The Blaster worm returns- or has it?

By Tig2
Over the past week the SO and I have been traveling to California and back. At the various places we were staying, we had access to wireless connections at the hotels. Being uber-geeks, we also had our laptops.

I use a Mac and never use the root account. I use a guest account for most things. I was using Comcast web access for my email. My computer worked well for the entire trip. The SO uses WinXP Media Edition. He uses the Zone Alarm Suite but always connects using his Administrator account (yes, I will be changing that).

So here's the thing. Very much like the Blaster32 and its variants, he has got svchost trying to access the Internet on various ports. It always begins by trying to reach port 135 from source IP 0.0.0.0. When it is denied access, it will start going for ports in the 2000 range from the computer's home IP. With every denial, it will try to get to an incrementally higher port number.

SO is trained to do a backup of his registry on a monthly basis along with a backup of his files. If I had to I could rebuild the machine but he would prefer that I not do that. We could also permanently deny svchost from reaching out to port 135 via Zone Alarm and never see the warning again. But that solution doesn't address the root cause, only the symptom.

My machine is fine. He should buy a Mac and be done with it...

The spec on the box- HP dv8000
WinXP Media Center Edition
2002 SP 2
T2400 @ 1.83 GHz
987 MHz, 2.0 GB RAM

The svchost version is 5.1.2600.2180 and shows no modification from its initial installation.

All a Google search shows is information from the Blaster problem and the most recent data available is dated 2004. Theory has it that SP 2 was to have resolved that exploit. I haven't put SP 3 down yet because the test environment that I have running indicated that it fights with stuff he uses routinely. I did take the step of checking with Gibson Research only to discover that his machine is stealthed from our home connection. I did not check him from any other connection we were using on the trip.

What do you wonderful people think?

All Answers

This might give you a few answers to your issue.

What is svchost.exe And Why Is It Running?

You are no doubt reading this article because you are wondering why on earth there are nearly a dozen processes running with the name svchost.exe. You can't kill them, and you don't remember starting them. So what are they?

So What Is It?

According to Microsoft: "svchost.exe is a generic host process name for services that run from dynamic-link libraries". Could we have that in English please?

Some time ago, Microsoft started moving all of the functionality from internal Windows services into .dll files instead of .exe files. From a programming perspective this makes more sense for reusability, but the problem is that you can't launch a .dll file directly from Windows; it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born.

Why Are There So Many svchost.exes Running?

If you've ever taken a look at the Services section in Control Panel you might notice that there are a lot of services required by Windows. If every single service ran under a single svchost.exe instance, a failure in one might bring down all of Windows, so they are separated out.

Those services are organized into logical groups, and then a single svchost.exe instance is created for each group. For instance, one svchost.exe instance runs the 3 services related to the firewall. Another svchost.exe instance might run all the services related to the user interface, and so on.

So What Can I Do About It?

You can trim down unneeded services by disabling or stopping the services that don't absolutely need to be running. Additionally, if you are noticing very heavy CPU usage on a single svchost.exe instance you can restart the services running under that instance.

The biggest problem is identifying what services are being run on a particular svchost.exe instance; we'll cover that below.

If you are curious what we're talking about, just open up Task Manager and check the "Show processes from all users" box:

Checking From the Command Line (Vista or XP)

If you want to see what services are being hosted by a particular svchost.exe instance, you can use the tasklist command from the command prompt in order to see the list of services.
tasklist /SVC

The problem with using the command line method is that you don't necessarily know what these cryptic names refer to.

Checking in Task Manager in Vista

You can right-click on a particular svchost.exe process, and then choose the "Go to Service" option.

This will flip over to the Services tab, where the services running under that svchost.exe process will be selected:

The great thing about doing it this way is that you can see the real name under the Description column, so you can choose to disable the service if you don't want it running.
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/

Please post back if you have any more problems or questions.
If this info is useful, please give a thumbs up. Thanks

Thanks Peconet!

by Tig2 In reply to This might give you a few ...

My only other question is why it would suddenly try reaching out on a port that my ISP blocks (due to DCOM, I believe). I'll check the link you provided and see if I can get that answer as well.

You know what Windows is like. It wants to rule your computer. :)

When Microsoft did the code for this it made sure it can get through all ports so it can stay up to date or send out code to their hidden offices to see who has what. Nowadays a worm can be built with the svchost.exe code. So to be sure and safe, check the file(s) that come and go and see if they are attached to any program that is associated with the Windows system. Other than that I would phone up Microsoft and ask them for their code. LOL. :)
You can check this out on the system:
Go to your C drive, then go to "system32" and in the search bar type in "svchost.exe"; it will bring up the processes that involve these svchost.exe's.
Hope all goes well.

Please post back if you have any more problems or questions.
If this info is useful, please give a thumbs up. Thanks

I'd say

by cmiller5400 In reply to The Blaster worm returns- ...

Patch it current without SP3 and make sure that a virus scanner says that it is clean. I wouldn't worry about it from what I read. One reason is automatic updates of the system time. I also provided a link to another article that states that it may be okay:

http://pcworld.about.com/magazine/2011p174id103781.htm

How are you doing? My heart broke into pieces reading your post the other day. Hugs to you.

Thanks CMiller

by Tig2 In reply to I'd say

I'm hanging in as well as I can. Fortunately, with the 3 Day coming up so fast, I hardly have time to think much.

Just applied the current patches and will reboot to see if that nagging svchost process is still determined to reach port 135. I know that I can run a system restore on the box but am still really curious as to why it would suddenly want to go where it shouldn't.

(((hugs)))

Clean & Update

by CaptBilly1Eye In reply to The Blaster worm returns- ...

I agree with CMiller in that the best course of action is to scan & clean and then go to SP3.

Use this stand-alone in Safe Mode:
Avert Stinger (from McAfee)
http://vil.nai.com/VIL/stinger/

Just curious... Is DCOM disabled? If not, you may want to consider it. I do on all new machines and have for years. (http://support.microsoft.com/kb/825750)
A simple registry change that can always be changed back if needed.
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
- Change the EnableDCOM string value to N.
- Reboot for the changes to take effect.

BTW - WB!
missed you
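An added PowerShell example, not from this thread or the howtogeek article, that ties together the two checks discussed above: it lists each running svchost.exe instance with the services it hosts (the same data tasklist /SVC prints) and then reads the EnableDCOM value under HKLM\Software\Microsoft\OLE. The comparison of each instance's image path against %SystemRoot%\system32 is an assumption I added as a sanity check, not something the thread asks for.

```powershell
# Added example (not the thread's or howtogeek's own code).
# Assumes Windows with WMI available and PowerShell 2.0 or later.

$System32 = Join-Path $env:SystemRoot 'system32'

# One object per running svchost.exe process, including its image path.
$hostProcs = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"

# Running services, each reporting the PID of the process hosting it
# (this is what 'tasklist /SVC' joins for you, here as objects).
$services = Get-WmiObject Win32_Service -Filter "State = 'Running'"

foreach ($proc in $hostProcs) {
    $procId = $proc.ProcessId
    $path   = $proc.ExecutablePath

    # Assumption: svchost.exe is expected only under %SystemRoot%\system32.
    # An instance loaded from anywhere else deserves a closer look.
    $flag = ''
    if ($path -and ($path -notlike "$System32\*")) {
        $flag = '  <-- unexpected image path'
    }
    Write-Output ("svchost.exe PID {0}  {1}{2}" -f $procId, $path, $flag)

    $hosted = $services | Where-Object { $_.ProcessId -eq $procId }
    if ($hosted) {
        foreach ($svc in $hosted) {
            # Short name (as tasklist shows it) beside the readable display name.
            Write-Output ("    {0,-28} {1}" -f $svc.Name, $svc.DisplayName)
        }
    } else {
        # A svchost with no service claiming its PID is unusual; examine it.
        Write-Output '    (no running service reports this PID)'
    }
}

# DCOM switch from the post above: "Y" means enabled, "N" means disabled.
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\OLE' `
                        -Name EnableDCOM -ErrorAction SilentlyContinue
if ($ole) {
    Write-Output ("EnableDCOM = {0}" -f $ole.EnableDCOM)
} else {
    Write-Output 'EnableDCOM value not present (DCOM is enabled by default)'
}
```

Run it from an elevated prompt so ExecutablePath is readable for every instance; on a machine where a hotel-style change re-enabled DCOM, the last line shows Y rather than the N that the post recommends.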

Well, I thought it was

by Tig2 In reply to Clean & Update

Disabling DCOM is something I routinely do as well but it appears that one of the hotels changed that to enable remote printing.

I will be applying a few other safeguards as well so that we don't have this problem again.

Thanks!
