drives, there are two exclusion lists, on-demand (Program Settings, Exclusions) and on-access (Standard Shield, Customize, Advanced, Add); the first has no impact on the second. If you did add it correctly to the standard shield (totally inadvisable, as you are unprotected), then I would have to ask what was the path you put in to exclude the drives?

I discovered that on-demand exclusion has no effect on resident protection just after writing the post :)
I've just tried now. I'm using ?:* as a path (it seems to exclude all drives as expected).
About leaving me unprotected: I have to do it, because I can't do anything with my PC until I disable avast. Indeed, I'm going to uninstall the software again after writing this post.
But I'm not too worried, I only got a single virus warning from avast in several years (when deleting a suspect file ;)  ). I'm quite paranoid about security.

Quote
Did you try what I suggested on 'Show detailed info on performed actions' to see what is/was being scanned ?

Yes, as I said before, NO FILE is being scanned when ashServ starts sucking processor time. After boot I see several yellow popups in the bottom-right corner, when msoffice quickstart, etc. get executed. Then I wait 120 seconds. During that time a few more popups appear, but when the task manager shows ashServ rising to 100% CPU no popup appears and the "A" icon is still.

After adding all drives to the on-access exclusion list I get no yellow popup and no icon rotation AT ALL, so I assume the scanning process is not directly responsible for the high cpu usage (but see below).

Quote
I would suggest a clean reinstall and see if that resolves the problem because for some reason the standard shield seems to have stalled

I already did that, two times. Both times I uninstalled using the normal uninstaller, restarted, then used the uninstall utility and restarted again, just to be sure.

The strange thing is that ashServ uses 100% cpu even when standard shield is NOT running. But, in the latter case, the system is just slower than usual instead of utterly unresponsive as when standard shield is running.

Second strange thing: after approx. 15 minutes cpu usage drops to normal levels. Then I can freely turn on or off standard shield and nothing changes (until I restart windows).
But if I stop and restart the "avast! antivirus" service from administrative tools > services, then after another 120 seconds cpu usage jumps to 100% again.
Bye,
 Davide

Vlk (Global Moderator, ALWIL Software)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #5 on: April 02, 2008, 09:04:24 PM »
It's clearly the automatic rootkit scan. It is starting (by default) 2 minutes after the service is launched.

On a "normal" system, it only takes a couple of seconds to complete. If it takes 15 minutes in your case, it is definitely worth investigating.

BTW you can disable this startup scan in avast settings -> Troubleshooting page.


Anyway, let's try running the rootkit scan from the GUI and see what happens (e.g. what files are scanned, why it takes so long etc).
To do this, please run the following:

<avast-path>\ashQuick.exe "<RTK>SUPERQUICK"


Bye & thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

davorl (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #6 on: April 02, 2008, 09:23:38 PM »
Quote
It's clearly the automatic rootkit scan. It is starting (by default) 2 minutes after the service is launched.
(...)
<avast-path>\ashQuick.exe "<RTK>SUPERQUICK"

Bingo!
It hangs on "d:\windows\system32\drivers\wudfRd.sys". Even if I click "cancel" the window vanishes, but the ashQuick process remains alive and eating 100% CPU.

Quote
BTW you can disable this startup scan in avast settings -> Troubleshooting page.

Uhmmm... it was already disabled (it was one of the first options I tried). Maybe that setting doesn't work very well. ;)

Quote
Ciao & grazie

Thanks to you for dedicating your time to helping users :D
Bye,
 Davide

Vlk (Global Moderator, ALWIL Software)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #7 on: April 02, 2008, 09:41:28 PM »
Quote
It's clearly the automatic rootkit scan. It is starting (by default) 2 minutes after the service is launched.
(...)
<avast-path>\ashQuick.exe "<RTK>SUPERQUICK"

Bingo!
It hangs on "d:\windows\system32\drivers\wudfRd.sys". Even if I click "cancel" the window vanishes, but the ashQuick process remains alive and eating 100% CPU.

Hmm, it may actually be the file immediately following the one that's displayed on the screen (i.e. the screen shows the last file scanned). Anyway, could you please create a memory dump of the ashQuick.exe process while it's hung? I know that it may be quite difficult if your system only has 1 CPU/core (as ashQuick.exe will be taking all the CPU power) but you'll have 15 minutes ;)

To create the dump, you'll first have to disable the avast self-protection module. Then download this little proggie http://public.avast.com/~vlk/userdump.exe

and once the problem is simulated, run

userdump ashQuick.exe c:\ashQuick.dmp

This will create a file ashQuick.dmp in C:\. Zip it and upload it to ftp://ftp.avast.com/incoming (please note that you won't have READ access to the ftp site, just WRITE).

Quote
Uhmmm... it was already disabled (it was one of the first options I tried). Maybe that setting doesn't work very well. ;)


Hmm, well this means that there's probably some bug with this setting. I'll have this checked. Thanks.


Quote
Thanks to you for dedicating your time to helping users


OK now, not that I don't understand what you're saying, but my sorry Italian doesn't allow me to follow up amusingly enough, so let me just say "Buona notte" (good night) and log off. :) BTW you're from Milano?


Cheers
Vlk

davorl (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #8 on: April 03, 2008, 07:29:24 PM »
Quote
Anyway, could you please create a memory dump of the ashQuick.exe process while it's hung? I know that it may be quite difficult if your system only has 1 CPU/core (as ashQuick.exe will be taking all the CPU power) but you'll have 15 minutes ;)

Ok, I managed to do that by lowering the priority of the cmd window before launching quickscan.
I'm uploading the dump right now.
I added a log of quickscan's I/O, recorded using SysInternals' FileMon; I don't know if it can help or not.
Filename is "davorl-ashQuick_rtk_scan_hangs-20080403_b.zip".
UPDATE: You will find an incomplete file (without "_b"): my connection died for a few seconds and the "write only" settings of the server prevented me from resuming the transfer or deleting the partial file.

Quote
BTW you're from Milano?

I was born in Milano, but I have lived in Salsomaggiore (a small town near Parma) for... well, a long time. :)

I'm curious, how did you discover I'm from Italy? By checking the IP, or is it just so apparent from my English?

Bye,
 Davide

pjb (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #9 on: May 13, 2008, 09:40:01 PM »
I am experiencing the same problem. Namely, a few minutes after starting up, Windows x64 SP2 hangs. Task manager shows ashserv.exe using 100% CPU. This high CPU usage lasts around five minutes.

After upgrading to 4.8.1195 I have disabled the rootkit scan and the problem does not occur (so the disable option does work in the latest version).

Running "..\ashQuick.exe"  "<RTK>SUPERQUICK" I see the scan appears to hang scanning wudfrd.sys and then again on SVC: {92628D44-060B-4E8F-84BE-0D6FE0C861D9}.

I performed a logged antivirus scan and it also hangs in the same places.  Here is an extract from the log so you can see the files that come before and after the ones mentioned:

C:\WINDOWS\system32\DRIVERS\WudfPf.sys  is OK
C:\WINDOWS\system32\DRIVERS\wudfrd.sys  is OK -- long hang here
C:\WINDOWS\system32\svchost.exe  is OK
C:\WINDOWS\System32\svchost.exe  is OK
C:\WINDOWS\System32\svchost.exe  is OK
SVC: {02D1D56D-2CFD-43E7-BB2E-471D959891C8}  is OK
SVC: {116CA12C-2BE3-4C96-96BB-306CF86A09A6}  is OK
SVC: {6B53E385-8DB0-4CA4-9D56-6CBC18C3F252}  is OK
SVC: {772142AA-53A3-46EC-A5F8-BE29EC00238C}  is OK
SVC: {92628D44-060B-4E8F-84BE-0D6FE0C861D9}  is OK -- long hang here
Disk C: Boot Record is OK
Disk 0 Master Boot Record is OK
C:\ad2mcmpgdec.dll  is OK
C:\ad2mpegin.dll is OK

I have also sent a mini dump (from hangrep) of ashQuick while it was scanning wudfrd.sys to the incoming ftp site.  The file name is "RTKSUPERQUICK cpu hog ashQuick.exe.zip"

Please let me know if I can provide any more assistance.
« Last Edit: May 13, 2008, 09:49:51 PM by pjb »

Vlk (Global Moderator, ALWIL Software)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #10 on: May 13, 2008, 10:32:44 PM »
Wow, that's what I call a comprehensive report. Thanks. :)

Now, we took a look at the dump and it seems it's not really _stuck_ anywhere - the code is simply parsing some registry structures (which it is supposed to do).

It may be that your registry is somehow strange, causing the parser to take a long time to complete. Could you please try sending us the system hive file of your registry so that we can try to simulate the problem in our lab?

It's the file called C:\Windows\System32\Config\SYSTEM (with no extension). The problem is that the file is locked (even for read access) at all times while Windows is active. One way to access (copy) the file is to boot from an external medium (e.g. a bootable CD); however, I'm not sure how proficient you are with computers and whether you have such a bootable CD that you could use (e.g. the BART PE one).

What we could also try is to have regedit do an export of the hive. Right-click HKLM\System, and select Export; in the Save As Type field, select "Registry Hive Files".

Unfortunately, this doesn't create a 1:1 copy of the original hive file, but it is possible that even with this "filtered" hive the problem would be reproducible in our lab.

BTW you can upload the hive file to our ftp site, just as you did in case of the dump.


Thanks!
Vlk

Vlk (Global Moderator, ALWIL Software)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #11 on: May 13, 2008, 10:44:25 PM »
BTW could you please check out what's inside the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache key?

Thanks
Vlk

pjb (Newbie)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #12 on: May 14, 2008, 09:45:07 PM »
Sorry for the delay...

I have had a look under the MediumCache key and found a lot of subkeys, here is the top of the exported key file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache\{174dacfe-14c3-44a8-b426-d61980a79634}-E98B7FA8-0]
"\\\\?\\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{a799a801-a46d-11d0-a18c-00a02401dcd4}\\GLOBAL"=dword:00000001
"\\\\?\\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\\GLOBAL"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache\{174dacfe-14c3-44a8-b426-d61980a79634}-E9A56668-0]
"\\\\?\\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{a799a801-a46d-11d0-a18c-00a02401dcd4}\\GLOBAL"=dword:00000001
"\\\\?\\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{65e8773d-8f56-11d0-a3b9-00a0c9223196}\\GLOBAL"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache\{174dacfe-14c3-44a8-b426-d61980a79634}-E9C5A668-0]
"\\\\?\\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{a799a801-a46d-11d0-a18c-00a02401dcd4}\\GLOBAL"=dword:00000001

Basically it goes on like that for 34893 lines!

I exported the MediumCache key, deleted it and then recreated it.

Running ashQuick.exe "<RTK>SUPERQUICK" no longer hangs at wudfrd.sys; it flies through to SVC: {92628D44-060B-4E8F-84BE-0D6FE0C861D9}, where it hangs as before.

I have sent a dump from hangrep of the process at this point, the file is named "RTKSUPERQUICK cpu hog part 2 ashQuick.exe.zip" - hope that this helps.

Update...

After rebooting to get the system hive, I retried ashQuick.exe "<RTK>SUPERQUICK"  and it completed in a few seconds!

So it looks like the excessive number of entries under MediumCache was the cause.
Tracked the multiple entries down to the btwincap driver for x64: every reboot was generating another duplicate set of entries under MediumCache. I uninstalled the driver and now I don't have any entries under MediumCache, so I think that it should be a permanent fix.


Thanks for your help resolving this Vlk.
« Last Edit: May 14, 2008, 11:36:41 PM by pjb »
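An added example, not code from the thread, from ALWIL or from avast: a small Python parser for a regedit 5.00 export of the MediumCache key. It counts the subkeys per GUID prefix and per PnP device instance referenced in their values, so the kind of per-boot accumulation pjb describes (34893 lines, one more set of entries after every reboot) can be measured from the .reg file instead of scrolled through. The key path and the first device path are taken from the export quoted above; the second device, the subkey suffixes, the number of duplicates and the threshold of 10 are constructed for this example. regedit writes .reg exports as UTF-16, so decode the file as UTF-16 before passing its text in.

```python
import re
from collections import Counter

# Key the thread traced the slow rootkit scan to (registry path from the posts above).
MEDIUMCACHE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediumCache"

# Subkey names seen in pjb's export: {GUID}-<hex>-<n>, e.g. {174dacfe-...}-E98B7FA8-0
SUBKEY_RE = re.compile(
    r"^(\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})-([0-9A-F]+)-(\d+)$", re.I)


def parse_mediumcache(reg_text):
    r"""Return {subkey_name: [value_name, ...]} for subkeys directly under MediumCache.

    reg_text is the decoded text of a "Windows Registry Editor Version 5.00" export
    (regedit writes it as UTF-16; decode before calling). Value names are unescaped,
    i.e. the doubled backslashes regedit writes (\\\\?\\PCI#...) become \\?\PCI#...
    """
    prefix = MEDIUMCACHE.lower() + "\\"
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(prefix):
                current = path[len(prefix):]
                keys.setdefault(current, [])
            else:
                current = None          # the MediumCache key itself, or an unrelated key
        elif current is not None and line.startswith('"'):
            end = line.rfind('"=')      # closing quote of the value name
            if end > 0:
                keys[current].append(line[1:end].replace("\\\\", "\\"))
    return keys


def device_instance(value_name):
    r"""Map a value name such as
        \\?\PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4#{iface-guid}\GLOBAL
    to the PnP device instance path PCI\VEN_109E&...\4&1c88b56&0&00A4, or None if the
    name is not in that device-interface form.
    """
    if not value_name.startswith("\\\\?\\"):
        return None
    body = value_name[4:]
    cut = body.find("#{")               # interface GUID starts here; before it is the device
    if cut < 0:
        return None
    return body[:cut].replace("#", "\\")


def summarize(keys):
    """Count MediumCache subkeys per GUID prefix and per device instance they reference."""
    by_prefix, by_device, unparsed = Counter(), Counter(), []
    for name, values in keys.items():
        m = SUBKEY_RE.match(name)
        if m:
            by_prefix[m.group(1).lower()] += 1
        else:
            unparsed.append(name)
        # one increment per subkey, even when several values name the same device
        for dev in {d for d in map(device_instance, values) if d}:
            by_device[dev] += 1
    return {"subkeys": len(keys), "by_prefix": by_prefix,
            "by_device": by_device, "unparsed": unparsed}


def bloated_devices(summary, threshold=10):
    """Devices referenced by more than `threshold` subkeys, largest first.

    A driver that re-registers its interfaces on every boot (the thread's btwincap case)
    leaves one extra set of subkeys per reboot. The threshold is an assumption made for
    this example, not a documented limit.
    """
    hits = [(dev, n) for dev, n in summary["by_device"].items() if n > threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# --- constructed sample input -------------------------------------------------------
# The first device path is copied from pjb's export; the second device, the subkey
# suffixes and the number of duplicates are made up for this example.
CLASS_GUID = "{174dacfe-14c3-44a8-b426-d61980a79634}"
PJB_DEVICE = r"PCI#VEN_109E&DEV_036E&SUBSYS_13EB0070&REV_02#4&1c88b56&0&00A4"
OTHER_DEVICE = r"PCI#VEN_1234&DEV_5678&SUBSYS_00000000&REV_01#3&267a616a&0&10"
IFACE_A = "{a799a801-a46d-11d0-a18c-00a02401dcd4}"
IFACE_B = "{65e8773d-8f56-11d0-a3b9-00a0c9223196}"


def reg_value_line(device, iface_guid, data):
    """One value line in regedit 5.00 syntax (backslashes in the name are doubled)."""
    name = "\\\\?\\%s#%s\\GLOBAL" % (device, iface_guid)
    return '"%s"=dword:%08x' % (name.replace("\\", "\\\\"), data)


def make_sample(dupes):
    """A .reg export with `dupes` subkeys for PJB_DEVICE (one per simulated boot) plus
    one subkey for OTHER_DEVICE."""
    out = ["Windows Registry Editor Version 5.00", "", "[%s]" % MEDIUMCACHE]
    for i in range(dupes):
        out += ["", "[%s\\%s-%08X-0]" % (MEDIUMCACHE, CLASS_GUID, 0xE98B7FA8 + 0x1A000 * i),
                reg_value_line(PJB_DEVICE, IFACE_A, 1),
                reg_value_line(PJB_DEVICE, IFACE_B, 0)]
    out += ["", "[%s\\%s-DEADBEEF-0]" % (MEDIUMCACHE, CLASS_GUID),
            reg_value_line(OTHER_DEVICE, IFACE_A, 1)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = summarize(parse_mediumcache(make_sample(12)))
    print("subkeys under MediumCache:", report["subkeys"])
    for dev, n in bloated_devices(report):
        print("%5d subkeys -> %s" % (n, dev))
```

Against a real export, a device whose subkey count grows by the same amount after each reboot is the driver to look at, which is how pjb narrowed the problem down to btwincap; deleting the key, as pjb did, clears the symptom but the count will climb again until that driver is fixed or removed.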

Vlk (Global Moderator, ALWIL Software)
Re: I've got 100% CPU after upgrading to avast 4.8, too
« Reply #13 on: May 15, 2008, 07:18:46 AM »
Quote
Update...

After rebooting to get the system hive, I retried ashQuick.exe "<RTK>SUPERQUICK" and it completed in a few seconds!

So it looks like the excessive number of entries under MediumCache was the cause.
Tracked the multiple entries down to the btwincap driver for x64: every reboot was generating another duplicate set of entries under MediumCache. I uninstalled the driver and now I don't have any entries under MediumCache, so I think that it should be a permanent fix.

Actually, in the last VPS update, we made some changes so that we actually skip these unnecessary keys. So it may not be a coincidence that after a reboot (and a VPS update), everything went now smoothly.

Thanks for your help :)
Vlk

 
