Generic Host Process for Win32 Services Error
Forum: Windows Security

#1  26-11-2008  Baron Thener

Dear all,
Our network was attacked recently; our antivirus, McAfee, detected the attack as "bo:stack blocked by buffer overflow". Some computers were infected, some of them our critical servers. The symptom was that every time we logged on to Windows the system showed "Generic Host Process for Win32 Services Error" and stopped the Server, Computer Browser and Distributed File services. These services are run by svchost.exe.

My question is:
1. If svchost.exe is corrupted, is there any way to replace the file with another clean and functional svchost.exe?

Thank you for the answers.

Best regards,

Baron
#2  26-11-2008  David H. Lipman

It sounds like the Buffer Overflow detection kicked in in McAfee Enterprise v8.50i. Yes?

You don't replace SVCHOST.EXE. That's the server of servers in Windows.

You have to find what was injected into the service.
#3  26-11-2008  Baron Thener

Dear David,
That's right. Do you have any suggestion on how to trace this infection? Because it's contaminating all the user PCs too. I think McAfee is still blocking it, but some of our servers have been disabled. How do we fix it without formatting the servers? We tried to repair Windows but it didn't work.
Thanks a lot for your answer.


#4  27-11-2008  David H. Lipman


You already have McAfee, so use the following Multi AV Scanning Tool's Sophos and Trend Micro modules to scan an infected server.

When using the Trend Micro module, you can disable the Spyware scanner capability.

You may want to concentrate on the c:\windows (c:\winnt) tree.

Download MULTI_AV.EXE from the URL --
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe

http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/...irus-for-free/


To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your firewall so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


#5  27-11-2008  Baron Thener
One more thing, Dave, before I try this: is there any way to update this multiscan manually? Because the infected server cannot connect to the network properly, so it could not get an update from the internet. And also, do you have any suggestion to trace the source of this buffer overflow infection?
Thanks,
#6  27-11-2008  David H. Lipman


Yes. Read the included PDF help file on the use of a surrogate PC to download all files and then transfer and run on an infected computer.

As for tracing this...
That's difficult. I personally don't know. Is it based upon RPC, TCP port 135, or through SMB, TCP 445?

Have you put a packet sniffer on any nodes?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


#7  27-11-2008  Member (Join Date: Nov 2008, Posts: 1)

Hi,

This problem appears to be related to the Microsoft Vulnerability that allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/sec.../MS08-067.mspx

There is a large amount of activity on the web with variants of a virus published last week.

So install the Hot Fix and reboot, hopefully that will solve your problem.

Over and out.
#8  27-11-2008  Jez Robinson

Hi,

This problem appears to be related to the Microsoft Vulnerability that
allows remote code execution on ports 139 and 445.

Check to make sure you have hot fix 958644 installed.

http://www.microsoft.com/technet/sec.../MS08-067.mspx

There is a large amount of activity on the web with variants of a virus
published last week.

So install the Hot Fix and reboot, hopefully that will solve your problem.

Over and out.


#9  29-11-2008  Member (Join Date: Nov 2008, Posts: 1)

Well my friends, I may be new here but this problem is not new to me. Actually, whenever I formatted my PC and installed a fresh copy of Windows XP SP2, this problem would surface. As Jez rightly pointed out, you need that hotfix, and even then some people might continue to experience the problem, as I did too. I did a Google search of it and got the remedy from a forum like this. It was a software installation after which the problem never troubled me.
As I said already, this situation has been encountered by me many times, so I am sure of what I said. I guess you people can also locate the software I am talking about by searching for it for some time.
#10  29-11-2008  Baron Thener

Dear Dave,
You got some heavy-duty antivirus there, but it doesn't find the cause of the bo:stack buffer overflow. It captured some viruses on several servers, but the virus was not the same on every server.

The reporting about buffer overflow has been rare since I tried the hotfix from Jez Robinson and the other Windows critical updates from Windows Update.

We'll see for a couple of days; if something comes out again I'll come back to this forum. Thanks a lot for the antivirus though. It is really useful.

Best regards,
Baron


#11  29-11-2008  Baron Thener
Dear bredtracer,
We never experienced anything like this before, and the virus/malware or whatever this is is attacking multiple Windows platforms, from Windows Server 2000, Server 2003 and Server 2003 R2 to XP SP2.

Thanks for your reply.
#12  30-11-2008  Baron Thener

Dear Jez,
I tried to update Windows using this hotfix. It went well on the Windows 2000 server and Windows 2003 R2, but one of our servers running Windows 2003 SP2 cannot be reached and cannot reach any network in our company. The strange thing is that ping and the internet connection are OK. I can even remote into this server using VNC from another Windows 2003 server, but if I use Vista I could not remote into the computer.

Every time I go to Run: \\computername it shows:
the network connection could not be reached

This happens vice versa. Does the hotfix close a port or something? If yes, how do you open it again?

Thanks


#13  10-12-2008  Baron Thener
Dear Jez,
After trialing for these couple of days, we took preventive action to update the servers. For the last server that was infected we decided to format the server; after we installed the antivirus and updated via Windows Update, suddenly the Server service is down again, but without any virus warning. Can it be that the Windows Update contains some kind of bug? Or is McAfee the one causing this? I have already run out of ideas... please advise

Thanks
#14  10-12-2008  The Other Mike

On Tue, 9 Dec 2008 19:38:01 -0800, Baron Thener
<BaronThener@discussions.microsoft.com> wrote:

>Sorry for the late reply Dave. It caught Sality or something like that. I
>forgot because I removed it once it was detected. Now it causes this in the Event
>Viewer:
>
>"Faulting application svchost.exe, version 5.2.3790.3959, faulting module
>shell32.dll, version 6.0.3790.4184, fault address 0x0014e84e"
>
>I already updated Windows Update and the antivirus also.


Saw this thread and we recently went through a battle with a worm that sounds like what you have. After patching the servers/PCs that were infected, you still have to clean up those machines. The worm we had created a service on the servers and PCs. So even though you patch the machine, the service still ran... which would crash other machines it was trying to spread to that weren't patched. We deleted the registry keys mentioned in this alert on the infected machines...

http://www.trendmicro.com/vinfo/viru...AD%2EA&VSect=T

We also used a network sniffer to scan for port 445 requests, and usually those PCs making a lot of requests had this virus service still on them.



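The "many port 445 requests" check that The Other Mike describes, written out as an added example (not code from any poster in this thread). It assumes a constructed, simplified flow-log line format `time src dst proto dport`, and it flags a source by how many distinct SMB targets it touches inside a sliding time window, which separates a worm sweeping the subnet from a workstation talking to its file server.

```python
# Added example (not from the thread): flag hosts fanning out over SMB ports,
# the pattern used above to find machines still running the worm service.
# Assumption: a constructed, simplified flow-log format "time src dst proto dport".
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {445, 139}   # ports named in the thread (MS08-067 exposure)
FANOUT_THRESHOLD = 5     # distinct SMB targets per source per window; tune per site

# Constructed sample: .50 sweeps six hosts, .20 uses one file server, .60 stays under threshold
SAMPLE_LOG = """\
2008-11-27T10:00:00 10.1.1.50 10.1.1.10 tcp 445
2008-11-27T10:00:00 10.1.1.50 10.1.1.11 tcp 445
2008-11-27T10:00:01 10.1.1.50 10.1.1.12 tcp 445
2008-11-27T10:00:01 10.1.1.50 10.1.1.13 tcp 139
2008-11-27T10:00:02 10.1.1.50 10.1.1.14 tcp 445
2008-11-27T10:00:02 10.1.1.50 10.1.1.15 tcp 445
2008-11-27T10:00:03 10.1.1.20 10.1.1.10 tcp 445
2008-11-27T10:00:05 10.1.1.60 10.1.1.10 tcp 445
2008-11-27T10:00:06 10.1.1.60 10.1.1.11 tcp 445
2008-11-27T10:00:07 10.1.1.60 10.1.1.12 tcp 445
2008-11-27T10:00:08 10.1.1.60 10.1.1.99 tcp 80
"""

def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)

def smb_fanout(lines, window_s=60, threshold=FANOUT_THRESHOLD):
    """Return {src: most distinct SMB targets seen in any window_s window}
    for sources that reach the threshold; non-SMB ports are ignored."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_line(line)
        if proto == "tcp" and dport in SMB_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                       # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged
```

Run it over real firewall or sniffer exports after mapping their columns to the assumed format; the flagged sources are the ones to check for the leftover worm service before they crash unpatched neighbours again.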
#15  13-12-2008  mike
Hi!

I had exactly the same problem on two of our 2003 servers (SP1).
It occurred 2 days ago for the first time.
I've found a workaround:

I installed, in order:

Hotfix KB914810 (included in SP2)
Hotfix KB932762
Security update KB958644

However, the root cause is still unclear. But I suspect the auto update service. It's hosted by a svchost instance together with some important network services.