
svchost.exe

  • 12-08-2003 1:03am
    #1
    Registered Users, Registered Users 2 Posts: 1,835 ✭✭✭


    Hey all, seem to be having a problem with this :(.
    I'm running Windows 2000, Service Pack 3.
    Svchost.exe keeps being closed by Windows (keeps crashing). I downloaded the patch for the RPC shutdown error thinking it might have something to do with it, and I think it did. But the thing I've now noticed is that little trickles of information seem to be sent over the internet when I connect. I'm using a 56k and can notice when more information is being sent than normal. I closed all programs that might auto update and yet it is still sending more information than it's supposed to when idle!! Has anyone come across this? I know of one other that has, but has no solution. Anyone else have any ideas?

    Thanks,
    Rob


Comments

  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    Windows has an autoupdate built in to it, controlled by the "Background Intelligent Transfer Service", which is supposed to use your bandwidth when you aren't

    On the other hand, open a command prompt and type "netstat -an" and see if your computer is trying to do anything odd. Make sure your AV software is up to date too. You could also try AdAware, or, if you see some "funny" connections being made to the internet, you could try out TCPView to see which process is making them.

    Zab.


  • Registered Users, Registered Users 2 Posts: 8,081 ✭✭✭BKtje


    I got that yesterday as well, installed patch but haven't booted up again tho.
    MS says that if you were affected by the exploit there's a fairly good chance there's a trojan/IRC bot on your PC. They recommend a full system rebuild. Not sure if this is it tho but it could be the IRC bot connecting to a network. Do a netstat -an as suggested and watch out for an IRC connection (unless ur using IRC personally).

    Let me know how you get on as i'll probably be doing this tonight.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    Yeah, I think we are going to see an explosion of this guy, which you probably have. (W32.Blaster.Worm)


  • Registered Users, Registered Users 2 Posts: 71,112 ✭✭✭✭L1011


    The unofficial website of the football was full of people asking for techie help over that RPC error, it seems however it's distributed, it got out to most of the members.

    But not me, I don't use Windows, ever for personal use like that. teehee...

    If you purposely crash svchost yourself you get the same message, and that's basically what's happening


  • Closed Accounts Posts: 272 ✭✭wiensta


    I'm gettin the same bloody thing!

    I never get worms/any viruses... maybe it's because I just updated my Internet Explorer..

    I'll try out that Symantec remedy, thanks for the link


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    Got that same virus and I'm getting vhost errors and Norton 2003 cannot be installed.

    So u need a complete rebuild?? feck

    I've managed to get it off one computer in work but it's on 2 others and one that I'm trying to get back to normal is showing loads of errors. It's extremely slow atm. arg


  • Registered Users, Registered Users 2 Posts: 3,055 ✭✭✭suppafly


    what exactly is the svchost.exe file and what does it do?


  • Registered Users, Registered Users 2 Posts: 79 ✭✭tendofan


    I understand that it's a program that allows one to run another executable as a service.

    Tendofan


  • Registered Users, Registered Users 2 Posts: 8,081 ✭✭✭BKtje


    Basically it's all the services' .exe's rolled into one.
    That's why when it crashes you can't disconnect from the internet, can't do searches etc etc etc

    Pain in the ass, good thing I'm only 2 days from my replacement hard drive, I think I'll wait till that gets here.


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    I followed instructions below, thankfully I wasn't compromised but had the svchost.exe error so it seems someone was trying to connect to my machine (or just deliberately crashing svchost.exe on me). The security patches fixed the problem.

    From McGill University Ca
    August 4, 2003: Widespread compromises believed to be the result of multiple trojans being installed on computers unpatched for the RPC DCOM vulnerability. Trojans detected include Radmin, W32/Valla.2048, W32.Spybot.dr, TrojanDropper.Win32.Checkin. Norton is currently detecting these trojans as Backdoor.trojan, meaning the computer is hacked.

    Description: The RPC (remote procedure call) service crashes when a malformed packet is sent to an RPC enabled port. This crash affects DCOM (distributed component object model interface) listening on an RPC enabled port such as 135, 139, 445, 593, or any other specifically configured RPC port. Microsoft provides a patch (see Security Bulletin MS03-026). This vulnerability is being abused by various exploit code and provides full local system privilege. Please note that patching after compromise does not disinfect. You will need to follow the steps in Appendix A in
    http://www.itap.purdue.edu/security/alert/index.cfm?AlertID=95

    Advisories and patches:
    http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
    http://www.microsoft.com/security/security_bulletins/ms03-026.asp
    http://www.cert.org/advisories/CA-2003-19.html
    http://xforce.iss.net/xforce/alerts/id/147
    http://www.cert.org/advisories/CA-2003-20.html WORM SPREADING
    http://xforce.iss.net/xforce/alerts/id/150


    Scanning Tool for RPC/DCOM:
    http://www.eeye.com/html/Research/Tools/RPCDCOM.html run this!



    Reference:
    http://www.nipc.gov/warnings/advisories/2003/Potential72403.htm
    http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm
    http://isc.sans.org/diary.html?date=2003-08-01
    http://isc.sans.org/diary.html?date=2003-08-04
    http://isc.sans.org/diary.html?date=2003-08-05
    http://isc.sans.org/diary.html?date=2003-08-09
    http://isc.sans.org/diary.html?date=2003-08-11


    Symptoms of a possible attack against a non compromised machine:

    SVCHOST.exe errors
    Receiving "linking" errors in Word and Excel
    Losing the ability to use the Clipboard (ie: cut and paste - paste option actually disappears from menu)
    Unable to perform manual virus scan

    To determine if you are compromised:

    Open "Command Prompt"
    Type net start
    This lists the services that are currently installed on your machine. In addition to the legitimate services if you also discover the following running then you are compromised:
    FireDaemon (followed by any other words)
    IPconfig
    NTF
    NTLMsDB
    NTP
    NTS
    TCPIPenum
    USB2.1
    N0rton new!


    Patching:

    Reboot machine and immediately do a "Windows Update" (not to be confused with a Norton LiveUpdate). ONLY "Critical/Security Updates" should be applied. Depending on the operating system and current patch level, this may have to be done 2 or 3 times as some patches can only be applied separately followed by a reboot each time. Machine is up to date when Windows Update reports that there are no more critical updates needed.
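
The `net start` check from the advisory quoted above, as an added example that is not part of the original thread: a Python script that parses captured `net start` output and flags the service names the advisory lists. The sample output is constructed, and reading "N0rton new!" as the name `N0rton` followed by a "new!" marker is an assumption.

```python
# Service names the quoted advisory lists as signs of compromise.
# Assumption: "N0rton new!" is the name "N0rton" plus a "new!" annotation.
EXACT_NAMES = {"ipconfig", "ntf", "ntlmsdb", "ntp", "nts",
               "tcpipenum", "usb2.1", "n0rton"}
# "FireDaemon (followed by any other words)" is matched as a prefix.
PREFIX_NAMES = ("firedaemon",)


def parse_net_start(output):
    """Return the service display names from `net start` output."""
    services = []
    for line in output.splitlines():
        # Service names are the indented lines; the header and the
        # "command completed" footer start at column 0.
        if line.startswith(" ") and line.strip():
            services.append(line.strip())
    return services


def flag_services(services):
    """Return the services whose names match the advisory's list."""
    hits = []
    for name in services:
        key = name.casefold()
        if key in EXACT_NAMES:
            hits.append(name)
        elif any(key == p or key.startswith(p + " ") for p in PREFIX_NAMES):
            hits.append(name)
    return hits


def check(output):
    return flag_services(parse_net_start(output))


# Constructed sample, not captured from a real machine.
SAMPLE_OUTPUT = """These Windows 2000 services are started:

   Computer Browser
   DHCP Client
   FireDaemon Service: svc1
   NTLMsDB
   NT LM Security Support Provider
   Remote Procedure Call (RPC)
   Windows Time

The command completed successfully.
"""

if __name__ == "__main__":
    for name in check(SAMPLE_OUTPUT):
        print("suspicious service:", name)
```

Exact, case-insensitive matching keeps legitimate services such as NT LM Security Support Provider from being flagged. The name list is the point-in-time set from the August 2003 advisory, so an empty result only means none of those names are running.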


  • Registered Users, Registered Users 2 Posts: 8,081 ✭✭✭BKtje


    thanks for link sykeirl, not compromised either, just svchost crashing when they tried to connect.


  • Registered Users, Registered Users 2 Posts: 2,651 ✭✭✭Spunog UIE


    I have 3 instances of svchost running each with different pid no's and mem usages.

    Is that normal? (win2k)


  • Registered Users, Registered Users 2 Posts: 710 ✭✭✭BattlingCheese


    Yeah, that's normal Gideon.


  • Registered Users, Registered Users 2 Posts: 2,651 ✭✭✭Spunog UIE


    LOL still a bit paranoid I guess. Need some educating :D


  • Registered Users, Registered Users 2 Posts: 179 ✭✭topgold


    I burned up a work day going after svchost.exe and solved the problem by analysing what was running, killing processes, and renaming offenders. I was lucky enough and did not have to rebuild my XP Pro laptop.

    Details on removing unwanted processes:

    http://irish.typepad.com/irisheyes/2004/03/delete_spyware.html


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    You can check what is being run by each instance of svchost by running 'Tasklist /svc' from the command line.


  • Registered Users, Registered Users 2 Posts: 179 ✭✭topgold


    I think it's important to note that Norton Anti-Virus 2004 really got in the way of restoring normal operations after I used it to clean up my system. I could not prevent it from interfering (stopping) all POP and SMTP services. I could not get it to shut down. I could not remove it from my XP PRO system.

    My story:
    http://irish.typepad.com/irisheyes/2004/03/svchostexe.html

