• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6678

Help, what could be causing Event ID 1000, Faulting application svchost.exe, version 5.2.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x7ffa4512?

One of our SBS2003 servers has developed the following issue. svchost.exe crashes, causing users to lose the ability to access network shares. When looking in the event log I can see the following:
Event ID 1000
Faulting application svchost.exe, version 5.2.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x7ffa4512.
I have disabled automatic updates to see if that makes a difference, updated the antivirus and am currently running a full system scan. I have also setup userdump for svchost.exe. Any other thoughts or ideas as to what might be causing the problem and how to fix it would be appreciated.
Asked by: alduthart
1 Solution

Stephen Croft (Technical Architect) Commented:

alduthart (Author) Commented:
Yes, however that's not the cause; the server has Service Pack 2 installed.

hannibalsmith Commented:
Hi,
can you see if you have this file, or any variation thereof, on your system?

msloginserv

let me know

StarNetSrvs Commented:
Hi,
I just started running into this problem on a Win2k3 Standard server with SP2 this week. It has 2 GB of memory, so PAE is not turned on.

I just installed the debugging tools from Microsoft (http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=E089CA41-6A87-40C8-BF69-28AC08570B7E&displaylang=en) and am waiting for the next time it happens.

I did a search for msloginserv, but couldn't find anything.

hannibalsmith Commented:
OK, if you manage to get a dump, let me know. I think it might be malware or an update, because I've seen 3 instances of this where I work, all in the last week or so.

You could also try RootkitRevealer from Sysinternals and post the results.
cheers

StarNetSrvs Commented:
I tried running RootkitRevealer, and I get the following error message both when running from Live.Sysinternals.com and when I download it to my server (double-clicking on the exe or calling it from a command prompt):

Rootkitrevealer must be run from the console.

Have you run into this before?

hannibalsmith Commented:
Yep, I've run it loads of times. OK, let's try something else. If you're not already running it, can you download a trial copy of Sophos and scan the system? I've seen other AV scanners miss this, so please try Sophos.

StarNetSrvs Commented:
OK, not enough coffee this morning. I was connected via RDP, and not with a console session. I'm running RootkitRevealer now. I'll try Sophos after that.

hannibalsmith Commented:
Ok, let me know how you get on, Starnet....

alduthart (Author) Commented:
Hi All,

We are still experiencing the problem mentioned. Has anyone found a solution? I have had automatic update disabled so I'm pretty sure it's not that. I have also searched for the file msloginserv and found nothing. I am currently running RootkitRevealer (took me a while to realise they had changed the RDP switch in Vista to /admin and not /console!!) and I will let you know the results. Also, we currently have Trend Micro installed; will Sophos happily install even though Trend is on the server? Thanks for all your help and comments so far.

StarNetSrvs Commented:
I ran RootkitRevealer, and didn't find anything that looked suspicious. I have also installed Sophos, and it has not reported anything either (I also have always had McAfee installed, and nothing from it as well).

Interestingly, the problem hasn't happened since last Friday.......

soshe Commented:
We're having the exact same symptoms and events. There was some malware found on the server and we cleaned it with several malware removal tools. Did scans with AVG, Symantec and RootkitRevealer; all are finding nothing, yet svchost.exe is crashing and taking down all the server services along with it. Any other thoughts?
Sam

alduthart (Author) Commented:
I ran RootkitRevealer and also found nothing. I found the problem didn't occur for several days but has now re-occurred twice: once on Sunday early in the morning, then again on Friday at around 5pm. Just an educated guess, but I'm thinking it must be either a virus or an update, seeing as we have all had this problem this month, and the first post I found on this error was posted on the 10th November.

hannibalsmith Commented:
Hi guys,
sorry that the malware scans didn't pick it up, but I have recently closed the case I had with a client and it was a virus which infected svchost. It wasn't picked up by three other scanners, but Sophos got it. Do you have a Dr Watson dump? If so, please post its contents...

StarNetSrvs Commented:
I haven't gotten a dump since I installed the debugging tools; still waiting to see if it happens again.

Do you know the name of the malware?

soshe Commented:
These are the processes we found to be possible culprits. This IS looking like a definite malware infection:
c:\windows\system32\afisicx.exe
c:\windows\system32\mabidwe.exe
c:\windows\system32\noytcyr.exe
c:\windows\system32\roytctm.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tdydowkc.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wsldoekd.exe

Stop and disable the services that are related to all of the above, and use an AV product that can clean this. Prevx worked for me in removing these.
The server DID go down again after running this, and SVCHOST.exe is still crashing.
Now I'm working with MS Security team to see if they can help. will report what they come up with.

Regards,
Sam

HandoJin Commented:
Hi Guys,

I too am experiencing a very similar problem. Same setup as originally posted but running McAfee Enterprise AV 8.5. All event log sequences are the same for each of the 5 (so far) svchost crashes. McAfee logs an information alert (not error) at the same time as the svchost hang. The McAfee alert is a notification of successful execution of either the "prevent mass worm rule" or "non-windows applications running svchost". Seemed too much of a coincidence, so I uninstalled McAfee and installed Sophos. Sophos found no nasties but it has not crashed yet either.

StarNetSrvs, you said you had McAfee installed. Any of this sound familiar?


StarNetSrvs Commented:
Yeah, I have the same version of McAfee. I left it on, and installed Sophos as well. Nothing reported from either, but the service hasn't stopped since last Friday.

HandoJin Commented:
StarNetSrvs: Do you have any McAfee event logs generated at the same time as svchost crash?

StarNetSrvs Commented:
I just checked - Nothing.

It's really hard to try to isolate this. I still haven't had any issues since last week, so I'm not sure if Sophos did the trick or not.

HandoJin Commented:
Do you know if your McAfee rules are set up to enforce as well as log? There is a chance that rules are being enforced but not logged... just a thought.

Also are there any application or system events that are logged at the same time or just before the crash?

hannibalsmith Commented:
I can't remember the name of the malware, but I think the payload was called msserve something. I can check when I get back to the office. If there are no memory dumps, does anyone have a dr watson dump?

HandoJin Commented:
Bang goes my McAfee theory, as my server has just gone down again. I'm off to the site now. This will be the first time I've had a chance to log on locally to the server and see what's happened. Previously, due to me working remotely, I've had to get on-site users to shut it down.

Hannibalsmith: The only dump files I have are the ones created by MS, .hdmp and mdmp. Are these any good to you? If so I'll upload...

hannibalsmith Commented:
Hi Hando,
no, they're not files I'm familiar with. What program generates them? Have you set up Dr Watson to capture dumps?

You can try userdump (info below), but be careful because if svchost is infected as was the case with my customer, the hard drive can fill up! Please configure it to dump to a large external hdd, and not the Windows volume.  I would also advise a full, current, verified backup at all times :-)

http://www.msfn.org/board/Rermoving-Event-ID-1000-t125902.html

If you get a dump file from this, you can upload it for me...same goes for anyone else on this thread to date.

HandoJin Commented:
Hi Hannibal,

I'm talking about the dump files that windows creates when a service crashes, the same files that MS request when troubleshooting. I'll come back to dump files in a min....

I've now seen first hand the state of the server after one of these crashes. As I mentioned before, due to me being remote, when this crash has happened in the past I've had to ask somebody onsite and non-technical to reboot the server, as I can't connect to it.

This is what I've discovered today:

The reason for the loss of network-related services after the crash is that the following services (which all run within svchost) have exited with a non-zero exit code: startup type automatic, but status blank.

*Server
*Workstation
*RAS
*Logical disk manager

So this explains why people can't connect to the server after the crash. This may be stating the obvious, but nobody has yet mentioned this in this discussion. The failed services can be started without error and normal service is resumed. This also explains why there are no event logs saying the above services have stopped, because of the manner in which they stopped.

As a workaround I've set the above services to restart if they fail. Funny, I would have thought core services like Server and Workstation would be set to recover if they fail, by default. Obviously not??

Back to dump files.... I did run userdump and, like you said, it generated loads of dump files related to svchost crashing and I nearly ran out of disk space. I haven't yet reviewed the dump files because the server was running fine while it was dumping away. I've got one of the dump files but it's 22 MB. What's the best way to get it to you?

Thanks....


hannibalsmith Commented:
Hi Hando,
sorry, you're right and I should have mentioned it. A workaround is to set the services to restart on failure (or manually restart them), but it's only a bandaid :(

Normally Windows crash dumps would end in .dmp; that's why I was confused. If you have a kernel or mini dump (preferably a kernel one), can you run it through the debugger and let me know the output? If you need help with this, just let me know.

As for getting the files to me, do you have an FTP filer or some shared storage space on the net? Mozy or similar? If you have your own FTP filer, give me the address and I'll download it...

cheers

HandoJin Commented:
Hi Hannibal,

I'd appreciate it if you could have a look at the dump file. Like I said before, the strange thing is that while userdump was creating the dump files (quite frequently) none of the services in question were being affected.

http://www.redhallcomputing.co.uk/svchost9180.rar

Thanks


hannibalsmith Commented:
Just downloading now. Had no broadband access for the last few days :(

hannibalsmith Commented:
Hi Hando, not much there unfortunately. It does mention RPC APIs but, as you say, the dump does not correspond to a problem on your system.

Have you been able to get any other dumps?

Is the system fully patched?

hannibalsmith Commented:
Sorry, meant to ask if anything appears in the eventvwr logs either..

HandoJin Commented:
Hi Hannibal,

Good timing... I've just started debugging 2 relevant dump files created at the time of the crash. Bear with me and I'll post the results. Looks interesting - XPSP2RES.DLL is involved in two of the dump files I've looked at so far.


StarNetSrvs Commented:
McAfee sent out an email to its customers about a worm against the MS08-067 exploit. McAfee's calling the worm W32 Flicker.

This is what McAfee is recommending:
"We are recommending the following steps be taken on any infected machines: Patch, reboot, Stinger, reboot, ODS to remove any other malware. It is important to get any infected machines off the network ASAP, since they will attempt to spread the worm once fully compromised."

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Microsoft Security Bulletin MS08-067  Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

I'm out of the office, and haven't had a chance yet to verify if my server has had this patch applied or not, but I hope this helps.

Happy Thanksgiving!
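
As an added example (not posted by anyone in this thread), here is a batch script a defender could run from the console of an affected 2003 box to tie together StarNetSrvs' MS08-067 advice and HandoJin's finding that the svchost-hosted services die silently: it checks whether KB958644 is installed, lists recent Event ID 1000 faults, reports the state and exit code of the four services, and optionally sets them to restart on failure. The short service names, the presence of eventquery.vbs and the event source name "Application Error" are assumptions.

```batch
@echo off
rem Added triage script, not from the thread. Assumes Windows Server 2003 with sc.exe,
rem wmic.exe and eventquery.vbs present, run from an administrative console session.
rem Assumed short service names: Server=lanmanserver, Workstation=lanmanworkstation,
rem RAS=RemoteAccess (Routing and Remote Access), Logical Disk Manager=dmserver.
setlocal

echo === 1. Is the MS08-067 fix (KB958644) installed? ===
wmic qfe where "HotFixID='KB958644'" get HotFixID,InstalledOn 2>nul | find "KB958644" >nul
if errorlevel 1 (
    echo MISSING: KB958644 not found - patch and reboot before anything else
) else (
    echo OK: KB958644 is installed
)

echo === 2. Most recent Event ID 1000 application faults ===
rem Source "Application Error", ID 1000 is the event the thread is chasing (assumed source name).
cscript //nologo %SystemRoot%\system32\eventquery.vbs /l Application /fi "ID eq 1000" /fi "Source eq Application Error" /r 5

echo === 3. State and exit code of the svchost-hosted services ===
rem After a svchost crash these show STOPPED with a non-zero WIN32_EXIT_CODE and no
rem "service stopped" event, which is what HandoJin observed.
for %%S in (lanmanserver lanmanworkstation RemoteAccess dmserver) do (
    for /f "tokens=3,4" %%A in ('sc query %%S ^| findstr /c:"STATE"') do (
        echo %%S  state=%%A %%B
    )
    for /f "tokens=3,4" %%A in ('sc query %%S ^| findstr /c:"WIN32_EXIT_CODE"') do (
        echo %%S  win32_exit_code=%%A %%B
    )
)

echo === 4. Workaround: restart the services if they fail ===
rem Three restarts 60 s apart, failure counter reset after a day. Only a bandaid, as the
rem thread says; the root cause (missing patch or infection) still has to be fixed.
if /i "%~1"=="apply" (
    for %%S in (lanmanserver lanmanworkstation RemoteAccess dmserver) do (
        sc failure %%S reset= 86400 actions= restart/60000/restart/60000/restart/60000
    )
) else (
    echo Run "%~nx0 apply" to set the recovery actions.
)
endlocal
```

Step 4 only changes recovery settings when the script is invoked with the `apply` argument, so a plain run is read-only and safe to use for a first look at a box.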

HandoJin Commented:
Just checked all dump files created at various crash times, and all involve XPSP2RES.DLL (see attached).

StarNetSrvs: Thanks for that...I'll take a look.
(Attachment: HDMP.txt)

soshe Commented:
Hey guys,

Not sure if this will apply to you, but we had the exact same issue on an SBS 2003 server.
It turned out that it was a rootkit affecting the svchost.exe process. Symantec, AVG and RootkitRevealer were all no help.
In the end a combination of Prevx CSI (www.prevx.com) and UnHackMe (http://www.greatis.com/unhackme/) seem to have removed the malware.
Microsoft Support suggested the only way to resolve this was a rebuild from backup prior to infection. Well, we haven't done that and the server has been healthy for about a week and a half now. No errors and no service crashes at all.

hope this helps.

Cheers

hannibalsmith Commented:
Yep, same as the case I had then... an infection of svchost. It could be polymorphic because, as you'll see from my earliest posts, the dll in my case was different.

all's well that ends well :-)

plinche Commented:
Check out this link, it resolved the error that I had on my server.
http://support.microsoft.com/kb/932762/


hannibalsmith Commented:
Hi Plinche,
thanks for sharing that; it's a good one to store away. In the cases above (and in my case), it was, however, malware....

cheers

HandoJin Commented:
Just wanted to say thanks to StarNetSrvs, as his solution worked for me. My problem was not malware related but was resolved by following Microsoft Security Bulletin MS08-067.

Thanks to all that took part in this discussion.