scvhost.exe

stephen

Scvhost.exe. What does this do? I keep getting messages that this App has
failed and needs to be restarted. After it does fail, in Word for instance,
I can no longer Cut/Paste.

This is on a brand new - just today - fresh install of Win2Kpro and a
completely reformatted hard drive and nothing installed except MS Office
2000, so far.
 
stephen

The failure of this App also seems to prevent moving icons on the desktop as
well.
Re-trying from the Run menu doesn't make a difference.
 
stephen

msblaster.exe

On a totally new system that has received no emails with those suspicious
blaster subject lines? Is it really possible to have been 'infected' so
quickly? Not really doubting you, but I'm just amazed?

Symantec reports about it, but I didn't see any removal tools or
instructions there.
 
Chris Shields

stephen said:
On a totally new system that has received no emails with those
suspicious blaster subject lines? Is it really possible to have been
'infected' so quickly? Not really doubting you, but I'm just amazed?

Symantec reports about it, but I didn't see any removal tools or
instructions there.

Within 5 minutes of being online with an unpatched clean install of Windows
2000 my system was infected with the W32.Welchia.Worm, which exploits the
same DCOM RPC vulnerability as the Blaster one. So it is very easy to pick
up with an unpatched system with DCOM activated.

Also, after picking up this worm, although its main function is to try and
patch the vulnerability it exploited, I had similar problems to those you
describe: problems with scvhost and then the system acting very weird
indeed. It is worth running the Symantec removal tool for this worm as well
as the Blaster worm. It can be found here: http://tinyurl.com/khlz. Make sure
you patch up and/or disable DCOM as well, as you will most likely be
reinfected as soon as you remove it otherwise. You can disable DCOM with
DCOMbobulator from http://www.grc.com/dcom/intro.htm.

HTH
 
Chuck

On a totally new system that has received no emails with those suspicious
blaster subject lines? Is it really possible to have been 'infected' so
quickly? Not really doubting you, but I'm just amazed?

Symantec reports about it, but I didn't see any removal tools or
instructions there.

As other posters have indicated, it is indeed possible to become
infected very quickly after connecting to the internet. Blaster
attacks through the network, not just thru email.

To recover from this nuisance, you must in this order:
1) Get a firewall or NAT router (or both).
2) Remove the infection.
3) Connect to WindowsUpdate and download all critical updates
immediately.

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 
stephen

1) Get a firewall or NAT router (or both).
2) Remove the infection.
3) Connect to WindowsUpdate and download all critical updates
immediately.

Thanks, Chuck. I've done the three steps you outlined. New problem is that
now, after installing the SP4 update, I can't get any program to access the
internet - not a browser, email client, newsreader (currently using
different computer) at all. Zone Alarm has permission for all these
applications, but I cannot connect.
 
Chuck

On a totally new system that has received no emails with those suspicious
blaster subject lines? Is it really possible to have been 'infected' so
quickly? Not really doubting you, but I'm just amazed?

Symantec reports about it, but I didn't see any removal tools or
instructions there.

As other posters have indicated, it is indeed possible to become
infected very quickly after connecting to the internet. Blaster
attacks through the network, not just thru email. You need to be
behind a firewall or router to block its attack.

To recover from this nuisance, you must in this order:
1) Get a firewall or NAT router (or both).
2) Remove the infection.
3) Connect to WindowsUpdate and download all critical updates
immediately.

Please do all of these for everybody's sake. Guess what your system
is doing, while it's connected to the internet, after becoming
infected? Infecting others (or wasting bandwidth trying to).

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 
stephen

Please do all of these for everybody's sake.

As I wrote previously, I HAVE installed Zone Alarm firewall and I HAVE used
the tool from Symantec and removed the worm from my system, so I couldn't be
infecting others even if I could access the net, which will now NOT allow
access after updating to SP4.
 
Chuck

Thanks, Chuck. I've done the three steps you outlined. New problem is that
now, after installing the SP4 update, I can't get any program to access the
internet - not a browser, email client, newsreader (currently using
different computer) at all. Zone Alarm has permission for all these
applications, but I cannot connect.

Stephen,

The security updates were a good idea. The SP4 probably wasn't. I've
seen queries by numerous victims of the SP4 upgrade identical to your
problem - so many that I've left it undone myself - my Win2K system is
still on SP3. But I do apply all the security updates, usually a week
or so after they come out.

The best protection for these worms like Blaster is a NAT router,
IMHO. Microsoft will never be as up to date as the hackers and
writers of Blaster-like crap. So far, no worm can get thru NAT.

Cheers,

Chuck
I hate spam - PLEASE get rid of the spam before emailing me!
Paranoia comes from experience - and is not necessarily a bad thing.
 
Geoffw

Yes.

Symantec does have the tool, as do other vendors.

Did you Ctrl+Alt+Del to halt the process before running
the fix?

I have read that you need to follow the fix exactly as
described.
Do a Ctrl+Alt+Del and see if msblast is still a running
process, if it is still infected.

Re: SP4, I have seen so much in MS groups about problems with
SP4 that I will be staying on SP3 for a while yet.

Good luck

Geoff
 
DaHelpa

Also could be Welch Virus worm... Symantec has the removal
tool for that as well. Especially if you have not
applied ANY updates. Look for excessive RPC mapping on
your firewall.
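
The firewall check suggested in the last reply, as an added example that is not part of the original thread: it assumes "RPC mapping" means traffic to the RPC endpoint mapper on TCP port 135 and uses a constructed CSV log layout rather than any real firewall's format. It reports remote hosts probing that port and local hosts contacting it on many distinct addresses, the pattern of an infected machine trying to spread.

```python
import csv
import io
from collections import defaultdict

RPC_ENDPOINT_MAPPER = 135  # TCP port of the RPC endpoint mapper used by DCOM

# Constructed sample log. The column layout is an assumption for this example,
# and the addresses are private/documentation ranges, not real indicators.
SAMPLE_LOG = """\
time,direction,src,dst,dport,proto
10:00:01,in,203.0.113.7,192.168.1.10,135,TCP
10:00:02,in,203.0.113.7,192.168.1.10,135,TCP
10:00:05,in,198.51.100.23,192.168.1.10,135,TCP
10:00:09,out,192.168.1.10,192.0.2.80,80,TCP
10:01:00,out,192.168.1.10,192.0.2.1,135,TCP
10:01:00,out,192.168.1.10,192.0.2.2,135,TCP
10:01:01,out,192.168.1.10,192.0.2.3,135,TCP
10:01:01,out,192.168.1.10,192.0.2.4,135,TCP
10:01:02,out,192.168.1.10,192.0.2.5,135,TCP
10:01:03,out,192.168.1.11,192.168.1.2,135,TCP
"""


def rpc_activity(log_text, fanout_threshold=5):
    """Summarise TCP/135 traffic in a firewall log.

    Returns (inbound, scanners):
      inbound  - remote source -> number of connection attempts to port 135
      scanners - local hosts that contacted port 135 on at least
                 fanout_threshold distinct destinations
    """
    inbound = defaultdict(int)
    outbound = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"].upper() != "TCP":
            continue
        if int(row["dport"]) != RPC_ENDPOINT_MAPPER:
            continue
        if row["direction"] == "in":
            inbound[row["src"]] += 1
        elif row["direction"] == "out":
            outbound[row["src"]].add(row["dst"])
    scanners = sorted(host for host, dsts in outbound.items()
                      if len(dsts) >= fanout_threshold)
    return dict(inbound), scanners


if __name__ == "__main__":
    probes, infected = rpc_activity(SAMPLE_LOG)
    print("inbound probes:", probes)
    print("likely infected local hosts:", infected)
```

A single outbound connection to port 135 on a local server, like the last sample line, is normal Windows traffic and stays below the threshold.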
 
