Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

Welcome to What the Tech! We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions.

> svchost.exe error at startup
aussiejack123
post Jul 2 2006, 03:55 AM
Post #1


New Member

Group: New Member
Posts: 6
Joined: 2-July 06
Member No.: 57,805
Operating System: xp



hey guys

I had a trojan outbreak a week or so back so I downloaded all these virus scanners such as McAfee, Norton, Avast, Kaspersky and Ewido. I did this cos every time I scanned my computer with a new virus scanner it picked up another trojan or something. The trojan problem is now fixed but every time I start up my computer a svchost.exe error appears: "The instruction at "0x7c9105f8" referenced memory at "0x00000010" The memory could not be read." Sometimes the numbers vary to all 0's. Now the error pops up twice and the computer comes to a complete standstill, so it basically freezes and I have to wait 5 minutes for the task manager to appear so I can end the svchost.exe system process, which helps turn everything back to normal. How do I get rid of this error? Your help will really be appreciated.
Micah_6:8
post Jul 2 2006, 07:02 AM
Post #2


Evilware Emancipator

Group: Malware Expert
Posts: 12,810
Joined: 22-April 04
From: The Land of "Ah's"...
Member No.: 5,189
Operating System: XP (SP2)



Welcome to the forum.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Download HijackThis into this folder.

If required a tutorial is here = Hijackthis Folder Tutorial

Links to Hijack This! v 1.99.1:

Hijack This! (© Merijn) at tools.radiosplace.com

Hijack This! (© Merijn) at spywarewarrior.com

Run it from that folder.
Click "Do a system scan and save a log file".

DO NOT "FIX" ANYTHING WITH IT YET!!!
FIXING THE WRONG THING COULD RENDER YOUR SYSTEM INOPERABLE!!!


Go to the forum here:

Malware Removal Forum

Start a "New topic", and "copy/paste" the ENTIRE CONTENTS of the log file into THAT new topic.
aussiejack123
post Jul 2 2006, 07:16 AM
Post #3





Thanks for the response but I've fixed it already... all I had to do was remove IPv6, which in turn stuffed up WMI, so yeah...
Micah_6:8
post Jul 2 2006, 07:24 AM
Post #4





Good.

I was afraid there was some malware present that you hadn't fully removed.
thegadget
post Jul 12 2006, 12:32 PM
Post #5


New Member

Group: New Member
Posts: 3
Joined: 12-July 06
Member No.: 58,308
Operating System: Windows XP, OSX



Hey man, thanks!

I had been getting the same error. I removed:

Microsoft TCP/IP version 6

from the properties of my Network connections, and voilà! Perfecto!

Thanks again. I was getting pretty frustrated. (I am a network admin, certified.)
And this was happening on my personal laptop.

At first I thought it was defective memory. (I had upgraded to 1GB about the same time.) Then who knows, man, I have been working on this issue for quite a while. I had just planned on backing up all 80GB of data/e-mail/etc. to my NAS, and reinstalling. For a temp fix I had just waited for the reboot (12 min or so), then hibernated from then on. It seemed to work, unless I needed to reboot (normally in a meeting requiring some crazy software for a virtual conference and a reboot of course)!!! I fight malware for a living and I have never seen this error.

Another thing I must add. I noticed I also had a problem with UPnP. Only one or two systray icons would load (no wifi, sound, bluetooth, blah). I had to disable the UPnP service (configure it to start manually) to get the rest of them working. Just another tip.

This post has been edited by thegadget: Jul 12 2006, 12:41 PM
aussiejack123
post Jul 12 2006, 01:05 PM
Post #6





Well, I'm surprised you didn't look up the error in the event viewer and trace the clsid value to WMI, which has three dependencies, one being IPv6. It doesn't matter if you disable it as it is a technology not widely used yet, and when it is necessary to be used, then Microsoft will have made a patch for XP. This problem should be better documented because all I found on the internet about svchost.exe errors was garbage about the Blaster worm and worms.

This post has been edited by aussiejack123: Jul 12 2006, 01:06 PM
thegadget
post Jul 12 2006, 01:28 PM
Post #7





Hey Aussie,

Yeah, you know I have been doing technical work for over 13 yrs now and I still learn new things (Duh, and will continue to learn new things as computers are continually inventing new ways of malfunctioning. I cannot wait until winvista, HA! GAG!). You know the funniest thing is, the event viewer didn't list the error I experienced on startup.

I ran tasklist /svc. I had reviewed all the processes, and nothing out of the ordinary with svchost.exe. I checked my services, everything was running. Next I went to the event viewer. I just cleaned out my cache about 10 mins ago, and cannot remember exactly what was in there, but here is what I remember:

(These were the only errors in the log)
Event ID: 1000
Unknown Application, version 0.0.0.0 encountered an error, blah blah

Event ID: 1004
Unknown Application, version 0.0.0.0 encountered an error, blah blah

In these events, nothing pertained to anything. It didn't even reference svchost.exe! The only place I actually got your listed error was on boot. Normally it would popup even before I would login. After a few seconds (as long as I didn't cancel/ok) another error would pop up "Svchost.exe generic something 32, would you like to send a report to MS?" As long as I didn't close these errors, the system would function normally.

I know that this system ran IPv6 fine before. I am not sure why this happened. I have been sifting through MS KNBase, and found some interesting "interpreting svchost.exe processes" and nothing. And you are right, all the rest of the sites on Google are worried about malware/spyware!

Ok, you have got to tell me where you got the clsid and actually found the IPv6 running as a part of WMI. How did you do that in the event viewer when there was no description? Please let me know. Thanks for your quick reply.

This post has been edited by thegadget: Jul 12 2006, 01:36 PM
aussiejack123
post Jul 12 2006, 01:47 PM
Post #8





The clsid value is in the properties of the error that appears on startup. In your case the error isn't in the system log; somehow I doubt that. The source of the error should be 'DCOM', the event ID is "10010" and the description is


"The server {692E988D-1057-4C57-8078-26CF7AE54263} did not register with DCOM within the required timeout."

There are several versions of svchost, each for different services, and since one of the svchost.exe is dependent on WMI and in turn WMI is missing one of its dependencies, svchost.exe generates that error. It restarts svchost.exe, which is rather dumb considering it doesn't load the remaining services that Windows needs, such as Windows Audio; as you might have noticed, your sound wasn't working unless you manually started the service. You can use Process Explorer (www.sysinternals.com/Utilities/ProcessExplorer.html), which elaborates more on what each svchost.exe is for.

As for where to find the IPv6 as a dependency, it would have been in the WMI service under the dependencies tab, but since you uninstalled it, it won't be there anymore. Hope that helps.

Edit: There's a way to use your computer when the svchost.exe error lags like crazy. Just after you log in, press alt-ctrl-del and wait till the error occurs, then end the svchost.exe process that occupies the most mem usage and that should work. A bit of improvising I managed to come up with.

This post has been edited by aussiejack123: Jul 12 2006, 01:52 PM
thegadget
post Jul 12 2006, 02:24 PM
Post #9





Ok, you are right. I do remember a DCOM error now. I think it was in the system log. The others were in the applications log. Oops. Ok, so after you found the DCOM (what is DCOM anyway? It seems like there was something about COM+ too)

So from the class ID: 692E988D-1057-4C57-8078-26CF7AE54263, you looked it up in the registry? Is that where you found that to be the IPv6? And where did you find it linked to the WMI (besides in the services)?

Thanks for the tip on killing the process.
aussiejack123
post Jul 12 2006, 02:45 PM
Post #10





DCOM is basically an interface/concept that allows client programs to request services from a server program; it's similar to COM because it's based on COM. I'm not overly experienced in networking but from what I've read it's a waste of space and supposedly attracts hackers. Basically it's kinda like ActiveX. Here's some more information: http://www.grc.com/freeware/dcom.htm

As for the clsid value, under the description in the error window, it allowed me to send the error to Microsoft and it came back with instructions to trace the clsid in the registry to determine the vendor, which came back with "Windows Management and Instrumentation". That kinda confused me considering I hadn't modified anything related to WMI lately, so I looked up its dependencies, as it could only be some kind of sequential error I assumed. My situation might not apply to you as I had never used IPv6 before and had only installed it while trying to restore all my system files while trying to solve a virus I had contracted earlier. As you mentioned you had used IPv6 before with no problems, you may need to recall the recent changes you made before the svchost.exe error started occurring. If you come up with any ideas as to the source of all your troubles I would be very interested to know what it is.
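
The trace described in posts #8 and #10 (DCOM event 10010, then the CLSID in the registry, then the owning service and its dependencies), as an added PowerShell example that is not part of the original thread. It assumes a Windows version with Get-WinEvent (Vista or later, so not the XP machines discussed here); the function names Get-ClsidFromMessage and Resolve-DcomServer are hypothetical, and the sample message is the one quoted in post #8.

```powershell
# Added example: trace DCOM event 10010 from its CLSID to the hosting service
# and that service's dependencies. Read-only; it changes nothing on the system.

function Get-ClsidFromMessage([string]$Message) {
    # The event text carries the class ID in braces.
    if ($Message -match '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') { $Matches[0] }
}

function Resolve-DcomServer([string]$Clsid) {
    $result = [pscustomobject]@{ Clsid = $Clsid; Name = $null; AppId = $null; Service = $null; DependsOn = $null }
    $classKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $classKey)) { return $result }   # class not registered on this machine
    $class = Get-ItemProperty -LiteralPath $classKey
    $result.Name  = $class.'(default)'
    $result.AppId = $class.AppID
    if ($result.AppId) {
        # A COM server hosted in a Windows service names that service in AppID\LocalService.
        $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$($result.AppId)"
        if (Test-Path -LiteralPath $appKey) {
            $result.Service = (Get-ItemProperty -LiteralPath $appKey).LocalService
        }
    }
    $svc = if ($result.Service) { Get-Service -Name $result.Service -ErrorAction SilentlyContinue }
    if ($svc) {
        # Same information as the service's Dependencies tab, plus each dependency's current state.
        $result.DependsOn = ($svc.ServicesDependedOn | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
    $result
}

# Message text as quoted in the thread; used only when the System log holds no such event.
$sample = 'The server {692E988D-1057-4C57-8078-26CF7AE54263} did not register with DCOM within the required timeout.'

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10010 } -MaxEvents 20 -ErrorAction SilentlyContinue
$messages = @($events | Where-Object { $_.ProviderName -match 'DCOM|DistributedCOM' } | ForEach-Object Message)
if (-not $messages) { $messages = @($sample) }

$messages | ForEach-Object { Get-ClsidFromMessage $_ } | Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Resolve-DcomServer $_ } | Format-List
```

A dependency reported as Stopped, or a class with no Name at all, is the kind of lead the posters followed by hand through the event properties and the Dependencies tab.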
brems
post Oct 17 2006, 07:35 PM
Post #11


New Member

Group: New Member
Posts: 1
Joined: 17-October 06
Member No.: 63,089
Operating System: windows xp service pack 2



I have had the problem with svchost for months now..
but I just want to ask:
does deleting the Microsoft TCP/IP v6 cause any problems?
because it says above the items: this connection needs following parts

so can I really delete it?
Ben Molloy
post May 9 2008, 08:00 PM
Post #12


New Member

Group: New Member
Posts: 1
Joined: 9-May 08
Member No.: 78,944
Operating System: Windows XP Pro



Hey guys,

I just wanted to thank you for leading me to the fix for this problem, and add that I had to first install IPv6 for my LAN connection, then disable it. (It could have been running before but did not display under my network connection's properties.) Just my two cents in case someone runs across this same post. Great forum!

Cheers,

Ben Molloy