at least one service did not start - ssms

bob Sterrett

This probably started after svc pack3.
This service attempts to start svchost with no arguments.

Other instances of svchost (with arguments) are running. Should I delete
this from the registry?

Services
System Process (0)
System (8)
SMSS.EXE (180)
CSRSS.EXE (204)
WINLOGON.EXE (224)
SERVICES.EXE (252)
svchost.exe (468)
DLLHOST.EXE (1116)
DLLHOST.EXE (1768)
spoolsv.exe (512)
msdtc.exe (668)
MSCIS.exe (892)
WFSVCMGR.exe (904)
dfssvc.exe (916)
scvhost.exe (940)
svchost.exe (992)
ismserv.exe (1016)
mdm.exe (1048)
sqlservr.exe (1172)
ntfrs.exe (1300)
regsvc.exe (1372)
LOCATOR.EXE (1384)
mstask.exe (1416)
tcpsvcs.exe (1456)
SNMP.EXE (1472)
svchost.exe (1484)
WinMgmt.exe (1516)
winnt124.exe (1584)
WINS.EXE (1608)
MsPMSPSv.exe (1628)
svchost.exe (1644)
DNS.EXE (1656)
inetinfo.exe (1704)
EXMGMT.EXE (1776)
MAD.EXE (1980)
mqsvc.exe (2012)
mssearch.exe (2044)
trigserv.exe (2436)
STORE.EXE (2636)
EMSMTA.EXE (2804)
LSASS.EXE (264)
explorer.exe (2212) Program Manager
evntsvc.exe (292)
CTFMON.EXE (1156)
AcroTray.exe (3072)
sqlmangr.exe (3700)
CMD.EXE (1964) Command Prompt - tlist -t
tlist.exe (1400)
MSOFFICE.EXE (3660)
 
Benny Fu

Dear Bob,

Thank you for your posting.

Svchost.exe is a generic host process name for services that are run from
dynamic-link libraries (DLLs). The Svchost.exe file is located in the
%SystemRoot%\System32 folder. At startup, Svchost.exe checks the services
portion of the registry to construct a list of services that it needs to
load. There can be multiple instances of Svchost.exe running at the same
time. Each Svchost.exe session can contain a grouping of services, so that
separate services can be run depending on how and where Svchost.exe is
started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

For more detailed information, you can refer to the following article:

250320 Description of Svchost.exe in Windows 2000
http://support.microsoft.com/?id=250320

Hope the information is helpful.

Thanks and have a good day!

Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Reply-To: "bob Sterrett" <[email protected]>
| From: "bob Sterrett" <[email protected]>
| Subject: at least one service did not start - ssms
| Date: Wed, 6 Aug 2003 16:28:49 -0400
| Lines: 58
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10367
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
 
Benny Fu

Dear Bob,

Thank you for your reply.

For the SSMS.exe process, it is likely related to the W32.Gismor@mm virus,
please delete the virus to resolve the issue. For the detailed steps on how
to clean the virus, please refer to the following article:

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

You can delete it from
'HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\SSMS.EXE'
registry.

Hope it is helpful and clears your concerns.

Thanks and have a good day!

Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Reply-To: "bob Sterrett" <[email protected]>
| From: "bob Sterrett" <[email protected]>
| References: <[email protected]>
<[email protected]>
<#lpt#[email protected]>
<[email protected]>
| Subject: Re: at least one service did not start - ssms
| Date: Mon, 11 Aug 2003 08:58:51 -0400
| Lines: 202
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10461
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
|
| The entry in question is ssms not smss.
|
| Virus scans continue to show me as ok.
|
| If you can't think of any reason to attempt a load of svchost with no
| arguments, I will go ahead and delete this registry entry and thus get rid of
| my warning message.
|
| > Dear Bob,
| >
| > Thank you for your reply.
| >
| > The following processes are system processes:
| >
| > System Idle Process
| > System
| > smss.exe
| > winlogon.exe
| > csrss.exe
| > services.exe
| > isass.exe
| > taskmgr.exe
| > regsvc.exe
| > mstask.exe
| > explorer.exe
| >
| > Please check registry for a virus associated with smss.exe and csrss.exe.
| > For more information, please read the following web page:
| >
| > http://securityresponse.symantec.com/avcenter/venc/data/w32.dalbug.worm.html
| >
| > Please monitor the status of the system after you delete the smss.exe from
| > registry. If anything is unclear, please feel free to let me know.
| >
| > Thanks and have a good day!
| >
| > Regards,
| >
| > Benny Fu
| > Microsoft Online Partner Support
| > Microsoft Corporation
| > Get Secure! - www.microsoft.com/security
| >
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| > --------------------
| > | Reply-To: "bob Sterrett" <[email protected]>
| > | From: "bob Sterrett" <[email protected]>
| > | References: <[email protected]>
| > <[email protected]>
| > | Subject: Re: at least one service did not start - ssms
| > | Date: Thu, 7 Aug 2003 09:20:57 -0400
| > | Lines: 123
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | Message-ID: <#lpt#[email protected]>
| > | Newsgroups: microsoft.public.win2000.advanced_server
| > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10393
| > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > |
| > | Thanks Benny, but I know "what" svchost is. The questions are "Is it
| > | alright to delete this troublesome ssms registry entry or should it be
| > | altered in some way so that it works?" and "Who put this thing there?"
| > |
 
bob Sterrett

at least not this one.

This is a service that does not start. As such, since things seem to be ok
without it starting, I would suspect that no harm will be done by just
deleting the registry entry.

So unless you can identify what the following was meant to do, I will just
delete it.

registry entry

smss
|-Enum
|-Security

root
*(default) REG_SZ (value not set)
*Description REG_SZ Manager of Security for Network Services
*DisplayName REG_SZ Service Security Manager
*ErrorControl REG_DWORD 0x00000001 (1)
*ImagePath REG_EXPAND_SZ C:\WINNT\system32\svchost.exe
*ObjectName REG_SZ LocalSystem
*Start REG_DWORD 0x00000002 (2)
*Type REG_DWORD 0x00000110 (272)


Security
*(default) REG_SZ (value not set)
*SSecurity REG_Binary 01 00 14 80 a0 00 00 00 aC ...

Thanks
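
Added example, not part of any post in this thread: a Python triage sketch that runs three checks over the data Bob posted (a svchost.exe ImagePath with no `-k <group>`, a missing Parameters subkey, and names one edit away from a core Windows name). The sample data is constructed from the posted values, with the key name taken as "ssms" as in the thread title; the baseline name list, the control entry and the Svchost group list are assumptions.

```python
import ntpath
import re

# Names an imitation is likely to mimic (assumption: extend with your own baseline).
KNOWN_NAMES = {"svchost.exe", "smss.exe", "csrss.exe", "lsass.exe",
               "services.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe"}
KNOWN_STEMS = {n[:-4] for n in KNOWN_NAMES}


def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters counts as one edit."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(names, known=KNOWN_NAMES, max_dist=1):
    """Return (name, known_name) pairs that are close to, but not equal to, a known name."""
    hits = []
    for name in names:
        low = name.lower()
        if low in known:
            continue
        for k in sorted(known):
            if osa_distance(low, k) <= max_dist:
                hits.append((name, k))
    return hits


def audit_service(name, values, subkeys, svchost_groups):
    """Return review findings for one service key (its values and subkey names)."""
    findings = []
    m = re.match(r'\s*"?([^"]*?\.exe)"?(.*)$', values.get("ImagePath", ""), re.I)
    exe = ntpath.basename(m.group(1)).lower() if m else ""
    if exe == "svchost.exe":
        args = m.group(2).split()
        lowered = [a.lower() for a in args]
        group = None
        if "-k" in lowered and lowered.index("-k") + 1 < len(args):
            group = args[lowered.index("-k") + 1]
        if group is None:
            findings.append("svchost.exe ImagePath has no '-k <group>' argument")
        elif group.lower() not in svchost_groups:
            findings.append(f"group '{group}' is not listed under the Svchost key")
        # Heuristic: a svchost-hosted service normally names its DLL under Parameters.
        if "Parameters" not in subkeys:
            findings.append("no Parameters subkey, so no ServiceDll to load")
    for _, known in lookalikes([name], KNOWN_STEMS):
        findings.append(f"service name '{name}' is one edit away from '{known}'")
    return findings


# Constructed from the registry values posted above.
POSTED_SERVICE = {
    "name": "ssms",
    "values": {"DisplayName": "Service Security Manager",
               "ImagePath": r"C:\WINNT\system32\svchost.exe",
               "ObjectName": "LocalSystem", "Start": 2, "Type": 0x110},
    "subkeys": {"Enum", "Security"},
}
# Constructed control entry with the usual shape of a svchost-hosted service.
CONTROL_SERVICE = {
    "name": "RpcSs",
    "values": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k rpcss"},
    "subkeys": {"Parameters", "Security"},
}
# Constructed group list; on a live system read it from the Svchost registry key.
SVCHOST_GROUPS = {"netsvcs", "rpcss"}
# A few image names taken from the posted tlist output.
POSTED_PROCESSES = ["SMSS.EXE", "CSRSS.EXE", "svchost.exe", "scvhost.exe",
                    "LSASS.EXE", "winnt124.exe", "spoolsv.exe", "mstask.exe"]


def run_triage():
    """Run all checks over the sample data and return the results."""
    return {
        "posted": audit_service(POSTED_SERVICE["name"], POSTED_SERVICE["values"],
                                POSTED_SERVICE["subkeys"], SVCHOST_GROUPS),
        "control": audit_service(CONTROL_SERVICE["name"], CONTROL_SERVICE["values"],
                                 CONTROL_SERVICE["subkeys"], SVCHOST_GROUPS),
        "processes": lookalikes(POSTED_PROCESSES),
    }


if __name__ == "__main__":
    for section, result in run_triage().items():
        print(section, result)
```

A finding here means "review this entry before deleting or keeping it", not a verdict about its origin.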
 
Benny Fu

Dear Bob,

Thank you for your reply.

Based on this and my further research, the issue may be also related to the
worm virus "W32.Blaster.worm". It will use TCP port 135 to download and run
the file Msblast.exe and it can cause the svchost process and system reboot
unexpectedly.

To prevent the computer from being infected by the virus, please install the
security patch MS03-026. The patch is available from Windows Update as well
as on www.microsoft.com\security

Blaster Worm: Critical Security Patch for Windows 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Please note that you still need to use Anti Virus program to clean the
system after you apply the patch. If you do not have Anti Virus software
installed, you can use the following tool to detect the worm.

http://housecall.antivirus.com

The following tools or information from 3rd party vendors may be helpful for
removing the virus.

Symantec
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

McAfee:
http://vil.nai.com/vil/stinger

Hope the information is helpful.

Thanks and have a good day!

Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Reply-To: "bob Sterrett" <[email protected]>
| From: "bob Sterrett" <[email protected]>
| References: <[email protected]>
<[email protected]>
<#lpt#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Not a virus
| Date: Tue, 12 Aug 2003 14:07:22 -0400
| Lines: 313
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10534
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
 
Benny Fu

Dear Bob,

Thank you for your reply.

Based on this, please try to delete the registry entry and check the issue.
Once you finish the steps, please reply to me with an update. I look forward
to the results.

Thanks and have a good day!

Regards,

Benny Fu
Microsoft Online Partner Support
Microsoft Corporation
Get Secure! – www.microsoft.com/security

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Reply-To: "bob Sterrett" <[email protected]>
| From: "bob Sterrett" <[email protected]>
| References: <[email protected]>
<[email protected]>
<#lpt#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Not Blaster related - I will just delete the registry entry
| Date: Wed, 13 Aug 2003 17:00:38 -0400
| Lines: 423
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10598
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
|
| Probably not virus related. This has been around since sp3 and is more
| likely related to an upgrade of SQLserver, Exchange5.5 or exchange2000beta.
|
| Thanks anyway.
|
| | > Dear Bob,
| >
| > Thank you for your reply.
| >
| > Based on this and my further research, the issue may be also related to
| the
| > worm virus "W32.Blaster.worm". It will use TCP port 135 to download and
| run
| > the file Msblast.exe and it can cause the svchost process and system
| reboot
| > unexpectedly.
| >
| > To prevent the computer from infected by the virus, please install the
| > security patch MS03-026. The patch is available from Windows Update as
| well
| > as on www.microsoft.com\security
| >
| > Blaster Worm: Critical Security Patch for Windows 2000:
| >
|
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F
| > -220354449117&displaylang=en
| >
| > Please note that you still need to use Anti Virus program to clean the
| > system after you apply the patch. If you do not have Anti Virus software
| > installed, youcan use the following tool to detect the worm.
| >
| > http://housecall.antivirus.com
| >
| > The following tools or information from 3rd party vendors may helpful
for
| > removing the virus.
| >
| > Symantec
| > http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
| >
| > McAfee:
| > http://vil.nai.com/vil/stinger
| >
| > Hope the information is helpful.
| >
| > Thanks and have a good day!
| >
| > Regards,
| >
| > Benny Fu
| > Microsoft Online Partner Support
| > Microsoft Corporation
| > Get Secure! - www.microsoft.com/security
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| rights.
| >
| > --------------------
| > | Reply-To: "bob Sterrett" <[email protected]>
| > | From: "bob Sterrett" <[email protected]>
| > | References: <[email protected]>
| > <[email protected]>
| > <#lpt#[email protected]>
| > <[email protected]>
| > <[email protected]>
| > <[email protected]>
| > | Subject: Not a virus
| > | Date: Tue, 12 Aug 2003 14:07:22 -0400
| > | Lines: 313
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | Message-ID: <[email protected]>
| > | Newsgroups: microsoft.public.win2000.advanced_server
| > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| > | Xref: cpmsftngxa06.phx.gbl
| microsoft.public.win2000.advanced_server:10534
| > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > |
| > | at least not this one.
| > |
| > | This is a service that does not start. As such, since things seem to
be
| > ok
| > | without it starting, I would suspect that no harm will be done by just
| > | deleting the registry entry.
| > |
| > | So unless you can indentify whatt the following was meant to do, I
will
| > just
| > | delete it.
| > |
| > | registry entry
| > |
| > | smss
| > | |-Enum
| > | |-Security
| > |
| > | root
| > | *(default) REG_SZ (value not set)
| > | *Description REG_SZ Manager of Security for Network Services
| > | *DisplayName REG_SZ Service Security Manager
| > | *ErrorControl REG_DWORD 0x00000001 (1)
| > | *ImagePath REG_EXPAND_SZ C:\WINNT\system32\svchost.exe
| > | *ObjectName REG_SZ LocalSystem
| > | *Start REG_DWORD 0x00000002 (2)
| > | *Type REG_DWORD 0x00000110 (272)
| > |
| > |
| > | Security
| > | *(default) REG_SZ (value not set)
| > | *SSecurity REG_Binary 01 00 14 80 a0 00 00 00 aC ...
| > |
| > | Thanks
| > |
| > |
| > | | > | > Dear Bob,
| > | >
| > | > Thank you for your reply.
| > | >
| > | > For the SSMS.exe process, it is likely related to the W32.Gismor@mm
| > virus,
| > | > please delete the virus to resolve the issue. For the detailed steps
| on
| > | how
| > | > to clean the virus, please refer to the following article:
| > | >
| > | >
| >
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
| > | >
| > | > You can delete it from
| > | >
| >
'HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\SSMS.EXE'
| > | > registry.
| > | >
| > | > Hope it is helpful and clears your concerns.
| > | >
| > | > Thanks and have a good day!
| > | >
| > | > Regards,
| > | >
| > | > Benny Fu
| > | > Microsoft Online Partner Support
| > | > Microsoft Corporation
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > This posting is provided "AS IS" with no warranties, and confers no
| > | rights.
| > | >
| > | > --------------------
| > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | From: "bob Sterrett" <[email protected]>
| > | > | References: <[email protected]>
| > | > <[email protected]>
| > | > <#lpt#[email protected]>
| > | > <[email protected]>
| > | > | Subject: Re: at least one service did not start - ssms
| > | > | Date: Mon, 11 Aug 2003 08:58:51 -0400
| > | > | Lines: 202
| > | > | X-Priority: 3
| > | > | X-MSMail-Priority: Normal
| > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | Message-ID: <[email protected]>
| > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| > | > | Xref: cpmsftngxa06.phx.gbl
| > | microsoft.public.win2000.advanced_server:10461
| > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > |
| > | > | The entry in question is ssms not smss.
| > | > |
| > | > | Virus scans continue to show me as ok.
| > | > |
| > | > | If you can't think of any reason to attempt a load of svchost with no
| > | > | arguments, I will go ahead and delete this registry entry and thus get rid of
| > | > | my warning message.
| > | > |
| > | > | > Dear Bob,
| > | > | >
| > | > | > Thank you for your reply.
| > | > | >
| > | > | > The following processes are system processes:
| > | > | >
| > | > | > System Idle Process
| > | > | > System
| > | > | > smss.exe
| > | > | > winlogon.exe
| > | > | > csrss.exe
| > | > | > services.exe
| > | > | > isass.exe
| > | > | > taskmgr.exe
| > | > | > regsvc.exe
| > | > | > mstask.exe
| > | > | > explorer.exe
| > | > | >
| > | > | > Please check registry for a virus associated with smss.exe and csrss.exe.
| > | > | > For more information, please read the following web page:
| > | > | >
| > | > | > http://securityresponse.symantec.com/avcenter/venc/data/w32.dalbug.worm.html
| > | > | >
| > | > | > Please monitor the status of the system after you delete the smss.exe from
| > | > | > registry. If anything is unclear, please feel free to let me know.
| > | > | >
| > | > | > Thanks and have a good day!
| > | > | >
| > | > | > Regards,
| > | > | >
| > | > | > Benny Fu
| > | > | > Microsoft Online Partner Support
| > | > | > Microsoft Corporation
| > | > | > Get Secure! - www.microsoft.com/security
| > | > | >
| > | > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | > | >
| > | > | > --------------------
| > | > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | > | From: "bob Sterrett" <[email protected]>
| > | > | > | References: <[email protected]>
| > | > | > <[email protected]>
| > | > | > | Subject: Re: at least one service did not start - ssms
| > | > | > | Date: Thu, 7 Aug 2003 09:20:57 -0400
| > | > | > | Lines: 123
| > | > | > | X-Priority: 3
| > | > | > | X-MSMail-Priority: Normal
| > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | > | Message-ID: <#lpt#[email protected]>
| > | > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | > | > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10393
| > | > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > | > |
| > | > | > | Thanks Benny, but I know "what" svchost is. The questions are "Is it
| > | > | > | alright to delete this troublesome ssms registry entry or should it be
| > | > | > | altered in some way so that it works?" and "Who put this thing there?"
| > | > | > |
| > | > | > | > Dear Bob,
| > | > | > | >
| > | > | > | > Thank you for your posting.
| > | > | > | >
| > | > | > | > Svchost.exe is a generic host process name for services that are run from
| > | > | > | > dynamic-link libraries (DLLs). The Svchost.exe file is located in the
| > | > | > | > %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services
| > | > | > | > portion of the registry to construct a list of services that it needs to
| > | > | > | > load. There can be multiple instances of Svchost.exe running at the same
| > | > | > | > time. Each Svchost.exe session can contain a grouping of services, so that
| > | > | > | > separate services can be run depending on how and where Svchost.exe is
| > | > | > | > started. This allows for better control and debugging.
| > | > | > | >
| > | > | > | > Svchost.exe groups are identified in the following registry key:
| > | > | > | >
| > | > | > | > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
| > | > | > | >
| > | > | > | > For more detailed information, you can refer to the following article:
| > | > | > | >
| > | > | > | > 250320 Description of Svchost.exe in Windows 2000
| > | > | > | > http://support.microsoft.com/?id=250320
| > | > | > | >
| > | > | > | > Hope the information is helpful.
| > | > | > | >
| > | > | > | > Thanks and have a good day!
| > | > | > | >
| > | > | > | > Regards,
| > | > | > | >
| > | > | > | > Benny Fu
| > | > | > | > Microsoft Online Partner Support
| > | > | > | > Microsoft Corporation
| > | > | > | > Get Secure! - www.microsoft.com/security
| > | > | > | >
| > | > | > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | > | > | >
| > | > | > | > --------------------
| > | > | > | > | Reply-To: "bob Sterrett" <[email protected]>
| > | > | > | > | From: "bob Sterrett" <[email protected]>
| > | > | > | > | Subject: at least one service did not start - ssms
| > | > | > | > | Date: Wed, 6 Aug 2003 16:28:49 -0400
| > | > | > | > | Lines: 58
| > | > | > | > | X-Priority: 3
| > | > | > | > | X-MSMail-Priority: Normal
| > | > | > | > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | > | > | > | X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | > | > | > | Message-ID: <[email protected]>
| > | > | > | > | Newsgroups: microsoft.public.win2000.advanced_server
| > | > | > | > | NNTP-Posting-Host: 64-8-197-170.client.dsl.net 64.8.197.170
| > | > | > | > | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| > | > | > | > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.advanced_server:10367
| > | > | > | > | X-Tomcat-NG: microsoft.public.win2000.advanced_server
| > | > | > | > |
| > | > | > | > | This probably started after svc pack3.
| > | > | > | > | This service attempts to start svchost with no arguments.
| > | > | > | > |
| > | > | > | > | Other instances of svchost (with arguments) are running. Should I delete
| > | > | > | > | this from the registry?
| > | > | > | > |
| > | > | > | > | Services
| > | > | > | > | System Process (0)
| > | > | > | > | System (8)
| > | > | > | > | SMSS.EXE (180)
| > | > | > | > | CSRSS.EXE (204)
| > | > | > | > | WINLOGON.EXE (224)
| > | > | > | > | SERVICES.EXE (252)
| > | > | > | > | svchost.exe (468)
| > | > | > | > | DLLHOST.EXE (1116)
| > | > | > | > | DLLHOST.EXE (1768)
| > | > | > | > | spoolsv.exe (512)
| > | > | > | > | msdtc.exe (668)
| > | > | > | > | MSCIS.exe (892)
| > | > | > | > | WFSVCMGR.exe (904)
| > | > | > | > | dfssvc.exe (916)
| > | > | > | > | scvhost.exe (940)
| > | > | > | > | svchost.exe (992)
| > | > | > | > | ismserv.exe (1016)
| > | > | > | > | mdm.exe (1048)
| > | > | > | > | sqlservr.exe (1172)
| > | > | > | > | ntfrs.exe (1300)
| > | > | > | > | regsvc.exe (1372)
| > | > | > | > | LOCATOR.EXE (1384)
| > | > | > | > | mstask.exe (1416)
| > | > | > | > | tcpsvcs.exe (1456)
| > | > | > | > | SNMP.EXE (1472)
| > | > | > | > | svchost.exe (1484)
| > | > | > | > | WinMgmt.exe (1516)
| > | > | > | > | winnt124.exe (1584)
| > | > | > | > | WINS.EXE (1608)
| > | > | > | > | MsPMSPSv.exe (1628)
| > | > | > | > | svchost.exe (1644)
| > | > | > | > | DNS.EXE (1656)
| > | > | > | > | inetinfo.exe (1704)
| > | > | > | > | EXMGMT.EXE (1776)
| > | > | > | > | MAD.EXE (1980)
| > | > | > | > | mqsvc.exe (2012)
| > | > | > | > | mssearch.exe (2044)
| > | > | > | > | trigserv.exe (2436)
| > | > | > | > | STORE.EXE (2636)
| > | > | > | > | EMSMTA.EXE (2804)
| > | > | > | > | LSASS.EXE (264)
| > | > | > | > | explorer.exe (2212) Program Manager
| > | > | > | > | evntsvc.exe (292)
| > | > | > | > | CTFMON.EXE (1156)
| > | > | > | > | AcroTray.exe (3072)
| > | > | > | > | sqlmangr.exe (3700)
| > | > | > | > | CMD.EXE (1964) Command Prompt - tlist -t
| > | > | > | > | tlist.exe (1400)
| > | > | > | > | MSOFFICE.EXE (3660)
| > | > | > | > |
| > | > | > | > |
| > | > | > | > |
| > | > | > | >
| > | > | > |
| > | > | > |
| > | > | > |
| > | > | >
| > | > |
| > | > |
| > | > |
| > | >
| > |
| > |
| > |
| >
|
|
|
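
The thread turns on near-miss names: an `SSMS.EXE` Run entry against the system process `smss.exe`, and the posted `tlist -t` output lists `scvhost.exe` alongside several `svchost.exe` instances. As an added example (not part of any poster's message), this Python sketch flags names within one edit or adjacent-letter swap of a core Windows process name; the baseline list and all function names are assumptions of the example, and a hit means "verify the file's path and publisher", not "malicious".

```python
import re

# Assumed baseline of core Windows process names (chosen for this example).
KNOWN = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
         "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe")

# Excerpt of the tlist output quoted in the thread.
SAMPLE = """\
SMSS.EXE (180)
CSRSS.EXE (204)
SERVICES.EXE (252)
svchost.exe (468)
DLLHOST.EXE (1116)
scvhost.exe (940)
svchost.exe (992)
SNMP.EXE (1472)
LSASS.EXE (264)
explorer.exe (2212) Program Manager
"""
RUN_VALUES = ["SSMS.EXE"]  # value name under the Run key named in the thread
LINE = re.compile(r"^\s*(\S+\.exe)\s+\((\d+)\)", re.IGNORECASE)

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap as one edit."""
    # First row and column hold the cost of building a prefix from nothing.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalikes(names, max_distance=1):
    """Return (name, known) pairs that are close to, but not equal to, a known name."""
    hits = []
    for name in names:
        low = name.lower()
        if low in KNOWN:
            continue  # exact match: the name itself is not a lookalike
        hits += [(name, k) for k in KNOWN if osa_distance(low, k) <= max_distance]
    return hits

def scan(tlist_text, run_values):
    """Parse 'name.exe (pid)' lines and check them together with Run value names."""
    procs = [m.group(1) for m in map(LINE.match, tlist_text.splitlines()) if m]
    return lookalikes(procs + list(run_values))
```

An exact name match passes this check, so a binary named `svchost.exe` running from outside `%SystemRoot%\System32` still needs a separate path check.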