View Full Version : svchost error
mohamed adeni
05-01-2004, 01:30 PM
Good Day my friends, long time no news!!!!! :)
win2k, 512 RAM, Cel 900 MHz, 120 HD with DVD and DVD burner. Question is, any time I try to log on to the internet, I get this message: "svchost.exe has generated errors and will be closed by windows. You will need to restart the program". But I can get onto the internet and continue my work. What is causing the problem? Thanks for the help.
PrntRhd
05-01-2004, 01:44 PM
I think it has something to do with an error when loading Hyperterminal; it does require you to reboot also.
Do you really need to be running that?
See blackviper (http://www.blackviper.com) for his Services Configuration Pages for WIN2000.
It also may be indication of an infection, more will comment.
Are all the MS patches installed?
mohamed adeni
05-01-2004, 05:27 PM
Thanks for your reply. If I need Hyperterminal... no, I don't need it nor have I used it so far. Recently I formatted this HD with the Maxtor utility CD which came with it. I downloaded Service Pack 3 and installed it. This morning after posting this question, I went to the 'critical update' section of Windows and upgraded most of them, including Internet Explorer 6.0 (before I had 5.0). Honestly I did not see that error after I rebooted and connected to the internet. Do you think that the upgrade I did corrected the 'svchost.exe' file? If I get this same error, what will be my next move??:confused:
By the way, I did browse through a little bit of the blackviper site. I need more time to go through it as it might have some info which will be useful.
Thanks again. Will be in touch.:cool:
Paul Komski
05-01-2004, 08:12 PM
Sounds very like one of the effects of the Blaster Worm that exploits the RPC vulnerability.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=dc27b8c6-2a5a-4399-ad3d-4a97a25f41d9&displaylang=en
Patch or Upgrade to SP4 and run the tool from symantec.
PrntRhd
05-01-2004, 10:34 PM
I would agree, Stinger is a decent removal tool to help clean the Blaster variants also.
stinger (http://vil.nai.com/vil/averttools.asp)
mohamed adeni
05-02-2004, 02:36 PM
Thanks for the info guys!!! I went into these sites, Paul, and then per PrntRhd, downloaded Stinger also. According to the instructions, I had to install SP4 and then remove the worm. So I tried to install SP4 and I had to keep the internet on. Problems occurred during that process:
1) I kept getting some messages like: 'Message from SpyWare Advisory to user on 5/2/04 saying that "your computer has been infected with an unauthorised spyware program so go to SPW9e.com to fix it". And giving instructions on where to write this on the web'. I did not believe this so I did not go to that site. Did anybody notice such messages before???
2) The internet disconnected three times during that process. Why can I not have the internet on for some time without disconnecting?
3) After installing SP4, this message came up: 'error occurred during installation of w2k sp4' and then this W2K SP4 remover wizard came up and deleted files, copied in c:w2k\system32... (something like that)
4) The svchost.exe error message was not there till I tried to install SP4; now it is back again.
Where did I go wrong???
:confused:
Paul Komski
05-03-2004, 05:03 AM
SP4 is a big download so apply the individual patches first and/or use a firewall as per http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html otherwise you can be reinfected any time you are on line.
We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
mohamed adeni
05-04-2004, 07:59 PM
Thank you, Paul, I will do that and let you know the results. Actually I was installing SP4 first but got disconnected three times during that 2 hr download process (I don't have DSL :) ). After going through all that trouble downloading, I got a message that it had generated an error in installation and it uninstalled it, can you believe that.:mad:
I will try again. Right now I don't know whether my sys has a virus or not, but due to Chicago's weather I am having a viral situation. Let me gain some strength. Thanks once again.:cool:
classicsoftware
05-04-2004, 09:56 PM
I think it is time to download hijack this and run it.
Install it in its own folder.
Run the program
DO NOT fix anything. Save the log file and post the results back here
mohamed adeni
05-05-2004, 08:10 PM
Hi classicsoftware!
I loaded HijackThis and saved the file, then logged back on to this web site. A Norton Virus alert pops up: my sys is infected by "Bloodhound.packed" in c:\winnt\system32\rtlsvc.exe. Norton did not or could not fix it. Anyway I am attaching the 'hijackthis' file here for your review. Hope this will help you to help me. (Do you think I should reformat this HD and start all over again? - just a thought!)
Logfile of HijackThis v1.97.3
Scan saved at 6:58:43 PM, on 5/5/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\essspk.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38108.4663310185
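The reviewers below judge this log clean by eye. A small triage script makes the same pass repeatable: parse the process list and the O-numbered entries, then flag the few things worth a second look (a process or Run entry outside the normal program directories, a Run entry that is a bare filename resolved through the PATH search, a DPF ActiveX download from somewhere other than Windows Update). This is an added example written for this page, not a HijackThis feature; the sample log is a constructed excerpt in the same layout as the one posted, and the trusted-directory list is an assumption for a stock Win2K box. Flags are prompts for review, not verdicts: the one entry it raises here (essspk.exe, an audio driver helper) is the same one the reviewers left alone.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the layout of the HijackThis v1.97 log posted above
# (a handful of its lines, not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.3
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\essspk.exe
C:\WINNT\System32\wuauclt.exe
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""

# Assumption for this example: where a stock Win2K install and normally installed
# software run from. Anything else gets a look; it is not automatically bad.
TRUSTED_DIRS = ("c:\\winnt\\system32\\", "c:\\program files\\", "c:\\progra~1\\")
TRUSTED_DPF_HOSTS = ("windowsupdate.microsoft.com",)
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
    return procs, entries


def run_target(body):
    """Executable path from an O4 body: '[Name] "path" args' or '[Name] path args'.
    Unquoted paths may contain spaces, so cut at the first '.exe' (heuristic)."""
    rest = body.split("]", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.search(r"\.exe", rest, re.IGNORECASE)
    return rest[: m.end()] if m else rest.split(" ", 1)[0]


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def review_hjt(text):
    """Return findings as dicts: section, the item, and why it deserves a look."""
    findings = []
    procs, entries = parse_hjt(text)
    for p in procs:
        if not is_trusted_path(p):
            findings.append({"kind": "process", "item": p,
                             "reason": "runs outside standard program directories"})
    for sect, body in entries:
        if sect == "O4":
            target = run_target(body)
            if "\\" not in target:
                findings.append({"kind": sect, "item": target,
                                 "reason": "unqualified filename, resolved through the PATH search at logon"})
            elif not is_trusted_path(target):
                findings.append({"kind": sect, "item": target,
                                 "reason": "runs outside standard program directories"})
        elif sect in ("O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]
            if not is_trusted_path(path):
                findings.append({"kind": sect, "item": path,
                                 "reason": "browser extension outside standard program directories"})
        elif sect == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append({"kind": sect, "item": url,
                                 "reason": "ActiveX download from a host that is not Windows Update"})
    return findings


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['item']}\n         -> {f['reason']}")
```

Run it against a saved log with `review_hjt(open("hijackthis.log").read())`; the point of the bare-filename check is that a Run entry like `essspk.exe` is loaded from whichever directory the PATH search finds first, which is why a practitioner wants to know where that file really lives before deciding it is benign.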
classicsoftware
05-06-2004, 10:28 AM
Your log looks pretty clean to me. I am not that experienced and maybe Budred or MJC will happen along.
Please look at this link (http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.packed.html).
After reading I would try to run the Symantec on-line scan.
Post back with results.
Budfred
05-06-2004, 07:28 PM
You are right classicsoftware, that is a clean log... I would try another online virus scan or two, possibly a trojan scan or two, and maybe try McAfee Stinger before going to a wipe/reformat/reinstall....
Here are two online trojan scans...
http://scan.sygatetech.com/pretrojanscan.html
http://www.trojanscan.com/
You also badly need to update your Win2K to protect from several very nasty bugs that are going around.... And I just read back a bit to see you have been trying to do that... Try the trojan scans next and see what happens...
mohamed adeni
05-07-2004, 08:08 PM
Yes, I ran stinger scan, it said was some 3600 or so files cleaned. Now should I go back to SP4 and install since I have it on HD?
classicsoftware
05-07-2004, 08:47 PM
If everything is working OK, install ALL critical updates ASAP.
Budfred
05-07-2004, 09:11 PM
I would also run one of the trojan scans and probably another online virus scans. AV programs don't pick up on trojans real well and one program may get something that another won't....
classicsoftware
05-07-2004, 09:22 PM
Originally posted by Budfred
I would also run one of the trojan scans and probably another online virus scans. AV programs don't pick up on trojans real well and one program may get something that another won't....
You already told him to do that, so I wasn't going to repeat what you said. I hope he listens, I guess he has so far.
mohamed adeni
05-07-2004, 11:45 PM
Yes, I heard you loud and clear; as you know I am a good listener and a good student.
Yes, I did use the GFI trojan scan, no infected files. I tried Sygate online also but I got this answer: "You have blocked all of our probes! We still recommend running this test both with and without Sygate Personal Firewall enabled... so turn it off and try the test again." I don't know what to do, so I left it.
I tried to install SP4 again, same error: sp4 setup error - an error in updating your sys has occurred. Select 'ok' to undo the changes that have been made. I remember installing SP4 on another sys and I was not successful during that time also. What else should I do, or what am I not doing right? Thanks for your guidance.
By the way I updated the AVG files and Spybot files, and scanned with both of these, no problems.
Can you tell why the internet is getting disconnected in the middle of some process?
ThatOneGuy
05-08-2004, 01:14 AM
Mohamed -
In theory, all M$ OS updates are supposed to be easy. A few questions for you; please be aware that I do not know the details of your connection to your ISP, but I am wondering why you are using Hyperterminal, if you are at all? That is unusual. Try this with W2K SP4, I am assuming you have downloaded the network install version; if not, go out to the corporate Windows Update site: http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true . If you are downloading SP4, as you already know, it is huge and will take forever to download; I believe that it is 100+MB. Once you have downloaded SP4, disconnect from the web, turn off all of your virus protection, spyware detection, and/or firewall, and try installing SP4. Please make sure to re-enable all of your protection before going back on-line. Although it doesn't happen often, sometimes protection software can interfere with SP installation. Also, check support.microsoft.com for specific error codes; M$ is usually good about documenting their cryptic error messages. Also, check your application log for information about the installation, that might be where the specific error codes are. I know it seems like a large amount to do; I hope it points you in the right direction.
mohamed adeni
05-09-2004, 08:30 PM
Thanks, ThatOneGuy, tell me something: you are the second person who asked me about this 'hyperterminal'. I have no clue that I was connected through this mode. I installed the modem and went through installing MSN Internet Explorer like I usually do. Can you guide me on how to check this hyperterminal issue? You are right about the 100 MB file size because even SP3 is also a 125 MB file. I am going to uninstall this SP4 from the folder and will ask my friend who has a DSL connection to download it for me, then will follow your instructions. I have very basic knowledge of computers so please bear with me if I ask you further questions about disabling different programs. Will be back soon after installing SP4. Thanks for your patience.:cool:
ThatOneGuy
05-10-2004, 03:20 AM
Mohamed - Hyperterminal is usually used for terminal sessions, hence the name. Usually Dial-up Networking (DUN) connections are handled in a different fashion in W2K; I believe that it will show as a network connection, or the properties of it can be found in the control panel. Like I had mentioned, it is important that you check your error logs to see if there were any installation errors for the service pack. Your event logs can be accessed through the administrative tools. Check the application event log and look for errors that have to do with SP installation, and look those errors up on support.microsoft.com. Please keep us informed as to your progress, I'd love to know if this works out.
mohamed adeni
05-11-2004, 10:22 PM
You are right, I had two things check-marked in the properties of network connections; I deleted and reconnected by selecting the 'connection through modem to internet' option. This time, only one check mark in properties. I got this SP4 on a CD from my friend this time, so let me install that and see what happens.
mohamed adeni
05-13-2004, 08:21 PM
This is it, I have no idea still. I got this SP4 on a CD, installed it, and before it finished, got an error message and it uninstalled again. My event log shows this:
Event Type: Information
Event Source: EventLog
Event Category: None
In another place it said "windows file protection", what does this mean? And I still do not understand: when I try to log in to the network, my modem freezes; after a couple of reboots, I can get into it. Did I confuse you guys yet?:eek:
ThatOneGuy
05-13-2004, 09:27 PM
Mohamed - Can you please post the complete error message from your event log? Can you also post any error messages that you receive? Thanks
mohamed adeni
05-14-2004, 07:00 PM
This is how it goes:
5/12/04 - 7.06 PM - event log:
Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 3 Uniprocessor Free.
Event log started.
7.40 PM.
Windows 2000 Service Pack 4 was removed from your computer, and the previous Windows 2000 configuration was restored.
7.42: The Event log service was stopped.
Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 3 Uniprocessor Free.
Event log started.
8.36 PM
The protected system file c:\winnt\system32\sclgntfy.dll could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
The Event log service was stopped.
5/13/04 7.16 PM
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.
Hope this is helpful to you to help me.:cool:
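Two pieces of the thread fit together here: Paul's note above that the Symantec write-up has you block TCP 4444, TCP 135 and UDP 69 if you do not need them, and the "Remote Procedure Call (RPC) service terminated unexpectedly" event just posted. An RPC crash on an SP3 box that is on line is what a Blaster-style MS03-026 exploit attempt looks like from the inside, whether or not the payload then ran; the svchost.exe error at the top of the thread is the same event seen from the desktop. The script below is an added example written for this page (not a Symantec or Microsoft tool): it reads `netstat -an` output and event-log text as saved files, so it runs offline, and reports the indicators a responder would check first. The netstat and event-log samples are constructed; the port list and the "why" strings come from the advice quoted above. It checks after the fact; it does not configure a firewall, and an RPC crash on its own is evidence of an attempt, not proof the worm is installed.

```python
import re

# Constructed 'netstat -an' output in the Windows 2000 layout (not from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       192.168.1.6:135        SYN_SENT
  TCP    192.168.1.5:1043       192.168.1.7:135        SYN_SENT
  UDP    0.0.0.0:69             *:*
"""

# Constructed event-log lines; the RPC line repeats the message quoted in the thread.
SAMPLE_EVENTS = """
The Event log service was started.
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.
Windows 2000 Service Pack 4 was removed from your computer, and the previous Windows 2000 configuration was restored.
"""

# Ports from the Symantec advice quoted earlier in the thread, and why each matters.
WATCH_PORTS = {
    ("tcp", 4444): "Blaster command shell listener",
    ("tcp", 135): "DCOM RPC endpoint mapper, the MS03-026 attack surface",
    ("udp", 69): "TFTP, which Blaster uses to fetch its executable",
}
RPC_CRASH_RE = re.compile(r"Remote Procedure Call \(RPC\) service terminated unexpectedly", re.IGNORECASE)


def parse_netstat(text):
    """Return (proto, local_port, remote_port, state) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote = parts[2].rsplit(":", 1)[1]          # '*' for UDP, a number for TCP
        remote_port = int(remote) if remote.isdigit() else None
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        rows.append((proto, local_port, remote_port, state))
    return rows


def exposed_watch_ports(text):
    """Watched ports open on this host: TCP in LISTENING, or any bound UDP socket."""
    hits = {}
    for proto, lport, _, state in parse_netstat(text):
        reason = WATCH_PORTS.get((proto, lport))
        if reason and (proto == "udp" or state == "LISTENING"):
            hits[(proto, lport)] = reason
    return hits


def outbound_135_attempts(text):
    """Half-open outbound connections to remote TCP 135: what an infected host
    does while it scans for the next victim."""
    return sum(1 for proto, _, rport, state in parse_netstat(text)
               if proto == "tcp" and rport == 135 and state == "SYN_SENT")


def rpc_crashes(text):
    """Event-log lines recording an RPC service crash."""
    return [l for l in text.splitlines() if RPC_CRASH_RE.search(l)]


def assess(netstat_text, event_text):
    """Combine the indicators into a short list of findings for the responder."""
    findings = [f"{p.upper()} {port} open: {why}"
                for (p, port), why in sorted(exposed_watch_ports(netstat_text).items())]
    n = outbound_135_attempts(netstat_text)
    if n:
        findings.append(f"{n} outbound SYN_SENT to TCP 135: host may be scanning for targets")
    for _ in rpc_crashes(event_text):
        findings.append("RPC service crash logged: consistent with an MS03-026 exploit attempt")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_NETSTAT, SAMPLE_EVENTS):
        print(line)
```

On the box itself, `netstat -an > netstat.txt` and an export of the System log give the two inputs. TCP 135 listening is normal on Win2K and only a problem when it is reachable from the internet unpatched, so that finding should be read together with the patch level; a listener on TCP 4444 or a burst of SYN_SENT to port 135 on neighbouring addresses is the stronger sign that the worm is already running.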
classicsoftware
05-14-2004, 07:23 PM
Are you logged on as administrator when this happens?
Read this (http://support.microsoft.com/?kbid=258911).
mohamed adeni
05-17-2004, 10:03 AM
I think I am. Should I change this method, if so how?
mohamed adeni
05-20-2004, 09:43 PM
Here I am. Guess what I did: I gave up going back and forth and formatted this 120 HD. Then what happened? Installed SP3 and then SP4, no problems. Which means right now the OS has SP4. But this SVCHOST.EXE is still haunting me. I noticed it only when I tried to open my Hotmail account. Then I closed Hotmail, opened Yahoo mail, no problem; closed Yahoo mail, opened the Hotmail account, NO PROBLEM:confused: What is happening with this svchost file????:mad: One time it flashes and one time it does not, strange. Any suggestions at this point, since I reformatted and started all over again? Same error message with my spare 40 HD which was formatted on this same sys.
ThatOneGuy
05-20-2004, 10:04 PM
svchost.exe is a process that runs as a "shell" for other processes. Take a look at this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;250320
Do you have any errors in the Application or System event log? Follow the directions in the M$ article and extract tlist, which is a bit better than task manager. I suspect that there is an error in one of the services that are running. Please check the error log and stop the service that is failing - Please be aware of what the services do: go out to www.blackviper.com and read about the service before stopping services, but some service is failing.
Paul Komski
05-21-2004, 03:23 PM
If it was a Blaster Exploit (http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20707803.html) then what you have done should have "patched the hole" - but if the virus got in before it was patched now is the time to run a Blaster Removal Tool. These exploits, Blaster, Nachi, Sasser, etc can infect an unpatched system within seconds of just going on line.
mohamed adeni
05-21-2004, 11:15 PM
Happy Friday,
This evening I got connected to the internet, checked emails, no error message. The only problem I had was at the beginning, a modem freeze; I had to reboot and after that no problems. I checked the 'Event log in Application/System log', no error messages. (Since the modem froze, I thought I could see some error pertaining to this freeze.) I checked the website for 'Tlist' and tried to follow the instructions after unzipping from the Support.cab file. When I try to open tlist, the screen flashes and never stays open. Anyway I tried through 'task manager'; I don't want to change any of it so I left it.
About the worms issue, I used FixBlast & Stinger, no worms. I was checking from Paul's suggested website, which took me to 'Experts Exchange'; there I noticed a similar issue to mine, and at one point somebody was asking if updating the BIOS could have caused the problem. I think I did that too, because my second HD also got this svchost error when I was on the internet. So far I have not seen this svchost error pop up (yet!) today. I hope it would not show up.:D
Let me use FixBlast and Stinger on the other HD and see what happens. Have a good weekend and thanks again.