'General Host Process for Win32 Services' can't stay open

[Knack]

A popup error box keeps reappearing about this; with a following popup
asking to send a report to Microsoft. So obviously this process is able to
automatically restart itself again.

This problem is coincidental with an infection of the Lovsan worm
(msblast.exe), which was deleted today. The free McAfee AV program named
Stinger.exe "repaired" the system, but I now question the thoroughness of
that repair.

Does anyone know the name of the file pertaining to this process?

Will reapplication of SP1 fix the problem? Or is there some other specific
repair for this problem that is downloadable from Microsoft?

Any help in fixing this would be greatly appreciated.

 

[Steve Nielsen]

I have noticed on a few Win2k machines an error box stating scvhost.exe
has generated errors and must close after an apparent attack from MBlast
worm on our network. Just prior to the beginning of these errors my
Win2k workstation running a software firewall alerted me of a attempt
from a host within our WAN from port 4640 TCP hitting my local port 135
for Generic Host Process for Win32 Location Service, file associated was
svchost.exe. Scanning Win2k machines that exhibited the above mentioned
error with Fixbalst.exe from Symantec did not detect the worm and
searching the registry on said machines did not reveal signs of the
infection. In addition, until a restart some network services slowed or
would not function. I find nothing in any of the articles about Mblast
associating it with this error or with scvhost.exe, however I believe
there is a connection, it's too coincidental not to be.

Steve

 

[Knack]

Thanks Steve. Your observation pretty much proves to me that it was due to
the worm, not the bad install of Netscape 5 that I also just happened to do
yesterday (same day of the worm attack of my system).

The free McAfee AV program 'Stinger' (to repair the Lovsan/msblast worm) was
run on the system today. It deleted msblast.exe and one registry subkey
referring to it. However, afterward I ran Symantec's freeware for this worm
(FixBlast) and as expectd it did not find msblast.exe (because Stinger
already deleted it), but it found an additional offending registry entry
pertaining to Lovsan that Stinger missed.

Here's another interesting freeware fix that has been worked out just hours
ago to repair Lovsan infected/damaged ssystems. It's a VB script to run
http://www.kellys-korner-xp.com/xp_qr.htm#rpc