[dba-Tech] Svchost.exe error - Update

Rusty Hammond rustykh at yahoo.com
Fri Aug 6 10:25:26 CDT 2010


Sometimes running just one malware removal tool doesn't get everything.  Vipre 
has a command line rescue program that you can download for free.  If you want 
to try it you can find it here:  http://live.sunbeltsoftware.com/

I run a 25 workstation network with Vipre installed on all of them but still had 
a few machines get infected with a TDSS rootkit a few months ago.  I was able to 
remove it with a Kaspersky utility designed for that specific infection, but 
they also have a manual removal tool here:  
http://support.kaspersky.com/viruses/avptool2010?level=2 that you might want to 
try.

HTH

Rusty





________________________________
From: Tina Norris Fields <tinanfields at torchlake.com>
To: Discussion of Hardware and Software issues <dba-tech at databaseadvisors.com>
Sent: Fri, August 6, 2010 9:06:40 AM
Subject: Re: [dba-Tech] Svchost.exe error - Update

Hi again,

Well, the IT crew did not fix the problem.  In fact, by the time they 
quit, the computer would not boot all the way - it would start and then 
shut down and restart endlessly.  They did not know how to fix that.  
There was talk of replacing the computer as less expensive than 
continuing to pay for IT time.

Yesterday morning, I took my Spin-Rite over to Brad's house, powered up 
the computer, went into Setup and changed the boot sequence so it would 
boot from the CD, popped Spin-Rite into the drive and rebooted.  
Spin-Rite, running at Level 2,  found two sectors where most of the data 
could be recovered, but not all.  Once Spin-Rite had done its magic, the 
computer booted, ran Chkdsk and launched Windows.  However, IE would not 
go to the Internet at all. It would start and then disappear. (There was 
some other application I tried to launch that also started and 
disappeared.)  I opened a command window and pinged my own website - 
that worked.  I pinged the ISP and Microsoft, and both of those efforts 
timed out.  But, at least I knew I did have a live connection to the 
Internet.  In IE, I clicked Tools and Internet Options - was denied 
access to that with a message something like "this action has been 
canceled because of restrictions on this computer, please contact your 
system administrator."  That was a real surprise - Brad was signed in as 
Administrator. 

At this point, I concluded that some Windows components were corrupted, 
possibly because they had been partially located in the unrecoverable 
sectors.  I launched the Wizard for adding Windows components - the 
generic host process error message popped up - using ProcExp.exe set to 
scroll to new processes, I saw the dwwin.exe process was the one trying 
to run - I killed it, but the computer still bogged down.

After another reboot, I went to Control Panel and uninstalled IE7.  
While I was doing that the generic host process error showed up again.  
This time I just ignored it, and the computer did not bog down.  Once 
IE7 was uninstalled, the remaining IE 6 would go to the Internet.  So, 
now we had a functioning computer again, but the error message that had 
begun all the efforts was still there. 

It turns out Brad has Acronis True Image Home installed and had a full 
backup of his system from July 27, with incremental backups for most of 
the succeeding days.  So, I ran a restore of his full backup - after 
more than an hour of that restore, with 26 seconds to go according to 
the progress bar, a message popped up asking for the WinXP SP2 disk, 
because some 'original components' were required - that's what it said.  
I inserted my CD and clicked 'Retry' - the message box disappeared - but 
Acronis did not proceed from the 26 seconds remaining status - and I 
waited a long time until there just wasn't any drive activity at all.  I 
closed up the Acronis.  I went back to installing optional components 
from the WindowsXP SP2 disk.  Probably because of the interruption in 
the Acronis image restore, there were duplicates of virtually all the 
shortcut links - on the desktop, in all the start menus, anywhere a 
shortcut existed there was a duplicate without the proper icon.  I 
cleaned those up manually.

Now, I was finally able to get to the Internet to download a fresh copy 
of Malwarebytes - which had been where the IT guys' efforts came apart 
the day before.  Got it downloaded, ran it - it found 3 bad guys and 
wrote a log file of the findings - I told it to get rid of them and it 
did.  One name I recall was approximately 'Trojan.Fraudcheck' - don't 
you just love the irony!?!?  Before John Bartow asks me why Brad isn't 
using Vipre to protect that computer from such invasions, I will explain 
- the home office uses AVG by subscription.  It is a 'house rule' that 
everybody will use the same subscription.  So, AVG is what's guarding 
that computer.

We had gone for quite some time without getting the svchost.exe error 
message, but now it did show up again.  Using ProcExp, it was clear that 
dwwin.exe was still the culprit.  Today, it is my intention to check 
what dlls dwwin.exe calls and get fresh copies of them plus the executable.

Does anybody have additional advice for me?

Thanks,
T



Tina Norris Fields wrote:
> Hi All,
>
> I could use a little help figuring this one out. 
>
> My son-in-law, Brad, has this problem:  during some operation, could be 
> booting up, could be almost anything, he gets the warning "svchost.exe 
> application error" usually with something like "instruction at 
> referenced memory at "0x00000010" and "memory could not be read."  It 
> seems to me I have recently seen this error with a corrupted or faulty 
> update of some software - I think I had that happen with an HP companion 
> process, something like "image monitor" that bogged down my whole 
> system, and in my case the problem was solved by a reinstall and a 
> disabling of the culprit application (it was hogging my CPU resources, 
> and I really didn't need it).  Googling the svchost.exe error postings, 
> I find that it is likely caused by some corrupted dll file that didn't 
> get to finish whatever it was doing, and nothing else could function 
> because of that bottleneck.  Several of the postings suggested that it 
> might be a failed or incomplete or corrupted Windows update, and the 
> solution could be as easy as doing a manual Windows update and rebooting.
>
> When I tried to get to the Windows update site from his computer, I 
> could not get there - IE consistently reported that it could not display 
> the page.  This was true whether I used the Windows update command on 
> the menu or I launched the browser and typed in the URL.  I tried 
> Googling the Windows update and clicking the link from the Google search 
> results, too.  Nothing worked. 
>
> Because he is doing work, often using a VPN connection with his home 
> office, he has IT support available.  I told him that while I believe I 
> can get this figured out and fixed, it will probably be a lot faster to 
> make use of his IT guys.  Today, they have been working remotely on his 
> computer - they've uninstalled all his malware protection and 
> reinstalled fresh copies, they've updated his browser to IE8, they 
> thought they had it fixed, and then it popped up again, while they were 
> getting ready to sign off. 
>
> Does anybody on this list know what I'm really dealing with here?  I 
> would love some guidance!
>
> Best regards,
> T
> _______________________________________________
> dba-Tech mailing list
> dba-Tech at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-tech
> Website: http://www.databaseadvisors.com
>
>  
_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
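The last step Tina describes, checking which DLLs dwwin.exe has loaded before replacing them, can be done without guessing. The script below is an added example, not from anyone in this thread: it lists every module a running process has mapped, records each file's Authenticode status and SHA-256 hash, and flags modules loaded from outside the Windows directory, so the "corrupted dll" theory can be tested against the signature check rather than by reinstalling blindly. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), and the process name "dwwin" is taken from the thread only as the example target; any other process name works the same way.

```powershell
# Added example (not from the thread): inventory the modules loaded by a
# running process and check each one's signature and hash.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). 'dwwin' is the process
# named in the thread and is used here only as the example target.
$ProcessName = 'dwwin'

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Host "No running process named '$ProcessName'."
    return
}

foreach ($p in $procs) {
    Write-Host ("PID {0}: {1}" -f $p.Id, $p.Path)

    # Reading .Modules can fail for a 32/64-bit mismatch or protected process;
    # report that instead of aborting the whole run.
    try { $modules = $p.Modules } catch { Write-Warning "Cannot read modules of PID $($p.Id): $_"; continue }

    $modules | ForEach-Object {
        $file = $_.FileName
        # Status values worth acting on: NotSigned, HashMismatch (file altered
        # on disk after signing), NotTrusted. Valid means the bytes on disk
        # still match what the publisher signed.
        $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
        $hash = (Get-FileHash -Path $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            Module    = $_.ModuleName
            Path      = $file
            Signature = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash
            # A module outside %windir% loaded into a Windows component is the
            # first thing to compare against a known-good copy.
            InWindir  = $file.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
        }
    } | Sort-Object Signature, Path | Format-Table -AutoSize
}
```

Run it in an elevated prompt while the error is reproducing so the process is actually alive. A HashMismatch on a system DLL is consistent with the bad-sector story in the thread (the file on disk no longer matches its signature) and tells you exactly which file to replace from the SP2 media; a NotSigned module sitting outside the Windows directory is the kind of thing a scanner log such as the Malwarebytes one mentioned above should be cross-checked against.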