svchost.exe has generated errors - a sneakier strain

By dragin99
Aug 5, 2005
Topic Status:
Not open for further replies.
  1. Hello all,
    This is a pain of a problem and haven't gotten much help elsewhere but thought I would try here. I sure hope so I can't get any work done!!!
    A few days ago I started getting "svchost.exe has generated errors ..." Those of you that has experienced this know the drill.
    FYI - I have read Vinaya_Pande and HughJass's post's form 5/31/05. no help, and I'm not formating. I'll put a bounty on the @#$%^ that created this bugger first!!
    My config:
    XP PRO w/SP2 - 2.4ghz celeron - 512meg mem - 2 users defined.
    Symptoms:
    Click on my logon and hear the pretty music - At the end of startup ( just after network processes etc. ) Icons flash vigorously ( more than normal active desktop re-painting ) and taskbar flashes and briefly looks like the old win98 start button is going to stay...then flashes back to XP start button.
    Then I receive the svchost.exe error. A couple of ways I know I'm in trouble...try to pull up volume control and get "...no active mixers available.." and sound is gone. Can't get to microsoft firewall I get " ...associated service not running..".
    If I try to ride it out and try to use other programs they slowly degrade in response time and functionality ex. Dreamweaver runs real slow and can't connect to databases etc..
    Went to a many, many forums and many google searches and here is what I have done:
    Ran:
    AVG w/current updates
    spyware doctor
    Ad-aware
    xoftspy
    cleanmypc - registry tool
    tweak regcleaner
    CrapCLeaner
    PC bug doctor
    Spybot
    Aluria's Security Center errored out when I tried to scan. ( the send report error )
    They all found something different - Thats a pain in itself! Except AVG didn't find any viruses.
    I know its some kind of worm that uses the legit svchost service. So ran the following worm removal tools:
    Blaster
    poza.a
    welchia
    assarm@mm
    gaobot
    They each took about 2 hours to run and found nothing!!!.
    Found other instances of svchost.exe running in folders other than windows/system32
    and deleted them ...The system booted up good and I thought I was out of the woods.....then the svchost error popped up again and I was back where I was. However during that time I read that microsoft firewall might have allowed the worm in and in fact ran Sheilds up online port test and sure enough port 1025 had been open all this time!! I was able to shut down the firewall and loaded the pcInternet patrol firewall.
    Now this stopped the error from popping up but the contamination was still there, i.e. Flashing taskbar almost going to win98 taskbar, can't pull up the volume etc and programs still not running right.
    The only thing I can figure is the this bugger has attached itself to a real process and that's why none of the anti-virus, spyware, regcleaners can't find it. - Doesn't give me a real warm and fuzzy about any protection I'm supposed to be getting and in some cases PAYING FOR!!!
    Anyway - I'm hoping another set of eyes can help!!
    I'll entertain any ideas!!

    Here is my log from HIjackThis if that helps anyone!

    Logfile of HijackThis v1.99.1
    We need a FULL listing, not one cropped by you!
    (realblackstuff)

    Can't put the rest because it's to long and mostly has to do with explorer toolbar stuff and that's pretty much been ruled out.
    I don't believe you! (realblackstuff)

    Hope to hear from someone but I'm not that confident...cause this is a real mess!! And I have got to get some work done!!
    Thank you for reading this!
    Sorry for the confusion on the hijack log...I've sent it as an attachment.
    By the way I ran Ewido have included that scan report as well.
    Thanks again. Hope you can see something.

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  3. dragin99

    dragin99 Newcomer, in training Topic Starter

    Sorry about the confusion on my part about the hihackThis log.
    I have attached it to the original thread.
    thanks again.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    PartyPoker.exe

    Next, click Start/Run and type in:
    cmd and hit Enter
    regsvr32 /u ippspw.dll and hit Enter
    Exit the command window.

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll <<== 'Spyware doctor'
    C:\Program Files\Download Express\Add_Url.htm <<== get Stardownloader 1.44 from www.stardownloader.com later!
    C:\Program Files\PartyPoker\PartyPoker.exe

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    Fix all your O16 - DPF: entries
    O20 - Winlogon Notify: IsaLogon - C:\WINDOWS\system32\pcip\ippspw.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
  5. dragin99

    dragin99 Newcomer, in training Topic Starter

    Thanks realblackstuff, did what you recommended.
    However, I removed the temp firewall, because It wouldn't allow me to run apache server without registering the program --$35.00 every 3 months, and installed zonealarm. The svchost.exe errors came back at startup killing( not starting, actually) many, many services, and pops up periodically and changes my taskbar from win98 to winxp and killing services again after I started them!
    I've attached the hijackthis log, and I've run ewido which didn't find anything this time. I don't know where this @$#% is hiding but it sure doesn't want to go away without a fight. One note on the startups, I notice every time this happens I get the line O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u and I usally delete it but that doesn't seem to help so left it in this time around in case it tells you something.
    Man this is really getting me down!!!
    Hope you can help ....and I really appreciate you taking the time to look at it!
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Before we go any further, you need to get rid of as much unneeded junk as possible.
    If you want it again, you can always re-install it after the problem has been solved.
    Some of the items that I marked to 'fix' underneath, are made to get your system more streamlined.
    Some will only be stopped and removed from starting, but not deleted.
    Follow the instructions carefully!
    Some items might not even show up, don't worry.

