Why does my system show that svchost.exe has generated an error?

balraj_netha
Hi
I don't know why my system started showing an svchost.exe error. Even my Yahoo Messenger shows a similar error, saying that yimg.exe generated errors.

Can anyone let me know what svchost.exe actually deals with and how to solve this problem?

Thanks
Balraj
Technical Consultant
Commented:
:0) Is this the problem :0)

"svchost.exe" errors with RPC messages and reboots

OR

"NT Authority...shut down in 1 min"

Sounds like you've got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically remove the virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html
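A read-only host check for the indicators this answer walks through (the dropped msblast.exe file, the 'windows auto update' Run-key value, the running process, and the DCOM setting the answer suggests toggling while you patch). This is an added example, not code from the thread or from Sophos; it assumes a Windows host and a PowerShell console that can read HKLM and the system folder, and it changes nothing.

```powershell
# Added example (not from the thread): read-only check for the W32/Blaster-A
# indicators named in the answer above. Assumes a Windows host and a PowerShell
# console with rights to read HKLM and the system folder; it modifies nothing.

$findings = @()

# 1. Dropped file: msblast.exe in the Windows system folder (or the Windows folder).
$sysDir = [Environment]::SystemDirectory            # e.g. C:\WINDOWS\system32
$winDir = [Environment]::GetFolderPath('Windows')
foreach ($dir in @($sysDir, $winDir)) {
    $hits = Get-ChildItem -Path $dir -Filter 'msblast*.*' -File -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $findings += "File indicator: $($h.FullName) ($($h.Length) bytes)"
    }
}

# 2. Persistence: the 'windows auto update' value under the machine Run key.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVals = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runVals) {
    foreach ($p in $runVals.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own metadata
        if ($p.Name -eq 'windows auto update' -or "$($p.Value)" -match 'msblast') {
            $findings += "Run-key indicator: '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 3. Running process (the answer has you end it from Task Manager).
Get-Process -Name 'msblast' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process indicator: msblast.exe running as PID $($_.Id)"
}

# 4. DCOM state, which dcomcnfg.exe toggles; Y = enabled, N = disabled.
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
if ($ole) { Write-Host "EnableDCOM = $($ole.EnableDCOM) (Y = enabled, N = disabled)" }

if ($findings.Count -eq 0) {
    Write-Host 'No W32/Blaster-A indicators found on this host.'
} else {
    Write-Host 'Possible W32/Blaster-A indicators:'
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

A hit on any of the first three checks is a reason to run the RESOLVE tool and apply MS03-026 as the answer describes; a clean result does not rule out the copycat variants a later comment mentions.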

Author

Commented:
The error I get is "Svchost.exe has generated some error and will be closed", and
my system is behaving somewhat peculiarly: sometimes my cut, copy, paste and search options don't work,
and when I restart the system it works fine for some time, but then gives the same problems again.
Is this an indication of a virus attack? What shall I do now to resolve this problem?

Awaiting your early reply

Thanks
Balraj

Yes, as Pete says, it sounds like your PC has been infected with the Blaster virus. He provided you with links to the removal tool and the Microsoft-released patch to prevent your machine from getting reinfected.

Commented:
To properly handle the RPC problems, this is the proper link. It gets you to more things you need to know:

http://www.microsoft.com/security/incident/blast.asp

For example, you should put up a firewall first, such as ZoneAlarm (there is a free version that works well, and protects from this and similar vulnerabilities yet to be patched up).  The virus itself does not hit NT. The RPC vulnerability itself can impact NT, so all need the month-old patch except Win9x.  If you want to install the patch you must have administrative rights. The errors you refer to can come from a product having insufficient rights.

Before running anything, you can simply search your system yourself. Look for the file MsBlast.exe, or search MsBlast*.* to find traces of it. It does not have the smarts to use a variety of names.  But a couple of rare copycats can.

If you have been regularly maintaining upgrades, the RPC problem is not yours. As I say, it is old, been out about six weeks now.

Where you can identify a virus by running a recent pattern file on your system, here is where you can get removal for the variants, as well as the original blaster:

http://securityresponse.symantec.com/avcenter/tools.list.html

Commented:
This one:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

is intended to fix your system without your help, but can cause problems with svchost including rebooting PC if it cannot inherit admin rights from user.  So it gained attention as the highest (terrorist) threat of the week.
Pete Long, Technical Consultant

Commented:
ThanQ

Commented:
http://www.cnn.com/2003/TECH/internet/08/29/worm.arrest/
Federal agents arrested Jeffrey Lee Parson of Hopkins, a suburb of Minneapolis, on Friday morning. He was expected to appear Friday afternoon before U.S. Magistrate Susan Nelson in St. Paul.

"Parson also admitted that he renamed the original "MSBlast.exe" executable "teekids.exe," after his online name 'teekid,'" according to the FBI case.

er, a tech weanie? <ahem>

Commented:
