Another old problem I had noted. I cleaned a computer that was infected with two rootkits, one in the Master Boot Record (MBR) and the other that dread UAC rootkit. These rootkits were modifying files as they were executed or when the file performed some action it did not like. For example, on this person’s computer, the rootkits corrupted McAfee files and would corrupt anti-malware scanners like HijackThis when it tried to scan. The MBR rootkit was very nasty. When you have a rootkit that corrupts anti-malware files, you will need to change the file name to something random (provided your file is not corrupted) or use the Windows disc to rebuild the MBR and manually remove the files or both.

After I successfully remove the rootkit, I had to do an in-place upgrade (commonly called a repair installation) of Windows XP to repair the damaged system files. After the in-place upgrade, I would receive the following message after every boot: (This is from the Event monitor)

Application popup: svchost.exe - Application Error : The instruction at "0x00cb06d1" referenced memory at "0x00000000". 
The memory could not be "written".

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 8/28/2009
Time: 8:37:01 AM
User: N/A
Computer: *****
Description:
Application popup: svchost.exe - Application Error : The instruction at "0x00cb06d1" referenced memory at "0x00000000".
The memory could not be "written".

Of course, a quick Google search did not turn up anything related to svchost.exe and 00cb06d1. So I had to determine myself what was causing the problem. In this case. It was the Windows Image Acquisition service. Setting that service to manual caused this error to disappear. But what if your problem is slightly different but still involves the svchost.exe file? How do you fix the problem?

You must know that svchost.exe is an important Windows system file. It enables certain other Windows’ activities by loading the data need for those activities into memory. Therefore, quite often svchost.exe is called automatically on startup. Looking at the Windows services list, you can get an idea of which one might be causing the problem. When this error occurs, do not click OK or CANCEL on the error pop-up box. Instead, look at the list of services [RUN -> services.msc in Windows XP, or just type service in the search box on the start menu in Windows Vista/7]. Find a service that says STARTING. Then click OK on the svchost.exe error window and then press F5 on the services window to refresh. If that service that once said STARTING now says nothing beside it, you found the problem. Use a search engine to find out how to repair that particular problem.

Advertisement