Author Topic: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.  (Read 34689 times)

0 Members and 1 Guest are viewing this topic.

ashguy

  • Guest
Every few days the System and ashWebSv.exe process start using about 40-50% CPU each. I am not sure what starts this problem, but I am using Firefox typically when it happens and suddenly the sites are somewhat accessible with many not working at all. I attempted to search this forum for a similar case but could not find one.

I did notice that I should check to see what it is scanning. I have been using FileMon previously, but did not think of using the "avast! On-Access Scanner" window. Next time it does this I will check.

Unfortunately, I had already attempted to stop the process using the services.msc and using "Stop On-Access Protection" from the right click menu. By the time I checked the On-Access Scanner (I will do this first next time), it showed the process as not running (even though it still was) and the only option was "Terminate" which did not work. Interestingly, after I clicked Terminate it allowed me to click Start again, but that did not seem to have any effect on the running processes.

FYI: I have been using Process Explorer and FileMon to try to determine the cause of the problem. One thing FileMon did show was that AshWebSrv.exe was logging to AshWebSv.ws quite a bit. Even though the size and last modified date of the file was not being updated, the file was getting the following lines over and over:

***Server: too many winsock errors (776). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

To give you an idea of how much it is writing these messages, the log file was at 3030 lines when it started and it is now at 7942 all with that same error message over and over (with two empty lines in between each set)

I am still able to use the computer just fine, and generally the Web works fine after I start messing with it. The 100% CPU problem doesn't seem to be slowing the machine down at all.

Here are some details:

Windows XP SP3
Core 2 Duo (maybe why my machine isn't slowing down)
Avast Home 4.8.1229
Virus DB 080914-0
Firefox 2.x

Also, I put my computer in stand-by mode quite regularly.

In closing, the AshWebSv.ws is now at 9687 lines :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #1 on: September 16, 2008, 03:58:28 AM »
Help from Lukas will be welcome...
The best things in life are free.

MrFixit

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #2 on: September 19, 2008, 02:41:11 PM »
I too have been having 50% CPU usage as viewed in the Task Manager.  My computer also has a computer memory leak that gets worse every hour.  I end up having to reboot to end the AshWebSv.exe service.  This CPU hog is affecting my computers ability to process heavy graphic images and to run multiple applications.

I have a similar computer to the guy in the original post with about 2GB of memory.
I am using Firefox 3.01, IE 7, etc...

This is a serious issue and needs addressing.  If this serious flaw cannot be fixed I will have to uninstall and discontinue using apps from avast.

Any help appreciated.
Thanks.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #3 on: September 19, 2008, 03:00:52 PM »
Hi, what about firewalls ? Do you guys have any ? I have seen similar problems with Ashampoo.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #4 on: September 19, 2008, 03:33:47 PM »
Do you have any other security program installed and running in background? Antispyware?

Thanks for coming Lukas  ;)
The best things in life are free.

met00

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #5 on: September 20, 2008, 03:10:46 AM »
add another report

ashwebsv.exe is using over 50% of the CPU and "system" is now using the balance.

I have shutdown the providers. No change. 3 hours later ashwebsv is still thrashing.

Can't stop the process from task manager.

Moving to reboot as the final option.

ashguy

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #6 on: September 20, 2008, 05:03:20 AM »
Update: It took a few days but it occurred again. I checked the avast! On-Access Scanner window and for "Web Shield" it reported that it last scanned www.telegraph.co.uk had scanned 35956 and had a runtime of 3:23:39:22. I tried the "terminate" button first this time, but it did not work. The on-access scanner window appears like the provider is closed, but the process is still running in the background.

However, I did verify that I am able to use the internet again after attempting to terminate the process. While it is still running at 50/50% CPU, I am now access any site and, of course, post to this forum. One thing I will note, however, is that I am able to access computers on my local just fine even before I attempt to terminate the process. I did not try to access a web site by IP, but I can try that next time it happens. I do however typically access computers on my network via a DNS name that resolves from my router.

Since that log was talking about winsock errors, I attempted to disconnect all network devices in the Network Connections window. After doing that, the System process went back down to near 0% CPU usage. However, the ashwebsv.exe process is still using 50% of the CPU. I have a dual core machine so that is why it only uses 50%.

