Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ashguy on September 15, 2008, 03:29:39 AM
-
Every few days the System and ashWebSv.exe process start using about 40-50% CPU each. I am not sure what starts this problem, but I am using Firefox typically when it happens and suddenly the sites are somewhat accessible with many not working at all. I attempted to search this forum for a similar case but could not find one.
I did notice that I should check to see what it is scanning. I have been using FileMon previously, but did not think of using the "avast! On-Access Scanner" window. Next time it does this I will check.
Unfortunately, I had already attempted to stop the process using the services.msc and using "Stop On-Access Protection" from the right click menu. By the time I checked the On-Access Scanner (I will do this first next time), it showed the process as not running (even though it still was) and the only option was "Terminate" which did not work. Interestingly, after I clicked Terminate it allowed me to click Start again, but that did not seem to have any effect on the running processes.
FYI: I have been using Process Explorer and FileMon to try to determine the cause of the problem. One thing FileMon did show was that AshWebSrv.exe was logging to AshWebSv.ws quite a bit. Even though the size and last modified date of the file were not being updated, the file was getting the following lines over and over:
***Server: too many winsock errors (776). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.
To give you an idea of how much it is writing these messages, the log file was at 3030 lines when it started and it is now at 7942 all with that same error message over and over (with two empty lines in between each set)
I am still able to use the computer just fine, and generally the Web works fine after I start messing with it. The 100% CPU problem doesn't seem to be slowing the machine down at all.
Here are some details:
Windows XP SP3
Core 2 Duo (maybe why my machine isn't slowing down)
Avast Home 4.8.1229
Virus DB 080914-0
Firefox 2.x
Also, I put my computer in stand-by mode quite regularly.
In closing, the AshWebSv.ws is now at 9687 lines :P
-
Help from Lukas will be welcome...
-
I too have been having 50% CPU usage as viewed in the Task Manager. My computer also has a memory leak that gets worse every hour. I end up having to reboot to end the AshWebSv.exe service. This CPU hog is affecting my computer's ability to process heavy graphic images and to run multiple applications.
I have a similar computer to the guy in the original post with about 2GB of memory.
I am using Firefox 3.01, IE 7, etc...
This is a serious issue and needs addressing. If this serious flaw cannot be fixed I will have to uninstall and discontinue using apps from avast.
Any help appreciated.
Thanks.
-
Hi, what about firewalls ? Do you guys have any ? I have seen similar problems with Ashampoo.
-
Do you have any other security program installed and running in background? Antispyware?
Thanks for coming Lukas ;)
-
add another report
ashwebsv.exe is using over 50% of the CPU and "system" is now using the balance.
I have shutdown the providers. No change. 3 hours later ashwebsv is still thrashing.
Can't stop the process from task manager.
Moving to reboot as the final option.
-
Update: It took a few days but it occurred again. I checked the avast! On-Access Scanner window and for "Web Shield" it reported that it last scanned www.telegraph.co.uk, had scanned 35956 and had a runtime of 3:23:39:22. I tried the "terminate" button first this time, but it did not work. The on-access scanner window appears like the provider is closed, but the process is still running in the background.
However, I did verify that I am able to use the internet again after attempting to terminate the process. While it is still running at 50/50% CPU, I am now able to access any site and, of course, post to this forum. One thing I will note, however, is that I am able to access computers on my local just fine even before I attempt to terminate the process. I did not try to access a web site by IP, but I can try that next time it happens. I do however typically access computers on my network via a DNS name that resolves from my router.
Since that log was talking about winsock errors, I attempted to disconnect all network devices in the Network Connections window. After doing that, the System process went back down to near 0% CPU usage. However, the ashwebsv.exe process is still using 50% of the CPU. I have a dual core machine so that is why it only uses 50%.
Update (because I don't feel like rewriting this ;D) -- While the System CPU is now at near 0%, my network connection seems completely dead. ((I started saving this post in a text file when I noticed this))
Update again -- TCPView is showing Ashwebsv.exe with a lot of listening connections open, all on port 12080, which is strange as I don't think it should be able to have two entries in TCPView with the same local IP and port. Here is the detail:
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
<<previous line repeats about 150 times>>
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12720 ESTABLISHED
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12722 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12723 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12721 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12724 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12726 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12719 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12735 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12727 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12728 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12718 CLOSE_WAIT
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12733 CLOSE_WAIT
As always, the following entry is appearing quickly in the ashwebsv.ws log file:
***Server: too many winsock errors (64368). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.
The log is now at over 26000 lines. I think I might set up a 'tail -f' to cronolog to get an idea of when these entries are appearing. If they have been appearing over the last week, it may be something that has to build up over a few days to take effect.
((Edit: I did not restart my computer until after I finished the entire above post. Made a small edit to make sure it did not seem like I saw the TCPView errors after I restarted, when in fact I saw them before I restarted.))
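An added triage example, not part of the original post or of avast's tooling: it takes TCPView/netstat-style lines and AshWebSv.ws-style log text in the formats quoted in this thread and reports duplicate LISTENING entries on one endpoint, CLOSE_WAIT build-up (the peer has closed but the owning process has not released its side), and the re-listen error counter. The sample data is constructed and the `close_wait_limit` threshold is an assumption.

```python
import re
from collections import Counter

# Optional "process:pid" column (TCPView) followed by netstat-style fields.
LINE = re.compile(
    r"^(?:(?P<proc>\S+)\s+)?TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)$"
)
RELISTEN = re.compile(r"too many winsock errors \((\d+)\)")

# Constructed sample, modelled on the line formats shown in the thread.
SAMPLE_SNAPSHOT = """\
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
ashWebSv.exe:3120 TCP 127.0.0.1:12080 127.0.0.1:12720 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:42233 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42234 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42235 CLOSE_WAIT
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
"""
SAMPLE_LOG = """\
***Server: too many winsock errors (776). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

***Server: too many winsock errors (64368). Re-listening the sockets!
"""


def triage(snapshot, log_text="", close_wait_limit=10):
    """Summarise the symptoms reported in the thread from pasted text."""
    listeners, close_wait = Counter(), Counter()
    for raw in snapshot.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, non-TCP rows
        if m["state"] == "LISTENING":
            listeners[m["local"]] += 1
        elif m["state"] == "CLOSE_WAIT":
            close_wait[m["local"]] += 1
    counts = [int(n) for n in RELISTEN.findall(log_text)]
    return {
        # More than one listener row for the same local IP:port is abnormal.
        "duplicate_listeners": {ep: n for ep, n in listeners.items() if n > 1},
        # Many CLOSE_WAIT rows on one endpoint suggest sockets not being released.
        "close_wait_leak": {ep: n for ep, n in close_wait.items()
                            if n >= close_wait_limit},
        "relisten_events": len(counts),
        "max_error_count": max(counts, default=0),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SNAPSHOT, SAMPLE_LOG, close_wait_limit=3))
```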
-
@lukor & Tech: I use the Windows firewall. I am running no other security software except for PeerGuardian which I have had disabled for a few weeks (it is running though). I am also running Hamachi.
After I installed SP3 I stopped being able to use remote desktop. Not sure if that's related.
Also, I am running a tail -f on that .ws log file with cronolog to get an idea of how early these entries start appearing.
-
Update again -- TCPView is showing Ashwebsv.exe with a lot of listening connections open, all on port 12080, which is strange as I don't think it should be able to have two entries in TCPView with the same local IP and port.
I think that is a reasonable assumption.
How about you give us a baseline screen shot of your TCPView before the problem occurs.
-
Tail of the AshWebSv.ws file:
###
***Server: too many winsock errors (17796). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.
###
Filesize is: 3,354KB and growing...
is there a way to stop this without a reboot?
-
Are you using any P2P software on your system or any streaming connection?
-
Hi,
definitely something went fairly wrong.
The "re-listening the sockets!" error line appears when the accept() in WebShield gives many errors - which usually means something (from our experience it frequently was an LSP-based firewall (probably not now) or other LSP plugin) has corrupted the listening socket inside WebShield. WebShield tries to accept connections in a cycle, blocking on accept() - well, it is select(), but that does not make a big difference - when no connections are waiting. Since the socket is probably corrupted, this happens very quickly with an error code. After a bunch of error results, WebShield concludes that the socket it listens on is corrupted and tries to recover by closing all its sockets and listening again (on a new one).
To me it seems that the same "thing" that corrupts the listening sockets also prevents the socket from being completely closed and this is why it stays in the TcpView log. It seems to me like a corrupted Winsock stack in WebShield's memory. This can happen with Winsock plugins (LSP), but surely it may be a memory corruption of some sort from a different source.
Could you please create a memory dump of WebShield and upload to avast ftp? (you will have to disable avast self-protection to do it).
Have you also tried userdump.exe? (the command-line program)
Sometimes, it works better.
http://public.avast.com/~vlk/userdump.exe
The syntax is
userdump.exe ashWebSv.exe c:\ashWebSv.dmp
(producing dump file in the root of C:\ drive)
Also, make sure you're logged on as administrator before doing this.
I assume WebShield will be cycling in the listen/accept/error/re-listening branch, eating all available CPU it gets, but it will at least tell us what other (if any) software is loaded inside WS.
thanks.
lukas
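An added sketch of the accept/error/re-listen cycle described in the post above; it is not avast code. A closed socket stands in for the corrupted listener, and the exponential backoff, the re-listen cap and all threshold values are assumptions added to show how such a loop can avoid spinning a core when every accept() fails instantly.

```python
import socket
import time


def healthy_listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # ephemeral loopback port (the thread's proxy used 12080)
    s.listen(16)
    s.settimeout(0.05)         # an idle accept() ends as a timeout, not an error
    return s


def broken_listener():
    # Stand-in for the corrupted handle: accept() on it fails immediately
    # (EBADF on POSIX; Winsock reports the same condition as error 10038).
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.close()
    return s


def accept_loop(make_listener, rounds, max_errors=5, max_relistens=3,
                base_delay=0.01, sleep=time.sleep):
    """Run up to `rounds` accept attempts; all thresholds are assumed values."""
    stats = {"accept_errors": 0, "relistens": 0, "idle": 0, "gave_up": False}
    listener = make_listener()
    streak = 0
    for _ in range(rounds):
        try:
            conn, _peer = listener.accept()
            conn.close()
            streak = 0
        except socket.timeout:
            stats["idle"] += 1          # nothing waiting: normal, not a fault
            streak = 0
        except OSError:
            stats["accept_errors"] += 1
            streak += 1
            # Back off so instant failures cannot monopolise a core.
            sleep(min(base_delay * 2 ** streak, 1.0))
            if streak >= max_errors:
                if stats["relistens"] >= max_relistens:
                    stats["gave_up"] = True   # stop and surface the fault
                    break
                listener.close()
                listener = make_listener()    # "re-listening the sockets"
                stats["relistens"] += 1
                streak = 0
    listener.close()
    return stats


if __name__ == "__main__":
    print(accept_loop(broken_listener, rounds=1000, sleep=lambda d: None))
```

With a listener that stays broken, the loop ends after a bounded number of errors and re-listens instead of logging and retrying indefinitely.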
-
C:\>userdump.exe ashWebSv.exe c:\ashWebSv.dmp
User Mode Process Dumper (Version 1.0)
Copyright (c) 1999 Microsoft Corp. All rights reserved.
Dumping process 1640 (ashWebSv.exe) to
c:\ashWebSv.dmp...
The process could not be dumped.
Access is denied.
###
I was logged in as administrator
-
Self protection turned off ?
-
Dump is 357,073 lines.... is there somewhere I should e-mail it?
-
Dump is 357,073 lines.... is there somewhere I should e-mail it?
Yes, mail it. Better, zip the file and send the archive ;)
-
The dump is a binary file, so I'm not sure how you count the number of "lines". I'd say it should be rather big to be sent by e-mail...
I suggest uploading it to our FTP: ftp://ftp.avast.com/incoming
-
I want to report High CPU use from ashWebSv, but only of Avast! 4.8. ashWebSv of Avast! 4.7 is just working fine, with normal CPU use.
-
uploaded to incoming FTP 97.03MB :-) Have fun with it.
-
my money is on a p2p program that is starting those connections.
-
that would be a good guess... if I ran a P2P program on my systems. I run
1) secure shell
2) firefox 3.0
3) thunderbird
4) FTP.
Heck I don't even run yahoo or aim much less a p2p.
-
Hello again. This is how ashwebsv looks by me. Also, I've uploaded my firewall log, so that you can see what ashwebsv is trying to do.
-
I experienced this problem again last night at home, but I had decided not to post about it.
However, today I have experienced this problem at work. Also Windows XP but SP2 and very different hardware and software installed. The avast! On-Access Scanner reported that it had last scanned www.veoh.com/dwr/exec (it may have been longer but this is all I could see).
The same entries are appearing in the AshWebSv.ws log and TCPView shows the same odd number of listening entries all on the same IP/port.
-
I have been facing this problem for some days now and thought i could live with it until it got fixed or something but now it starts getting really irritating. It happens every day now and the only solution is to restart my computer. It always happens when i have firefox 3 (almost all the time) open and as other people said i have lots of connections in netstat when this occurs. It seems that this number keeps increasing (because i have connections like this even before ashwebsv starts hitting 50% cpu usage) and at some point when this becomes really big the problem occurs.
TCP 127.0.0.1:12080 127.0.0.1:42233 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42234 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42235 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42236 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42237 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42238 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42239 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42245 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42250 CLOSE_WAIT
TCP 127.0.0.1:12080 127.0.0.1:42256 CLOSE_WAIT
and so on.
I currently disabled avast (not uninstalled) hoping that you are looking into the problem. Can you please confirm you are looking into the problem and if you think it can/will be solved some time soon?
Thanks.
-
Firefox will keep the connections open to increase speed.
High memory and CPU consumption is one of the reasons I do not use Firefox.
IE7 with IE7Pro works just as good without the Firefox problems.
By the way, TCPView will show you more information:
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
-
So, let me see if I understand this.
It's not a problem with avast webshield. Even though it didn't happen in a prior version and does in the latest version.
It is a problem with Firefox even though the problem didn't exist in the old version with Firefox, but does in the new version.
Wow! Thanks for clearing that up.
Firefox doesn't change, webshield does, and the problem is Firefox's fault.
As a former CTO, you don't mind if I say that is the weakest excuse I have ever heard and I feel that it is a totally bogus response.
-
Couldn't Lukas drop some light here?
-
I want to report that I have the same problem, but Task Manager gives me 80-90% of CPU usage and the process ashWebSV.exe takes all resources.
only reboot solves problem for a while.
Could somebody give us a recommendation for solving this problem
i'm using Dell inspiron 6400, T2300, 2GB RAM , progs: firefox 3.01. chrome, IE7. emule.
-
Can somebody to answer to this problem? avast tech. stuff are u here????
-
avast tech. stuff are u here????
Couldn't Lukas drop some light here?
It's beyond my knowledge. I need Lukas here...
-
on September 20, 2008 I uploaded the dump file to the FTP site. Did anyone even try to see what it showed?
If this is a FF issue with the latest version of avast, the answer seems to be "stop using webshield", but that's just a kluge. The real answer may be hidden in the dump I sent, but since no one ever said if they grabbed it or looked at it, it seems we will never know.
That's too bad. :-[
-
Hello Met,
sorry, we have indeed looked at the dump. WebShield cycles in the listen / accept code, with errors returned by WinSock. The reason why WinSock (or some other component) refuses to provide sockets for WebShield is beyond the dump. :(
Lukas
-
Thank you for letting me know that it was not a dump in vain.
-
right now, avast's ashwebsv.exe takes 62,590K and CPU 39-78
i stopped all processes and switched them again. but pc slows down, sites didn't open right away. only reboot will solve the problem.
-
right now, avast's ashwebsv.exe takes 62,590K and CPU 39-78
i stopped all processes and switched them again. but pc slows down, sites didn't open right away. only reboot will solve the problem.
It is only using 12,140K currently with a Peak Mem Usage of 35,264K for me but then I do not use Firefox.
-
I'm having much the same problem with Avast! eating up tonnes of CPU time and making browsing in Firefox less than ideal. So far the only solution is a reboot. Not all that cool when I'm having to do this multiple times a week.
I demoed this product for a couple weeks and didn't see any real issue with this and thus purchased a bunch of licenses for the machines here at work.
All machines running XP current, of varying hardware specs. All running Firefox 3.0.x, and Internet Explorer has been banned from use as per corporate policy (my policy).
I need a resolution sharpish.
For what it's worth, I've reinstalled the software about 3 billion times (it feels) and the problem seems to be getting worse. This seems to be affecting FF a whole lot more than IE (I can't say I've heard complaints about it affecting IE, but the users know that they aren't to use IE for anything other than one specific task). Disabling the webshield wouldn't be an optimal solution as that was one of the reasons I went with Avast.
I will perform a dump of the process the next time it inevitably happens.
-
At this point, we have shown a number of users are having the problem. We have shown that it is happening on XP platforms using FF. We have shown that it is NOT intermittent.
And now we know that it is not just us freebies, but the same problem is showing up in the purchased product.
Now, I don't work at Avast, but I am a former CTO. If I was the Avast CTO I would get a few computers with configurations that matched those that have reported the problem and set them up to duplicate it. Then I would take a few of my top engineers and look at the changes that were made in the CVS to see what portions of the code that were changed could be generating the defect. This is what you do when you have a baseline that works, and then a release that doesn't. It's not rocket science, it's computer science and it's why we have change control systems. They allow us to see just what was changed to take a working system and make it a broken one.
What is not going to work, for our friend in Canada or for many others, is taking a head-in-the-sand attitude that somehow the changes made to the code are the users' fault, and that the failure is on our part.
No anger here, just a deep sense of frustration that it has been over two months and it appears that Avast is saying to us "Too bad, learn to live with it." :-X
-
Does the latest beta (http://forum.avast.com/index.php?topic=39392.0) behave better?
-
Can't say I've tried. I don't like running beta on production machines, especially ones that do real work.
-
Can't say I've tried. I don't like running beta on production machines, especially ones that do real work.
Which avast version are you using?
-
Doesn't really matter... I know the behavior of the beta has been changed slightly. Whether it helps - is unknown (as it's certainly not reproducible here)... so you'll see after the final release is out.
-
I'm running dd-wrt firmware on a Linksys WRT 300n v1.0 router as well as Firefox 3.0, Google Chrome, IE7 and Avast 4.8.1335.
I've been having problems with an excessive number of TCP connections being opened, which has been bringing the router down - around 2-2,500 at a time. I had attributed this to P2P software - Torrents, but investigation with WallWatcher logging the router's activity showed TCP ports being opened continually.
Running SysInternals TCPView on the pc which was causing the problem - an up-to-date XP SP3 box - showed the culprit to be Avast (Process: [System]:0, Local Address: 127.0.0.1:12080) cycling through every TCP port (Remote Address in TCPView) from 127.0.0.1:1000 - 4999 and opening connections.
The router is set to close unused TCP connections after 90 seconds, but sometimes that isn't fast enough.
Closing Firefox stopped the problem. I was also running Google Chrome and IE7. Stopping Chrome also appeared to reduce the problem; IE7 is still running with one tab. Stopping Avast (and leaving IE7) cut the number of TCP connections (mostly 127.0.0.1:12080 and State TIME_WAIT) by about 115 to 45 or so.
Running Avast with IE7 and a couple of tabs seems fine. I had a lot of tabs open in Chrome and Firefox.
-
I don't have a problem with high CPU from system on any of my systems but I have adequate RAM and enough CPU power to run IE8 with several tabs open.
Looks like I have 6 open IE sessions on Vista and 6 on XP Pro but I have tweaked IE to use 10 sessions when needed.
I don't use the P2P monitoring module as I don't need it nor any P2P application as they are the easiest way for an infection to slip in attached to a torrent file:
Read:
Perils of P2P File Sharing
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/305923-perils-p2p-file-sharing.html
I don't use Google Chrome nor Firefox as they use too many open connections to achieve speed plus I just don't like them.