AXWIN Frame Window: svchost.exe - Application Error


  • This topic is locked
16 replies to this topic

#1 mashenden

  • Members
  • 14 posts
  • Gender: Male
  • Location: Richmond, VA, USA

Posted 07 February 2010 - 03:59 PM

I am having a problem with the following error:

AXWIN Frame Window: svchost.exe - Application Error, etc.
Generic Host Process for Win 32 Services, Windows has closed this program. Data Execution Prevention etc.
System by NT/Authority/System DCOM Server Process, etc.

Then the PC begins to shut down. I have been able to stop the shutdown by using Run Shutdown -a.

Other symptoms earlier included not being able to do an Alt/Ctrl/Del, followed by an hourglass. In the lower right I could see that Task Manager had opened but there was no way to get it on the screen to review/stop processes. End result - a hard reboot was needed to go further.

System restores even back to the initial restore point (which was only about 4 months ago) have not been successful.

I am to the point of wanting to run combofix (I have never done this before) but the warnings seemed very clear that I should post and get help first.

Thank you in advance.

mashenden

#2 mashenden

Posted 08 February 2010 - 10:52 AM

Using Norton, I disabled svchost and all is good (with the huge exception being I cannot get out to the Internet), but the PC is not autoshutting down or getting hung up with the hour glass and Alt/Ctrl/Del always works. Point being, it must be some rogue program that is using svchost to send info over the internet as well as rendering my PC unable to exit without a firm reboot.

Norton, Defender, Malwarebytes and SUPERAntiSpyWare have not removed this problem.

Any ideas? Can someone help me use ComboFix?

mashenden

#3 quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,750 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 08 February 2010 - 01:12 PM

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
  • A log file will be created and saved to the root directory, C:\rkill.log
  • Copy and paste the contents of rkill.log in your next reply.
Note: If you get an alert that Rkill is infected, ignore it. The alert is just a fake warning given by the rogue software which tries to terminate programs that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

Now try performing a Quick Scan in normal mode with Malwarebytes Anti-Malware and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 mashenden

Posted 08 February 2010 - 05:12 PM

Rkill appeared to run in that the DOS box showed up, and then a log was displayed to the screen. When I closed the log, the PC showed an hourglass and appears to be stuck there. While I could reboot to see if I can get the log to post, I was not sure.

Alt/Ctrl/Del will not work - A reboot would have to be a hard one.

Edited by mashenden, 08 February 2010 - 05:15 PM.


#5 quietman7

Posted 08 February 2010 - 05:24 PM

Then reboot and try repeating the instructions.

#6 mashenden

Posted 08 February 2010 - 05:37 PM

Given how sluggish the PC is (it took almost an hour just to get it to navigate to the bleepingcomputer forum webpage to use rkill), if the rkill log is there from the last run, can I post it? I doubt I'll ever be able to get the PC to behave long enough to do all of the instructions without needing to be rebooted.

Update - Here is the posted log from the initial run in case it is of value:


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as HP_Owner on 02/08/2010 at 15:55:04.

Processes terminated by Rkill or while it was running:

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Documents and Settings\HP_Owner\Desktop\rkill.com

Rkill completed on 02/08/2010 at 15:55:27.


Sorry if there is a better way to attach logs - I'll search after this post.

Edited by mashenden, 08 February 2010 - 05:46 PM.


#7 quietman7

Posted 08 February 2010 - 05:50 PM

I still cannot tell if you ran MBAM immediately after running Rkill. Without doing that, attempting to remove any malware is much more difficult.

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans and rootkits. Infections will vary and some will cause more harm to your system than others as a result of it having the ability to download more malicious files. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them.

#8 mashenden

Posted 08 February 2010 - 05:56 PM

I had not run MBAM. I was at the last bullet where I was to post the Rkill log, but since there was a reboot in between I wanted to make sure I was not wasting our time.

I can most likely run Rkill, get a log and run MBAM Quick scan as long as the PC is not hooked to the network - Any value in that approach?

Edited by mashenden, 08 February 2010 - 05:57 PM.


#9 quietman7

Posted 08 February 2010 - 06:02 PM

"I can most likely run Rkill, get a log and run MBAM Quick scan as long as the PC is not hooked to the network - Any value in that approach?"

Yes. No rebooting after running Rkill and don't worry about the log. Go directly to a Quick scan with MBAM, then reboot afterwards.

#10 mashenden

Posted 08 February 2010 - 06:50 PM

With the network disconnected, I ran Rkill, verified the Rkill log was the same as the one I posted earlier, ran MBAM Quick Scan (with updated definitions) - It found no malicious items. Log as follows:

Malwarebytes' Anti-Malware 1.44
Database version: 3703
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/8/2010 5:35:06 PM
mbam-log-2010-02-08 (17-35-06).txt

Scan type: Quick Scan
Objects scanned: 120624
Time elapsed: 12 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I still did a reboot even though it did not find anything.

I then connected to the network. I opened Explorer and will try to navigate to BleepingComputer. Update forthcoming.

#11 mashenden

Posted 08 February 2010 - 06:56 PM

So far so good, although I must admit I am wondering how it could have fixed it yet reported nothing found. Is that possible??

[Update]
:thumbsup: Oh, oh I just got the same error although things are still working better than they have in a while.

[Update 2]
I just got a pop up - Message from webpage. Warning! Your PC contains signs of a virus...etc. System Security will perform a quick and free scan...etc.

I selected Cancel and of course it goes to do the scan anyways.

This has happened in recent times but not every time following a reboot.

[Update 3] Just noticed that I am not able to do an Alt Ctrl Del although I can see them in the tray next to the clock. Things are starting to spiral downward. I suspect at some point I will get a system auto shutdown.

Any ideas?

Edited by mashenden, 08 February 2010 - 07:24 PM.


#12 quietman7

Posted 09 February 2010 - 08:26 AM

My research indicates that many users with the AXWIN Frame Window: svchost.exe - Application Error have machines where the atapi.sys file is infected. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 mashenden

Posted 09 February 2010 - 02:41 PM

Will do. Thank you for your help.

Any thoughts on how likely it is to recover from this type of infection or should I cut my losses and jump to a reformat HD and reload everything (tempting)?

#14 quietman7

Posted 09 February 2010 - 09:37 PM

You can always reformat but I would wait until confirmation of the infection which will show after posting your logs and trying stronger tools.

#15 mashenden

Posted 10 February 2010 - 09:32 AM

Sounds good. I have completed Step 1 - 6 and starting Step 7 next. Again, thank you for your help. It is in my nature to want to identify and remove the problem.



