
Thread: Problems with svchost.exe

  1. #1
    Join Date
    Jul 2004
    Posts
    264
    Rep Power
    0

    Problems with svchost.exe

    ok ... i have encountered this really annoying problem for about 4 weeks now .... every time i boot up my machine explorer freezes .... the taskbar is rendered useless .... i try to run a program (like system restore) from command prompt .... it might start but if it does .... and is carrying out any function ... it usually crashes .... and then after a while a message box appears telling me something like
    "error with svchost.exe ... cannot access memory at position ..... whatever .... will have to terminate program .... " then everything seems to work ok afterwards .... does anyone know of what i might be talkin about ..... if so some help needed .... because i have to restart my comp sometimes to get it workin properly > .. really annoying

  2. #2
    Join Date
    Feb 2004
    Posts
    892
    Rep Power
    0

    Re: Problems with svchost.exe

    Is your machine properly patched with the required security updates?

    What version of Windows are you running?

  3. #3
    Join Date
    Jul 2004
    Posts
    264
    Rep Power
    0

    Re: Problems with svchost.exe

    well i have windows home edition on my system ..... ahhh well thought that might have been the prob ..... but alas i have not been able to keep up with all those updates ..... actually i have not really checked on them .... only did something for that sasser worm threat .... anyway i was makin up my mind to upgrade soon .... but yeah ..... just as well i check up on those updates ....

  4. #4
    Join Date
    Feb 2004
    Posts
    892
    Rep Power
    0

    Re: Problems with svchost.exe

    Do you know how to check your registry?

    My suggestion is that you download the patches for your PC and run the virus updates for the W32.Blaster @ Welchia.
    Take a look below..


    How Does the Welchia Worm Infect My Computer?

    Copies itself to the Wins directory in the System or System32 folder in Windows, usually:

    C:\Windows\System32\Wins\Dllhost.exe for Windows XP or
    C:\WinNT\System32\Wins\Dllhost.exe for Windows NT/2000

    There is a legitimate file called Dllhost.exe (about 5-6K) in the System32 directory.

    Makes a copy of the TFTP server (TFTPD.exe) from the Dllcache directory to the following directories.

    C:\Windows\System32\Wins\svchost.exe for Windows XP or
    C:\WinNT\System32\Wins\svchost.exe for Windows NT/2000

    NOTE: Svchost.exe is a legitimate program, which is not malicious, found in the System32 directory

    Creates the following services:

    Service Name: RpcTftpd
    Display Name: Network Connections Sharing
    File: %System%\wins\svchost.exe

    This service will be set to start manually.

    Service Name: RpcPatch
    Display Name: WINS Client
    File: %System%\wins\dllhost.exe

    This service will be set to start automatically.


    Ends the process, MSBLAST, and deletes the file %System%\msblast.exe which is dropped by the worm, MSBlast.A. First, it checks the operating system version, then it downloads the appropriate patch from the designated Microsoft Web site. After executing the patch, it reboots the system.
    Some of the patches it downloads into the system are as follows:

    http://download.microsoft.com/downlo...80-x86-KOR.exe
    http://download.microsoft.com/downlo...80-x86-CHT.exe
    http://download.microsoft.com/downlo...80-x86-CHS.exe
    http://download.microsoft.com/downlo...80-x86-ENU.exe
    The downloaded patch has the file name, RpcServicePack.exe. This worm deletes this file after it is run.

    Before downloading or installing the patch on the system, this worm first checks if the system has been previously patched by checking for specific registry keys to make sure the patch hasn't been installed.

    The worm travels through a computer network or local area network looking for unpatched and vulnerable machines. The worm will use a ping to determine if the active machine is on a network. Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.

    Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.

    Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.
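
Added example, not part of the original post: the service names and file paths from the Welchia description above, turned into a check over a service inventory. The `(service name, image path)` input format, the function names and the sample entries are assumptions made for illustration; the second finding generalizes the post's note that svchost.exe and dllhost.exe are legitimate only directly in System32.

```python
import ntpath

# Service name -> image path, as listed in the Welchia description quoted above.
WELCHIA_SERVICES = {
    "rpctftpd": r"%System%\wins\svchost.exe",
    "rpcpatch": r"%System%\wins\dllhost.exe",
}
# File names the description calls legitimate only when they sit directly in System32.
SYSTEM32_ONLY = {"svchost.exe", "dllhost.exe"}

def normalize(image_path, system_dir):
    """Lowercase a service image path, expand %System%, drop quotes and arguments."""
    p = image_path.strip().lower().replace("%system%", system_dir.lower())
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    elif ".exe" in p:
        p = p[: p.index(".exe") + 4]
    return ntpath.normpath(p)

def check_service(name, image_path, system_dir=r"C:\Windows\System32"):
    """Return the findings for one (service name, image path) entry."""
    exe = normalize(image_path, system_dir)
    findings = []
    known = WELCHIA_SERVICES.get(name.lower())
    if known and normalize(known, system_dir) == exe:
        findings.append("welchia-service")
    in_system32 = ntpath.dirname(exe) == ntpath.normpath(system_dir.lower())
    if ntpath.basename(exe) in SYSTEM32_ONLY and not in_system32:
        findings.append("system-binary-outside-system32")
    return findings

def scan(services, system_dir=r"C:\Windows\System32"):
    """Map each flagged service name to its findings."""
    checked = ((n, check_service(n, p, system_dir)) for n, p in services)
    return {n: f for n, f in checked if f}

# Constructed sample inventory (hypothetical entries, not from a real host).
SAMPLE = [
    ("RpcSs", r"C:\Windows\System32\svchost.exe -k rpcss"),
    ("RpcTftpd", r"C:\Windows\System32\wins\svchost.exe"),
    ("RpcPatch", r"C:\WINDOWS\system32\Wins\Dllhost.exe"),
    ("COMSysApp", r"C:\Windows\System32\dllhost.exe /Processid:{constructed}"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

For Windows NT/2000 paths, pass `system_dir=r"C:\WinNT\System32"` so that `%System%` expands to the directory the description gives for those versions.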

  5. #5
    Join Date
    Feb 2004
    Posts
    892
    Rep Power
    0

    Re: Problems with svchost.exe

