
svchost.exe crashes at logon


Richard PT Ots

Hi all,

I've been trying for a while to get this problem resolved, but, although many problems posted on this and other forums look similar, the proposed solutions that I've read haven't solved my problem.

Symptoms:

At XP Pro's logon screen I invariably get the message:

The instruction at “0x7c918fea” referenced memory at “0x00000010.” the memory could not be “written”

As long as I do not click OK or CANCEL, I can logon and work normally. However, when I do click one of these buttons, Explorer seems to halt. The taskbar does not appear and I cannot start new programs.

The only thing that appears to help is not loading McAfee (mcupdate, mcagent, mcvsshld, msmnhdlr) but I can't imagine that there is no other solution.

Could anyone have a look at my HijackThis logfile and tell me if there's anything out of the ordinary?

Logfile of HijackThis v1.99.1
Scan saved at 11:24:22 AM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
d:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mmc.exe
D:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Download\Tools\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Richard\Application Data\Mozilla\Profiles\default\nkjnpvyx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Richard\Application Data\Mozilla\Profiles\default\nkjnpvyx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe /auto
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdobeVersionCue] D:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] d:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuru] D:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [instant File Name Search] D:\Program Files\InstantFileNameSearch\ifns.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: MindManager PDF Writer.lnk = C:\Program Files\Mindjet\MindManager 5\sys\PDF\ENU\W2K\PDFSaver.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123536466222
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{276601B2-B4DC-404C-B535-5835C8597CE0}: NameServer = 195.222.32.10 195.222.32.20
O23 - Service: AdobeVersionCue - Adobe Sytems - D:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Richard PT Ots

Don't know if it'll help, but I'm posting a tasklisting below as well.

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     812 N/A
csrss.exe                    900 N/A
winlogon.exe                 936 N/A
services.exe                1028 Eventlog, PlugPlay
lsass.exe                   1040 PolicyAgent, ProtectedStorage, SamSs
ati2evxx.exe                1192 Ati HotKey Poller
svchost.exe                 1204 DcomLaunch, TermService
svchost.exe                 1316 RpcSs
svchost.exe                 1432 AudioSrv, BITS, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, HidServ, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                 1520 Dnscache
svchost.exe                 1548 LmHosts, RemoteRegistry, SSDPSRV, upnphost, WebClient
spoolsv.exe                 1800 Spooler
nhksrv.exe                   288 nhksrv
svchost.exe                  396 BthServ
btwdins.exe                  504 btwdins
mcvsrte.exe                  560 MCVSRte
MDM.EXE                      604 MDM
ULCDRSvr.exe                 748 UleadBurningHelper
wdfmgr.exe                   484 UMWdf
vsmon.exe                    856 vsmon
ati2evxx.exe                 836 N/A
explorer.exe                1376 N/A
zlclient.exe                 340 N/A
rundll32.exe                 416 N/A
atiptaxx.exe                 512 N/A
VersionCueTray.exe           676 N/A
hpgs2wnd.exe                 488 N/A
qttask.exe                   724 N/A
MMKeybd.exe                  336 N/A
jusched.exe                 1368 N/A
hpgs2wnf.exe                 280 N/A
SOUNDMAN.EXE                1460 N/A
wcescomm.exe                2076 N/A
ctfmon.exe                  2084 N/A
msmsgs.exe                  2168 N/A
TeaTimer.exe                2204 N/A
acrotray.exe                2240 N/A
PDFSaver.exe                2272 N/A
raid_tool.exe               2284 N/A
Traymon.exe                 2292 N/A
osd.exe                     2304 N/A
McShield.exe                2624 McShield
alg.exe                     3084 ALG
svchost.exe                 3668 HTTPFilter
mmc.exe                     2452 N/A
WISPTIS.EXE                 3420 N/A
taskmgr.exe                 2984 N/A
iexplore.exe                2236 N/A
HijackThis.exe              2648 N/A
notepad.exe                 3656 N/A
Netscp.exe                   892 N/A
cmd.exe                     2184 N/A
iexplore.exe                 648 N/A
cmd.exe                     1080 N/A
tasklist.exe                3396 N/A
wmiprvse.exe                 244 N/A


Hi Richard :D

Well, on your log side I am not officially qualified to answer your log, but what I can tell you is that there are some things that could be removed, and am sure a qualified member will step in to help you out.

As for your services, you have far too many running and a good prune here will be beneficial. In the first instance go to your START/RUN and type in MSCONFIG. In here click on startup and remove everything apart from your firewall and anti virus and then reboot your computer. When back to the desktop you should download this free tool from here called auto-runs:

http://www.sysinternals.com/utilities/autoruns.html

This utility will let you know about the auto-starting locations of any startup program which msconfig does not deal with. On running of this software, having read up on it first, you will then be able to delete or disable certain other parts of your software, and believe me there will be a lot in your case showing up. It is safe to delete all that you do not wish to start up when you boot up your computer, so be careful to make sure that all the components of your firewall and anti virus have not been ticked for removal. Also leave in the DLL Directory. When you have studied up and gone through these things your computer will be like new.

As I say, one of the qualified members here hopefully will be able to advise you on your log.

Regards

Edited by NICK ADSL UK

Lil Bambi alerted me to this thread.

Richard, it's more than likely your problem is not malware related, which is a good thing.

Based on what I found via Google, with those two specific error numbers, it may be related to McAfee.

Here is the link I came up with, and the first page is mostly related to McAfee.

http://www.google.com/search?hl=en&lr=&rls...0010+%2B+memory

There are a few minor items which you can fix with HJT tho. Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k <<<--This is from a system crash

O17 - HKLM\System\CCS\Services\Tcpip\..\{276601B2-B4DC-404C-B535-5835C8597CE0}: NameServer = 195.222.32.10 195.222.32.20 <<<<---If this is your ISP:
http://www.dnsstuff.com/tools/whois.ch?ip=195.222.32.20
Do not fix.

Reboot, run HJT, if the above are gone, no need to repost with new log.

Hope that helps some.

Edited by TeMerc
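
The three checks named in the reply above, applied mechanically to HijackThis log lines (an added example, not part of any post in this thread). The sample lines are copied from the log posted earlier; the function names `parse_entries` and `triage` are hypothetical, and the rules are only the ones the reply mentions, not a full HijackThis analysis.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{276601B2-B4DC-404C-B535-5835C8597CE0}: NameServer = 195.222.32.10 195.222.32.20
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# A log entry is a section code (letter + 1-2 digits), " - ", then the body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entries(log_text):
    """Return (section_code, body) pairs; header and process-path lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(log_text):
    """Return (code, reason, body) for entries matching the checks from the reply."""
    findings = []
    for code, body in parse_entries(log_text):
        if body.endswith("(no file)"):
            findings.append((code, "points at a file that no longer exists", body))
        elif code == "O4" and "[KernelFaultCheck]" in body:
            findings.append((code, "crash-dump reporter left over from a system crash", body))
        elif code == "O17" and "NameServer" in body:
            ips = ", ".join(IPV4.findall(body))
            findings.append((code, "confirm these DNS servers belong to your ISP: " + ips, body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {body}")
```

The O17 finding is a prompt for a whois lookup rather than a verdict: as the reply says, the entry should be left alone when the addresses belong to the ISP.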

Richard PT Ots

Hi TeMerc,

Thanks for the advice. I was able to remove the lines you mentioned except the 3rd one since that indeed is my ISP.

Thanks also for the link. It's good to see that more people are having similar problems, but unfortunate that the solution appears to be to uninstall (parts of) the McAfee suite. Just sounds somewhat odd for a product with such a good reputation.

To NICK ADSL UK: Yeah, I know I have quite a bit of stuff running. I do go through the list every now and try to clean things up a bit but in some cases it is quite handy to have these tools already loaded. But you're right, it's about time for a sweep again.

Thanks all!