    I am not clear about MyWebEx. Unless you need it with Apache server, UNinstall it where I tell you.

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    atnthost.exe (mywebex)
    RAAGTAPP.EXE (mywebex)
    mdm.exe (ms debugger)
    fxssvc.exe (unneeded fax-service)
    carpserv.exe (unneeded modem dialtone listener)
    CFD.exe (broadband monitor, eats CPU)
    ybrwicon.exe (yahoo)
    ycommon.exe (yahoo)
    IAM.exe (internet answering machine)
    memturbo.exe (not needed)
    cidaemon.exe (part of the microsoft indexing service, not needed)
    IPMon32.exe (internet monitor, not needed)
    dumprep.exe (debugger reporter, not needed)
    Adobe Gamma Loader.exe (screen corrector, not needed)
    ONENOTEM.EXE (ms office space waster)

    Next, try to UNinstall anything to do with (not delete yet!):
    c:\program files\google\googletoolbar1.dll
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\common\
    C:\Program Files\Yahoo!\messenger\ and any other Yahoo stuff!
    C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

    Next, click Start/Run and type services.msc and click OK. Look for the service:
    Fax Service (this is fxssvc.exe)
    Indexing Service (this is cidaemon.exe)
    atnthost.exe (mywebex)
    YPCSERVICE.EXE (yahoo)
    Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
    C:\WINDOWS\Downlo~1\MyWebEx\319\RAAGTAPP.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Startup: MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O23 - Service: AT Host Service (atnthost) - WebEx - C:\WINDOWS\Downlo~1\MyWebEx\319\atnthost.exe
    O23 - Service: dev5_ap1 - Unknown owner - C:\phpdev5\apache\Apache.exe" --ntservice (file missing)
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.

    After you have done all of the above, you should have a George Foreman PC!
    (lean, mean, bloat-reduced machine)

    Now post a new HJT-log if you still have problems.
  7. dragin99

    dragin99 Newcomer, in training Topic Starter

    Well RealBlackStuff that sucker is still there,
    I did as you asked. Regarding your yahoo requests I removed all of the toolbars for firefox and ie but did not remove the yahoo DSL browser as this is the way my Dad gets onto his email. Your right about one thing it is streamlined it boots up fast and now the "svchost.exe has gen errors" pops up immediately!
    Have you ever seen anything like this?
    I left the dumpro error in the startup so you can see this happens every time I restart whether I'm coming out of Safe mode or not. Again what will happen is that a good many services don't start such as windows audio dns, dhcp and sometimes network connections isn't started either. I then start all of the services that should have been started and sometime during my session they will go away again as well as my ability to get to the internet. Somehow it kills my DSL connection. I mean I have tried EVERYTHING! I think now you are starting to feel my pain. Thanks again by the way! You have the patience of a Saint!
    I've attached another hjt scan but there's not much there anymore.
    Man this is a real bummer!
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    These still need to be 'fixed' (but do not interfere otherwise):
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O23 - Service: dev5_ap1 - Unknown owner - C:\phpdev5\apache\Apache.exe" --ntservice (file missing)

    If you paid for Zonealarm, completely UNinstall, then get the latest version and re-install it.
    ZA also has issues with SP2 if SP2 is installed AFTER ZA.
    If you have ZA-free, completely UNinstall it and replace it with the free Sygate firewall
    http://soho.sygate.com
    Make sure you disconnect the PC from the web, when you change firewalls!
    If it is not ZA, then you'll have to count me out, I'm afraid.

    If you then still have issues, put 4-5 minidumps in a zip-file and make a new post with a title like "Svchost crashes, see minidumps". Hopefully cpc2004 will pick up on it.
  9. dragin99

    dragin99 Newcomer, in training Topic Starter

    RealBlackStuff, Thanks for getting back to me.
    I did as you asked and I like Sygate much much better than ZoneAlarm. Got much more info upon startup, but alas that @#$% svchost.exe error is still there. As I understand it, this sucker copies itself over the real svchost.exe error and then causes all these freaky problems. Can't believe none of the spyware, registry and antivirus programs cannot find it.
    I will take you up on your suggestion and re-post with a few dumps.
    Anyway thanks a ton for your help but if no one else can help looks like I'll have to reformat and reload....only problem with that is without knowing what is causing this it could very well come back to haunt me. But I have know choice I can't exist like this!
    Thanks again!
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Final resort:

    Uninstall the Lexmark printer with all its extra ballast.
    Uninstall Apache as well for the time being (save your settings!).

    Then run the gamut of all online AV scanners, such as Stinger, TrendMicro, Panda, KAV, etc. And run MS Antispyware Beta as well!
    Good results have also been had with this MWAV kit:
    http://www.mwti.net/antivirus/mwav.asp
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.