
svchost.exe error message


7 replies to this topic

#1 aallen (Members, 5 posts)

Posted 09 March 2009 - 06:33 PM

Hi
I've been reading on this forum about ways to get rid of what I believe is malware on my laptop so I would not have to post for help. However, I cannot access the internet via my satellite or wireless card to download any of the links that you posted because the malware won't let me access the internet.

BTW I'm on my PC trying to get help for my laptop.

I have Windows XP.

When my computer boots up I get this error message: svchost.exe - Application Error. The instruction at "0x75606eb5" reference memory at "0x00000008". The memory could not be "read". Click on OK to terminate the program.

I have Grisoft and I ran a complete scan and it found nothing. I tried running my Spybot Search and Destroy and it won't let me. It won't do a complete shutdown or reboot, so I have to unplug it and take out the battery and then boot up again.

I just read another person's post on your forum, http://www.bleepingcomputer.com/forums/t/209089/svchostexe-application-error-0x75606e6a/, and what he is describing is EXACTLY the same as my problem, except I can't get on the internet.

Any suggestions on what I should try next?

thank you

Edited by aallen, 10 March 2009 - 03:48 PM.




#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 10 March 2009 - 08:54 AM

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows operating system and handles processes executed from .dll files. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimize the running of the various services.

Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon, but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it's scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate and see what services a Svchost.exe process is controlling:

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select Properties, you will see more details about the file.

If you cannot use the Internet or download any programs, try downloading from another computer (family member, friend, etc). Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program. If you cannot copy files to your usb drive, make sure it's not "Write Protected". Some flash drives have a switch on the side which could have accidentally been moved to write protect.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
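One way to carry out the path and service check quietman7 describes above, as an added PowerShell example that is not part of the thread: it lists every process named svchost.exe or a lookalike, compares its image path with %SystemRoot%\System32\svchost.exe, maps the services hosted by each PID through WMI, and flags any svchost entry in the Run keys. It assumes PowerShell 3 or later with the CIM cmdlets, so it is meant for a modern helper machine rather than the XP laptop in the thread.

```powershell
# Added example (not from the thread). Assumes PowerShell 3+ with the CIM cmdlets.
$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Win32_Process gives each image path; Win32_Service maps every service to the PID hosting it.
$procs    = Get-CimInstance Win32_Process
$services = Get-CimInstance Win32_Service | Group-Object ProcessId -AsHashTable -AsString

foreach ($p in $procs) {
    # Match svchost.exe and lookalikes such as scvhost.exe (the misspelling the post warns about).
    if ($p.Name -notmatch '^s[vc][vc]h[o0]st\.exe$') { continue }

    $path = $p.ExecutablePath
    $verdict = if ($p.Name -ine 'svchost.exe') { 'LOOKALIKE NAME' }
               elseif (-not $path)              { 'PATH UNKNOWN (access denied?)' }
               elseif ($path -ieq $expected)    { 'OK' }
               else                             { 'WRONG PATH' }

    $hosted = $services[[string]$p.ProcessId]
    [pscustomobject]@{
        PID      = $p.ProcessId
        Name     = $p.Name
        Path     = $path
        Verdict  = $verdict
        # A genuine svchost.exe hosts at least one service; an instance hosting none is suspect.
        Services = if ($hosted) { $hosted.Name -join ', ' } else { '(none)' }
    }
}

# The post notes that an svchost.exe startup entry (one that shows in msconfig) can be a sign of
# infection, so list any Run-key value that launches something named like svchost.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 's[vc][vc]h[o0]st' } |
        ForEach-Object { "SUSPICIOUS startup entry: $k\$($_.Name) = $($_.Value)" }
}
```

Run it from an elevated prompt; without elevation ExecutablePath is empty for SYSTEM-owned processes and shows up as PATH UNKNOWN.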

#3 aallen (Topic Starter, Members, 5 posts)

Posted 10 March 2009 - 03:39 PM

Thank you quietman7
Using a disk I was able to load AnVir Task Manager Free onto my computer and check files and paths. All the svchost files that appeared (4) show a path to C:\WINDOWS\system32\svchost.exe

I also copied over Malwarebytes and downloaded that onto my laptop from this site. It did download but won't run. I deleted it and tried again but it still won't run.

I've had to reboot a million times as it freezes up.

I've run msconfig and tried to do a system restore back to an earlier date, but after I reboot nothing has changed that I can see. I've tried unclicking everything under Startup and then starting my Intel wireless to try to connect to the internet; it stays in a connecting mode and never connects.

Update:

I ran Combofix and it resolved the problems, so it seemed. At least I could now connect to the internet, but then when I connected to my Hotmail IM and logged onto Hotmail again this Spyware Protect 2009 tried to download onto my computer. So I ran the Malwarebytes program, which I could not run before. I had some hiccups in running it but I was able to do 2 scans and found 9 infected files. I'm now doing a full system scan with that program to make sure it's completely gone. So it seems this all started with Spyware Protect 2009.

thank you for your time and your help.

Edited by aallen, 10 March 2009 - 05:43 PM.


#4 aallen (Topic Starter, Members, 5 posts)

Posted 10 March 2009 - 10:13 PM

Well lucky me, this thing just keeps coming back! grrrr! I've run the malware scan twice on the quick scan and 2-3 times for the longer scan, and every time it scans it finds more files. I don't understand why the malware scan isn't totally removing the problem.

#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 11 March 2009 - 07:50 AM

There are no shortcuts or guarantees when it comes to malware removal. Sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted.

Please post the results of your first and last MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format:
      mbam-log-2009-01-12(13-35-16).txt <- your dates will be different from this example
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.


#6 aallen (Topic Starter, Members, 5 posts)

Posted 11 March 2009 - 03:23 PM

Ok, I will have to post a little later as I have to run.
However, I had to run Combofix again and repeated all I had done before because all the problems came back as soon as I connected to IE. Combofix found rootkit activity and again named two files, one in the drivers and one a dll. Combofix brought me back to where I was before (as fixed) and I repeated MBAM again; it again found the malware and removed it. Then I ran Spybot and immunized and set up a restore backup spot.
I set up my firewall again and then set the internet limits to really high, but now a proxy server is preventing me from accessing the internet. ...when I have a bit more time to attack this slowly I will post my logs.

The last time I went back on the internet this same malware downloaded right to my system. I'm trying to prevent that again and going slower this time.

thanks

#7 aallen (Topic Starter, Members, 5 posts)

Posted 12 March 2009 - 12:35 AM

My logs.
The very first one:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/10/2009 3:14:48 PM
mbam-log-2009-03-10 (15-14-48).txt

Scan type: Quick Scan
Objects scanned: 62480
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Amy\Local Settings\temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Delete on reboot.

-----------------------------------------------------------------------------------------------------------------
My very last one:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/11/2009 11:44:31 AM
mbam-log-2009-03-11 (11-44-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 127570
Time elapsed: 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have a total of 8 logs if you need to see any more.
When my computer got reinfected yesterday, it was after I logged back into MSN Messenger and then went into IE, and this is where it all started. I've not gone back into MSN Messenger or IE on my laptop. (However I'm posting this message via my laptop, YIPPEEE!) I'm in Firefox. I think that the best thing for me to do next would be to uninstall MSN Messenger and reinstall it just to be safe. I'm open to your suggestions however.
I also swept my computer with Spybot Search and Destroy and it also found an IE corrupt file. It's gone now so I can't post what that was here.

#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,749 posts, Virginia, USA)

Posted 12 March 2009 - 08:07 AM

Your MBAM log indicates you are using an outdated database version, 1749. Please update to the most current one (1840) and rescan. Since you cannot use the Internet, manually download the updates from another computer, save them to a flash (usb, pen, thumb, jump) drive or CD and transfer to the infected machine. Then double-click on mbam-rules.exe to install the update. If you cannot transfer or install from the infected machine, try installing the file directly from the flash drive to your machine.

Mbam-rules.exe is not updated daily. Another way to get the most current definitions is to update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

Perform a new Quick Scan in normal mode and make sure you reboot afterwards. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY!
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Download SDFix from another computer, save and transfer to the infected machine the same way you did with MBAM. While you are at it also download these programs so we can use them next.
SUPERAntiSpyware Free
SUPERAntiSpyware Free Definition files - (Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE)
ATF Cleaner
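Two of the checks quietman7 applies to the posted logs (the database version against the current one in #8, and items that are detected again after a scan reported them removed in #5) can be done mechanically. The following is an added PowerShell example, not from the thread or from Malwarebytes; it parses logs of exactly the one-line "object (family) -> action" shape posted in #7 (that layout is an assumption baked into the regexes) and is fed a condensed copy of the two posted logs.

```powershell
# Added example (not from the thread): parse MBAM 1.x logs of the shape posted in #7.
function Parse-MbamLog {
    param([string]$Text)
    $log = [ordered]@{ Database = 0; ScanType = ''; Items = @() }
    foreach ($line in $Text -split "`r?`n") {
        if     ($line -match '^Database version:\s*(\d+)') { $log.Database = [int]$Matches[1] }
        elseif ($line -match '^Scan type:\s*(.+)')         { $log.ScanType = $Matches[1].Trim() }
        # Detection lines read:  <object> (<Family>) -> <action taken>.
        elseif ($line -match '^(.+?) \(([^()]+)\) -> (.+?)\.?\s*$') {
            $log.Items += [pscustomobject]@{ Object = $Matches[1]; Family = $Matches[2]; Action = $Matches[3] }
        }
    }
    [pscustomobject]$log
}

function Compare-MbamLogs {
    param([string]$First, [string]$Last, [int]$CurrentDatabase)
    $a = Parse-MbamLog $First
    $b = Parse-MbamLog $Last
    if ($b.Database -lt $CurrentDatabase) {
        "Database $($b.Database) is outdated (current: $CurrentDatabase): update and rescan."
    }
    # Anything MBAM could not remove in place ('Failed to unload', 'Delete on reboot') needs follow-up.
    ($a.Items + $b.Items) | Where-Object { $_.Action -notmatch 'successfully' } |
        ForEach-Object { "NOT REMEDIATED: $($_.Object) -> $($_.Action)" }
    # An object detected in both the first and the last scan survived removal: something is
    # re-creating it between scans (here the Winlogon Userinit value).
    foreach ($item in $b.Items) {
        if ($a.Items | Where-Object Object -eq $item.Object) { "RECURRING ($($item.Family)): $($item.Object)" }
    }
}

# Condensed from the two logs posted in #7: header lines and detection lines only.
$first = @'
Database version: 1749
Scan type: Quick Scan
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Failed to unload process.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Delete on reboot.
'@
$last = @'
Database version: 1749
Scan type: Full Scan (C:\|)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
'@
Compare-MbamLogs -First $first -Last $last -CurrentDatabase 1840
```

On the posted data this reports the outdated database, the two sysguard.exe entries that were not removed in place, and the Userinit value as recurring between the first and last scans.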
