SVCHOST.EXE problems... What a drag!

I have been having a problem with svchost.exe in my WIN2K. After opening internet explorer for about 5 minutes an error message pops up - "svchost.exe has generated errors and will be closed by windows. You will need restart the program. An error log is being created ". At this point I can no longer navigate from any hyperlinks (even in outlook), plus my Windows Explorer is jumbled up and some programs in Control Panel are useless until I reboot. I have formatted and reinstalled win2k and the problem still exists. Could I possibly have a software conflict with some of my programs or is it as easy as a CMOS adjustment? Or is it time to take a sledge to this thing and buy a new one?
Any help would be appreciated.
Thanks, Hammer

 

This one will take a little digging on your part.

Svchost is a generic host process that hosts services run from DLLs. The only way to tell what processes are running in a particular instance of svchost.exe is to use tlist from the resource kit. If you don't have the resource kit installed, it is on your install CD.

Once you figure out exactly what is running in the svchost process that keeps crashing, you can possibly find a fix.

Once you have the resource kit loaded you'll want to open a cmd window and run

tlist -s

 

Thanks for the reply, Newt. I ran the tlist like you suggested and found two instances of svchost. As I was typing this I was hit with the usual error message I referred to earlier. I ran tlist again and found "388 svchost.exe Svcs: RpcSs" had disappeared. Could this be where the problem lies? I have noticed on a few occasions an error message which read something about the rpc server being unavailable, which was usually after the svchost crash. Any suggestions?
Thanks again
Hammer

Here are the tlist results before and after...



C:\>tlist -s
0 System Process
8 System
136 smss.exe
164 csrss.exe Title:
160 winlogon.exe Title: NetDDE Agent
212 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserv
,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks
mi
224 lsass.exe Svcs: PolicyAgent,SamSs
388 svchost.exe Svcs: RpcSs
416 spoolsv.exe Svcs: Spooler
452 avgserv.exe Svcs: AvgServ
468 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
508 regsvc.exe Svcs: RemoteRegistry
568 MSTask.exe Svcs: Schedule
704 Explorer.exe Title: Program Manager
816 avgcc32.exe Title:
916 IEXPLORE.EXE Title: 250320 - Description of Svchost.exe in Windows 200
- Microsoft Internet Explorer
828 cmd.exe Title: C:\WINNT\System32\cmd.exe - tlist -s
480 tlist.exe






C:\>tlist -s
0 System Process
8 System
136 smss.exe
164 csrss.exe Title:
160 winlogon.exe Title: NetDDE Agent
212 services.exe Svcs: Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserv
,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks
mi
224 lsass.exe Svcs: PolicyAgent,SamSs
416 spoolsv.exe Svcs: Spooler
452 avgserv.exe Svcs: AvgServ
468 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
508 regsvc.exe Svcs: RemoteRegistry
568 MSTask.exe Svcs: Schedule
704 Explorer.exe Title: Program Manager
816 avgcc32.exe Title:
916 IEXPLORE.EXE Title: 250320 - Description of Svchost.exe in Windows 200
- Microsoft Internet Explorer
828 cmd.exe Title: C:\WINNT\System32\cmd.exe - tlist -s
848 tlist.exe

 

"I have noticed on a few occasions an error message which read something about the rpc server being unavailable, which was usually after the svchost crash. Any suggestions? "
Yup. Since that error is sorta diagnostic of an MSBlast.exe infection, I suggest you check for it.

Your installed AV software may be compromised so probably good to run a specific locator/cleaner app like the one listed down the page Here under the "removal tools" section.

 

**** your good. It was blaster alright. For some reason my AV program didnt detect this one. I ran a scan on the Symantec site and actually had 5 viruses. ElKern, Muma, Nachi, Lovesan (blaster) and Deloder. I resorted to a format and reinstall to rid myself of all the corruption. In the 3 minutes I was online downloading a firewall, I was hit by blaster again. Is this crazy or what? All is fine now. Thanks for your help newt.
Hammer

 

Hammer - some of the viri will disable your AV software as their first action. But silently so it seems to be still working but isn't doing anything.

If you have a critter sneak in because it is newer than your def files and it disables things, you can certainly get eaten alive while thinking you are protected.

You can also use Housecall as a fall-back option. Online scan, can't be attacked from your PC and is kept really current.

Anyway, glad you are fixed.

 

we had the nachi virus recently - our AV software didn't detect it because it snook in via the security holes in Windows.

we've sorted it now but what a pain in the ass!! not to mention the time wasted!