 svchost.exe errors

dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  17:15:21
Okay, hopefully I can explain everything here in one post. I am working on a family member's computer. We recently did a new install of Windows 2000 on a Compaq 5106cl machine which originally had Windows ME. After installing Windows 2000 I noticed the modem was not recognized so no drivers were installed. I found the latest and greatest drivers from Compaq's website specifically for Windows 2000, which was a PC-Tel Platinum V90 56K modem. After installing the drivers we were able to get online. The first thing I did after that was install Norton Anti-Virus and got the latest and greatest signatures and made sure Active Scan was running.

Now, on to my problem. While trying to run Windows Update, an error started to come up stating:

SVCHOST.EXE has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.

The machine then starts acting really weird, to the point of making it impossible to get anything done. After some quick researching I found an abundance of information stating that this was typically an issue related to the infamous Blaster Worm/Virus. I immediately ran Stinger and Blaster Removal utilities from Symantec and McAfee and neither one of these utilities reported Blaster or any other well known virus.

We then decided to start from scratch and try to prevent this problem from even occurring (basing it on the idea that it was still a virus). After reinstalling the Operating System and making sure Norton Anti-Virus was installed before going online, we once again installed the modem drivers for 2000 and then ran Windows Update. Sure enough, it happened again. It appears the error is only coming up after we go online. It never comes up if we boot the machine up and leave it on without going online.

I know a lot of you are going to read this and swear it is a virus, but I'm beginning to believe it is something else, maybe even something related to the modem drivers I got from Compaq because, like I said, it is only an issue once we dial up to the internet. I have taken other measures to prevent this problem, like turning off the Messenger Service, installing a software firewall and even trying to find new modem drivers, but consistently the error comes back once we go on to the internet.

I read more into this issue as it pertains to RPC and needing the latest Windows Service Pack 4 to prevent getting this virus, so we did that as well and still the error comes up.

So, my questions to the community:

1. Am I wasting my time trying to fight a virus that does not exist?
2. Can a conflicting modem driver be the suspect in this problem?

Any help will be greatly appreciated, but please don't point me to any Blaster Worm checkers/fixers as I have done basically all of them.

Thanks for any help you can give me on this.

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 05 December 2003 :  17:20:48
My first thought would have been Nachi or Blaster. Did you run a program like Stinger after running the Windows updates?

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

Edited by - Nikkol on 05 December 2003 17:25:10

Dave.
Senior Member

USA
1037 Posts

Posted - 05 December 2003 :  17:22:56
I'm not sure if I'm reading this correctly, but are you going online before you install SP4? Maybe you're getting a virus before SP4 is installed?

dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  17:28:32
Nikkol, I know I typed a lot of text, but I kind of mentioned that I already did that. The answer is yes.

Dave., we installed SP4 before going online, plus again, no virus is being detected by ANY Blaster checker like Stinger and FixBlast.

Nikkol
Forum Moderator

USA
6907 Posts

Posted - 05 December 2003 :  17:31:08
quote:
Originally posted by dayve

Nikkol, I know I typed a lot of text, but I kind of mentioned that I already did that. The answer is yes.

K, just making sure that you ran those before and after. We've seen a lot of machines that are infected within the time it takes to run updates.

Nikkol ~ Help Us Help You | ReadMe | 3.4.03 fixes | security fixes ~

dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  17:36:22
I hate to admit it but I've spent 3 days on this now and feel I have covered every scenario possible, which is why I finally brought it here to Snitz. We are going to replace the modem with a 3Com brand and rule out any driver issues, hopefully. It really is a bizarre situation, because everything I read points to this being nothing else other than a virus.

Doug G
Support Moderator

USA
6493 Posts

Posted - 05 December 2003 :  19:05:46
Does the computer run without crashing in safe mode? Scandisk is clean? Have you run sfc? How about using some generic modem drivers? You can usually get away with using a generic 38400 modem type.

======
Doug G
======
Computer history and help at www.dougscode.com

dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  21:58:03
The computer runs fine until we dial up to the internet, scandisk checks good, generic modem drivers do not work. What is sfc?

Doug G
Support Moderator

USA
6493 Posts

Posted - 05 December 2003 :  22:24:01
sfc is the system file checker program that verifies the Windows files are not altered. You can run it from the command prompt; use sfc /? to see the command line options. Or you can run it in GUI mode from Start - Accessories - System Tools - System Information and then look at the Tools menu.

It sounds to me like the drivers you installed are the problem. If you're not in a hurry you can probably get a USR or some other non-proprietary modem for about 5 or 10 bucks from eBay.


======
Doug G
======
Computer history and help at www.dougscode.com

dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  23:10:36
I was already thinking the modem drivers could be the problem so I had the person I am helping pick up a modem and that will be our next step.


dayve
Forum Moderator

USA
5820 Posts

Posted - 05 December 2003 :  23:53:42
I had someone else on another forum post this:

quote:
The shutdown occurs when you're scanned by an infected machine, not when you get infected. The antivirus can detect the worm as soon as you do get infected but as it's not a firewall it cannot prevent the machine being scanned and the errors that occur from this.

The programming of the earlier versions of the worms based around the RPC vulns didn't close the threads they opened properly, leading to the svchost crashing and the system shutting down. Basically, the original versions had one chance to guess the OS of the remote OS, if they ****ed it up, it kills the svchost and bang goes the system. Later versions used a universal offset which worked on all unpatched machines for each OS. Earlier versions aimed for a particular version of each OS going for a % infection rather than aiming for 100%. Nice isn't it.

The strange part is that you mention that you've installed a software firewall... I can only suggest that this is badly configured (sorry!). Do a fresh install of Windows and install the firewall software before you go anywhere near the internet. Configure it to *only* allow traffic going out over port 80 and coming in to Internet Explorer. Block *all* other incoming ports. Apply SP4 then install the RPC vuln patches. Ideally, you'd download these manually on a different PC then get them over to the new machine via USB disk / CD-RW whatever. Finally run Windows Update to bring it up to current. Ideally, you would do all these installations from trusted local sources. If possible, run HFNetChk or the Microsoft Baseline Security Analyzer on it too since Windows Update can miss patches that these will spot as missing.

Browse the net for a while and see if this has solved the problem. If it has, get Norton on there and also update it to current. As I said above, Norton should protect you from infection but not from the shutdown problem. If you find at this point the SVCHost error is gone, open up the firewall and keep monitoring the machine. Leave 135-139, and 445 closed. There's no need for these to be open to the internet on a home system.

I don't believe the modem is related to this, however for the sake of $10 if you still have the problem after the steps I outlined above it has to be worth trying throwing a brand new external one on. Always worth having one around anyway for if your DSL/cable goes down and you need to check your ISPs website.



dayve
Forum Moderator

USA
5820 Posts

Posted - 06 December 2003 :  02:37:26
Bah! Before replacing the modem, we ran the RPC vulnerability patch one more time. Oddly enough, this fixed the problem. I guess the first time we ran it, it didn't do anything. Go figure.

Rasco
Advanced Member

Germany
3192 Posts

Posted - 06 December 2003 :  04:56:05
Thanks dayve. I have exactly the same problem on a friend's machine.
I will try the suggested fix.

German Snitz Forum

dayve
Forum Moderator

USA
5820 Posts

Posted - 06 December 2003 :  13:54:50
Just make sure you have SP4 installed as well; you need both SP4 and the RPC Vulnerability patch installed to eradicate the problem.