Update (because I don't feel like rewriting this ;D) -- While the System CPU is now at near 0%, my network connection seems completely dead. ((I started saving this post in a text file when I noticed this))

Update again -- TCPView is showing Ashwebsv.exe with a lot of listening connections open. all on port 12080, which is strange as I don't think it should be able to have two entries in TCPView with the same local IP and port. Here is the detail:

ashWebSv.exe:3120   TCP   127.0.0.1:12080   0.0.0.0:0   LISTENING   
<<previous line repeats about 150 times>>
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12720   ESTABLISHED   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12722   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12723   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12721   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12724   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12726   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12719   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12735   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12727   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12728   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12718   CLOSE_WAIT   
ashWebSv.exe:3120   TCP   127.0.0.1:12080   127.0.0.1:12733   CLOSE_WAIT   

As always, the following entry is appearing quickly in the ashwebsv.ws log file:

***Server: too many winsock errors (64368). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

The log is now at over 26000 lines. I think I might set up a 'tail -f' to cronolog to get an idea of when these entries are appearing. If they have been appearing over the last week, it may be something that has to build up over a few days to take effect.

((Edit: I did not restart my computer until after I finished the entire above post. Made a small edit to make sure it did not seem like I saw the TCPView errors after I restarted, when in-fact I saw them before I restarted.))
« Last Edit: September 20, 2008, 05:16:17 AM by ashguy »

ashguy

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #7 on: September 20, 2008, 05:17:34 AM »
@lukor & Tech: I use the Windows firewall. I am running no other security software except for PeerGuardian which I have had disabled for a few weeks (it is running though). I am also running Hamachi.

After I installed SP3 I stopped being able to use remote desktop. Not sure if that's related.

Also, I am running a tail -f on that .ws log file with cronolog to get an idea of how early these entries start appearing.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #8 on: September 20, 2008, 06:16:12 AM »
Quote
Update again -- TCPView is showing Ashwebsv.exe with a lot of listening connections open. all on port 12080, which is strange as I don't think it should be able to have two entries in TCPView with the same local IP and port.

I think that is a reasonable assumption.

How about you give us a baseline screen shot of your TCPView before the problem occurs.

met00

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #9 on: September 20, 2008, 07:33:04 AM »
Tail of the AshWebSv.ws file:

###
***Server: too many winsock errors (17796). Re-listening the sockets!
***Server: accept() failed with Winsock_Error: Winsock: (10038) An operation was attempted on something that is not a socket.

###

Filesize is: 3,354KB and growing...

is there a way to stop this without a reboot?

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #10 on: September 20, 2008, 08:06:04 AM »
Are you using any P2P software on your system or any streaming connection?

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #11 on: September 20, 2008, 09:49:15 AM »
Hi,
definitely something went fairly wrong.

The "re-listening the sockets!" error line appears when the accept( ) in webshield gives many errors - which usually means, something (from our experience it frequently was a LSP based firewall (propably not now) or other LSP plugin) has corrupted the listening socket inside webshield. WebShield tries to accept connections in the cycle, blocking on accept() - well it is select()  but that does not make a big difference - when no connections are waiting. Since the socket is probably corrupted, this happens very quickly with an error code. After a bunch of error results, WebShield concludes that the sockets it listens at is corrupted and tries to recover by closing all its sockets and listening again (on a new one).

To me it seems that the same "thing" that corrupts the listening sockets also prevents the socket from being completely closed and this is why it stays in the TcpView log. It seems to me like a corrupted Winsock stack in WebShield's memory. This can happen Winsock plugins (LSP), but surely it may be a memory corruption of some sort from a different source.

Could you please create a memory dump of WebShield and upload to avast ftp? (you will have to disable avast self-protection to do it).

Quote
Have you also tried userdump.exe? (the command-line program)
Sometimes, it works better.

http://public.avast.com/~vlk/userdump.exe

The syntax is
userdump.exe ashWebSv.exe c:\ashWebSv.dmp
(producing dump file in the root of C:\ drive)

Also, make sure you're logged on as administrator before doing this.

I assume, WebShield will be cycling in the listen/accept/error/re-listing branch eating all available CPU it gets, but at if will at least tell us what other (if any) software is loaded inside WS.
thanks.

lukas

met00

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #12 on: September 20, 2008, 10:23:27 AM »
C:\>userdump.exe ashWebSv.exe c:\ashWebSv.dmp
User Mode Process Dumper (Version 1.0)
Copyright (c) 1999 Microsoft Corp. All rights reserved.

Dumping process 1640 (ashWebSv.exe) to
c:\ashWebSv.dmp...
The process could not be dumped.
Access is denied.

###

I was logged in as administrator

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #13 on: September 20, 2008, 11:23:23 AM »
Self protection turned off ?

met00

  • Guest
Re: High CPU from System/ashWebSv.exe. Has strange AshWebSv.ws log messages.
« Reply #14 on: September 20, 2008, 07:57:33 PM »
Dump is 357,073 lines.... is there somewhere I should e-mail it?