Tina Norris Fields
tinanfields at torchlake.com
Fri Aug 6 10:52:04 CDT 2010
Thanks Rusty
T

Rusty Hammond wrote:
> Sometimes running just one malware removal tool doesn't get everything. Vipre
> has a command line rescue program that you can download for free. If you want
> to try it you can find it here: http://live.sunbeltsoftware.com/
>
> I run a 25 workstation network with Vipre installed on all of them but still had
> a few machines get infected with a TDSS rootkit a few months ago. I was able to
> remove it with a Kaspersky utility designed for that specific infection, but
> they also have a manual removal tool here:
> http://support.kaspersky.com/viruses/avptool2010?level=2 that you might want to
> try.
>
> HTH
>
> Rusty
>
> ________________________________
> From: Tina Norris Fields <tinanfields at torchlake.com>
> To: Discussion of Hardware and Software issues <dba-tech at databaseadvisors.com>
> Sent: Fri, August 6, 2010 9:06:40 AM
> Subject: Re: [dba-Tech] Svchost.exe error - Update
>
> Hi again,
>
> Well, the IT crew did not fix the problem. In fact, by the time they
> quit, the computer would not boot all the way - it would start and then
> shut down and restart endlessly. They did not know how to fix that.
> There was talk of replacing the computer as less expensive than
> continuing to pay for IT time.
>
> Yesterday morning, I took my Spin-Rite over to Brad's house, powered up
> the computer, went into Setup and changed the boot sequence so it would
> boot from the CD, popped Spin-Rite into the drive and rebooted.
> Spin-Rite, running at Level 2, found two sectors where most of the data
> could be recovered, but not all. Once Spin-Rite had done its magic, the
> computer booted, ran Chkdsk and launched Windows. However, IE would not
> go to the Internet at all. It would start and then disappear. (There was
> some other application I tried to launch that also started and
> disappeared.) I opened a command window and pinged my own website -
> that worked. I pinged the ISP and Microsoft, and both of those efforts
> timed out. But, at least I knew I did have a live connection to the
> Internet. In IE, I clicked Tools and Internet Options - was denied
> access to that with a message something like "this action has been
> canceled because of restrictions on this computer, please contact your
> system administrator." That was a real surprise - Brad was signed in as
> Administrator.
>
> At this point, I concluded that some Windows components were corrupted,
> possibly because they had been partially located in the unrecoverable
> sectors. I launched the Wizard for adding Windows components - the
> generic host process error message popped up - using ProcExp.exe set to
> scroll to new processes, I saw the dwwin.exe process was the one trying
> to run - I killed it, but the computer still bogged down.
>
> After another reboot, I went to Control Panel and uninstalled IE7.
> While I was doing that the generic host process error showed up again.
> This time I just ignored it, and the computer did not bog down. Once
> IE7 was uninstalled, the remaining IE 6 would go to the Internet. So,
> now we had a functioning computer again, but the error message that had
> begun all the efforts was still there.
>
> It turns out Brad has Acronis True Image Home installed and had a full
> backup of his system from July 27, with incremental backups for most of
> the succeeding days. So, I ran a restore of his full backup - after
> more than an hour of that restore, with 26 seconds to go according to
> the progress bar, a message popped up asking for the WinXP SP2 disk,
> because some 'original components' were required - that's what it said.
> I inserted my CD and clicked 'Retry' - the message box disappeared - but
> Acronis did not proceed from the 26 seconds remaining status - and I
> waited a long time until there just wasn't any drive activity at all. I
> closed up the Acronis. I went back to installing optional components
> from the WindowsXP SP2 disk. Probably because of the interruption in
> the Acronis image restore, there were duplicates of virtually all the
> shortcut links - on the desktop, in all the start menus, anywhere a
> shortcut existed there was a duplicate without the proper icon. I
> cleaned those up manually.
>
> Now, I was finally able to get to the Internet to download a fresh copy
> of Malwarebytes - which had been where the IT guys' efforts came apart
> the day before. Got it downloaded, ran it - it found 3 bad guys and
> wrote a log file of the findings - I told it to get rid of them and it
> did. One name I recall was approximately 'Trojan.Fraudcheck' - don't
> you just love the irony!?!? Before John Bartow asks me why Brad isn't
> using Vipre to protect that computer from such invasions, I will explain
> - the home office uses AVG by subscription. It is a 'house rule' that
> everybody will use the same subscription. So, AVG is what's guarding
> that computer.
>
> We had gone for quite some time without getting the svchost.exe error
> message, but now it did show up again. Using ProcExp, it was clear that
> dwwin.exe was still the culprit. Today, it is my intention to check
> what dlls dwwin.exe calls and get fresh copies of them plus the executable.
>
> Does anybody have additional advice for me?
>
> Thanks,
> T
>
>
>
> Tina Norris Fields wrote:
>
>> Hi All,
>>
>> I could use a little help figuring this one out.
>>
>> My son-in-law, Brad, has this problem: during some operation, could be
>> booting up, could be almost anything, he gets the warning "svchost.exe
>> application error" usually with something like "instruction at
>> referenced memory at "0x00000010" and "memory could not be read." It
>> seems to me I have recently seen this error with a corrupted or faulty
>> update of some software - I think I had that happen with an HP companion
>> process, something like "image monitor" that bogged down my whole
>> system, and in my case the problem was solved by a reinstall and a
>> disabling of the culprit application (it was hogging my CPU resources,
>> and I really didn't need it). Googling the svchost.exe error postings,
>> I find that it is likely caused by some corrupted dll file that didn't
>> get to finish whatever it was doing, and nothing else could function
>> because of that bottleneck. Several of the postings suggested that it
>> might be a failed or incomplete or corrupted Windows update, and the
>> solution could be as easy as doing a manual Windows update and rebooting.
>>
>> When I tried to get to the Windows update site from his computer, I
>> could not get there - IE consistently reported that it could not display
>> the page. This was true whether I used the Windows update command on
>> the menu or I launched the browser and typed in the URL. I tried
>> Googling the Windows update and clicking the link from the Google search
>> results, too. Nothing worked.
>>
>> Because he is doing work, often using a VPN connection with his home
>> office, he has IT support available. I told him that while I believe I
>> can get this figured out and fixed, it will probably be a lot faster to
>> make use of his IT guys. Today, they have been working remotely on his
>> computer - they've uninstalled all his malware protection and
>> reinstalled fresh copies, they've updated his browser to IE8, they
>> thought they had it fixed, and then it popped up again, while they were
>> getting ready to sign off.
>>
>> Does anybody on this list know what I'm really dealing with here? I
>> would love some guidance!
>>
>> Best regards,
>> T
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
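The quoted message ends with the plan to check which DLLs dwwin.exe loads and replace them with fresh copies. The script below is an added example, not something posted in this thread or shipped by any of the tools named in it. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that the process of interest is running at the time the script executes; the process name dwwin is taken from the thread and is the only page-specific value used. It enumerates every module the process has loaded, checks each file's Authenticode signature, records a SHA256 hash, and flags modules that are not validly signed, which is the short list worth comparing against a known-good copy before anything is overwritten.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 4.0 or later
# (Get-FileHash) and that the target process is currently running.
# Lists every module loaded by a process, checks its Authenticode signature,
# and records a SHA256 hash so it can be compared against a known-good copy.
param(
    [string]$ProcessName = 'dwwin'   # process name from the thread; change as needed
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning "No running process named '$ProcessName' found; rerun while it is running."
    return
}

$report = foreach ($p in $procs) {
    foreach ($m in $p.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        [pscustomobject]@{
            Pid       = $p.Id
            Module    = $m.ModuleName
            Path      = $m.FileName
            SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
        }
    }
}

# Modules that are not validly signed are the first place to look for a damaged
# or replaced file. Compare each one's SHA256 with the same file from a clean
# machine or the install media before copying a "fresh" version over it.
$suspect = $report | Where-Object { $_.SigStatus -ne 'Valid' }
$report  | Sort-Object SigStatus, Path | Format-Table -AutoSize
$report  | Export-Csv -Path ".\$ProcessName-modules.csv" -NoTypeInformation

"{0} modules loaded, {1} not validly signed" -f @($report).Count, @($suspect).Count
```

Run it from an elevated PowerShell prompt on the affected machine and keep the CSV alongside the Malwarebytes log. Two caveats: a 32-bit PowerShell host cannot enumerate the modules of a 64-bit process, so match the host to the process, and many Windows system files are signed through catalog files rather than embedded signatures, so on older PowerShell versions they can show as NotSigned even when intact. Treat NotSigned as a reason to compare hashes, not as proof of tampering; HashMismatch, on the other hand, means the file's contents no longer match its own signature and is a strong indicator of corruption or replacement.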