
computer is looking for svhost.exe at startup


12 replies to this topic

#1 escalante98


Posted 30 June 2005 - 07:55 PM

hello. i have just used advice from your site to remove spysheriff from my computer. now that he is gone, when i boot up, i get 2 error messages:



first one:
Cannot find the file 'svhost.exe' or one of its components. Make sure the path and filename are correct and that all required libraries are available.


second one:
Cannot load or run 'svhost.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.



ok, so i ran regedit and don't see the reference to the svhost.exe file anywhere. from what i have read about it, this is from a worm virus that i must have also had on my computer. my computer is running fine again since i ran the sheriff out of town, except for anything online. my outlook won't connect and says 'server could not be found'. when i click into explorer, i just get a blank screen. is this a simple registry fix that i am not seeing or are there still remnants of the sheriff / other viruses on my computer? the network is fine and all applications run normal again.

i also got a message that said "error loading rundll. the specified module could not be found" i found this one when i ran regedit and deleted it. now this message doesn't show up anymore.

when i run a search for svhost.exe nothing comes back.

dell
windows 2000
service pack 4

any thoughts?



#2 Enthusiast


Posted 30 June 2005 - 08:12 PM

Description of Svchost.exe in Windows 2000
Article ID : 250320
Last Review : November 20, 2003
Revision : 3.0
This article was previously published under Q250320
For a Microsoft Windows XP version of this article, see 314056.
SUMMARY
Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service
MORE INFORMATION
To view the list of services that are running in Svchost:
1. From the Windows 2000 installation CD's Support\Tools folder, extract the Tlist.exe utility from the Support.cab file.
2. On the Start menu, click Run, and then type cmd.
3. Change folder to the location from which you extracted the Tlist.exe utility.
4. Type tlist -s.
Tlist.exe displays a list of active processes. The -s switch shows the list of active services in each process. For more information about the process, type tlist pid.

The following sample Tlist output shows two instances of Svchost.exe running:
0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe
The registry setting for the two groupings for this example are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss: Reg_Multi_SZ: RpcSs
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional Edition
http://support.microsoft.com/default.aspx?...kb;en-us;250320
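
Added example, not part of the original post or of the KB article: a Python sketch that parses tlist -s output like the sample above, maps each svchost.exe instance to its registered Svchost group, and flags image names that merely resemble svchost.exe. The PID 900 row and the 0.85 similarity threshold are assumptions made for the demonstration.

```python
import re
from difflib import SequenceMatcher
# Svchost groups copied from the KB's sample registry listing.
SVCHOST_GROUPS = {
    "netsvcs": ("EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman "
                "Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc").split(),
    "rpcss": ["RpcSs"],
}
# Rows taken from the KB's sample output; PID 900 is constructed for the demo.
SAMPLE_TLIST = """\
 208 services.exe  Svcs:  AppMgmt,Browser,Dhcp
 404 svchost.exe   Svcs:  RpcSs
 556 svchost.exe   Svcs:  EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
 900 svhost.exe    Title:
"""
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+Svcs:\s*(\S*))?")

def parse_tlist(text):
    """Return (pid, image, [services]) for each row of `tlist -s` output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            svcs = m.group(3).split(",") if m.group(3) else []
            rows.append((int(m.group(1)), m.group(2), svcs))
    return rows

def group_of(services):
    """Name of the Svchost group that contains every listed service, else None."""
    wanted = {s.lower() for s in services}
    for name, members in SVCHOST_GROUPS.items():
        if wanted and wanted <= {m.lower() for m in members}:
            return name
    return None

def review(rows):
    """Flag svchost.exe rows outside any group and look-alike image names."""
    findings = []
    for pid, image, svcs in rows:
        name = image.lower()
        if name == "svchost.exe":
            if group_of(svcs) is None:
                findings.append((pid, image, "services match no Svchost group"))
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            findings.append((pid, image, "name imitates svchost.exe"))
    return findings

if __name__ == "__main__":
    print(review(parse_tlist(SAMPLE_TLIST)))
```

The sample output carries no image paths, so a file named exactly svchost.exe outside %SystemRoot%\System32 needs a separate path check.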

#3 TEB


Posted 30 June 2005 - 08:16 PM

You cannot disable svchost.exe; it is a critical system process used to launch applications.

To maybe fix a few other problems go back to that same dialog box (start click run)
In that dialog box type msconfig. Then click the startup tab in the box that pops up. Here you will find all of the startup applications for your machine. Try disabling as many as possible. Ones you don't absolutely need.

#4 Enthusiast


Posted 30 June 2005 - 08:19 PM

You cannot disable svchost.exe; it is a critical system process used to launch applications.

To maybe fix a few other problems go back to that same dialog box (start click run)
In that dialog box type msconfig. Then click the startup tab in the box that pops up. Here you will find all of the startup applications for your machine. Try disabling as many as possible. Ones you don't absolutely need.

" i found this one when i ran regedit and deleted it. now this message doesn't show up anymore.

when i run a search for svhost.exe nothing comes back."

Looks like he did delete it.

#5 TEB


Posted 30 June 2005 - 09:22 PM

He probably just deleted the reference to the registry. Go to C:\windows\system 32\svchost.exe; if svchost.exe is in the system 32 folder, you didn't delete it. Check the task manager to see if it's still running.

#6 Herk


Posted 30 June 2005 - 09:48 PM

Assuming you've typed 'svhost.exe' correctly, that probably refers to a virus that may no longer be on your computer. Most likely this one. There are others that it could be. There's a variant of the rbot worm that uses that filename.

#7 escalante98


Posted 01 July 2005 - 01:02 PM

Assuming you've typed 'svhost.exe' correctly, that probably refers to a virus that may no longer be on your computer. Most likely this one. There are others that it could be. There's a variant of the rbot worm that uses that filename.

thanks for responding. yes, i did mean to type 'svhost.exe' and not 'svchost.exe'. seems the computer looks for it on start up still. i ran viruscan & adaware again this morning and everything seems fine. it's just that i have no access to outlook or the internet. something must have gotten cleaned off of the hard drive that will not allow me to the internet when i was getting rid of spysheriff. something in the registry maybe? maybe there is a file missing now? will i need to reinstall windows? might this fix the problem?

any thoughts?

#8 TEB


Posted 01 July 2005 - 01:34 PM

oh ......svhost.exe

Well if that much damage has been taken, just reinstall windows.

#9 escalante98


Posted 01 July 2005 - 01:44 PM

yeah i guess a reinstall would fix it. will look into it. do you know of a file (.exe, .dll, etc) that is related to online applications that i could search for to see if it is missing that i could paste back into its proper file, before i would reinstall windows?

#10 Herk


Posted 01 July 2005 - 07:18 PM

You've probably got a broken winsock. There can be entries in there that got removed by one of your spyware killers and left a blank space. This needs to be repaired and isn't hard to do.

I'd try LSPfix first, since it usually does the trick. Download it and unzip it (extract it) and run it. It's very simple: it examines your computer to see if all the modules listed are still around and if not will list them in the second pane. Or it may be that there are simply blank entries, in which case nothing will be listed in the second pane.

It shouldn't be necessary to check the "I know what I'm doing" box.

Note: sometimes, the "Finish" button at the bottom is not visible and you need to enlarge the window slightly to see it.

You can get it here.

#11 escalante98


Posted 05 July 2005 - 10:40 AM

i ran the lspfix program you recommended, but nothing seemed to happen. here is what it said when i ran it:

rnr20.dll tcpip
winrnr.dll NTDS
CSLSP.DLL (protocall handler)
msafd.dll (Protocall handler)
rsvpsp.dll (protocall handler)

these were on the 'keep' side, and the 'remove' side was blank. i didn't click the i know what i'm doing box.

rebooted and still getting the error where it is looking for svhost.exe. still no outlook or internet. just a black explorer window. can access outlook, but it says 'cannot connect to server' when i click send/receive. would reinstalling outlook fix anything? just looking for options before i would have to reinstall windows 2000.

thanks.

#12 Enthusiast


Posted 05 July 2005 - 10:52 AM

In order to delete the virus app C:\Windows\svhost.exe you first need to search the Windows Registry for svhost.exe (not svchost)

Find and then delete the entry of C:\Windows\System32\svhost.exe -start

Re-boot the computer and then delete the file C:\Windows\svhost.exe

The registry entry runs the virus on boot-up preventing you from deleting the file. By deleting the registry entry and re-booting the computer the virus doesn't run on boot up so you can delete it.
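
Added example, not part of the original post: the registry search described above, done offline with Python against a regedit text export. The list of autostart keys, the sample export and the value name ExampleEntry are constructed assumptions; only the data string C:\Windows\System32\svhost.exe -start comes from the post.

```python
import re

# Autostart key suffixes to inspect (an assumed, partial list; not from the thread).
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows nt\currentversion\windows",   # "load" and "run" values
    r"\microsoft\windows nt\currentversion\winlogon",  # "Shell" and "Userinit"
)
# Constructed regedit export; value names and data are illustrative.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ExampleEntry"="C:\\Windows\\System32\\svhost.exe -start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="svhost.exe"
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files write a backslash as \\ and a quote as \" inside strings.
    return re.sub(r"\\(.)", r"\1", s)

def find_autostart_refs(reg_text, filename):
    """Return (key, value_name, data) for autostart values that launch filename."""
    hits, key, target = [], None, filename.lower()
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not (m and key and key.lower().endswith(AUTOSTART_SUFFIXES)):
            continue
        data = unescape(m.group(2))
        # Compare whole file names, so svhost.exe and svchost.exe stay distinct.
        names = [t.strip('"').rsplit("\\", 1)[-1].lower() for t in data.split()]
        if target in names:
            hits.append((key, unescape(m.group(1)), data))
    return hits

if __name__ == "__main__":
    for hit in find_autostart_refs(SAMPLE_EXPORT, "svhost.exe"):
        print(hit)
```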

#13 escalante98


Posted 05 July 2005 - 11:24 AM

i have searched everywhere for any reference to the svhost.exe file but nothing ever comes up. not in the registry, not on the hard drive, nothing. only on booting up. man, i'm stumped.



