Swamp_Thing asked:

Svchost.exe error when logging in to Windows.

A user at my work is receiving a svchost.exe error.  The following error is what is displayed on his screen when HE LOGS INTO WINDOWS (XP Pro):

 
The instruction at "0x10057530" referenced memory at "0x00000000".  The memory could not be "written".

  Click on OK to terminate the program

  Click on CANCEL to debug the program

 
When the user clicks OK, the usual Windows error reporting window comes up prompting for you to report the error.

 
**The user has a laptop with Symantec Anti-Virus protection, Service Pack 2, ALL of the latest updates as of about a week ago and has been formatted from scratch about 3 weeks ago right out of the Dell box.  It also has Windows Defender and that has the latest definitions as well.**

 
I don't know if this error has anything to do with it, but when HE LOGS OUT OF WINDOWS he receives an IreIKE.exe error message that displays similar information as the error message above.  I couldn't write down all of the error message because it only appears when the screen displays "Closing network connections.... Saving settings..." etc. and then disappears because the PC has shut down.

 
**Both of the error messages are displayed at what appear to be random intervals.  For example, when I first found out about the error message I restarted the computer 3 times and did a complete shutdown 4 times.  The first error message was only displayed once and the second error message was displayed twice.**

LeeTutor

Well, here's a page about IreIKE:

http://www.liutilities.com/products/wintaskspro/processlibrary/ireike/

My own suspicion is that you have viruses/trojans/other malware.  Some free online virus scanners:

http://housecall.antivirus.com 

http://www.pcpitstop.com/antivirus/default.asp 

http://www.pandasoftware.com/activescan/com/activescan_principal.htm 

Also try these free programs to rid your system of spyware, trojans, and other malware:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy

http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.

Swamp_Thing (ASKER)

I will repost in a few minutes but this post is in response to it being a virus.  My boss already suggested that I scan using TrendMicro's free online scan and it didn't turn up anything at all.  I did the full system scan.  In addition I had read that the svchost.exe could be associated with the Blaster worm so I ran a scan tool for the worm and it didn't turn up any results either.  We also use Windows Defender which reported back with no issues found after a full system scan and Symantec Network Anti-Virus Client which also reported back with no issues after a full system scan as well.
I know that the IreIKE file is associated with our VPN client but it looks like I need to contact SafeNet tech support about it because my boss, who just recently went on a business trip, is receiving the same message.  Not only is the IreIKE file associated with the VPN, it is actually created during the install of the VPN client in the SafeNet\NetScreen Remote folder.
We use both SpyBot and AdAware on our machines and neither found anything big, just the usual issues that are linked to cookies, etc.
Perhaps you can find out a bit more about what Svchost.exe is connected to:

from Lockergnome, 1-28-03 edition:

Question: How do I find out what is starting a service on my computer? The name of the service is svchost.exe and the user name is Local Service. It starts with the first logon and eats a consistent 25-35% of CPU processing time. I have ended the process using the Windows Task Manager and have not had any problems. Any insight would be appreciated.
Answer: I think we can shed a little light on your svchost.exe problem. You didn't say whether you are using Windows XP or Windows 2000, so I will try to give the information for both. First, let's address what the svchost.exe program is used for. As quoted from Microsoft Knowledge Base Article - 314056: "At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging." In layman's terms, it is basically an easy way for your computer to execute a lot of DLL files that are needed at startup. So instead of just ending one of the instances of svchost.exe, we need to find what set of DLLs might be causing your processing problem.

In Windows XP, you can get a list of running services by going to Start | Run | type "CMD" | click OK. Type "tasklist /svc" (sans quotes) and then press Enter. Now you will have a list of every DLL running under each svchost.exe instance. For Windows 2000, you need to extract the Tlist.exe utility from the Support.cab file on your Windows 2000 installation CD. You still need to open a command window, but you will need to navigate to where you extracted the Tlist.exe file to, type "tlist -s" (sans quotes), and then press Enter.

For more information, see Microsoft Knowledge Base Article - 250320. Svchost.exe groups are identified in the following registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost. Also, each svchost group extracts its service names from the following registry key, whose Parameters key contains a ServiceDLL value: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ . Be sure to back up the registry key you are configuring before you make a change. You do this by browsing the desired registry key, and then going to File | Export. Follow the prompts, and you will now have a way to bring back that registry key (if you accidentally damaged it). I hope this helps to answer your question, but if you're still hunting for an answer after trying this suggestion, feel free to post your question in the Lockergnome forums, at help.lockergnome.com. [Brian]
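
The check the quoted answer points toward, as an added example that is not part of the original thread: it parses `tasklist /svc` output and flags any svchost-hosted service whose `ServiceDll` value is missing or resolves outside `%SystemRoot%\System32`. The sample output, the `ServiceDll` values, the `ExampleSvc` service and the `C:\WINDOWS` root are constructed assumptions; on a live machine the values come from each service's `Parameters` key.

```python
import ntpath
import re

# Constructed sample in `tasklist /svc` layout; long service lists wrap onto indented lines.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  956 RpcSs
svchost.exe                 1044 ERSvc, TrkWks,
                                 ExampleSvc
explorer.exe                1500 N/A
"""

# Constructed ServiceDll values (Services\<name>\Parameters); ExampleSvc is hypothetical.
SAMPLE_SERVICE_DLLS = {
    "RpcSs": r"%SystemRoot%\system32\rpcss.dll",
    "ERSvc": r"%SystemRoot%\System32\ersvc.dll",
    "TrkWks": r"%SystemRoot%\system32\trkwks.dll",
    "ExampleSvc": r"C:\Temp\example.dll",
}

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.+)$")

def parse_tasklist_svc(text):
    """Return {pid: [service, ...]} for each svchost.exe row, joining wrapped lines."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            is_host = m["image"].lower() == "svchost.exe"
            current = hosts.setdefault(int(m["pid"]), []) if is_host else None
        elif not line[:1].isspace():
            current = None  # header, separator or blank line
        if current is not None:
            names = m["services"] if m else line
            current += [n.strip() for n in names.split(",") if n.strip() not in ("", "N/A")]
    return hosts

def dll_outside_system32(dll, system_root=r"C:\WINDOWS"):
    """True if the expanded, normalised path is not under %SystemRoot%/System32."""
    expanded = re.sub("%systemroot%", lambda _: system_root, dll, flags=re.I)
    path = ntpath.normcase(ntpath.normpath(expanded))
    return not path.startswith(ntpath.normcase(system_root + "\\System32\\"))

def audit(tasklist_text, service_dlls):
    """Return [(pid, service, detail)] for hosted services worth a closer look."""
    return [(pid, name, service_dlls.get(name, "no ServiceDll value"))
            for pid, names in parse_tasklist_svc(tasklist_text).items()
            for name in names
            if name not in service_dlls or dll_outside_system32(service_dlls[name])]
```

A flagged entry is a prompt to inspect that DLL (location, signature, version information), not a verdict on it.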

I did the tasklist command and here is the list:

1.) svchost.exe
        DcomLaunch, TermService

2.) svchost.exe
       RpcSs
I have verified the above two instances of svchost.exe to be running valid items.  (I have the same on my PC which is running fine and is on the same LAN)

3.) svchost.exe
       AudioSrv, BITS, Browser, CryptSvc, Dhcp, ERSvc, EventSystem, helpsvc, HidServ, Lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, w32time, winmgmt, wuauserv

I will be looking at the others for your entry 3 above (most I recognize) but one I see is bad:

http://www.greatis.com/appdata/d/SysDir/e/ersvc.exe.htm
Here's another one that looks like it might be bad:

http://www.symantec.com/avcenter/venc/data/trojan.sens.html

shellHWdetection MIGHT be this one:

http://www.sophos.com/virusinfo/analyses/trojspidora.html

TrkWks looks like this:

http://www.castlecops.com/o23list-817.html

ASKER CERTIFIED SOLUTION (LeeTutor): This solution is only available to members of Experts Exchange.

OK.  I have experience with the program and will run it on the user's laptop.  The only thing is, he is out of the office and I don't know when he'll be back (most likely this week).  I will repost if I find out he won't be in or if I'm able to get onto his PC.  Hang tight.