# SVCHOST.EXE Errors



## mcduenas (Aug 12, 2003)

I run Windows 2000 and as of Monday 8/11/2003 I have been getting SVCHOST.EXE errors. I have not downloaded anything. I started noticing this while I was creating a spreadsheet in Excel. It started out by not letting me get back in my spreadsheet. Well, I know little to nothing about the technical side of computers so I deleted my spreadsheet, cleaned disk, ran scandisk and defragmented. I rebooted and everything was fine until I reconnected to the Internet. It will be okay for a while, then I get a svchost.exe error and then it won't let me email anyone. Says "There was an error opening this message. There is not enough memory." If I open Word it says "This document could not be registered. It will not be able to create links from other documents to this document." When I open Excel it says "Cannot use object linking and embedding." PLUS, it won't let me pull up my Internet status window and it won't let me disconnect either. This is driving me nuts. Any help is greatly greatly appreciated.


----------



## Aka_Star (Aug 12, 2003)

Sounds like you may have the Blaster worm, like I had. It's caused by a buffer overrun and doesn't need you to download anything. Download the fix from here.

http://securityresponse.symantec.com/avcenter/FixBlast.exe

The fix will scan your system and remove the worm, although I'm not sure how to get the copy, paste, etc. functions back. Svchost will still cause an error :-/ but the worm will be removed.


----------



## PC_Junglist (Aug 13, 2003)

OK, I had this worm too. My anti-virus caught it and removed it, and, as others have said, the svchost crashes continued. I then did an emergency repair process (Win2000) with my CD and svchost STILL crashes!

I don't remember experiencing any of these problems until after my antivirus removed the virus, could it be that maybe the virus registered itself as a service and the fix from "whoever antivirus" only removes the virus and not the reference to it, thus making svchost crash when it tries to load the "virus" that's no longer there?


Just a thought....


----------



## boolio (Jul 22, 2003)

Has anyone resolved this error - my colleague's computer is still having "no memory" messages.


----------



## bluecast (Aug 12, 2003)

I did get no errors for 20 minutes after installing Service Pack 1 and disabling the port 135 and denying connection from msblast.exe to the thousands of IPs that hosted the "virus"..

but after installing Service pack 2, it returned


----------



## aenima (Aug 12, 2003)

i found a solution.
it IS NOT the blaster worm!!

i performed two tasks, and one or the other, possibly both, fixed it.

1. download file: Windows2000-KB823980-x86-ENU.exe
2. install win2k service pack 4

after i rebooted yesterday, i haven't had the svchost error.

hope this helps.


----------



## Seabemike (Aug 12, 2003)

I followed the advice that AENIMA had posted and finally cleared up the problem that had been haunting my machine for 2 1/2 days. All appears to be fine. Now to get a firewall installed ASAP.

Thanks to all.


----------



## mcduenas (Aug 12, 2003)

I appreciate everyone's help! This thing is cleared up now!


----------



## westclox (Aug 15, 2003)

Hi all i am new here!!! hope you all are fine!

ok i have the same error.. i see the post from Aenima as i see that some of you have the problem fix..... but before i do any of this, do i first have to have SP4 installed? i hope this works!!! can anyone please tell me the order and tell me what they done!!! .. my know how about PC suckz!! plez help!! thankz


----------



## keriah (Aug 16, 2003)

I am still getting the svchost.exe.

Background: I have run the Symantec "blast" detect program and it reports no worm. I have the latest virus definitions and it reports things are clean.

I have downloaded "Windows2000-KB823980-x86-ENU.exe" but it will not run because it tells me that my SP isn't at the rev. required.

I have tried to download/update the SP4 (from the MSoft site) but after downloading and then beginning the install process (running for a couple of hours) it reported that it 'could not install' -- no details (how frustrating)!!

(This could be, of course, because my system won't run for more than about a half hour before it gets the svchost.exe error!!!)

Any ideas???


----------



## p9718979 (Aug 17, 2003)

I am also affected with the error as mentioned. Don't seem to be able to remove it after running the fixblast n i can't install Windows 2000 SP 4.

Any1 can tell me why the error still comes back even when I reformat my harddisk???


----------



## raaggee (Aug 17, 2003)

I'm still having the svchost.exe problem even after downloading service pack 4 and applying the patch. I did have the worm but I removed it manually before installing SP4 and the patch. I downloaded the Symantec tool and it doesn't find it anywhere and neither does my AV program. Could the crash be caused by infected systems trying to infect my computer via TCP ports? I read how people have formatted their hard drive and still have the problem.

Lewis


----------



## kalisun (Aug 6, 2003)

Try installing a Firewall program..not sure if you're all connected to the Internet when your svchost crashes...

Hope this helps!


----------



## ron of orang (Aug 17, 2003)

hi all, I'm also new here,

I've been battling something which appears to be associated with "Kazaa" and/ or http://www.tifl.com. I had made a visit to a download site....my mistake!!!!!

Anyway, next thing you know MY home page which happens to be "google" is being taken over by Kazaa and/or tifl.com (they appear to be closely associated, but how I'm not sure!)

Anyway, I tried most normal methods of removing these things to no avail. I added Spywareguard "Killer" program...this works very well as best I can tell after 2 or 3 days so far.

this is the link: http://www.wilderssecurrity.net/spywareguard.html

Although this helped me immensely so far, I'm having additional problems that I'm still working on. My ability to get on the "Net" has been totally a nightmare. I thought my service provider had problems, maybe, maybe not... I happen to have a spare computer... so I put it on line. It's running W2k Pro...same as my other box with all the problems.

The svchost.exe problem is just part of my problems. I reloaded W2K....now I'm having Windows Installer issues. I disabled Windows Installer in the Administration/Server....seems to be a very bad idea.

I'm currently considering running a Microsoft program "sfc/scannow" which has a lot to do with EULA licensing....latest licensing and Microsoft approved (latest version software) as best I can tell at the moment...I'm holding off on this idea for at least a little while because not all of my software is from Microsoft, just compatible with Microsoft (reloading W2k may not have been such a good idea in retrospect).

Still can't get on the NET or get Outlook Express to open....No DHCP link with service provider.....blah, blah, blah

I also had (have) Simple TCP/IP problems (unable to remove and or stop Tcp/ip because Simple TCP/IP prevents uninstall due to some dependency requirements) and the list goes on from here. Yes, I removed all the network drivers, and reinstalled them, still have problems.

Conclusion(s): nothing really solid, except that the Spyware guard software did help. (I haven't tried to patch or run MSblast fixes).... do I have a worm.???

..maybe, I'm not real sure. But i do seem to have a lot of problems.

I did have a Firewall running when all of this happened like last Tuesday or was it Monday.???...

I know this is pretty winded....and probably not very beneficial....but I thought I'd share it anyway.

Anybody have some real fixes please let me know, i'll be home...unless I get a real job

ron of orange

1:56PM pst


----------



## poolsharpone (Aug 18, 2003)

ok i got svchost.exe error and i can't d/l anything. when i go to www.alleykatzden.com and try to enter pool room it gives me run around. when i try front door to pool room nothing pops up. sometimes if i restart and hurry then i'll get in but as soon as svchost.exe error shows up i'm screwed. can you help me ........note: i can not d/l anything. my YIM name is MADGERBIL. if you could plz do your best to help me i won't forget it


----------



## ManfredM (Aug 18, 2003)

After searching for the Blaster virus (nothing found - but virus symptoms) and applying MS03-026, I have had these svchost problems for hours:

- Internet pages were not found (but IP traffic ok)
- high CPU usage caused by svchost exe
- high memory usage caused by svchost exe
- no possibility to shut down XP, because mouse not usable in the taskline / start button

Latest McAfee VirusScan/Firewall stuff in use.
After stopping svchost exe (LOCAL + NET process) - system behaviour nearly normal - but internet access as described above.


----------



## jabelson (Aug 14, 2003)

> _Originally posted by kalisun:_
> *Try installing a Firewall program..not sure if you're all connected to the Internet when your svchost crashes...*
>
> *Hope this helps!*


I installed ZoneAlarm and it fixed the problems with svchost.exe and memory

http://www.zonelabs.com/store/conte...qn0cyG6V6AWgNKbI9LcGaArqvM6OnENMIB52Mqbttj7Pa!-63117531!-1062696905!7551!7552!-300025727!-1062696903!7551!7552?lid=home_zainfo


----------



## SupraBoy (Aug 18, 2003)

Hi recently, i've been getting the svchost.exe errors too. i just downloaded Hijack This and would like for someone to tell me if something is wrong.



----------



## Anchor (Aug 18, 2003)

SVCHOST error -- Yes, I am having this error.

1) When I start Yahoo Messenger, I get logged in, but as soon as I am about to send messages I get the following messages:

A} The exception Privileged instruction (0x00000096) occurred at location 0x0096t863 -- Click OK to Terminate or Click Cancel to Debug the program

As soon as I press anything I get another message:

B} The instruction at 0x77d48 bcd referenced memory at 0xd3c524dd
Then "Memory could not be read"

2) Then I see this SVCHOST error message.

Please note that I have the patch for Blaster and scanned by Symantec, and it seems there is no virus and no Blaster.
I have uninstalled and installed this messenger, and no use.

3) I am not able to access any links on the web pages (even if I press 3-4 times, the links do not open).

Please guide me..
Thanks in advance


----------



## AndrewLooby (Aug 18, 2003)

Hi guys, I have the same prob with svchost.exe.... I don't seem to have the blaster worm.. I did take your advice and ran HijackThis, and this is what I got:

Can anyone help?

Rgds Andrew


----------



## ManfredM (Aug 18, 2003)

I solved the problem (?)

1. Restored Backup System (saved in January)
   - Implemented MS03-026 (I have XP) as recommended
   - Ran Symantec FixBlast (nothing detected)
   - Ran McAfee virus scan (nothing detected)
   - Ran MS KB823980Scan exe (everything ok)
2. Implemented the McAfee firewall - filtering

Still a lot of dangerous traffic down there in the Internet


----------



## tazmora (Aug 19, 2003)

*Thanks Jabelson, ZoneAlarm worked for me!*

I had the same problems as everyone else. I used FixBlast.exe but it only got rid of the worm.

ZoneAlarm is blocking the error problems with svchost.exe.


----------



## Saracen (Aug 20, 2003)

Had the same problem. Didn't have the blaster virus and had installed Windows 2000 SP4.

Solution: Once I installed ZoneAlarm (the free version) the problem was gone! I guess the virus was attempting to infect my computer but instead crashed the svchost.exe file and failed with the infection attempt. This seems now blocked by the firewall. Everything is running smoothly...

/Saracen


----------



## irishblonde (Aug 20, 2003)

I'm also having problems with svchost.exe...can't do anything =( I am totally puter illiterate and haven't a clue what to do...please help!


----------



## moose69 (Aug 20, 2003)

I'm trying out the Zone Alarm Firewall, the free version, so far so good. I have had most of the probs mentioned. I have not looked for a worm. I hope this works. I'll let you know how it turns out.
moose69


----------



## moose69 (Aug 20, 2003)

The firewall is holding up and I have reinstalled most of my programmes and spent many hours on the net. I have to say Zone Alarm is very user friendly and easy to control. Unlike some that try to rule your system.

moose69


----------



## mireczek (Aug 20, 2003)

Hey everybody,
Although I appreciate everyone's input about this freakish thing I call "ghost" (reference to svchost) I can hardly believe that only one person had the same problem as I had. I CANNOT DOWNLOAD ANY PATCHES OR FIXES for this problem because every time I get halfway downloading win2k service pack 4 (this has to be installed before anything else is installed) the freaking svchost interrupts download and that's it.
I can't find a way around this problem so please if anyone has any suggestions give'm to me.


----------



## irishblonde (Aug 20, 2003)

i downloaded the free version of ZoneAlarm and it has sorted the problem with svchost


----------



## mireczek (Aug 20, 2003)

I also have downloaded ZoneAlarm (free version) and it stopped svchost.exe from popping up but that's not a real fix. When you check Windows Task Manager you will see how busy the CPU is. 100% CPU usage without me even touching the keyboard. When I checked the activity on ZoneAlarm all I saw was svchost hitting that "poor" firewall and keeping my machine busy to the point that I could not use any other application.
And I still can't download Win2k service pack 4 which may be the real cure for this. svchost.exe


----------



## q0bba (Aug 23, 2003)

I'm new in this forum, but thanks for all people!

I had the same problem, ran the fixblast and then installed zonealarm. (free)

Not on clear water yet, still have to reboot and connect to internet (I use dial-up)

The error of svchost.exe caused me this kind of problem, I couldn't disconnect by any other way than shutting down the computer, then some programs didn't launch etc.

But now gonna reboot... the moment of truth is on the door


----------



## moose69 (Aug 20, 2003)

The free version of ZoneAlarm is the best fix for this problem. My computer is running fine since I downloaded it three days ago and I have been on the net a lot since. If you are having probs downloading service packs it might be best to download the full pack using a download prog like flashget. But first install Zone Alarm!!!!

Moose69


----------



## Ferendon (Aug 13, 2003)

As of yet, I've noticed that svchost takes many functions with it. You probably all know this, but I wanted to get a consolidated list up for those who don't. These are just the things I have noticed to date.

1. Clipboard functions (copy, cut, paste)
2. Windows Media Player
3. Opening links in new windows
4. Form functions on web sites (like when you join a site, some of the on-the-fly functions don't work)
5. Submit buttons at times
6. A lot of Java and VBScript
7. A lot of my proggies don't work, but have seen no evidence of that anywhere else.

If anyone else can think of anything, please post it. I know there's more but I can't quite call it up at the moment.


----------



## moose69 (Aug 20, 2003)

It also causes problems in Word and Excel. But all of the problems go away when Zone Alarm is installed. So if you have an svchost.exe error message just install the free firewall and everything should be ok

moose69


----------



## vidooshak (Aug 24, 2003)

hi, i am just seconding the feedback here. faced same issues-- getting svchost crash error, fixblast found no worm, reinstalled win2k and still get svchost error. can't disconnect Internet status; other than that machine working ok.

another odd behaviour after reinstall of Win2k was that i started getting an UNREGISTERED alert from some PABLO BARIO BALLOON guy. what is that???!!!!
also get the Windows Installer message again and again.

downloading SP4 may take a while on slow net speeds....

any other solutions?? is the SVCHOST crash message dangerous to data???


----------



## moose69 (Aug 20, 2003)

Hi
It doesn't seem to do any harm to data. It just drives you crazy trying to do any work. Install "zone alarm", it clears the problem.

moose69


----------



## Veg (Aug 27, 2003)

This is a new loyalist to your site shouting THANK-YOU! I too experienced this dreaded plight and suffered sooo. For the folks who are listing the effects add to it: after svchost failure access is lost to dial-up and modem control services. . .I couldn't get status or disconnect w/o drastic measures. And stand by for heavy rolls, the d/l of ZoneAlarm took 1.5 HOURS instead of the 10 minutes my connection first reported! I plodded on through all the random garbage as I ran out of other "fixes" to try, port filters, forced service restarts, etc. etc.

After taking the advice about ZoneAlarm it too started to overwhelm my processor with bogus VSMON.exe requests. Looking into it a bit further I found some interesting Registry entries that when deleted solved all of my overflow problems.

It seems this thing has a multitude of faces in which to do its deeds. I found them in my WINNT\System32\Wins directory. A bogus copy of SVCHOST.exe with Microsoft as the author but not with valid signatures and an unsigned version of DLLHOST.exe were the only two files that existed there and when renamed to mask them, new ones appeared. The original files I found pointed to my infection date (thank-you teenager of mine, you were the only one logged on that day!).

The only way they would reappear, so I thought, would be if they were registered, so I went looking. I first found them in "HKEY_USERS\" with a sweet list of other questionable filenames to search for:

"HKEY_USERS\[yourusernumber]\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU" key

"000"="vsmon.exe"
"001"="dllhost.exe"
"002"="iexplore.exe"
"003"="system32.exe"
"004"=".exe"
"005"="dllhost"
"006"="log"
"007"="system32"
"008"=".log"
"009"="drwatson"
"010"="blast"
"011"="connect"
"012"="aventail"
"013"="svchost"
"014"="svchost.log"
"015"="tlist"
"016"="sychost"
"017"="hdnth"

What is interesting is the company that these files are keeping (note the blast and system32.exe entries, neither of which were found on or used by my system).

References were also found in:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcTftpd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcTftpd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcPatch] and
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RpcPatch]

I backed up then removed all the instances I found, including the "ImagePath" references to the Wins directory mentioned above. I also noted that the questionable executables were all in uppercase in the directory, Registry, and process tab of TaskMan. Well after 292 ZA alerts and with only 9M remaining to d/l from Microsoft (I locked down WAY before that before I found you all) all seems to be going smoothly. SystemIdle and Update are right where they belong at the top of the Process list ordered by CPU usage. . .again thank-you very much for the thread!


----------
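Added example (not part of any post in this thread): a Python check for the pattern Veg describes above, services such as RpcTftpd and RpcPatch whose "ImagePath" points at a copy of SVCHOST.EXE or DLLHOST.EXE outside System32. It reads a registry export of the Services key; the sample export, the `C:\WINNT` location, the pairing of service names to files and all function names are assumptions constructed for illustration.

```python
import ntpath
import re

# Names of genuine system binaries that the bogus copies in the post reused.
SYSTEM_NAMES = {"svchost.exe", "dllhost.exe"}
WINDIR = r"C:\WINNT"  # assumption: default Windows 2000 install directory


def hex2(path, width=12):
    """Sample-building helper: encode a string as a REGEDIT4 REG_EXPAND_SZ value."""
    data = [f"{b:02x}" for b in path.encode("cp1252") + b"\x00"]
    rows = [",".join(data[i:i + width]) for i in range(0, len(data), width)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed sample export of the Services key (not taken from a real machine).
# Which service name points at which file is illustrative.
SAMPLE_EXPORT = "\n".join([
    "REGEDIT4",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs]",
    '"ImagePath"=' + hex2(r"%SystemRoot%\system32\svchost -k rpcss"),
    '"Start"=dword:00000002',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcPatch]",
    '"ImagePath"=' + hex2(r"%SystemRoot%\System32\wins\DLLHOST.EXE"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcTftpd]",
    r'"ImagePath"="C:\\WINNT\\System32\\wins\\SVCHOST.EXE"',
    "",
])


def parse_image_paths(export_text):
    """Map each registry key in a .reg export to its decoded ImagePath value."""
    # Version 5.00 exports store hex(2) data as UTF-16LE, REGEDIT4 as ANSI.
    wide = export_text.lstrip("\ufeff").startswith("Windows Registry Editor")
    # Long hex values wrap with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.lower().startswith('"imagepath"='):
            raw = line.split("=", 1)[1]
            if raw.startswith("hex(2):"):
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                codec = "utf-16-le" if wide else "cp1252"
                value = data.decode(codec, errors="replace").rstrip("\x00")
            else:
                # REG_SZ: strip the quotes and undo \\ and \" escaping.
                value = re.sub(r"\\(.)", r"\1", raw[1:-1])
            result[key] = value
    return result


def executable_of(image_path):
    """Return the normalised, lower-cased executable path without arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", p)
        p = m.group(1) if m else p.split(" ", 1)[0]
    p = re.sub(r"(?i)^(%systemroot%|%windir%|\\systemroot)", lambda _: WINDIR, p)
    if not ntpath.isabs(p):
        p = ntpath.join(WINDIR, p)       # relative paths resolve from the Windows dir
    if not ntpath.splitext(p)[1]:
        p += ".exe"                      # "svchost -k rpcss" omits the extension
    return ntpath.normpath(p).lower()


def find_masquerading_services(export_text):
    """Return (key, ImagePath) pairs that reuse a system binary name outside System32."""
    expected_dir = ntpath.join(WINDIR, "System32").lower()
    findings = []
    for key, image_path in parse_image_paths(export_text).items():
        exe = executable_of(image_path)
        if ntpath.basename(exe) in SYSTEM_NAMES and ntpath.dirname(exe) != expected_dir:
            findings.append((key, image_path))
    return findings


if __name__ == "__main__":
    for key, image_path in find_masquerading_services(SAMPLE_EXPORT):
        print(f"SUSPECT  {key}\n         ImagePath = {image_path}")
```

To use it on a real export, read the `.reg` file (UTF-16 for version 5.00 exports) and pass its text to `find_masquerading_services`.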



## moh1lsu (Aug 23, 2003)

Thanks to person who suggested downloading ZoneAlarm to fix the internet problems I was having. I used the free download and 'touch wood ' all seems ok for now.

:up: Maire


----------



## moose69 (Aug 20, 2003)

Hi moh1lsu
I'm glad to hear Zone Alarm is working for you. It looks like the attack on svchost.exe is set to continue so anyone without a firewall should consider it. It's also a good idea to sweep your machine with spybot (also free) before installing the firewall.

moose69


----------



## moh1lsu (Aug 23, 2003)

Hi Moose69
Should I install spybot now or just leave it? Zone alarm already downloaded

Maire


----------



## moose69 (Aug 20, 2003)

Install spybot if you have it and run. You will be surprised how much spyware and adware you have accumulated.

Some programs like iMesh won't run when you disable their adware so if you clean out everything you might have to re-install some progs.


moose69


----------



## moh1lsu (Aug 23, 2003)

Moose69 I downloaded spyware from enigma software in error but did not install it can I delete the download?
Moh1lsu


----------



## moose69 (Aug 20, 2003)

moh1lsu

Any programme that is not installed will need to be deleted separately. Spybot should pick up anything else.

mooose69


----------



## Miami South (Sep 1, 2003)

I had the 'worm' and the SVCHOST headache also, but after applying the patch I haven't had a problem.
I tried to install SP4 and it took a long time to download then the files had to open... what a pain! Then it just froze.
What I did is go back to the SP website and installed SP 1, no problem. Then SP 2. Then SP3 and finally SP 4. Each one only took a few minutes and installed without a hitch. I guess trying to install SP4 without the prior packs was just too much of a bite to chew.


----------



## moose69 (Aug 20, 2003)

I had downloaded various service packs in the past. I found the practice a bit wasteful in the long run. If you install direct you can have a breakdown during it and have to restart. Afterwards if you have a problem that cannot be solved you have to reinstall and then of course you have no service packs.

I find the best option, even though I only have a 56k dialup, is to download the complete file using a download tool like Flash Get. At least when you have the complete update you are fully equipped to deal with any situation.

By the way the service pack does nothing for the svchost.exe problem.

moose69


----------



## mireczek (Aug 20, 2003)

True statement; service pack does not do anything for the svchost.exe but if I'm correct Microsoft came up with HotFix for this problem. In order to install HotFix you have to have at least service pack 3 installed first.
Anyone want to confirm if this is true? This is the Microsoft webpage address where I found info referring to svchost.exe:

http://support.microsoft.com/common...=EN-US&CND=1&VR=&CAT=&VRL=&SG=&MaxResults=250

It is titled: "Access Violation" Error Message in Svchost.exe When a Wireless Client Is Being Authenticated

and you will find it in Windows 2000 Post SV4 fixes.


----------



## moose69 (Aug 20, 2003)

Maybe the Microsoft hotfix works. I'm running with serv pack 4 in win 2k and I have installed the free Zone Alarm Firewall. It's working fine for now. I just don't trust Microsoft to solve the problem fully. Maybe in their next service pack, can't be many left!!! in that OS.

moose69


----------



## mireczek (Aug 20, 2003)

I believe my point was missed. I said that the Microsoft HotFix needs to be installed on the top of Service Pack 3 (or 4).
The thing with Firewall is that it only blocks that freaking svchost.exe from popping up and disturbing us, while HotFix will repair the program. I think that the right thing is to fix it not to hide it.


----------



## Miami South (Sep 1, 2003)

Boy, this worm seems to have infected just about every computer on the planet! Anyway, you know you have it when the 'drag & drop' doesn't work and you get 'SVCHOST.EXE' errors popping up.
This worm will download a patch to close the hole it came in on to hide its entry point. bla-bla-bla.
To get rid of it, use an online virus scan (Trend Micro is good), to make sure it's in the computer. Then download patch from Microsoft via Dell computer's web site:
http://www.dell.com/us/en/gen/topics/segtopic_virus_info.htm
You will find a patch for Win 2000 and one for Win XP.
Before launching the patch...
YOU MUST OPEN THE TASK MGR and kill all the SCVHOST.EXE processes you can find then the DLLHOST.DLL process.
Run the patch.
Before rebooting, go to your Windows directory then System32.
Look for the WINS folder. In the folder you should find a SCVHOST and a DLLHOST file. DELETE THEM! They are infected. (If you can't delete them, go back to your TASK MGR and kill their processes again, you can then delete.)
REBOOT and your machine will be clean.
OR...
You can wait until January 1, 2004 and the worm will delete itself.

Oh, what the hell..just set the system clock up past that date and reboot a few times and the worm is gone.
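
As an added example (not code from any poster in this thread), the following script audits a text export of the `Services` key for the two things the posts above describe: the `RpcTftpd` and `RpcPatch` service keys, and any service whose `ImagePath` points into the `Wins` folder under `System32`. It goes slightly beyond the posts by decoding both quoted and `hex(2)` values as regedit writes them; the function names, the sample export and the `ExampleSvc` key are made up for illustration.

```python
import re

SUSPECT_NAMES = {"rpctftpd", "rpcpatch"}   # service key names reported in the thread
SUSPECT_DIR = "\\system32\\wins\\"         # folder the thread says holds the worm's files
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\SYSTEM\\(?:Current)?ControlSet\d*"
                    r"\\Services\\([^\\\]]+))\]$", re.IGNORECASE)

# Constructed sample export (not from the thread); ExampleSvc is a made-up name.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcPatch]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,77,69,6e,73,5c,64,6c,6c,68,6f,73,74,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc]
"ImagePath"="C:\\WINNT\\System32\\Wins\\SVCHOST.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"ImagePath"="C:\\WINNT\\system32\\spoolsv.exe"
'''

def decode_value(raw, utf16):  # quoted REG_SZ or hex(2) REG_EXPAND_SZ
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le" if utf16 else "latin-1").rstrip("\x00")
    return ""

def find_suspect_services(reg_text):
    """Return sorted (key, reason) pairs for service keys that need review."""
    utf16 = reg_text.lstrip().startswith("Windows Registry Editor Version 5.00")
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)   # join hex continuation lines
    findings, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if m.group(2).lower() in SUSPECT_NAMES:
                findings.add((key, "service name"))
        elif line.startswith("["):
            key = None                              # subkey or unrelated key
        elif key and line.lower().startswith('"imagepath"='):
            path = decode_value(line.split("=", 1)[1], utf16)
            if SUSPECT_DIR in path.lower():
                findings.add((key, "ImagePath under Wins folder"))
    return sorted(findings)

if __name__ == "__main__":
    for key, reason in find_suspect_services(SAMPLE):
        print(f"{reason}: {key}")
```

The path match is case-insensitive, so the all-uppercase executable names one poster noticed are still caught. A legitimate service living in that folder would also be listed, so each hit is something to review against the backup, not an automatic delete.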


----------



## Miami South (Sep 1, 2003)

> _Originally posted by qqkkiixx:_
> I have sp4 I did a micro trend online but I still have the problem here is the hijack this report...... your help is appreciated
> 
> Logfile of HijackThis v1.96.4
> ...


----------



## jw1111 (Dec 6, 2002)

Sounds like you guys have the Welchia worm. You can find a removal tool at symantec.com.

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html


----------

