SVChost

  • Thread starter: Ben

Ben

Have a strange problem. Yesterday and today every machine on a particular
subnet will display a yellow message box saying svchost has generated
errors. When you click OK it goes away. I thought this could be related to
the new MSBlast virus. Our antivirus is up to date and I ran the removal
tool from Symantec. It did not find anything. I also applied the security
patch from MS. Machines are Win2k SP3 and XP SP1. Any thoughts? Thanks

Ben
 
Yes, I think that is what it is: the MSBlast "virus." This isn't really a
virus. It is just using a "bad request" to mess up the DCOM in Windows.
That's not a virus. It is a worm. Look in your Event Viewer; you will see an
RPC error. That's MSBlast. Nothing to catch, just avoid it with the patch.
 
Well, what do you know, I was wrong about "catching" something, it seems. It
looks like you can get a msblaster.exe in %systemroot%\system32. Sorry 'bout
that. I got the svchost error but no such executable.
 
Well, I suspect the cleaning done by Norton is where your problem is. I was
running that for the last ½ hour until I read your post. I have stopped it.
My understanding is if you are "infected" you have msblast.exe in
%systemroot%\system32 and maybe some registry entries. The tool by Symantec,
I can tell, does nothing to the registry. I didn't let it finish but I
doubt it does anything to the registry. It looks to want to just clean
(delete) a file (msblast.exe). I would try a search in the registry for
msblast and remove any found. Then I would run in command prompt sfc
/purgecache (with the Windows 2000 CD-ROM in the drive) and finally reboot.

The fixblast.exe tool will remove the registry entry that starts msblast.exe
when you boot. It also removes the file. It also checks to see if
msblast.exe is currently running, and aborts it. But it reports all these
things after scanning all your hard drives. If you had let it complete, you
would have seen its output message(s).
 