
svchost.exe and lsass.exe errors at shutdown


16 replies to this topic

#1 triggerhappypappy


Posted 12 September 2009 - 08:02 AM

When I try to shut down my computer (Windows XP Home) a message comes up:
"svchost.exe - Application Error : The instruction at "0x1000e765" referenced memory at "0x00000000". The memory could not be "read". Click on OK to terminate the program"
The message is similar to this.

When I click on OK to terminate the program, it switches to another message stating the same thing, except it is referring to the lsass.exe program. When I click OK to terminate, it goes back to the svchost.exe message.
Every time I click OK the numbers change in the memory reference.
To sum it up, I cannot shut down my machine without pulling the plug!
Please help. I have an HP Pavilion a867c.
Thanks
Freedom Is Not Free !! Pray For our Troops



#2 hamluis


Posted 12 September 2009 - 09:36 AM

Seems to be varying, unknown causes.

I would run chkdsk /r.

Start/Run...type chkdsk /r (with space between k and /) and hit Enter. Type Y in response to the on-screen query and hit Enter. Reboot the system, let the command execute; the system will reboot when done.

I would then defrag same partition.

I would also check Event Viewer for possible pertinent error messages, How To Use Event Viewer - http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/

FWIW: Lsass.exe errors are often malware-related, IMO.

http://www.fileinspect.com/fileinfo/lsass-exe/

Louis

#3 triggerhappypappy


Posted 12 September 2009 - 05:40 PM

Thank you, Louis...
I opened the Event Viewer and it seems there are many errors from the crypt32 source. I ran checkdisk and the defrag to no avail. The first time I opened the Event Viewer I received the same error message box, but it was an application error in waucault.exe.
Something is very wrong. It looks like a possible infection of some sort. I am thinking about reformatting my drive, but I would prefer not to if I don't have to. Any advice would be greatly appreciated.

#4 hamluis


Posted 12 September 2009 - 06:19 PM

I am going to have this thread moved to one of the malware forums, based on what I have read concerning crypt32.

http://www.superantispyware.com/definition/crypt32/

From this point onward, take all instructions/suggestions from a bona fide member of our malware forums.

Louis

#5 boopme


Posted 12 September 2009 - 07:50 PM

Hello, I am moving this as suggested from XP to Am I Infected.
Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 triggerhappypappy


Posted 15 September 2009 - 09:31 AM

Here is a copy of the requested log. This program "ICONLOVER" referenced in the log has been on my computer for a long time and IMO is not the cause of my troubles. It might be a false positive, but not really sure.
It is apparent that nothing has changed; I am still having the same svchost.exe errors at shutdown.
Any more ideas?
Thanks for your time
Pete


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/13/2009 at 05:09 AM

Application Version : 4.28.1010

Core Rules Database Version : 4096
Trace Rules Database Version: 2036

Scan type : Complete Scan
Total Scan Time : 04:01:32

Memory items scanned : 254
Memory threats detected : 0
Registry items scanned : 5924
Registry threats detected : 0
File items scanned : 88027
File threats detected : 1

Trojan.Unclassified/Loader-Suspicious
C:\PROGRAM FILES\ICONLOVER\LOADER.EXE

#7 boopme


Posted 15 September 2009 - 11:59 AM

We still should run these to be sure there is not malware at fault.

Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#8 triggerhappypappy


Posted 15 September 2009 - 05:22 PM

I went into Safe Mode again and cleaned with ATF and rescanned with SAS as instructed, but nothing was found.
The results are pasted below. When I rebooted my machine I had some more error messages at startup. This has never happened before. Usually they appear at shutdown. This time they were wauaclt.exe (not sure about the exact spelling).
While in Safe Mode there are no errors at shutdown.
As you can see, I am very confused. Do you know what is going on here?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/15/2009 at 05:30 PM

Application Version : 4.28.1010

Core Rules Database Version : 4101
Trace Rules Database Version: 2041

Scan type : Complete Scan
Total Scan Time : 04:03:53

Memory items scanned : 259
Memory threats detected : 0
Registry items scanned : 5911
Registry threats detected : 0
File items scanned : 88151
File threats detected : 0

#9 boopme


Posted 15 September 2009 - 08:12 PM

Hi, it appears to be a clean machine. The wauaclt.exe is related to Windows Update. I will ask that you run this next.
We need to repair some of Windows' internal registration settings.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double-click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (looks like this: [image])
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
    [image]
  • When the window looks like this, press the GO button in the bottom of the window.
    [image]
  • Exit/Close Dial-A-Fix


#10 triggerhappypappy


Posted 15 September 2009 - 08:57 PM

I ran Dial-A-Fix and it produced many errors: "error 127 c\windows\system32\iesetup.dll is not registerable or file corrupted."
That was an example of one error. I did not get all the errors noted on paper.

#11 boopme


Posted 15 September 2009 - 09:13 PM

OK, now you have me ????
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#12 triggerhappypappy


Posted 16 September 2009 - 09:55 AM

I ran Kaspersky and found nothing, so there was no report generated to paste on this log.

#13 boopme


Posted 16 September 2009 - 10:10 AM

Ok this is not a malware issue. You may end up ‘redoing’ (reinstalling) Windows on your system.
If you have the time, take out some recently installed programs and see if it comes up. If you are planning on upgrading your RAM or HDD soon, it may solve it for you.
Ask how to test RAM up top again.

SFC (System File Checker) is a utility that will let Windows ‘check itself’ for many files and see if they are in their proper forms and readable. If not, it will ask for the CD and replace some files that Windows uses.

Run sfc /scannow
NOTE for Vista users: The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.

#14 triggerhappypappy


Posted 16 September 2009 - 06:08 PM

I did not receive a CD with my computer. It was pre-installed when I bought it. It is an HP.

#15 triggerhappypappy


Posted 17 September 2009 - 08:43 AM

OK, I ran the program sfc /scannow and it did not ask for a CD, so I imagine everything checked out OK. I ran it twice to be sure.



