svchost.exe repeated crashes

Massimo Nespolo

Dear all,
suddenly, this week I'm experiencing repeated crashes of svchost on two
Win2KProSP4 with crash logs like the following

svchost.exe 5.00.2134.1 caused exception C0000005 at address 10007B70
(Base: 1000000)

The two machines are totally unrelated. One is at my office, in a Win2k3
domain, the other one is at my home, with an ADSL connection.
The machine at office had also lsass.exe and services.exe crashes, followed
by forced shutdown imposed by NT Authority System. After several trials,
including repairing the installation, I had to format and reinstall (I'm
still on workgroup, to see if the problem reappears now, or when I join the
domain one of the next days).
The problem on the machine at home seems less severe, but the svchost
crashes occur 3-4 times per day and sometimes the ADSL connection is
terminated and I have to reboot.
Also Inetinfo (I have IIS server on my machines, to check my webpages, but
they are not accessible from outside) crashes when I reload a page.
I am practically sure I have no blaster or other viruses. Both machines
are protected by antivirus updated daily (F-Secure and AVG 7.0), with
frequent scan of all the disks.
Maybe some very recent Winupdate may have introduced some problems? Or some
incompatibilities with my firewall (Sygate)?
I really don't know where to look to find the causes of these crashes.

Many thanks in advance.

Massimo
 
David H. Lipman

Just to make sure... Please perform the following on the affected platforms...


Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode and shut down as many applications as possible
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *
 
Massimo Nespolo

Preliminary report. I have done a Stinger-scan on the system partition of
the machine at home, in Safe Mode. Zero infections. I'll do a complete scan
this evening, I couldn't continue yesterday, it was already midnight and I
have three other partitions (data only). Today I'll do the scan also on the
machine at my office (formatted and reinstalled 2 days ago!).
Anyway, this morning booted here and immediately:

svchost.exe 5.00.2134.1 caused exception C0000005 at address 10007B70
(Base: 1000000)

Astonished....

Will report back soon again.

Massimo
 
David H. Lipman

The Stinger scan should be done NOT just on the data area (partition) but should be
specifically pointed to the drive that has the OS ( %windir% ).
 
Massimo Nespolo

David H. Lipman said:
| The Stinger scan should be done NOT just on the data area (partition) but
| should be specifically pointed to the drive that has the OS ( %windir% ).

That's what I've done. The C: drive, where I have Win and the
applications, was scanned and no infections found. I have not
scanned (yet) the other partitions, where however only data are
present.

Assuming that there is no virus (I would really be surprised finding
one), could IIS on a Win-client (not server) be the cause? On
both machines I have an IIS 5.0 server (to check my webpages before
publishing them) and this is the only point (apart from the OS, of
course) of the two machines, and the only point that makes them
different from the other PCs in the domain.
Oh well, I can uninstall IIS and see if it solves. If not, I can
reinstall it.

Massimo
 
Massimo Nespolo

OK, David,
Stinger didn't find any virus on either PC. I had a look at the event
viewer and found repeated errors related to IIS, with code 7031 and
7032. I have found this discussion on the net

http://www.techspot.com/vb/showthread/t-10701.html

and tried the Winmgmt workaround here at office. After reboot, no
svchost crash (so far). But as soon as I accessed an HTML file via the
IIS (I mean, by typing http://myfixIPaddress/filename.htm) I got two
Inetinfo.exe crashes, with event log showing error 7032 WWW publishing
service. KB speaks of Code Red

http://support.microsoft.com/default.aspx?scid=kb;en-us;316612

which is not my case. I'm more and more convinced something happened
to IIS 5.0 on my Win2K machines last Monday. Simultaneously. A
problematic patch? I'm behind a firewall (Sygate) and at office I'm
protected by ACLs that do not permit access to our machines.

Puzzled...

Massimo
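
Added example, not part of the thread and not written by its participants: a small triage script that parses crash records in the format quoted above (including the line wrap before "(Base:") and reports signatures logged on more than one host. The host names, the surrounding log lines and the reading of the address and base fields as hexadecimal are assumptions.

```python
import re
from collections import defaultdict

# Record format as quoted in the thread. A record may wrap before "(Base:",
# so fields are separated by \s+ (which also matches the line break).
CRASH_RE = re.compile(
    r"(?P<image>\S+\.exe)\s+(?P<version>[\d.]+)\s+caused\s+exception\s+"
    r"(?P<code>[0-9A-Fa-f]{8})\s+at\s+address\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"\(Base:\s*(?P<base>[0-9A-Fa-f]+)\)")

# Well-known NTSTATUS exception codes (C0000005 is the one in the thread).
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
            0xC00000FD: "STATUS_STACK_OVERFLOW"}

def parse_crashes(text):
    """Return one dict per crash record found in a log's text."""
    records = []
    for m in CRASH_RE.finditer(text):
        # Assumption: code, address and base are all printed in hexadecimal.
        code, addr, base = (int(m[k], 16) for k in ("code", "addr", "base"))
        records.append({"image": m["image"].lower(), "version": m["version"],
                        "code": code, "code_name": NTSTATUS.get(code, "unknown"),
                        "address": addr, "base": base, "offset": addr - base})
    return records

def shared_signatures(logs_by_host):
    """Map (image, version, code, address) -> hosts, for signatures on 2+ hosts."""
    hosts = defaultdict(set)
    for host, text in logs_by_host.items():
        for r in parse_crashes(text):
            hosts[(r["image"], r["version"], r["code"], r["address"])].add(host)
    return {sig: sorted(h) for sig, h in hosts.items() if len(h) > 1}

# Constructed sample logs: host names and the non-crash lines are invented;
# the crash record itself is the one quoted in the thread.
SAMPLE_LOGS = {
    "office-pc": "system start\nsvchost.exe 5.00.2134.1 caused exception "
                 "C0000005 at address 10007B70\n(Base: 1000000)\n",
    "home-pc": "system start\nsvchost.exe 5.00.2134.1 caused exception "
               "C0000005 at address 10007B70\n(Base: 1000000)\nADSL link down\n"
               "svchost.exe 5.00.2134.1 caused exception C0000005 at address "
               "10007B70\n(Base: 1000000)\n",
}

if __name__ == "__main__":
    for (image, ver, code, addr), hosts in shared_signatures(SAMPLE_LOGS).items():
        print(f"{image} {ver} {NTSTATUS.get(code, 'unknown')} "
              f"at {addr:08X} on {', '.join(hosts)}")
```

An identical signature on hosts that share no network or hardware narrows the search to what they do share: the OS build, installed components and recent updates.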
 
