Solved

Svchost.exe error when logging in to Windows.

Posted on 2006-07-10
Last Modified: 2008-02-07
 A user at my work is receiving a svchost.exe error.  The following error is what is displayed on his screen when HE LOGS INTO WINDOWS (XP Pro):

 
The instruction at "0x10057530" referenced memory at "0x00000000".  The memory could not be "written".

  Click on OK to terminate the program

  Click on CANCEL to debug the program

 
When the user clicks OK, the usual Windows error reporting window comes up prompting for you to report the error.

 
**The user has a laptop with Symantec Anti-Virus protection, Service Pack 2, ALL of the latest updates as of about a week ago and has been formatted from scratch about 3 weeks ago right out of the Dell box.  It also has Windows Defender and that has the latest definitions as well.**

 
  I don't know if this error has anything to do with it, but when HE LOGS OUT OF WINDOWS he receives an IreIKE.exe error message that displays similar information as the error message above.  I couldn't write down all of the error message because it only appears when the screen displays "Closing network connections.... Saving settings..." etc.  and then disappears because the PC has shut down.

 
**Both of the error messages are displayed at what appear to be random intervals.  For example, when I first found out about the error message I restarted the computer 3 times and did a complete shutdown 4 times.  The first error message was only displayed once and the second error message was displayed twice.**

Question by:Swamp_Thing

Expert Comment

by:LeeTutor

Well, here's a page about IreIKE:

http://www.liutilities.com/products/wintaskspro/processlibrary/ireike/

My own suspicion is that you have viruses/trojans/other malware.  Some free online virus scanners:

http://housecall.antivirus.com  

http://www.pcpitstop.com/antivirus/default.asp

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Also try these free programs to rid your system of spyware, trojans, and other malware:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Spybot - Search & Destroy

http://download.com.com/3000-2094-10045910.html?legacy=cnet
LavaSoft Ad-aware  

I use BOTH of the above programs on my 3 Windows systems; what one program misses, the other catches.  Also make sure to download the most up-to-date data before you run the programs.

Author Comment

by:Swamp_Thing

I will repost in a few minutes but this post is in response to it being a virus.  My boss already suggested that I scan using TrendMicro's free online scan and it didn't turn up anything at all.  I did the full system scan.  In addition I had read that the svchost.exe could be associated with the Blaster worm so I ran a scan tool for the worm and it didn't turn up any results either.  We also use Windows Defender which reported back with no issues found after a full system scan and Symantec Network Anti-Virus Client which also reported back with no issues after a full system scan as well.

Author Comment

by:Swamp_Thing

I know that the IreIKE file is associated with our VPN client but it looks like I need to contact SafeNet tech support about it because my boss, who just recently went on a business trip, is receiving the same message.  Not only is the IreIKE file associated with the VPN, it is actually created during the install of the VPN client in the SafeNet\NetScreen Remote folder.

Author Comment

by:Swamp_Thing

 We use both SpyBot and AdAware on our machines and neither found anything big, just the usual issues that are linked to cookies, etc.

Expert Comment

by:LeeTutor

Perhaps you can find out a bit more about what Svchost.exe is connected to:

from Lockergnome, 1-28-03 edition:

Question: How do I find out what is starting a service on my computer? The name of the service is svchost.exe and the user name is Local Service. It starts with the first logon and eats a consistent 25-35% of CPU processing time. I have ended the process using the Windows Task Manager and have not had any problems. Any insight would be appreciated.
Answer: I think we can shed a little light on your svchost.exe problem. You didn't say whether you are using Windows XP or Windows 2000, so I will try to give the information for both. First, let's address what the svchost.exe program is used for. As quoted from Microsoft Knowledge Base Article - 314056: "At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can run, depending on how and where Svchost.exe is started. This allows for better control and easier debugging." In layman's terms, it is basically an easy way for your computer to execute a lot of DLL files that are needed at startup. So instead of just ending one of the instances of svchost.exe, we need to find what set of DLLs might be causing your processing problem.

In Windows XP, you can get a list of running services by going to Start | Run | type "CMD" | click OK. Type "tasklist /svc" (sans quotes) and then press Enter. Now you will have a list of every DLL running under each svchost.exe instance. For Windows 2000, you need to extract the Tlist.exe utility from the Support.cab file on your Windows 2000 installation CD. You still need to open a command window, but you will need to navigate to where you extracted the Tlist.exe file to, type "tlist -s" (sans quotes), and then press Enter.

For more information, see Microsoft Knowledge Base Article - 250320. Svchost.exe groups are identified in the following registry key: HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Svchost. Also, each svchost group extracts its service names from the following registry key, whose Parameters key contains a ServiceDLL value: HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services \ . Be sure to back up the registry key you are configuring before you make a change. You do this by browsing the desired registry key, and then going to File | Export. Follow the prompts, and you will now have a way to bring back that registry key (if you accidentally damaged it). I hope this helps to answer your question, but if you're still hunting for an answer after trying this suggestion, feel free to post your question in the Lockergnome forums, at help.lockergnome.com. [Brian]

Author Comment

by:Swamp_Thing

I did the tasklist command and here is the list:

1.) svchost.exe
        DcomLaunch, TermService

2.) svchost.exe
       RpcSs
I have verified the above two instances of svchost.exe to be running valid items.  (I have the same on my PC which is running fine and is on the same LAN)

3.) svchost.exe
       AudioSrv, BITS, Browser, CryptSvc, Dhcp, ERSvc, EventSystem, helpsvc, HidServ, Lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, w32time, winmgmt, wuauserv
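
The comparison described in the post above (checking what each svchost.exe instance hosts against a machine known to be good) can be done over the whole `tasklist /svc` output rather than by eye. This is an added example, not part of the original thread; both captures are constructed, and `ExampleSvc` and the PIDs are made-up values.

```python
# Added example; both captures are constructed ("ExampleSvc" and the PIDs are made up).
BASELINE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    900 DcomLaunch, TermService
svchost.exe                    968 RpcSs
svchost.exe                   1064 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   ERSvc, EventSystem, lanmanserver
"""
SUSPECT = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    884 DcomLaunch, TermService
svchost.exe                    952 RpcSs
svchost.exe                   1100 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   ERSvc, EventSystem, Lanmanserver,
                                   ExampleSvc
"""

def parse_tasklist_svc(text):
    """Return [(image, pid, {services})] from `tasklist /svc` table output."""
    lines = text.splitlines()
    ruler = next((i for i, l in enumerate(lines) if l.startswith("=")), None)
    if ruler is None:
        raise ValueError("no '=====' ruler line; not tasklist table output")
    name_w = len(lines[ruler].split()[0])  # width of the Image Name column
    procs = []
    for line in lines[ruler + 1:]:
        svcs = line  # an indented line continues the service list of the row above
        if line[:1].strip():  # text in the first column: a new process row
            pid, _, svcs = line[name_w:].strip().partition(" ")
            procs.append((line[:name_w].strip(), int(pid), set()))
        if procs:
            procs[-1][2].update({s.strip() for s in svcs.split(",")} - {"", "N/A"})
    return procs

def svchost_services(text):
    """Lower-cased names of every service hosted by an svchost.exe instance."""
    return {s.lower() for image, _, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe" for s in svcs}

def diff_against_baseline(suspect, baseline):
    """Services hosted only on the suspect machine, and only on the baseline."""
    s, b = svchost_services(suspect), svchost_services(baseline)
    return sorted(s - b), sorted(b - s)

print(diff_against_baseline(SUSPECT, BASELINE))
```

A name that also appears in the baseline only shows that the service is expected on that build; which DLL it actually loads is recorded in the ServiceDLL value under the Services registry key quoted earlier in the thread.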

Expert Comment

by:LeeTutor

I will be looking at the others for your entry 3 above (most I recognize) but one I see is bad:

http://www.greatis.com/appdata/d/SysDir/e/ersvc.exe.htm

Expert Comment

by:LeeTutor

Here's another one that looks like it might be bad:

http://www.symantec.com/avcenter/venc/data/trojan.sens.html

shellHWdetection MIGHT be this one:

http://www.sophos.com/virusinfo/analyses/trojspidora.html

TrkWks looks like this:

http://www.castlecops.com/o23list-817.html

Accepted Solution

by:LeeTutor

You might also try this free program (HijackThis):

http://www.spychecker.com/download/download_hijackthis.html

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-ons and startup items, allowing you to inspect them and then optionally remove any ones you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:  

http://www.hijackthis.de/index.php?langselect=english

and it will be automatically analyzed for you (after you click on the button labeled "Analyze" near the bottom of the page), telling you which entries (called "Nasty") should be fixed.  You will also be told if you have any items that are "Possibly Nasty", or "Unnecessary", or "Unknown". If you don't know what to do about these, you might find something on the module name by doing a Google search of the internet.

If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  scroll down where you will see a Save Analysis button, hit it and it will save your Log Analysis (for a period of three days), then copy the link of that page and paste it here, and experts can check it for you.  (Please DON'T post the entire log itself in your question.)

In case you would like to learn more yourself how to use HijackThis, here are a couple of urls:

http://www.tomcoyote.org/hjt/
HijackThis Quick Start

http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial

Author Comment

by:Swamp_Thing

 OK.  I have experience with the program and will run it on the user's laptop.  The only thing is, he is out of the office and I don't know when he'll be back (most likely this week).  I will repost if I find out he won't be in or I'm able to get onto his PC.  Hang tight.