AvastSvc.exe 8min after Boot

Does anybody know what process or service is running in the file around 8 minutes after boot? Started having an issue 3 weeks ago with this. Went away for about a week or two but came back today. Re-installation had no effect. About 8 minutes after booting this file will start to use a huge amount of CPU resources constantly: AvastSvc.exe /runassvc

I tried disabling everything one by one and finally ran Avast in passive mode and after 8 minutes there still was a little CPU usage from this file but it shut down after a few seconds. Why would there be activity from anything in passive mode? Turned everything back on, now no problems. Any clues??

I think it’s a rootkit scan that’s done 8 min after bootup.

I see that this can be disabled in the core shield settings but I already tried disabling each shield individually and then all the shields together and it had no effect. If it starts doing it again I’ll try disabling just the rootkit and see what happens. Thanks for your help!

The anti-rootkit scan shouldn’t have a great impact on the system, certainly not on mine (as and when I do a system restart).

Although the time frame of 8 minutes after boot falls in line with when the anti-rootkit scan runs, I’m not sure that AvastSvc.exe /runassvc is directly related to the anti-rootkit scan; it is simply the path and command to run the service immediately on boot.

“C:\Program Files\AVAST Software\Avast\AvastSvc.exe” /runassvc see attached image, I assume this is where you got this from.

If this is the anti-rootkit scan check these files using notepad (see attached image) I believe these are related to the anti-rootkit scan and see what stats are there, runtime number of files scanned, etc.

Definitely not, something is wrong. Feels like it’s completely loading one of my i7 cores and debilitating the system. Happened again this morning when I booted up. Tried disabling the Anti-Rootkit scan, restarted and same problem. So did what I did yesterday and activated passive mode, restarted then no problems. Re-enabled all protection, restarted and now it’s fine.

LOG FILE CONTENT

arpot.log (these are today’s entries only)
2021-03-10 11:44:42 AVAVER: 21.1.2449 AR2: 210304 defs: 21030800
2021-03-10 11:44:57 AVAVER: 21.1.2449 AR2: 210309 defs: 21031004
2021-03-10 11:44:58 AVAVER: 21.1.2449 AR2: 210309 defs: 21031004
2021-03-10 12:04:21 AVAVER: 21.1.2449 AR2: 210309 defs: 21031004
2021-03-10 12:25:04 AVAVER: 21.1.2449 AR2: 210309 defs: 21031004
2021-03-10 12:34:52 AR2CFG: 210309
2021-03-10 12:34:52 AR2DEV: Start 1 Driver: 210129

aswAr.log
Avast Antirootkit, version 21.1.2449
Scan started: Wednesday, March 10, 2021 1:07:54 PM

Scan finished: Wednesday, March 10, 2021 1:07:58 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

aswAr1.log (this appears to be a record from a scan I did last night)
Avast Antirootkit, version 21.1.2449
[Full] Scan started: Tuesday, March 09, 2021 5:11:36 PM

Scan finished: Tuesday, March 09, 2021 5:13:24 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

Well I was somewhat sceptical that it would be the anti-rootkit scan.

I think the contents of the arpot.log reflect the Virus definitions updates as they may or may not include data for the anti-rootkit scanner/service.

The other logs basically only record the last scan or they could get very large.
The aswAr1.log does show a scan of just under two minutes and the aswAr.log only 4 seconds, and I really don’t know the difference (in scan/recording) between the two.

Fingers crossed, now that it is more what I would consider normal, no real impact on normal system operations.

Ok when it happens again I’ll try to pull the aswAr.log contents right away to see if there is anything more telling.

OK, but I think the log would be the same, if there wasn’t a detection, in which case I would have expected Avast to have alerted.

I just want to see if the scan takes longer when the CPU is being taxed constantly because that only shows the last scan which was done after I got it fixed today.

Yep the issue occurred again this morning and it does appear to be related to the Anti-rootkit scan. Here are the entire contents of my aswAr.log file, the scan starts right at the time the CPU load goes through the roof and even after 4 minutes or more there is no scan completion note in the log:

Avast Antirootkit, version 21.1.2449
Scan started: Thursday, March 11, 2021 9:51:06 AM

Process [4]
Process C:\Windows\System32\smss.exe [392]
Process C:\Windows\System32\csrss.exe [564]
Process C:\Windows\System32\wininit.exe [624]
Process C:\Windows\System32\csrss.exe [656]
Process C:\Windows\System32\services.exe [680]
Process C:\Windows\System32\lsass.exe [724]
Process C:\Windows\System32\winlogon.exe [732]
Process C:\Windows\System32\lsm.exe [740]
Process C:\Windows\System32\svchost.exe [864]
Process C:\Windows\System32\svchost.exe [940]
Process C:\Windows\System32\svchost.exe [184]
Process C:\Windows\System32\svchost.exe [476]
Process C:\Windows\System32\svchost.exe [820]
Process C:\Windows\System32\svchost.exe [484]
Process C:\Windows\System32\igfxCUIService.exe [1188]
Process C:\Windows\System32\svchost.exe [1240]
Process C:\Program Files\Avast Software\Avast\AvastSvc.exe [1308]
Process C:\Windows\System32\spoolsv.exe [1800]
Process C:\Windows\System32\svchost.exe [1840]
Process C:\Program Files\Avast Software\Avast\aswEngSrv.exe [1072]
Process C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [632]
Process C:\Windows\System32\svchost.exe [2616]
Process C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe [3108]
Process C:\Program Files\Avast Software\Avast\aswidsagent.exe [3148]
Process C:\Windows\System32\WUDFHost.exe [3416]
Process C:\Windows\System32\wbem\unsecapp.exe [3596]
Process C:\Windows\System32\SearchIndexer.exe [3948]
Process C:\Windows\System32\svchost.exe [2704]
Process C:\Windows\System32\svchost.exe [3408]
Process C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [5852]
Process C:\Windows\System32\taskeng.exe [3996]
Process C:\Windows\System32\SearchProtocolHost.exe [4272]
Process C:\Windows\System32\SearchFilterHost.exe [4364]
Process C:\Windows\System32\LogonUI.exe [5112]
Process C:\Windows\System32\LogonUI.exe [6008]

Rebooted into passive mode, and the scan appears to complete in 4 seconds… and yes the scan is STILL being done despite Avast allegedly being in passive mode!

Avast Antirootkit, version 21.1.2449
Scan started: Thursday, March 11, 2021 10:05:07 AM

Service .NET CLR Data [???]
Service .NET CLR Networking [???]
Service .NET CLR Networking 4.0.0.0 [???]
Service .NET Data Provider for Oracle [???]
Service .NET Data Provider for SqlServer [???]
Service .NET Memory Cache 4.0 [???]
Service .NETFramework [???]
Service 1394ohci [C:\Windows\system32\drivers\1394ohci.sys]
Service ACPI [C:\Windows\system32\drivers\ACPI.sys]
Service AcpiPmi [C:\Windows\system32\drivers\acpipmi.sys]
Service Adobe LM Service [C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe]
Service adp94xx [C:\Windows\system32\DRIVERS\adp94xx.sys]
Service adpahci [C:\Windows\system32\DRIVERS\adpahci.sys]
Service adpu320 [C:\Windows\system32\DRIVERS\adpu320.sys]
Service adsi [???]
Service AeLookupSvc [C:\Windows\System32\aelupsvc.dll]
Service AFD [C:\Windows\system32\drivers\afd.sys]
Service agp440 [C:\Windows\system32\drivers\agp440.sys]
Service ALG [C:\Windows\System32\alg.exe]
Service aliide [C:\Windows\system32\drivers\aliide.sys]
Service amdide [C:\Windows\system32\drivers\amdide.sys]
Service AmdK8 [C:\Windows\system32\drivers\amdk8.sys]
Service AmdPPM [C:\Windows\system32\drivers\amdppm.sys]
Service amdsata [C:\Windows\system32\drivers\amdsata.sys]
Service amdsbs [C:\Windows\system32\DRIVERS\amdsbs.sys]
Service amdxata [C:\Windows\system32\drivers\amdxata.sys]
Service AppID [C:\Windows\system32\drivers\appid.sys]
Service AppIDSvc [C:\Windows\System32\appidsvc.dll]
Service Appinfo [C:\Windows\System32\appinfo.dll]
Service AppMgmt [C:\Windows\System32\appmgmts.dll]
Service arc [C:\Windows\system32\DRIVERS\arc.sys]
Service arcsas [C:\Windows\system32\DRIVERS\arcsas.sys]
Service asComSvc [C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe]
Service AsIO [C:\Windows\SysWow64\drivers\AsIO.sys]
Service ASP.NET [???]
Service ASP.NET_4.0.30319 [???]
Service aspnet_state [C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe]
Service aswArDisk [C:\Windows\system32\drivers\aswArDisk.sys]
Service aswArPot [C:\Windows\system32\drivers\aswArPot.sys]
Service aswbdisk [???]
<etc… etc>
Scan finished: Thursday, March 11, 2021 10:05:11 AM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

What I think is interesting is that now there are 3 question marks instead of numbers (which this forum changes to smiley faces lol…), should be time in milliseconds right??
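The check done by hand in the posts above (reading aswAr.log to see whether the scan ever wrote its completion line, and how long it took) can be scripted. This is an added example, not part of the original thread and not Avast tooling: the line formats are inferred only from the excerpts posted here, the sample logs are abridged from them, and `summarize_scan` and its `now` argument are hypothetical names. It assumes an English locale for the date names.

```python
import re
from datetime import datetime

TS_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"  # Thursday, March 11, 2021 9:51:06 AM
STARTED = re.compile(r"^(?:\[(?P<kind>\w+)\]\s*)?Scan started:\s*(?P<ts>.+)$")
FINISHED = re.compile(r"^Scan finished:\s*(?P<ts>.+)$")
HIDDEN = re.compile(r"^Hidden (?P<what>.+?) found:\s*(?P<n>\d+)$")
ENTRY = re.compile(r"^(?P<type>Process|Service)\s")

# Abridged from the stuck scan posted above: no "Scan finished" line.
STUCK_LOG = r"""Avast Antirootkit, version 21.1.2449
Scan started: Thursday, March 11, 2021 9:51:06 AM

Process [4]
Process C:\Windows\System32\smss.exe [392]
Process C:\Windows\System32\csrss.exe [564]
"""

# Abridged from the aswAr1.log posted above: a scan that completed.
FINISHED_LOG = """Avast Antirootkit, version 21.1.2449
[Full] Scan started: Tuesday, March 09, 2021 5:11:36 PM

Scan finished: Tuesday, March 09, 2021 5:13:24 PM
Hidden files found: 0
Hidden processes found: 0
"""

def summarize_scan(log_text, now=None):
    """Summarise one log: duration if finished, elapsed time up to `now` if not."""
    info = {"started": None, "finished": None, "kind": None,
            "entries": {}, "hidden": {}}
    for line in log_text.splitlines():
        line = line.strip()
        if m := STARTED.match(line):
            info["started"] = datetime.strptime(m["ts"], TS_FORMAT)
            info["kind"] = m["kind"]          # e.g. "Full", or None
        elif m := FINISHED.match(line):
            info["finished"] = datetime.strptime(m["ts"], TS_FORMAT)
        elif m := HIDDEN.match(line):
            info["hidden"][m["what"]] = int(m["n"])
        elif m := ENTRY.match(line):          # count enumerated items per type
            info["entries"][m["type"]] = info["entries"].get(m["type"], 0) + 1
    if info["started"] is None:
        raise ValueError("no 'Scan started:' line found")
    end = info["finished"] or now             # fall back to caller's clock
    info["complete"] = info["finished"] is not None
    info["seconds"] = (end - info["started"]).total_seconds() if end else None
    return info
```

Passing the current time as `now` for a log with no completion line gives how long the scan has been running, which is the figure worth recording alongside the CPU observation.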

Well I would say that the anti-rootkit scan like other on-demand scans wouldn’t be prevented from running whilst in passive mode.
In roughly the same way as when you installed Avast, then MS Defender is disabled/passive (by default), but it can still run periodic scans.

In passive mode (not that I ever use it) I guess that you still have the avast tray icon displayed?

Yes that’s correct. As I understand it passive mode is supposed to shut off all real time features and enable Avast to be used solely for manual scans… and if disabling rootkit detection from the core shield won’t disable it, where does this leave me? At this point not really sure what to do other than uninstall it.

Reported to Avast. Let’s see if that helps to get an answer.

Thank You!

I’m afraid we’d need some more info to find out what’s going on there.
If possible, please do the following:

  1. Wait for the CPU usage to appear and give it some time (say one minute)
  2. From an elevated prompt, execute the following command:
     sc.exe control "avast! Antivirus" 254
  3. It will take a moment - and a dump of the AvastSvc.exe process will be created in C:\ProgramData\Avast Software\Avast\log folder; it will be a file called unpXXXXXXX-manual.mdmp (where X are some numbers) and will probably be hundreds of megabytes in size.
  4. Compress the dump (7-Zip, ZIP, RAR, … whatever) and upload it under a unique name to ftp://ftp.avast.com/incoming
  5. Post the name of the uploaded file here; I’ll check if the code seems to be stuck in some weird place

Thanks.

I think I can handle that but I don’t see any way to upload on that page, there are no buttons?

https://support.avast.com/en-ww/article/FTP-file-upload/

If I remember correctly, Chrome no longer supports ftp
I tried accessing the ftp server in Chrome without success.

It used to be possible to upload via Windows Explorer (not Internet Explorer) - opening the address and dropping the file on the bottom/content panel.
If you have a preferred upload service, you can upload the dump there - just note that theoretically, there may be some private data in the dump (say some of the pages being visited), so you may want to password-encrypt the archive and PM me the password (or the link itself).