SVCHOST.EXE and svchost.exe (W2000 Pro)

Tad

Hi, I have been for many weeks now trying to recover my
son's PC from an attack of spyware.
I got the spyware fixed (thanks to SPYBOT) but had many
other annoyances left over to try to comprehend and fix.

I am getting a 'svchost.exe' error shortly
after launching IE after a reboot.
The message says the application needs to be restarted,
but, other than that nothing happens other than the modem-
status no longer does
anything, and when I click on connection properties in
Dialup&Networking, I get a message saying that
an "unexpected error occurred".
I am in general suffering from "Wobbly Windows".
I thought I had MSBLASTER worm/virus, but I
ran "fixblast.exe" from Symantec, and it said I didn't
have it.

My question is: I have found two programs on my hard drive,
one called "svchost.exe" and the other "SVCHOST.EXE" in
different directories (haven't got their names to hand
just now!).
When I display the version info for SVCHOST.EXE, it seems
to indicate that it is really a copy of a TFTP program.
(Trivial File Transfer Protocol/Program)
Is this the way it is supposed to be? Or is this a
symptom of a virus/worm?

For the time being, I have renamed this to BillGates.exe.
I haven't noticed any problems yet, but I have often spoken
too soon regarding this PoS (Pile of ....) excuse for an
OS. I don't want to become proficient in any of this
stuff, I'd just like it to work as advertised before I die!

Any help would be appreciated,

regards,
Tad
("Considering offering a bounty for apprehension and
dismemberment of virus/worm/spyware writers")
 
James

Greetings,

At a guess, I'd say you don't have a firewall(?!)

Try this article - one of the posters gives a good
explanation on what to do/how to remove the trojan:

http://www.experts-exchange.com/Miscellaneous/Q_20708414.html

Trojans, by nature, are NOT viruses - which is why a lot
of AV packages got (and still get!) caught out. Now, of
course, they've added tools to find/remove this one.

But this is useless if you still haven't plugged the hole
in the OS/IE software - this or another trojan just comes
back onto your computer the next time you connect to the
internet.

Hence the need for a firewall - Zone Alarm's or Outpost's
free versions can be recommended.

In its current state, if you did a test of your computer
on sites such as grc.com ("Shields Up!") or pcflank.com
you'll see just how OPEN your ports are to all and sundry
without a firewall.

Patching and then testing the ports again will show you
which ones have been CLOSED - but still visible without a
firewall.

Hope this helps!

Kindest regards,

James
 
Joe

The DCOMbobulator took care of this problem. Port 135 stays
open allowing stuff to get in. Go to http://grc.com/dcom/
to download it. Be sure to read everything to understand
what's happening.
Joe
 
