Generic Host Process for Win32 Services Error

Baron Thener
Nov 25, 2008, 11:29:01 PM

Dear all,
Our network was attacked recently; our antivirus, McAfee, detected the attack as
bo:stack blocked by buffer overflow. Some computers were infected, some of them
our critical servers. The symptom was that every time we logged on to Windows the
system showed "Generic Host Process for Win32 Services Error"; it stops the Server,
Computer Browser and Distributed File services. These services are run by
svchost.exe.

My question is:
1. If svchost.exe is corrupted, is there any way to replace the file with
another clean and functional svchost.exe?

Thank you for the answers.

best regards,

Baron

David H. Lipman
Nov 26, 2008, 6:25:33 AM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| best regards,

| Baron

It sounds like the Buffer Overflow detection kicked in in McAfee Enterprise v8.50i. Yes ?

You don't replace SVCHOST.EXE. That's the server of servers in Windows.

You have to find what was injected into the service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Baron Thener
Nov 26, 2008, 9:20:01 AM

Dear David,
That's right. Do you have any suggestion on how to trace this infection?
Because it's contaminating all the user PCs also. I think McAfee is still
blocking it, but some of our servers have been disabled. How to fix it without
formatting the servers? Because we tried to repair Windows but it didn't
work.
Thanks a lot for your answer.

David H. Lipman
Nov 26, 2008, 2:51:26 PM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| Dear David,
| That's right. Do you have any suggestion on how to trace this infection?
| Because it's contaminating all the user PCs also. I think McAfee is still
| blocking it, but some of our servers have been disabled. How to fix it without
| formatting the servers? Because we tried to repair Windows but it didn't
| work.
| Thanks a lot for your answer.

You already have McAfee so use the following Multi AV Scanning Tool's Sophos and Trend
Micro modules to scan an infected server.

When using the Trend Micro module, you can disable the Spyware scanner capability.

You may want to concentrate on the c:\windows (c:\winnt) tree.

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

Baron Thener
Nov 27, 2008, 1:13:01 AM

One more thing Dave before I try this. Is there any way to update this
multiscan manually? Because the infected server cannot connect to the network
properly, so it could not get an update from the internet. And also do you have
any suggestion to trace the source of this buffer overflow infection?
Thanks,

baron

David H. Lipman
Nov 27, 2008, 6:31:17 AM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| One more thing Dave before I try this. Is there any way to update this
| multiscan manually? Because the infected server cannot connect to the network
| properly, so it could not get an update from the internet. And also do you have
| any suggestion to trace the source of this buffer overflow infection?
| Thanks,

| baron

Yes. Read the included PDF Help File on the use of a surrogate PC to download all files
and then transfer and run on an infected computer.

As for tracing this...
That's difficult. I personally don't know. Is it backed upon RPC, TCP port 135 or
through SMB TCP 445 ?

Have you put a packet sniffer on any nodes ?

Jez Robinson
Nov 27, 2008, 10:48:00 AM
Hi,

This problem appears to be related to the Microsoft Vulnerability that
allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/sec.../MS08-067.mspx

There is a large amount of activity on the web with variants of a virus
published last week.

So install the Hot Fix and reboot, hopefully that will solve your problem.

Over and out.

JezRobinson
Nov 27, 2008, 10:39:32 AM

Hi,

This problem appears to be related to the Microsoft Vulnerability that
allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

There is a large amount of activity on the web with variants of a virus
published last week.

So install the Hot Fix and reboot, hopefully that will solve your
problem.

Over and out.


--
JezRobinson

bredtracer
Nov 28, 2008, 3:06:36 PM

Well my friends, I may be new here but this problem is not new to me.
Actually, whenever I formatted my PC and installed a fresh copy of
Windows XP SP2 this problem would surface. As Jez rightly
pointed out, you need that hotfix, and even then some people might
continue to experience the problem, as I did too. I did a Google search
for it and got the remedy from a forum like this. It was a piece of software;
after installing it the problem never troubled me.
As I said already, this situation has been encountered by me many times, so I am
sure of what I said. I guess you people can also locate the software I am
talking about by searching for it for some time.


--
bredtracer

Baron Thener
Nov 29, 2008, 2:47:00 AM

Dear Jez,
Thanks for the update. I've tried the hotfix. Well, we'll see in a couple of days,
and I'll report in this newsgroup again.

Thanks.
Baron

Baron Thener
Nov 29, 2008, 2:53:01 AM

Dear Dave,
You've got some heavy duty antivirus there, but it doesn't find the cause of
the bo:stack buffer overflow. It captured some viruses on several servers, but
the virus was not the same on every server.

The reports about buffer overflow have been rare since I tried the hotfix
from Jez Robinson and other Windows critical updates from Windows Update.

We'll see for a couple of days; if something comes up again I'll come back to
this forum. Thanks a lot for the antivirus though. It's really useful.

best regards,
Baron

Baron Thener
Nov 29, 2008, 2:56:01 AM

Dear bredtracer,
We never experienced anything like this before, and the virus / malware
or whatever this is is attacking multiple Windows platforms, from Windows
Server 2000, Server 2003, Server 2003 R2, and XP SP2.

Thanks for your reply.

baron

David H. Lipman
Nov 29, 2008, 6:51:23 AM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| Dear Dave,
| You've got some heavy duty antivirus there, but it doesn't find the cause of
| the bo:stack buffer overflow. It captured some viruses on several servers, but
| the virus was not the same on every server.

| The reports about buffer overflow have been rare since I tried the hotfix
| from Jez Robinson and other Windows critical updates from Windows Update.

| We'll see for a couple of days; if something comes up again I'll come back to
| this forum. Thanks a lot for the antivirus though. It's really useful.

| best regards,
| Baron

You need to do some packet sniffing and find what computers on your LAN are infected and
searching out OTHER computers through TCP ports 135 and 445.

You need to isolate your network from the WAN better with a FireWall as well.

You indicated that there were "...some virus in several servers..."
Please identify exactly what was found.

Kayman
Nov 29, 2008, 9:18:45 PM
On Fri, 28 Nov 2008 23:47:00 -0800, Baron Thener wrote:

> Dear Jez,
> Thanks for the update. I've tried the hotfix. Well, we'll see in a couple of days,
> and I'll report in this newsgroup again.
> Thanks.
> Baron
>
> "JezRobinson" wrote:
>>
>> Hi,
>> This problem appears to be related to the Microsoft Vulnerability that
>> allows remote code execution on ports 139 and 445.

Seconfig XP 1.1
http://seconfig.sytes.net/
Seconfig XP is able to configure Windows not to use TCP/IP as the transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.

David H. Lipman
Nov 29, 2008, 10:33:13 PM
From: "Kayman" <kaymanDe...@operamail.com>


| Seconfig XP 1.1
| http://seconfig.sytes.net/
| Seconfig XP is able to configure Windows not to use TCP/IP as the transport
| protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
| and 445 (the most exploited Windows networking weak point) closed.

Kayman:

He indicated these are servers. They are not home computers and they are participating in a
LAN.

Closing these ports could have disastrous effects on LAN communications.

Your advice is contraindicated.

Baron Thener
Nov 30, 2008, 1:06:01 AM

Dear Jez,
I tried to update Windows using this hotfix. It went well on the
Windows 2000 server and Windows 2003 R2, but one of our servers running Windows
2003 SP2 cannot be reached and cannot reach any network in our company. The
strange thing is that ping and the internet connection are OK. I can even remote in using
VNC to this server from another Windows 2003 server, but if I use Vista I could
not remote into the computer.

Every time I go to Run: \\computername it shows:
the network connection could not be reached

This happens vice versa. Does the hotfix close a port or something? If yes, how
do you open it again?

Thanks

Baron Thener
Dec 9, 2008, 7:57:01 PM

Dear Jez,
After trialing this for a couple of days, we took preventive action to update
the servers. For the last server that was infected we decided to format
the server; after we installed the antivirus and updated it through Windows Update,
suddenly the Server service was down again, but without any virus warning.
Can it be that the Windows update contains some kind of bug? Or is McAfee the
one causing this? I have already run out of ideas... please advise.

Thanks

Baron Thener
Dec 9, 2008, 10:38:01 PM

Sorry for the late reply Dave. It caught Sality or something like that. I
forgot because I removed it once it was detected. Now it causes this in the Event
Viewer:

"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"

I already updated Windows through Windows Update and the antivirus also.

The Other Mike
Dec 10, 2008, 1:25:33 PM
On Tue, 9 Dec 2008 19:38:01 -0800, Baron Thener
<Baron...@discussions.microsoft.com> wrote:

>Sorry for the late reply Dave. It caught Sality or something like that. I
>forgot because I removed it once it was detected. Now it causes this in the Event
>Viewer:
>
>"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
>shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"
>
>I already updated Windows through Windows Update and the antivirus also.
>

Saw this thread and we recently went through a battle with a worm that
sounds like what you have. After patching the servers/PCs that were
infected, you still have to clean up those machines. The worm we had
created a service on the servers and PCs. So even though you patch
the machine, the service still ran... which would crash other machines
it was trying to spread to that weren't patched. We deleted the
registry keys mentioned in this alert on the infected machines...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=T

We also used a network sniffer to scan for port 445 requests, and
usually those PCs making a lot of requests had this virus service
still on them.
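Dave's advice earlier in the thread (sniff for hosts searching out other machines on TCP 135/445) and Mike's observation here (the PCs making a lot of 445 requests still had the worm service) both come down to one check: which sources fan out to many distinct hosts on the SMB/RPC ports. The script below is an added example, not code from this thread or from any of the tools named in it; the flow-log format, the addresses and the threshold of 5 distinct targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a sniffer/flow export: timestamp, src, dst, proto, dst port.
# Addresses are made up; 10.0.5.23 plays the infected host fanning out across the subnet on 445.
SAMPLE_LOG = """\
2008-11-28T09:00:01 10.0.5.23 10.0.5.1 tcp 445
2008-11-28T09:00:01 10.0.5.23 10.0.5.2 tcp 445
2008-11-28T09:00:02 10.0.5.23 10.0.5.3 tcp 445
2008-11-28T09:00:02 10.0.5.23 10.0.5.4 tcp 445
2008-11-28T09:00:03 10.0.5.23 10.0.5.5 tcp 445
2008-11-28T09:00:03 10.0.5.23 10.0.5.6 tcp 139
2008-11-28T09:00:04 10.0.5.23 10.0.5.7 tcp 445
2008-11-28T09:00:04 10.0.5.23 10.0.5.7 tcp 445
2008-11-28T09:00:05 10.0.5.40 10.0.5.10 tcp 445
2008-11-28T09:00:06 10.0.5.41 10.0.5.10 tcp 80
this line is malformed and must be skipped
2008-11-28T09:00:07 10.0.5.42 10.0.5.10 tcp 135
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"^(?P<ts>\S+)\s+(?P<src>{IPV4})\s+(?P<dst>{IPV4})\s+(?P<proto>\w+)\s+(?P<dport>\d+)$")

# The ports the thread names as the spreading vector: RPC 135, NetBIOS 139, SMB 445.
WATCH_PORTS = frozenset({135, 139, 445})


def distinct_targets(log_text, ports=WATCH_PORTS):
    """Map each source IP to the set of distinct destinations it contacted on the watched TCP ports."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("proto").lower() != "tcp":
            continue  # malformed or non-TCP record: ignore rather than crash
        if int(m.group("dport")) in ports:
            targets[m.group("src")].add(m.group("dst"))
    return dict(targets)


def suspected_scanners(log_text, threshold=5, ports=WATCH_PORTS):
    """Sources that reached at least `threshold` distinct hosts on the watched ports, busiest first.
    A normal client talks to a handful of file servers; a worm probing for the MS08-067 hole
    fans out across the subnet, so distinct-target count (not raw packet count) is the signal."""
    fanout = {src: len(dsts) for src, dsts in distinct_targets(log_text, ports).items()}
    return sorted(((src, n) for src, n in fanout.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: {n} distinct hosts on ports {sorted(WATCH_PORTS)} -> check it for a rogue service")
```

Feed it a real export (one connection per line in the same five-column shape) and the hosts at the top of the list are the ones to pull off the LAN and clean first; repeat hits on a single file server do not raise a host's score.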

mike
Dec 13, 2008, 9:56:00 AM

Hi!

I had exactly the same problem on two of our 2003 servers (SP1).
It occurred 2 days ago for the first time.
I've found a workaround:

I installed, in order:

Hotfix KB914810 (included in SP2)
Hotfix KB932762
Security update KB958644

However, the root cause is still unclear. But I suspect the auto update
service. It's hosted by a svchost instance together with some important
network services.

greetings,
Michael

Kris Antonius
Dec 15, 2008, 12:12:01 AM

Hi Jez,

Thanks for your solution. I have downloaded hotfix 958644, installed it
and then restarted; the virus does not appear again.

Baron Thener
Dec 16, 2008, 9:00:01 PM

Dear Mike,
If the computer is already infected, can using this hotfix restore the
computer to its condition before it got infected?
Thanks

David H. Lipman
Dec 16, 2008, 9:03:48 PM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| Dear Mike,
| If the computer is already infected, can using this hotfix restore the
| computer to its condition before it got infected?
| Thanks

NO !

A HotFix will only correct the vulnerability that was used in the exploit that got the PC
infected.

Baron Thener
Dec 16, 2008, 9:14:00 PM

Dear Dave,
So how to restore the condition of the server before it got infected without
having to reinstall it?

David H. Lipman
Dec 16, 2008, 9:24:06 PM
From: "Baron Thener" <Baron...@discussions.microsoft.com>

| Dear Dave,

| So how to restore the condition of the server before it got infected without
| having to reinstall it?

Tape for one.

Otherwise you have to discern what was changed and undo said changes.

In this case, I don't know what infected your Server and thus have no idea what changes
were made.
