svchost--Is there an authoritative source on the web?


Wayne Watson

The random loss of svchost is a pain in the butt. I see many, many msgs
posted about it. Is there one authoritative source on this that really
answers the question on what causes it and how to fix it? I'm using
w2000.
 
-----Original Message-----
The random loss of svchost is a pain in the butt. I see many, many msgs
posted about it. Is there one authoritative source on this that really
answers the question on what causes it and how to fix it? I'm using
w2000.

.Wayne.
Hi. Yes, I am getting pain. Help anyone? :-(
 
You've got or had Blaster and/or Welchia worms and Microsoft's patch
sucks I'm afraid. Once Blaster has infected your machine it attacks you
again from a remote server. It exploits a vulnerability in the DCOM
module. DCOM is pretty useless for everything except Blaster, so it can be
safely deactivated. You need to download a utility called DCOMbobulator
from

http://grc.com/dcom/

this will deactivate DCOM and stop the problem. You have to turn it off
and close the open port that it will find. I had this problem for about
six months before I found the solution so I know how frustrating it is.
This definitely works though!

Good luck

On Tue, 21 Oct 2003 04:04:16 GMT, Wayne Watson
 
I've run NAV twice in two weeks on my complete system with fresh definitions,
the last time 4 days ago. Nothing. I've had the problem for 4-6 weeks. I am
hoping a SP4 application will fix it. I may have SP4 (w2000) soon. I'll
certainly know then.

I run McAfee firewall and have already run DCOMbobulator. It's still a
problem. Why wouldn't NAV detect it? Does it leave the system after it infects
it and then only strikes from afar as you suggest? How would it get on my
machine? Mail? Plant itself via an open port? I never execute any exe files
and use NScape.
 
Yeah, install SP4. As regards Blaster, it attacks port 135; if you can
block that with a firewall or some such, that would work. NAV won't pick up
Blaster if you've had Welchia after, because Welchia tries to remove
Blaster as part of its payload.
 
I was wrong about DCOMbobulator. I enabled it through the dialog, but when I
verified that it was working it wasn't. So despite the fact I thought it's been
running on my system for 2-3 weeks, it hasn't.

That's a very funky interface to dcombob. I still haven't figured out how to turn
it on successfully. I've enabled it as mentioned, and then restarted. If I run
dcombob verify, it shows that DCOM is still active and that I'm vulnerable. Maybe
there's some firewall interference. Well, I'll try once more.

Between Swen and svchost, I seem to have a full time job.
 