Someone
Yesterday (6/17) we got a call from a client saying that one of their
computers was very slow and error messages regarding SVCHOST
were appearing. This sounded like the typical Blaster call. However,
the office's computers (5 in all) are behind a router without any port
forwarding or DMZ assignment. All the machines are fully up to date
with all the MS patches. The machines are all W2K SP4 with all
post-SP hotfixes and other critical updates installed.
So we go out there and verify the problem machine is actually patched
properly and it is. We disconnect all the other computers from the
network, leaving only the problem machine connected to the router,
and reboot it. Sure enough, it takes forever to boot up and eventually
gets the "SVCHOST has generated errors" message, with RPC failing
in the event log.
Now if we disconnect this machine from the network, it boots up
just fine. If, after it is all booted up, we reconnect it to the network,
it will continue to work just fine indefinitely (until it is restarted).
I know that even a patched machine can still suffer from being bombarded
by the Blaster worm. But if all the other machines on the network have
been physically disconnected from the network, and the router supposedly
isn't placing this machine in the DMZ or something like that, what would be
causing this? The machine has been scanned by three different products for
a virus, as well as other utilities for spyware and hijacks but everything is
clean. Also, the network has no wireless access points or other potential for
surreptitious connections. And none of the other machines in the office
exhibit unusual behavior when they boot up while connected to the network.
Another thing we tried was assigning a different inside IP address to the
problem machine but that didn't make any difference.
Does anyone have any ideas about this?
Thanks.