Guys I am a very basic user but I was able to fix it all on two computers. Just think of this tread as the fix for even dummies.
"svchost.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created"
If you follow what I did then you should be able to do it.
1. is your computer crashing? if yes go to 2 if no go to 3.
2. (from Hurbold) If you don't get an opportunity to apply the patch before the PC reboots, go to start > run > services.msc.
Right click Remote Procedure Call, select Properties, then Recovery. On all three drop-down boxes in this window, select take no action. The default is set to reboot. This will give you all the time you need to update. Please note that Control Panel > System > Advanced > Startup and Recovery > uncheck Automatically Restart does not seem to work to prevent system reboot.
3. Run trend micro online virus killer
http://housecall.trendmicr
4. Download the following patch and apply it.
http://microsoft.com/downl
Main Topics
Browse All Topics





by: CrazyOnePosted on 2003-08-12 at 16:44:16ID: 9134571
It is a worm that causes this problem mantec.com /avcenter/ venc/data/ w32.blaste r.worm.rem oval.tool. html mantec.com /avcenter/ FixBlast.e xe
mantec.com /avcenter/ venc/data/ w32.blaste r.worm.htm l
echnet/tre eview/defa ult.asp?ur l=/ technet /security/ bulletin/M S03-026.as p using TCP port 135. It will attempt to download and run the file Msblast.exe.
mantec.com /avcenter/ security/ C ontent/820 5.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.
E\Microsof t\Windows\ CurrentVer sion\Run
om/SUPPORT /tsgeninfo .nsf/docid / 199762382 617 " for instructions.
e\Microsof t\Windows\ CurrentVer sion\Run
.exe oads/detai ls.aspx? Fa milyId=235 4406C-C5B6 -44AC-9532 -3DE40F69C 074&displa ylang=en
.exe oads/detai ls.aspx? Fa milyId=235 4406C-C5B6 -44AC-9532 -3DE40F69C 074&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
NU.exe oads/detai ls.aspx? Fa milyId=C8B 8A846-F541 -4C15-8C9F -220354449 117&displa ylang=en
oads/detai ls.aspx? Fa milyId=2CC 66F4E-217E -4FA7-BDBF -DF77A0B93 03F&displa ylang=en
Removal tool
http://securityresponse.sy
Download
http://securityresponse.sy
http://securityresponse.sy
W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/t
You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.
Click here http://securityresponse.sy
...
technical details
When W32.Blaster.Worm is executed, it does the following:
Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.
Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWAR
so that the worm runs when you start Windows.
Calculates the IP address, based on the following algorithm, 40% of the time:
Host IP: A.B.C.D
sets D equal to 0.
if C > 20, will subtract a random value less than 20.
Once calculated it will start attempting to exploit the computer based on A.B.C.0 and count up.
NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.
Calculates the IP address, based on many random numbers, 60% of the time:
A.B.C.D
set D equal to 0.
sets A, B, and C to random values between 0 and 255.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerabilty to allow the following actions to occur on the vulnerable computer:
Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.
NOTE: Due to the randomness with how it constructs the exploit data, it may cause computers to crash if it sends incorrect data.
Listens on UDP port 69. When it recieves a request, it will send back the Msblast.exe binary.
Sends the commands to the remote computer to connect back to the infected host and download and run the Msblast.exe.
If the current month is after August, or if the current date is after the 15th it will perform a denial of service on "windowsupdate.com"
With the current logic, the worm will activate the Denial of Service attack on the 16th of this month, and continue until the end of the year.
The worm contains the following text which is never displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
...
Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."
Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
5. Reversing the changes made to the registry
CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.c
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Softwar
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.
The Patch
Microsoft Windows XP 64-bit Edition :
Microsoft Windows XP Home SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU
http://microsoft.com/downl
Microsoft Windows XP Home :
Microsoft Windows XP Professional SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU
http://microsoft.com/downl
Microsoft Windows 2000 Advanced Server SP4:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Advanced Server SP2:
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Professional SP4:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Professional SP3:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Professional SP2:
Microsoft Windows 2000 Server SP4:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Server SP3:
Microsoft Patch Windows2000-KB823980-x86-E
http://microsoft.com/downl
Microsoft Windows 2000 Server SP2:
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Patch Q823980i.EXE
http://microsoft.com/downl