XP SP3 Generic Host Processor Error @ startup
Slider51
Greetings all,
Just went through a week-long machine cleaning with Chiaz who helped me get rid of a couple of nasty rootkits and trojans that I have had for at least a year. Icrontic and Chiaz RULES!!
Anyway a byproduct of this effort is now a Generic Host Process error that appears at every bootup. I have attached a screenshot of the error window with its two expansion windows open. Machine specs are in my profile.
Other than having to close the window every time (irritating) there doesn't seem to be any ill effects with the possible exception of occasionally not having a website come up on the screen when calling it from an external link... shows up at the bottom as a minimized window, but doesn't switch to the new page on the screen. I can't say that this is related to the error, and it has only happened once or twice since the problem first occurred a few days back.
I would be extremely appreciative if someone over here in the OS section could give me a hand getting this cured.
BTW, I've been to other forums in the past with limited good experiences, but Icrontic has proven itself to be invaluable! Pardon my rant but the best techs on the web live here....
Slider
First go into dos and issue the following command
sfc /scannow
That will go through and do a system file check and look for any errors. It's not uncommon after a massive virus removal to have some damaged files. If the problem persists then...
Please go into dos and issue the following command
tasklist /svc
That will give you a list of all running services and associated processes. Give a look through the svchost applications and see if you can find any programs or services that you've removed but look like they're still trying to launch.
If you're still stuck please paste that command output so we can take a look at it.
I have found a way to stop the error message, but I wonder if I am simply shooting the messenger by turning off the error messaging service instead of fixing the problem. Here's what I tried:
I read your reply and the idea of checking the list of running processes jumped out at me. I first used TUT (Ultimate Troubleshooter) to bring that list up, because that's the way I'm used to checking it. I found a process running called ERSvc...check the "ERSvc Screenshot" to view what TUT says about this service. I'm wondering if you agree with what they say...
Anyway, when I set the service to Manual from Automatic and rebooted (twice to check for sure) the error message did not appear.
With ErSVC shut down, I then ran sfc /scannow, but I kept getting a Windows File Protection window saying "Files that are required for Windows to run properly must be copied to the DLL cache. Insert your Windows XP Pro CD-ROM now." I've got an OEM install on my machine with no disk, so I had to give up on this one.
Next, with ErSVC still shut down, I ran tasklist /svc. What I got is shown on the screenshot called "Svc after ErSVC Shutdown". I realized I should have run tasklist first like you said, so I went back and re-activated ErSVC (changed it back to auto startup) and ran tasklist again. What I got is on the "SVC" screenshot. Although the services aren't in the same order, each time there were 23 services running - I didn't check that the lists are identical though.
Anyway, bottom line is that if I shut this ErSVC process down, the error message goes away. Am I OK leaving it this way, or do I need to find the root cause and fix it rather than shutting down the reporting?
I'll try anything you ask, just want to do it right.
Thanks again,
Slider
If it's the .dll that's crashing then there is some other damaged process that's tripping it. While it is possible that the .dll service is the problem, odds are it's something else. So killing the service is just putting the blinders on and hoping for the best. If you have an OEM version of XP you've got to have the installer files somewhere on a separate partition or something. To properly fix your machine you'll first have to do the sfc /scannow with access to the Windows XP disk. Either from cabs based on your OEM install or from a friend's disk.
If you go up to the screen shots in my original post, the second expanded window down shows the szApp name as ersvc.exe, and the third window down shows it as ersvc.exe.mdmp. I don't pretend to know what I'm looking at in those two windows, but if you're sure it's a trojan being pointed out by virtue of the .exe extension, I'll take this thread back to chiaz on the malware forum.
Your first reply made sense to me that with the massive infection this machine had, either the infection or the cleaning process had damaged some system files and that's why the message window appeared. It didn't appear until after everything was running correctly again.
It's going to be a day or two wait for me to get the XP CD...should I wait for that and do the sfc /scannow first, or just take this over to chiaz right away?
Waiting to hear...
Slider
All indications make it sound like the process was damaged during your removal of the virus. I'd say ignore it for now until you can get the xp cd and then do the sfc /scannow and you should be back up and running.
I did get my hands on an XP re-install CD - be running the sfc /scannow in a half-hour or so...
The re-install CD didn't work, I noticed it was an OEM Dell version though. So I tore the house apart and ran across two genuine XP Pro installation CDs - one from an older machine I had, and one from my wife's PC which is identical to mine. All 3 failed the same way - the scan would start, then the "insert CD-ROM" window would open...put the CD in my CD ROM drive, it would chug a little, then the same message comes up telling me to insert the proper CD. I even tried running them all from my DVD drive, same problem.
Does the Product Key number have to match the one from the CD used to install the OS on my machine? I mean, both my CD ROM and my DVD drives are fine, I verified that, and 2 of these 3 CD's were used as original installations, so I know they're good....but I just keep getting into that endless loop of asking for the CD-ROM, telling it to retry, etc., etc....
Definitely repairing Windows seems to be the right way to go. I'll wait for kryyst to get back to you about your problem in procuring the right disc though.
But for that bit of worry over whether malware remains...
Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The SystemLook log can also be found on your Desktop entitled SystemLook.txt
At this point you've got two options. First follow through with chiaz's advice just to make sure you don't have any lingering viruses left behind. But from that point you can keep your error message service disabled and just keep on trucking or you can do a repair install. However to do a repair install you need to do it from a Disk that matches the CD type for your machine. So if you have an OEM key you can't do the repair install from a retail disk. It'll prompt you for a new product key and I'll bet that it won't accept the one you have. You also can't use another OEM disk. So if your machine came with windows installed it's likely got a hidden repair partition that you'd have to use.
Which likely means that doing a repair install on that machine may not be possible. Your only option may be to do a factory restore install.
Okay, here's the Look log:
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:14 on 15/12/2009 by Administrator (Administrator - Elevation successful)
========== file ==========
ersvc.exe - Unable to find/read file.
ersvc.dll - Unable to find/read file.
-=End Of File=-
This is probably too simple, but can I just go to the dll download site and replace these files? I'd try it first but I'd rather hear from you guys before I do anything else.
kryyst,
Hmmm. that bytes. (Sorry for the pun) Both disks I have are marked "for distribution with a new PC". One of them is older, a version 2002, that doesn't have any service packs on it. But the second one is Version 2002, and "includes Service Pack 2", but as I said it is for my wife's machine, which is 100% identical to mine, only 6 months or so newer. That sort of irritates me that the one with SP2 won't work for just the scan - kind of makes me wonder if OEM installs aren't even a bigger problem than just no disk.
I recall now that a year or so ago I was unable to install the Recovery Console from either of these disks either. I just now got that during my work with Chiaz through the ComboFix method. If we can verify the machine is clean at this point, I think I'll just go for turning the reporting off and hope that regular scans will keep it clean. I would sure rather have it running, but the thought of a re-install makes me nervous, unless it won't affect my preferences and tweaks (never had to do one before).
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:56 on 16/12/2009 by Administrator (Administrator - Elevation successful)
========== filefind ==========
Searching for "ersvc.exe"
No files found.
Searching for "ersvc.dll"
C:\WINDOWS\$NtServicePackUninstall$\ersvc.dll c 23040 bytes [02:13 09/09/2008] [04:56 04/08/2004] 67DFF7BBBD0E80AAB7B3CF061448DB8A
C:\WINDOWS\ServicePackFiles\i386\ersvc.dll 23040 bytes [13:12 02/10/2004] [00:11 14/04/2008] BC93B4A066477954555966D77FEC9ECB
C:\WINDOWS\system32\ersvc.dll --a--- 23040 bytes [12:00 31/03/2003] [00:11 14/04/2008] BC93B4A066477954555966D77FEC9ECB
-=End Of File=-
Trust me, it's time consuming I know, but it pays off.
Ok thanks. I do have a couple of last questions though. The Look scan seems to point to a file that is damaged or missing, the ersvc.dll. It seems like I could just go into safe mode, rename the existing ersvc.dll to something else, then replace it with a copy of the file from my wife's machine, which we know doesn't have the problem. Or am I oversimplifying things?
Last, reading the TUT description of the ersvc service (in my original post above) they describe this service as simply something that sends Microsoft information on system errors, and that it is really unneeded. Is that true, or is ersvc the service that actually monitors for those errors and generates the warning screens? If TUT is right, I see no need for the process anyway. But if ersvc has a more important function, then maybe it is worth biting the bullet and doing a re-install. See what I'm driving at?
It's unneeded for the daily operation of your machine. However it can be useful in troubleshooting errors. It's not the service that monitors errors. It's the service that brings up that pop-up once you get an error that will submit it to Microsoft and report back with possible solutions.
Not having that service is in no way going to hamper daily operations. The only remaining question is if there are other services that are damaged that just haven't been detected yet.
Personally I say go on with what you have, worry about it when you really need to. I wouldn't make this a priority unless you want to make it a priority, if you follow what I'm saying.
If money were no option, I'd say go buy an upgrade copy of windows 7 and do a clean install with it.
I am going to post one more time just to let you know if the dll change worked for your own reference, then I'd say we can move this one to the Resolved section.
Thank you very much to both of you, your knowledge and help is greatly appreciated!
Slider
Point taken on Win 7. At some point I'll be forced into doing that, but as you know from my post full of fun, I'm totally happy with XP Pro at this point. Plus with 3 machines, to keep things simpler I like to run everything on the same OS, so it's not just a matter of one migration, it's three. That'll have to wait for more time and $.
I consider this thread resolved, thank you both once again for your help. Best help forum on the web, by far...
Slider
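Added example, not part of the original thread or any poster's reply: a Python parser for the SystemLook filefind output posted above that compares the size and MD5 of the live system32\ersvc.dll with the ServicePackFiles\i386 copy. The log lines are the ones from the thread; the function and constant names are assumptions of this example.

```python
import re

# Lines copied from the filefind log posted in the thread (layout as it appears there).
LOG = r"""Searching for "ersvc.dll"
C:\WINDOWS\$NtServicePackUninstall$\ersvc.dll
c 23040 bytes [02:13 09/09/2008] [04:56 04/08/2004] 67DFF7BBBD0E80AAB7B3CF061448DB8A
C:\WINDOWS\ServicePackFiles\i386\ersvc.dll
23040 bytes [13:12 02/10/2004] [00:11 14/04/2008] BC93B4A066477954555966D77FEC9ECB
C:\WINDOWS\system32\ersvc.dll --a--- 23040 bytes [12:00 31/03/2003] [00:11 14/04/2008] BC93B4A066477954555966D77FEC9ECB
"""

PATH_RE = re.compile(r"^([A-Za-z]:\\.*?\.(?:dll|exe))(?=\s|$)", re.I)
INFO_RE = re.compile(r"(\d+) bytes .*\b([0-9A-Fa-f]{32})\s*$")

def parse_filefind(text):
    """Return {lowercased path: (size, md5)}.

    The size/date/hash details may sit on the path's own line or on the next one.
    """
    found, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        path = PATH_RE.match(line)
        if path:
            pending = path.group(1).lower()
        info = INFO_RE.search(line)
        if info and pending:
            found[pending] = (int(info.group(1)), info.group(2).upper())
            pending = None
    return found

def compare_to_cache(files, live, cache):
    """Classify the live file against the service-pack cache copy (size and MD5)."""
    live_rec, cache_rec = files.get(live.lower()), files.get(cache.lower())
    if live_rec is None:
        return "missing"
    if cache_rec is None:
        return "no-reference"
    return "matches-cache" if live_rec == cache_rec else "differs-from-cache"

LIVE = r"C:\WINDOWS\system32\ersvc.dll"
CACHE = r"C:\WINDOWS\ServicePackFiles\i386\ersvc.dll"
UNINSTALL = r"C:\WINDOWS\$NtServicePackUninstall$\ersvc.dll"

if __name__ == "__main__":
    files = parse_filefind(LOG)
    for path, (size, md5) in sorted(files.items()):
        print(f"{md5}  {size:>6}  {path}")
    print("system32 vs ServicePackFiles:", compare_to_cache(files, LIVE, CACHE))
```

A "matches-cache" result only shows the live file has the same size and MD5 as the local cache copy; it does not validate the cache copy itself or any other file the service depends on.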