ghillok

"svchost.exe application failure" - during shutdown. memory could not be read.

I'm running a new Dell Dimension 4600 with Windows XP Professional.  Great PC.  However, when I shut down via restart or shutdown, just before the system shuts down I get the following message.

svchost.exe Application Failure. instruction at 00000019 referenced memory at 00000019. memory could not be read.


The computer will go ahead and shut down, but this error message is really beginning to get to me.  Obviously, we have a program instruction caught in a circular reference, but how do I fix it?

Thanks
SheharyaarSaahil

Hello ghillok =)
Go to START > RUN and type  sfc /scannow
Let the scan complete, and if it asks you for the WinXP CD, insert it and fix the corrupted files.

!! GOOD LUCK !!
ghillok (ASKER)

Thanks for the post.  I've just run sfc and the problem still exists.  I'm leaving the question open for more comments.

ghill
I suspect a blaster on your system:

Get the removal tool from Symantec from the following URL and clean the worm then do a Windows update and apply the Security/critical updates:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Please post back with the results.

Regards,
Kumaran
New Dells come loaded with Spyware on their systems..  This is by design from Dell, although their tech support will NOT admit it...  

First thing I do when setting one up is kill these..  (use both Ad-aware and Spybot)

Spyware/Adware removal tools
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml 

Ad-aware : http://www.webattack.com/download/dladaware.shtml 
There is also an executable called dsentry.exe which loads at startup. It checks for spyware on bootleg DVDs; the symptom is the hard drive light blinks for a second or two once a minute.

Try killing that beast too...
Uninstall all the Dell support software stuff... I bought 3 of those machines.  Make sure you do all your updates as well, then I use Spybot Search and Destroy to lock it down from the web side and protect the machine from spybots.
ghillok (ASKER)

Gentlemen,

Thanks for your input.

I've run McAfee, Adaware, Spykillers, ......... yes, they found some files and were removed ..

The problem's still there.  I have found through selective startup that the problem only occurs after I start all system services and reboot twice.  It's kinda tricky.  Everything's fine when I don't load services and then shut down.  But when I shut down the second time  - the error appears again.

Still researching.  I'll try posting a log real soon.

Thanks again.
ghillok (ASKER)

Here's a copy from Hijack:

Logfile of HijackThis v1.97.7
Scan saved at 9:53:19 AM, on 1/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\hijack\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I'm continuing to do selective startup tests.

I've removed all Dell Support Software.

Thanks all
ghillok (ASKER)

To Anyone:

During shutdown  - the message "Windows is shutting down"  - the following error occurs

svchost.exe application failure.

the instruction at 0x00000019 referenced memory at 0x00000019. memory could not be read.

I've removed Dell support software, run McAfee, Lavasoft, Spykillers, ... problem is still occurring.

Through msconfig, I have isolated it to a MS service - but which one?

I've just run HijackThis and will post the log again.

All responses are appreciated.


ghillok (ASKER)

Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
SMSS.EXE                     376 N/A                                          
CSRSS.EXE                    424 N/A                                          
WINLOGON.EXE                 448 N/A                                          
SERVICES.EXE                 492 Eventlog, PlugPlay                          
LSASS.EXE                    504 NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
SVCHOST.EXE                  660 RpcSs                                        
SVCHOST.EXE                  700 6to4, AudioSrv, Browser, CryptSvc, Dhcp,    
                                 dmserver, ERSvc, EventSystem,                
                                 FastUserSwitchingCompatibility, helpsvc,    
                                 Ip6FwHlp, Iprip, LanmanServer,              
                                 lanmanworkstation, Messenger, Netman, Nla,  
                                 RasMan, Schedule, seclogon, SENS,            
                                 SharedAccess, ShellHWDetection, TapiSrv,    
                                 TermService, Themes, TrkWks, uploadmgr,      
                                 w32time, winmgmt, wuauserv, WZCSVC          
SVCHOST.EXE                  772 Dnscache                                    
SVCHOST.EXE                  840 LmHosts, RemoteRegistry, SSDPSRV, WebClient  
SPOOLSV.EXE                  932 Spooler                                      
MSDTC.EXE                   1672 MSDTC                                        
ALG.EXE                     1764 ALG                                          
CISVC.EXE                   1776 cisvc                                        
CTSVCCDA.EXE                1792 Creative Service for CDROM Access            
inetinfo.exe                1824 IISADMIN, MSFtpsvc, SMTPSVC, W3SVC          
mcvsrte.exe                 1848 MCVSRte                                      
mdm.exe                     1876 MDM                                          
nvsvc32.exe                 1924 NVSvc                                        
TCPSVCS.EXE                  208 SimpTcp                                      
snmp.exe                     220 SNMP                                        
SVCHOST.EXE                  332 stisvc                                      
MsPMSPSv.exe                 324 WMDM PMSP Service                            
MQSVC.EXE                    652 MSMQ                                        
MQTGSVC.EXE                 2096 MSMQTriggers                                
McShield.exe                2256 McShield                                    
CIDAEMON.EXE                2904 N/A                                          
CIDAEMON.EXE                2936 N/A                                          
explorer.exe                3820 N/A                                          
mcvsshld.exe                3912 N/A                                          
mcagent.exe                 3936 N/A                                          
CTSysVol.exe                3944 N/A                                          
CTDVDDET.exe                3952 N/A                                          
AHQTbU.exe                  3964 N/A                                          
McVSEscn.exe                3976 N/A                                          
Directcd.exe                4012 N/A                                          
2portalmon.exe              4024 N/A                                          
CTFMON.EXE                  4032 N/A                                          
CmTWO.exe                   1364 N/A                                          
DLG.exe                     1560 N/A                                          
msimn.exe                   2720 N/A                                          
IEXPLORE.EXE                 556 N/A                                          
CMD.EXE                      888 N/A                                          
WMIPRVSE.EXE                2848 N/A                                          
TASKLIST.EXE                2820 N/A                                          

I would turn off Fast User Switching to start with...  It causes more problems than it is worth...  Also, you can not use NTFS security with it turned on...  (Unless

Turn Off FUS...  Do this in your User Accounts off the Control Panel...  change the way users log on or off
All these look suspicious too....   700 6to4,Ip6FwHlp, Iprip
Also, this one:  660 RpcSs
And:  332 stisvc
ghillok (ASKER)

FE

I just turned off FUS - and will try a restart.

Thanks.
ghillok (ASKER)

I shut off FUS - problem still exists during shutdown.

I'll check your link.

Thanks
ghillok (ASKER)

FE,

How do I get rid of those suspicious services?

Thanks
ghillok (ASKER)

FE,

I read the services list and disabled most of the services that were not needed:

Here is my tasklist /svc log:

Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
SMSS.EXE                     376 N/A                                          
CSRSS.EXE                    424 N/A                                          
WINLOGON.EXE                 448 N/A                                          
SERVICES.EXE                 492 Eventlog, PlugPlay                          
LSASS.EXE                    504 PolicyAgent, ProtectedStorage, SamSs        
SVCHOST.EXE                  660 RpcSs                                        
SVCHOST.EXE                  700 AudioSrv, CryptSvc, Dhcp, dmserver,          
                                 EventSystem, LanmanServer,                  
                                 lanmanworkstation, Netman, Nla, RasMan,      
                                 Schedule, SENS, SharedAccess,                
                                 ShellHWDetection, TapiSrv, Themes, winmgmt,  
                                 wuauserv, WZCSVC                            
SVCHOST.EXE                  768 Dnscache                                    
SPOOLSV.EXE                  884 Spooler                                      
explorer.exe                1128 N/A                                          
mcvsshld.exe                1280 N/A                                          
mcagent.exe                 1300 N/A                                          
CTSysVol.exe                1308 N/A                                          
CTDVDDET.exe                1316 N/A                                          
McVSEscn.exe                1340 N/A                                          
Directcd.exe                1344 N/A                                          
2portalmon.exe              1372 N/A                                          
ALG.EXE                     1580 ALG                                          
CTSVCCDA.EXE                1592 Creative Service for CDROM Access            
mcvsrte.exe                 1620 MCVSRte                                      
nvsvc32.exe                 1656 NVSvc                                        
SVCHOST.EXE                 1716 stisvc                                      
SVCHOST.EXE                 2040 SSDPSRV                                      
McShield.exe                 216 McShield                                    
CMD.EXE                      544 N/A                                          
WMIPRVSE.EXE                1076 N/A                                          
TASKLIST.EXE                1356 N/A                                          

Any suggestions?
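
The two tasklist /svc logs posted above can be compared mechanically rather than by eye. The Python below is an added example, not part of the original thread: it parses that layout (including the wrapped service lists), reports which svchost-hosted services disappeared between two snapshots, and lists the svchost.exe instances that host a single service. The sample rows are abridged from the posted logs and the function names are hypothetical.

```python
import re

# Constructed sample input: rows abridged from the two tasklist /svc logs above.
BEFORE = """\
Image Name                   PID Services
========================= ====== =============================================
SERVICES.EXE                 492 Eventlog, PlugPlay
SVCHOST.EXE                  660 RpcSs
SVCHOST.EXE                  700 6to4, AudioSrv, Dhcp,
                                 Ip6FwHlp, Iprip, Messenger,
                                 winmgmt, wuauserv
SVCHOST.EXE                  840 LmHosts, RemoteRegistry, SSDPSRV, WebClient
SVCHOST.EXE                  332 stisvc
"""
AFTER = """\
SVCHOST.EXE                  660 RpcSs
SVCHOST.EXE                  700 AudioSrv, Dhcp,
                                 winmgmt, wuauserv
SVCHOST.EXE                 1716 stisvc
SVCHOST.EXE                 2040 SSDPSRV
"""
# Image name, PID, first chunk of the services column. Header, separator and
# wrapped lines do not match (no PID, or leading whitespace).
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")

def _names(field):
    # Split a comma-separated services field, dropping blanks and N/A.
    return [s.strip() for s in field.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])], joining wrapped continuation lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), _names(m.group(3))))
        elif rows and line[:1].isspace() and line.strip():
            rows[-1][2].extend(_names(line))  # wrapped list belongs to previous row
    return rows

def svchost_services(text):
    """Map service name -> hosting PID for every svchost.exe instance."""
    return {s: pid for img, pid, svcs in parse_tasklist_svc(text)
            if img.lower() == "svchost.exe" for s in svcs}

def stopped_between(before, after):
    """Services in `before` but not `after`; keyed by name because PIDs change on reboot."""
    return sorted(set(svchost_services(before)) - set(svchost_services(after)))

def single_service_hosts(text):
    """svchost.exe instances hosting one service, so a fault there points at that service."""
    return {svcs[0]: pid for img, pid, svcs in parse_tasklist_svc(text)
            if img.lower() == "svchost.exe" and len(svcs) == 1}
```

Calling stopped_between(BEFORE, AFTER) lists the services that were disabled between the two snapshots, and single_service_hosts(AFTER) shows which services still run alone in their own svchost.exe.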

You still have some suspicious services running, but we are getting close...

I have another meeting to go to and won't be back for a few hours..  If no one else has stopped in to help, I will try to ck these out then...

FE
ghillok (ASKER)

Still removing services ....
ghillok (ASKER)

Well, Well, Well.       Here's the scoop.

It's not a bug of the virus type.  After I disabled the service Windows Image Acquisition (WMI) the error went away.

Several people deserve credit on this.

You see, a few weeks ago I installed my old camera software so I'm thinking that's causing problems either through my serial and more likely my USB port.

Who gets the points?

Thanks all.
Whoa...  but glad you got her running smooth again...  

You can split the points and assign them to those who helped you most...  

https://www.experts-exchange.com/help.jsp#hi19

FE
Thanks gh...  

Have a nice weekend..!!

FE
ghillok (ASKER)

Final note.  

The suspect service is WIA!  WIA!

Windows Image Acquisition (WIA)
Provides image acquisition services for scanners and cameras.
C:\WINDOWS\System32\svchost.exe -k imgsvc

I disabled it and this Dell is shutting down fine.

My camera and scanners are working fine as well.  

What's the deal with WIA?

Thanks to all - have a good weekend.

ghillok :)
Just like to say I had the SAME exact problem, on a non-Dell (down with Dell!) and it was indeed the WIA service. In fact, it gave me the same error when I attempted to stop the service! I disabled it and all is well! Thanks for doing all the legwork people!

'ol gravy leg
I have the same problem on an IBM T42p, and stopping the WIA service did not help at all.....

:(