[dba-Tech] Svchost.exe error - Update

Tina Norris Fields tinanfields at torchlake.com
Fri Aug 6 10:52:04 CDT 2010


Thanks Rusty
T

Rusty Hammond wrote:
> Sometimes running just one malware removal tool doesn't get everything.  Vipre 
> has a command line rescue program that you can download for free.  If you want 
> to try it you can find it here:  http://live.sunbeltsoftware.com/
>
> I run a 25 workstation network with Vipre installed on all of them but still had 
> a few machines get infected with a TDSS rootkit a few months ago.  I was able to 
> remove it with a Kaspersky utility designed for that specific infection, but 
> they also have a manual removal tool here:  
> http://support.kaspersky.com/viruses/avptool2010?level=2 that you might want to 
> try.
>
> HTH
>
> Rusty
>
> ________________________________
> From: Tina Norris Fields <tinanfields at torchlake.com>
> To: Discussion of Hardware and Software issues <dba-tech at databaseadvisors.com>
> Sent: Fri, August 6, 2010 9:06:40 AM
> Subject: Re: [dba-Tech] Svchost.exe error - Update
>
> Hi again,
>
> Well, the IT crew did not fix the problem.  In fact, by the time they 
> quit, the computer would not boot all the way - it would start and then 
> shut down and restart endlessly.  They did not know how to fix that.  
> There was talk of replacing the computer as less expensive than 
> continuing to pay for IT time.
>
> Yesterday morning, I took my Spin-Rite over to Brad's house, powered up 
> the computer, went into Setup and changed the boot sequence so it would 
> boot from the CD, popped Spin-Rite into the drive and rebooted.  
> Spin-Rite, running at Level 2,  found two sectors where most of the data 
> could be recovered, but not all.  Once Spin-Rite had done its magic, the 
> computer booted, ran Chkdsk and launched Windows.  However, IE would not 
> go to the Internet at all. It would start and then disappear. (There was 
> some other application I tried to launch that also started and 
> disappeared.)  I opened a command window and pinged my own website - 
> that worked.  I pinged the ISP and Microsoft, and both of those efforts 
> timed out.  But, at least I knew I did have a live connection to the 
> Internet.  In IE, I clicked Tools and Internet Options - was denied 
> access to that with a message something like "this action has been 
> canceled because of restrictions on this computer, please contact your 
> system administrator."  That was a real surprise - Brad was signed in as 
> Administrator. 
>
> At this point, I concluded that some Windows components were corrupted, 
> possibly because they had been partially located in the unrecoverable 
> sectors.  I launched the Wizard for adding Windows components - the 
> generic host process error message popped up - using ProcExp.exe set to 
> scroll to new processes, I saw the dwwin.exe process was the one trying 
> to run - I killed it, but the computer still bogged down.
>
> After another reboot, I went to Control Panel and uninstalled IE7.  
> While I was doing that the generic host process error showed up again.  
> This time I just ignored it, and the computer did not bog down.  Once 
> IE7 was uninstalled, the remaining IE 6 would go to the Internet.  So, 
> now we had a functioning computer again, but the error message that had 
> begun all the efforts was still there. 
>
> It turns out Brad has Acronis True Image Home installed and had a full 
> backup of his system from July 27, with incremental backups for most of 
> the succeeding days.  So, I ran a restore of his full backup - after 
> more than an hour of that restore, with 26 seconds to go according to 
> the progress bar, a message popped up asking for the WinXP SP2 disk, 
> because some 'original components' were required - that's what it said.  
> I inserted my CD and clicked 'Retry' - the message box disappeared - but 
> Acronis did not proceed from the 26 seconds remaining status - and I 
> waited a long time until there just wasn't any drive activity at all.  I 
> closed up the Acronis.  I went back to installing optional components 
> from the WindowsXP SP2 disk.  Probably because of the interruption in 
> the Acronis image restore, there were duplicates of virtually all the 
> shortcut links - on the desktop, in all the start menus, anywhere a 
> shortcut existed there was a duplicate without the proper icon.  I 
> cleaned those up manually.
>
> Now, I was finally able to get to the Internet to download a fresh copy 
> of Malwarebytes - which had been where the IT guys' efforts came apart 
> the day before.  Got it downloaded, ran it - it found 3 bad guys and 
> wrote a log file of the findings - I told it to get rid of them and it 
> did.  One name I recall was approximately 'Trojan.Fraudcheck' - don't 
> you just love the irony!?!?  Before John Bartow asks me why Brad isn't 
> using Vipre to protect that computer from such invasions, I will explain 
> - the home office uses AVG by subscription.  It is a 'house rule' that 
> everybody will use the same subscription.  So, AVG is what's guarding 
> that computer.
>
> We had gone for quite some time without getting the svchost.exe error 
> message, but now it did show up again.  Using ProcExp, it was clear that 
> dwwin.exe was still the culprit.  Today, it is my intention to check 
> what dlls dwwin.exe calls and get fresh copies of them plus the executable.
>
> Does anybody have additional advice for me?
>
> Thanks,
> T
>
>
>
> Tina Norris Fields wrote:
>   
>> Hi All,
>>
>> I could use a little help figuring this one out. 
>>
>> My son-in-law, Brad, has this problem:  during some operation, could be 
>> booting up, could be almost anything, he gets the warning "svchost.exe 
>> application error" usually with something like "instruction at 
>> referenced memory at "0x00000010" and "memory could not be read."  It 
>> seems to me I have recently seen this error with a corrupted or faulty 
>> update of some software - I think I had that happen with an HP companion 
>> process, something like "image monitor" that bogged down my whole 
>> system, and in my case the problem was solved by a reinstall and a 
>> disabling of the culprit application (it was hogging my CPU resources, 
>> and I really didn't need it).  Googling the svchost.exe error postings, 
>> I find that it is likely caused by some corrupted dll file that didn't 
>> get to finish whatever it was doing, and nothing else could function 
>> because of that bottleneck.  Several of the postings suggested that it 
>> might be a failed or incomplete or corrupted Windows update, and the 
>> solution could be as easy as doing a manual Windows update and rebooting.
>>
>> When I tried to get to the Windows update site from his computer, I 
>> could not get there - IE consistently reported that it could not display 
>> the page.  This was true whether I used the Windows update command on 
>> the menu or I launched the browser and typed in the URL.  I tried 
>> Googling the Windows update and clicking the link from the Google search 
>> results, too.  Nothing worked. 
>>
>> Because he is doing work, often using a VPN connection with his home 
>> office, he has IT support available.  I told him that while I believe I 
>> can get this figured out and fixed, it will probably be a lot faster to 
>> make use of his IT guys.  Today, they have been working remotely on his 
>> computer - they've uninstalled all his malware protection and 
>> reinstalled fresh copies, they've updated his browser to IE8, they 
>> thought they had it fixed, and then it popped up again, while they were 
>> getting ready to sign off. 
>>
>> Does anybody on this list know what I'm really dealing with here?  I 
>> would love some guidance!
>>
>> Best regards,
>> T
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
>>
>>  
>>     


