ghillok
"svchost.exe application failure" - during shutdown. memory could not be read.
I'm running a new Dell Dimension 4600 with Windows XP Professional. Great PC. However, when I shut down via restart or shutdown, just before the system shuts down I get the following message.
svchost.exe Application Failure. instruction at 00000019 referenced memory at 00000019. memory could not be read.
The computer will go ahead and shutdown but this error message is really beginning to get to me. Obviously, we have a program instruction caught in a circular reference but how do I fix?
Thanks
ASKER
Thanks for the post. I've just run sfc and the problem still exists. I'm leaving the question open for more comments.
ghill
I suspect a blaster on your system:
Get the removal tool from Symantec from the following URL and clean the worm then do a Windows update and apply the Security/critical updates:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Please post back with the results.
Regards,
Kumaran
New Dells come loaded with Spyware on their systems.. This is by design from Dell, although their tech support will NOT admit it...
First thing I do when setting one up is kill these.. (use both Ad-aware and Spybot)
Spyware/Adware removal tools
------------------------------
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml
Ad-aware : http://www.webattack.com/download/dladaware.shtml
There is also an executable called dsentry.exe which loads at startup. It checks for spyware on bootleg DVDs; the symptom is the hard drive light blinks for a second or two once a minute.
Try killing that beast too...
Uninstall all the dell support software stuff... I bought 3 of those machines. Make sure you do all your updates as well, then I use Spybot Search and Destroy to lock it down from the web side and protect the machine from spybots.
ASKER
Gentlemen,
Thanks for your input.
I've run McAfee, Adaware, Spykillers, ......... yes, they found some files and were removed ..
The problem's still there. I have found through selective startup that the problem only occurs after I start all system services and reboot twice. It's kinda tricky. Everything's fine when I don't load services and then shutdown. But when I shutdown the second time - the error appears again.
Still researching. I'll try posting a log real soon.
Thanks again.
ASKER
Here's a copy from Hijack:
Logfile of HijackThis v1.97.7
Scan saved at 9:53:19 AM, on 1/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\hijackthis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I'm continuing to do selective startup tests.
I've removed all Dell Support Software.
Thanks all
ASKER
To Anyone:
During shutdown - the message "Windows is shutting down" - the following error occurs
svchost.exe application failure.
the instruction at 0x00000019 referenced memory at 0x00000019. memory could not be read.
I've removed Dell support software, run McAfee, Lavasoft, Spykillers, ... problem is still occurring.
Through msconfig, I have isolated it to a MS service - but which one?
I've just run HijackThis and will post the log again.
All responses are appreciated.
ASKER
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
SMSS.EXE 376 N/A
CSRSS.EXE 424 N/A
WINLOGON.EXE 448 N/A
SERVICES.EXE 492 Eventlog, PlugPlay
LSASS.EXE 504 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
SVCHOST.EXE 660 RpcSs
SVCHOST.EXE 700 6to4, AudioSrv, Browser, CryptSvc, Dhcp,
dmserver, ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
Ip6FwHlp, Iprip, LanmanServer,
lanmanworkstation, Messenger, Netman, Nla,
RasMan, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
w32time, winmgmt, wuauserv, WZCSVC
SVCHOST.EXE 772 Dnscache
SVCHOST.EXE 840 LmHosts, RemoteRegistry, SSDPSRV, WebClient
SPOOLSV.EXE 932 Spooler
MSDTC.EXE 1672 MSDTC
ALG.EXE 1764 ALG
CISVC.EXE 1776 cisvc
CTSVCCDA.EXE 1792 Creative Service for CDROM Access
inetinfo.exe 1824 IISADMIN, MSFtpsvc, SMTPSVC, W3SVC
mcvsrte.exe 1848 MCVSRte
mdm.exe 1876 MDM
nvsvc32.exe 1924 NVSvc
TCPSVCS.EXE 208 SimpTcp
snmp.exe 220 SNMP
SVCHOST.EXE 332 stisvc
MsPMSPSv.exe 324 WMDM PMSP Service
MQSVC.EXE 652 MSMQ
MQTGSVC.EXE 2096 MSMQTriggers
McShield.exe 2256 McShield
CIDAEMON.EXE 2904 N/A
CIDAEMON.EXE 2936 N/A
explorer.exe 3820 N/A
mcvsshld.exe 3912 N/A
mcagent.exe 3936 N/A
CTSysVol.exe 3944 N/A
CTDVDDET.exe 3952 N/A
AHQTbU.exe 3964 N/A
McVSEscn.exe 3976 N/A
Directcd.exe 4012 N/A
2portalmon.exe 4024 N/A
CTFMON.EXE 4032 N/A
CmTWO.exe 1364 N/A
DLG.exe 1560 N/A
msimn.exe 2720 N/A
IEXPLORE.EXE 556 N/A
CMD.EXE 888 N/A
WMIPRVSE.EXE 2848 N/A
TASKLIST.EXE 2820 N/A
I would turn off Fast User Switching to start with... It causes more problems than it is worth... Also, you can not use NTFS security with it turned on... (Unless
Turn Off FUS... Do this in your User Accounts off the Control Panel... change the way users log on or off
All these look suspicious too.... 700 6to4,Ip6FwHlp, Iprip
Also, this one: 660 RpcSs
And: 332 stisvc
ASKER
FE
I just turned off FUS - and will try a restart.
Thanks.
ASKER
I shut off FUS - problem still exists during shutdown.
I'll check your link.
Thanks
ASKER
FE,
How do I get rid of those suspicious services?
Thanks
ASKER
FE,
I read the services list and disabled most of the services that were not needed:
Here is my tasklist /svc log:
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
SMSS.EXE 376 N/A
CSRSS.EXE 424 N/A
WINLOGON.EXE 448 N/A
SERVICES.EXE 492 Eventlog, PlugPlay
LSASS.EXE 504 PolicyAgent, ProtectedStorage, SamSs
SVCHOST.EXE 660 RpcSs
SVCHOST.EXE 700 AudioSrv, CryptSvc, Dhcp, dmserver,
EventSystem, LanmanServer,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, SENS, SharedAccess,
ShellHWDetection, TapiSrv, Themes, winmgmt,
wuauserv, WZCSVC
SVCHOST.EXE 768 Dnscache
SPOOLSV.EXE 884 Spooler
explorer.exe 1128 N/A
mcvsshld.exe 1280 N/A
mcagent.exe 1300 N/A
CTSysVol.exe 1308 N/A
CTDVDDET.exe 1316 N/A
McVSEscn.exe 1340 N/A
Directcd.exe 1344 N/A
2portalmon.exe 1372 N/A
ALG.EXE 1580 ALG
CTSVCCDA.EXE 1592 Creative Service for CDROM Access
mcvsrte.exe 1620 MCVSRte
nvsvc32.exe 1656 NVSvc
SVCHOST.EXE 1716 stisvc
SVCHOST.EXE 2040 SSDPSRV
McShield.exe 216 McShield
CMD.EXE 544 N/A
WMIPRVSE.EXE 1076 N/A
TASKLIST.EXE 1356 N/A
Any suggestions?
You still have some suspicious services running, but we are getting close...
I have another meeting to go to and won't be back for a few hours.. If no one else has stopped in to help, I will try to ck these out then...
FE
ASKER
Still removing services ....
ASKER
Well, Well, Well. Here's the scoop.
It's not a bug of the virus type. After I disabled the service Windows Image Acquisition (WMI) the error went away.
Several people deserve credit on this.
You see, a few weeks ago I installed my old camera software so I'm thinking that's causing problems either through my serial and more likely my USB port.
Who gets the points?
Thanks all.
Whoa... but glad you got her running smooth again...
You can split the points and assign them to those who helped you most...
https://www.experts-exchange.com/help.jsp#hi19
FE
Thanks gh...
Have a nice weekend..!!
FE
ASKER
Final note.
The suspect service is WIA! WIA!
Windows Image Acquisition (WIA)
Provides image acquisition services for scanners and cameras.
C:\WINDOWS\System32\svchost.exe -k imgsvc
I disabled it and this Dell is shutting down fine.
My camera and scanners are working fine as well.
What's the deal with WIA?
Thanks to all - have a good weekend.
ghillok :)
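The narrowing-down done by hand in this thread, as an added example that is not part of any post above: the error dialog names only svchost.exe, so the `tasklist /svc` listings are what tie a service to a host process (stisvc is the service name behind WIA). The sketch parses two such listings, re-joins the wrapped service lists, and reports which svchost-hosted services are still running and which have already been stopped. The sample text is constructed (abbreviated from the listings in the thread) and the function names are hypothetical.

```python
import re

# Constructed samples, abbreviated from the two `tasklist /svc` listings in this thread.
BEFORE = """\
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
SERVICES.EXE 492 Eventlog, PlugPlay
SVCHOST.EXE 660 RpcSs
SVCHOST.EXE 700 6to4, AudioSrv, Dhcp,
Ip6FwHlp, Iprip, Themes
SVCHOST.EXE 332 stisvc
explorer.exe 3820 N/A
"""
AFTER = """\
Image Name PID Services
========================= ====== =============================================
SERVICES.EXE 492 Eventlog, PlugPlay
SVCHOST.EXE 660 RpcSs
SVCHOST.EXE 700 AudioSrv, Dhcp,
Themes
SVCHOST.EXE 1716 stisvc
explorer.exe 1128 N/A
"""

# A process row is "<image> <pid> <services>". Any other line is treated as a wrapped
# continuation of the previous row (assumption: it contains no standalone number).
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def split_services(field):
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], re-joining wrapped service lists."""
    rows = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("=") or line.lower().startswith("image name"):
            continue
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), split_services(m.group(3))))
        elif rows:
            rows[-1][2].extend(split_services(line))
    return rows

def svchost_groups(text):
    """Map PID -> services for each svchost.exe instance."""
    return {pid: svcs for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe"}

def narrow(before, after):
    """Return (still running under svchost, already stopped) between two listings."""
    was = {s for svcs in svchost_groups(before).values() for s in svcs}
    now = {s for svcs in svchost_groups(after).values() for s in svcs}
    return sorted(was & now), sorted(was - now)

if __name__ == "__main__":
    print(narrow(BEFORE, AFTER))
```

If the error persists after the second listing, the first list returned by `narrow` is the remaining set of candidates.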
Just like to say I had the SAME exact problem, on a non-Dell (down with Dell!) and it was indeed the WIA service. In fact, it gave me the same error when I attempted to stop the service! I disabled it and all is well! Thanks for doing all the legwork people!
'ol gravy leg
I have the same problem on an IBM T42p, and stopping the WIA service did not help at all.....
:(
Go to START > RUN and type sfc /scannow
Let the scan complete, and if it asks you for the WinXP CD, insert it and fix the corrupted files.
!! GOOD LUCK !!