[dba-Tech] Svchost.exe error - Update 2

Tina Norris Fields tinanfields at torchlake.com
Sat Aug 7 08:16:11 CDT 2010


Back again,

After looking at the huge number of dlls and other processes that 
appeared to be connected to dwwin.exe, I opted for a different approach.

Acting on Rusty's comment, I used the Vipre rescue and had it run a deep 
scan.  It found and cleaned 4 threat traces in the Registry.
IE7 would still not allow access to Windows update - I could get to lots 
of Internet places, including microsoft.com, but anything that got close 
to updating Windows resulted in the notice that IE could not display 
that page, that I might not be connected to the Internet, etc. - not the 
common page I usually see when IE really can't reach the Internet, but 
one with messages in red font and enclosed in black-bordered boxes.  
Also, the errant redirect continued to happen - there are about three 
different ones that I saw more than once
- one looked like a local news page, but it is not something Brad chose 
(http://www.news9today.net/money-news/latest-news.php?ex=002&tid=AOXUS1) 
I've followed up on that one now, myself - it is an advertisement entry 
point, if you try to select news, or politics, or anything from its 
navigation bar, you are sent to a page to sign up for making lots of 
money (http://www.quickcashkit.net/index2/?hop=inet2aff2&ex=002).
- one is a 'find single mates' invitation 
(http://matelocal.com/2273/?subid=directcpv-preferred-1&affid=7167)
- one was an urgent notice that the PC is infected, click here to fix it 
(looked very similar to the AntivirXP2009 that got my Dad's computer a 
couple years ago). 
Attempting to reach the Internet Options still yielded the message that 
that operation was "canceled due to security restrictions on this 
computer, please contact your system administrator."

Persuaded that something was hijacking Brad's IE7, I downloaded 
HiJackThis and ran that - I am not experienced at reading that log, but 
I really didn't spot the culprit.  If one of you is knowledgeable about 
analyzing that log, and would be willing to look it over, please let me 
know and I will pass it along to you.

Since I could get to the Internet, I went to mozilla.com and downloaded 
the current Firefox, installed it and used it to get to microsoft.com 
where I downloaded IE8 for manual installation.  Once IE8 was installed, 
we had access to the Tools > Internet Options dialog box.  Yay!  But, we 
still could not get to Windows update!  And, the redirect still popped up. 

His OS was WinXP SP2, whose support ended July 13, 2010 - so, I searched 
for how to get SP3 when I couldn't get to Windows update.  I did finally 
find a way to download that for manual installation.  SP3 was 
successfully installed yesterday after supper.  But, guess what - this 
morning, the redirect is still there, and IE cannot get to Windows 
update, and, of course the old bugaboo "generic service host error" is 
still popping up. 

This syndrome has to be an infection of some kind I'm thinking.  Unless, 
as Jim suggested, the corruption is in a location that cannot be 
substituted and the only real solution is to get a new hard drive.  Or, 
perhaps this is a combination of things 1) a corruption at the boot 
tracks, and 2) a hijacker of some sort.

I'm ready to start pricing good SATA hard drives for Brad's computer.  
He has to have a functional and reliable computer for his business 
(don't we all?).  But, it's very difficult for me to let go of a mystery 
like this - I really want to solve it.  Do you wizards have any more 
good thoughts for me?  What is redirecting Brad's IE browser?  What is 
preventing IE from getting to Windows update?  What is calling the 
svchost.exe error?

Thanks again,
T


Tina Norris Fields wrote:
> Hi again,
>
> Well, the IT crew did not fix the problem.  In fact, by the time they 
> quit, the computer would not boot all the way - it would start and then 
> shut down and restart endlessly.  They did not know how to fix that.  
> There was talk of replacing the computer as less expensive than 
> continuing to pay for IT time.
>
> Yesterday morning, I took my Spin-Rite over to Brad's house, powered up 
> the computer, went into Setup and changed the boot sequence so it would 
> boot from the CD, popped Spin-Rite into the drive and rebooted.  
> Spin-Rite, running at Level 2, found two sectors where most of the data 
> could be recovered, but not all.  Once Spin-Rite had done its magic, the 
> computer booted, ran Chkdsk and launched Windows.  However, IE would not 
> go to the Internet at all. It would start and then disappear. (There was 
> some other application I tried to launch that also started and 
> disappeared.)  I opened a command window and pinged my own website - 
> that worked.  I pinged the ISP and Microsoft, and both of those efforts 
> timed out.  But, at least I knew I did have a live connection to the 
> Internet.  In IE, I clicked Tools and Internet Options - was denied 
> access to that with a message something like "this action has been 
> canceled because of restrictions on this computer, please contact your 
> system administrator."  That was a real surprise - Brad was signed in as 
> Administrator. 
>
> At this point, I concluded that some Windows components were corrupted, 
> possibly because they had been partially located in the unrecoverable 
> sectors.  I launched the Wizard for adding Windows components - the 
> generic host process error message popped up - using ProcExp.exe set to 
> scroll to new processes, I saw the dwwin.exe process was the one trying 
> to run - I killed it, but the computer still bogged down.
>
> After another reboot, I went to Control Panel and uninstalled IE7.  
> While I was doing that the generic host process error showed up again.  
> This time I just ignored it, and the computer did not bog down.  Once 
> IE7 was uninstalled, the remaining IE 6 would go to the Internet.  So, 
> now we had a functioning computer again, but the error message that had 
> begun all the efforts was still there. 
>
> It turns out Brad has Acronis True Image Home installed and had a full 
> backup of his system from July 27, with incremental backups for most of 
> the succeeding days.  So, I ran a restore of his full backup - after 
> more than an hour of that restore, with 26 seconds to go according to 
> the progress bar, a message popped up asking for the WinXP SP2 disk, 
> because some 'original components' were required - that's what it said.  
> I inserted my CD and clicked 'Retry' - the message box disappeared - but 
> Acronis did not proceed from the 26 seconds remaining status - and I 
> waited a long time until there just wasn't any drive activity at all.  I 
> closed up the Acronis.  I went back to installing optional components 
> from the Windows XP SP2 disk.  Probably because of the interruption in 
> the Acronis image restore, there were duplicates of virtually all the 
> shortcut links - on the desktop, in all the start menus, anywhere a 
> shortcut existed there was a duplicate without the proper icon.  I 
> cleaned those up manually.
>
> Now, I was finally able to get to the Internet to download a fresh copy 
> of Malwarebytes - which had been where the IT guys' efforts came apart 
> the day before.  Got it downloaded, ran it - it found 3 bad guys and 
> wrote a log file of the findings - I told it to get rid of them and it 
> did.  One name I recall was approximately 'Trojan.Fraudcheck' - don't 
> you just love the irony!?!?  Before John Bartow asks me why Brad isn't 
> using Vipre to protect that computer from such invasions, I will explain 
> - the home office uses AVG by subscription.  It is a 'house rule' that 
> everybody will use the same subscription.  So, AVG is what's guarding 
> that computer.
>
> We had gone for quite some time without getting the svchost.exe error 
> message, but now it did show up again.  Using ProcExp, it was clear that 
> dwwin.exe was still the culprit.  Today, it is my intention to check 
> what dlls dwwin.exe calls and get fresh copies of them plus the executable.
>
> Does anybody have additional advice for me?
>
> Thanks,
> T
>
>
>
> Tina Norris Fields wrote:
>   
>> Hi All,
>>
>> I could use a little help figuring this one out. 
>>
>> My son-in-law, Brad, has this problem:  during some operation, could be 
>> booting up, could be almost anything, he gets the warning "svchost.exe 
>> application error" usually with something like "instruction at 
>> referenced memory at "0x00000010" and "memory could not be read."  It 
>> seems to me I have recently seen this error with a corrupted or faulty 
>> update of some software - I think I had that happen with an HP companion 
>> process, something like "image monitor" that bogged down my whole 
>> system, and in my case the problem was solved by a reinstall and a 
>> disabling of the culprit application (it was hogging my CPU resources, 
>> and I really didn't need it).  Googling the svchost.exe error postings, 
>> I find that it is likely caused by some corrupted dll file that didn't 
>> get to finish whatever it was doing, and nothing else could function 
>> because of that bottleneck.  Several of the postings suggested that it 
>> might be a failed or incomplete or corrupted Windows update, and the 
>> solution could be as easy as doing a manual Windows update and rebooting.
>>
>> When I tried to get to the Windows update site from his computer, I 
>> could not get there - IE consistently reported that it could not display 
>> the page.  This was true whether I used the Windows update command on 
>> the menu or I launched the browser and typed in the URL.  I tried 
>> Googling the Windows update and clicking the link from the Google search 
>> results, too.  Nothing worked. 
>>
>> Because he is doing work, often using a VPN connection with his home 
>> office, he has IT support available.  I told him that while I believe I 
>> can get this figured out and fixed, it will probably be a lot faster to 
>> make use of his IT guys.  Today, they have been working remotely on his 
>> computer - they've uninstalled all his malware protection and 
>> reinstalled fresh copies, they've updated his browser to IE8, they 
>> thought they had it fixed, and then it popped up again, while they were 
>> getting ready to sign off. 
>>
>> Does anybody on this list know what I'm really dealing with here?  I 
>> would love some guidance!
>>
>> Best regards,
>> T
>> _______________________________________________
>> dba-Tech mailing list
>> dba-Tech at databaseadvisors.com
>> http://databaseadvisors.com/mailman/listinfo/dba-tech
>> Website: http://www.databaseadvisors.com
>>
>>   
>>     
>
>   
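Added triage script for the three questions at the end of Tina's latest message (what is redirecting IE, what is blocking Windows Update, what keeps producing the svchost.exe error); it is not code from the thread or from any of the tools named in it. It assumes the standard Windows locations for the hosts file, the Internet Explorer Restrictions policy key (the source of the "canceled due to security restrictions" message), the two Windows Update policy values, the per-user proxy settings and the Winlogon Shell/Userinit values, and it only reads and reports them. One fact worth having alongside it: dwwin.exe, which Process Explorer kept showing, is Dr. Watson, the XP crash reporter that starts after another process faults, so it appears because svchost.exe crashed rather than being the thing that crashed it.

```powershell
# Added triage script, not code from the thread or from any tool it names.
# Read-only: it reports the places commonly used to block Windows Update and
# lock Internet Explorer's settings, and changes nothing.
# Assumptions (mine, not the thread's): standard Windows paths and registry
# locations; run from an administrative PowerShell prompt on the affected PC.

$findings = @()

# 1. hosts file: an entry that pins an update or vendor host name to some
#    address is a classic way to produce "cannot display the page" for
#    Windows Update while the rest of the web still works.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watched   = 'windowsupdate|update\.microsoft\.com|microsoft\.com|mozilla|malwarebytes|avg\.com'
foreach ($raw in (Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $fields = $line -split '\s+'
    if ($fields.Count -ge 2 -and $fields[1] -match $watched) {
        $findings += "hosts file maps $($fields[1]) to $($fields[0])"
    }
}

# 2. IE restriction policies: the "canceled due to security restrictions"
#    message comes from this key; every value here is a lock, 1 means on.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Policies\Microsoft\Internet Explorer\Restrictions"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 1) {
            $findings += "$key : $($p.Name) = 1"
        }
    }
}

# 3. Policies that hide or disable Windows Update outright.
$wuPolicies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoWindowsUpdate' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';           Name = 'DisableWindowsUpdateAccess' }
)
foreach ($pol in $wuPolicies) {
    if (Test-Path $pol.Key) {
        $val = (Get-ItemProperty -Path $pol.Key).($pol.Name)
        if ($val -eq 1) { $findings += "$($pol.Key) : $($pol.Name) = 1" }
    }
}

# 4. Proxy / auto-config script: routing every request through a hijacker's
#    proxy produces both redirects and selective "cannot display" errors.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { $findings += "proxy auto-config script: $($inet.AutoConfigURL)" }

# 5. Winlogon Shell/Userinit: anything beyond the defaults runs at every logon,
#    which is how a hijacker survives reboots, reinstalls of IE and a new SP.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { $findings += "Winlogon Shell = $($wl.Shell)" }
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($wl.Userinit -ne $expectedUserinit) { $findings += "Winlogon Userinit = $($wl.Userinit)" }

if ($findings.Count -eq 0) {
    Write-Output 'No hosts-file, IE-restriction, update-policy, proxy or Winlogon findings.'
} else {
    Write-Output 'Findings (verify each before changing anything):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

PowerShell 2.0 runs on XP SP3, so this works on the machine as described after the SP3 install. Treat each line of output as a lead, not a verdict: the home office's IT people may legitimately set some of these values by policy, so check a finding against whoever should own it before removing it, and save the output next to the HijackThis log so the two can be compared.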


