W2K Pro SP4 and svchost.exe problem...

BGanger109

Last weekend I upgraded the wife's PC to W2K SP4 (when I replaced her
HD with a brand new one) and everything was grand for a little less
than a week. Then icons failed to show up in Control Panel and in the
Add/Remove Programs applet. When she tried to organize her favorites
in IE - she found she could not make folders in the favorites and the
screen for doing it was messed up. Then she could not print from the
internet - only in Wordpad or notepad (do not have Office loaded yet).
I repaired the install and it worked fine for a day till it started
doing the exact same thing.

When I rebooted the other day she got an error about svchost.exe that
errored - I have not looked at the log yet but I do not know if
shutting a svchost.exe will cause the same problems. When she has the
problem she also can't print from the web.

When the PC does reboot the OS is fine for the first couple of minutes
till it gets hosed after getting the svchost.exe error - so it seems
to be a direct correlation.

Just talked with my father (he uses W2K Pro but not SP4 - I think he
is on SP2) - he has the same problem, same error, with the same
results (effects). His happens when he gets on the web; with the wife's
it is about 2 minutes after she boots - no matter what. He also gets the
svchost.exe error - just after he gets on the web. Only log file created or
changed with a size over 0 K is DRWatson and it says the same thing
DrWatson ever says - Sharing Violation.

All I can find on the MS website is that SP4 will solve the problem - but her
problem has NOT been fixed by SP4 in any way.

Any hope to fixing this problem or do I just have to reinstall W2K Pro
a couple of times till it is ok????
 
Nope - have run 2 AV's and searched for msblast.exe as well - completely clean.
I also ran the repair install and it did no good as well.
 
Some users have reported MSBlast's RPC attacks coming at you from the
Internet can cause the RPC service to fail, even though it's not really
even on your machine...

If you PHYSICALLY disconnect from the Internet
(unplug cable), do the symptoms stop?
 
I started having the "svchost.exe error" problems last
week, after loading SP2 a few weeks ago (July 15) and
thought perhaps the SP4 would fix the problem. No joy.
Every time I get on the internet, within about 3 minutes
(max) the error notice appears and I must shut-down and
reboot to start over. Seems like something got downloaded
along with the SP2 and SP4 upgrades...
 
I had a machine infected with a virus that went undetected by Norton's,
McAfee's and Trends for a month. I found it and manually deleted it after
all 3 said the machine was clear. I submitted the virus file to both
Symantec and trends and BOTH said it was not a virus. Funny thing was if it
wasn't a virus, why did they add it to the defs only a week later? If it
looks like a virus and acts like a virus, it probably is.
Moral of the story, don't rely on your antivirus, they ALL miss things
especially when the virus is new.
 
I checked manually - no dice - she did not have the entries in the registry and
Trend and AVG have that virus in their dat's.

So far - removing the network cable from PC and it is operating correctly...

Brian
 
BGanger109 wrote in
I checked manually - no dice - she did not have the entries in the
registry and Trend and AVG have that virus in their dat's.

So far - removing the network cable from PC and it is operating
correctly...

Sounds more and more like your RPC service is vulnerable. That's the
entry point for MSBlast from an Internet connection.
* Apply MS hotfix from Security Bulletin MS03-026
* Lock down your hardware/software firewall for all unused ports.
 
Sherm wrote in
I started having the "svchost.exe error" problems last
week, after loading SP2 a few weeks ago (July 15) and
thought perhaps the SP4 would fix the problem. No joy.
Every time I get on the internet, within about 3 minutes
(max) the error notice appears and I must shut-down and
reboot to start over. Seems like something got downloaded
along with the SP2 and SP4 upgrades...

SP4 does _not_ contain the RPC/DCOM fixes! Patch your system. See
WindowsUpdate or MS Security Bulletin MS03-026
 
The Hotfix has already been applied and one of the RPC vulnerabilities was
supposed to be fixed on SP2 (according to MS) so she should be good to go but
instead she is dead in the water....

Brian
 
BGanger109 wrote in
The Hotfix has already been applied and one of the RPC
vulnerabilities was supposed to be fixed on SP2 (according to MS)
so she should be good to go but instead she is dead in the
water....

But are you blocking port 135 from the Internet? The attack mechanism
can destabilize RPC (and svchost) on the system without actually
infecting the system. NAT routers are a must these days.

If disconnected from the Internet the entire time from bootup does this
behavior cease?
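
Added example (not from any poster in this thread): a check over saved `netstat -an` output for whether TCP port 135 is listening on a non-loopback address and whether hosts outside the LAN are connected to it. The sample output, the `lan` subnet and the function names are constructed for illustration.

```python
import ipaddress

RPC_PORT = 135  # RPC endpoint mapper, the port the thread says to block

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:135       203.0.113.7:4312       ESTABLISHED
  TCP    192.168.1.10:135       192.168.1.20:1190      ESTABLISHED
  TCP    192.168.1.10:1045      198.51.100.9:80        ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None when not numeric."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None

def rpc_exposure(netstat_text, lan="192.168.1.0/24"):
    """Return (listeners, outside_peers) for TCP port 135.

    listeners: non-loopback local addresses port 135 is bound to.
    outside_peers: remote addresses outside `lan` (assumed home subnet)
    that currently hold a connection to local port 135.
    """
    lan_net = ipaddress.ip_network(lan)
    listeners, outside_peers = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # header, UDP and blank lines
        laddr, lport = split_endpoint(fields[1])
        faddr, _ = split_endpoint(fields[2])
        if lport != RPC_PORT:
            continue
        if fields[3] == "LISTENING":
            if not ipaddress.ip_address(laddr).is_loopback:
                listeners.append(laddr)
        elif ipaddress.ip_address(faddr) not in lan_net:
            outside_peers.append(faddr)
    return listeners, outside_peers

if __name__ == "__main__":
    print(rpc_exposure(SAMPLE))
```

A listener on `0.0.0.0:135` only shows the local binding; whether it is reachable depends on the router or firewall in front of the machine, so an empty `outside_peers` list after blocking the port is the result to look for.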
 
She already has the MS03-026 hotfix and SP2 fixed another RPC vulnerability
(supposedly)...
 
After leaving her PC disconnected from the internet all night she had no
further attacks this morning after I plugged her cat5 in again. Since then
port 135 is blocked...

My question is why in the hell she was still having problems AFTER getting SP4
AND the MS03-026 hotfix??? She had the problems HOURS after the MS03-026
hotfix was loaded for some reason.
 