Re: svchost.exe and DOS Exploit


From: Bruce Chambers (bruce_a_chambers_at_h0tmail.com)
Date: 01/30/05


Date: Sun, 30 Jan 2005 11:57:56 -0700

FlyingDutchmanIam wrote:
> I've been having a problem with my Toshiba Portege A200 laptop and I suspect
> it's a virus. I have Windows XP Professional (without the Service Pack 2
> update as I've heard horror stories about it causing more bad than good),

        Mostly unfounded or self-inflicted, but there were some compatibility
issues. Check with Toshiba to see if they know of any problems with SP2
and their specific OEM version of WinXP and/or their device drivers.

> with only AOL

        Almost always a major source of problems.

>
> My CPU usage has started running at full pelt (100%) and a look at the
> processes revealed five separate instances of svchost.exe running.
>

        What specific process is consuming all of your CPU cycles? Primary
suspects: any other process(es) using more than 2 or 3%; any
process(es) (other than System Idle) pulling more than 10% is almost
definitely a problem. Odds are that you'll find that one or more of the
Svchost.exe processes are involved. It's perfectly normal to have
several instances of Svchost.exe running simultaneously.

A Description of Svchost.exe in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314056

     However, if Svchost.exe is using a large portion of your CPU
cycles, it has most likely been "hijacked" by a worm, Trojan, or
scumware.

> I downloaded and ran SpyBot Seek and Destroy and it found 'DOS Exploit'
> which I duly ran a 'Fix Problems'... or so I thought.
>
> I rebooted my PC but unfortunately the CPU was still running at 100%, making
> running any programmes a pain in the proverbials!
>
> I re-ran the Spybot Seek and Destroy and surprise, surprise the same DOS
> Exploit error came up. I checked the details and it seems to be located in
> the registry settings. I ran the fix, making a note of the location of the
> settings, and deleted and changed the relevant registry settings. No joy.
>

     The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, IE Service Pack 1, or WinXP
SP2, you're safe. It would appear that the latest version of SpyBot
S&D is only checking for Internet zone settings in the registry that
could be used as work-around protection, and not for the presence of
any corrective patches. Hopefully, the makers of SpyBot will soon fix
this bug.

  MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

     If you like, you can test your system for this particular
vulnerability at this web site:
http://www.grey.com/security/advisories/gm001-ie/

     The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs

     In the meantime, in SpyBot S&D, click Mode > Advanced > Settings >
Ignore Products > Security > DSO Exploit, to turn off the false alarm.

     Some people have reported that the SpyBot Detection rules dated 30
Aug 04, or newer, when used with SpyBot S&D 1.3.1TX, will fix this
problem. However, I've had inconsistent results with that particular
detection update; sometimes it reads clean, then later it will once
again find the DSO problem, and then it will read clean again, all on
the same machine, with no other changes made.

        Have you scanned for viruses? That should have been your first step,
rather than using Spybot S&D.

-- 
Bruce Chambers
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
You can have peace. Or you can have freedom. Don't ever count on having 
both at once. - RAH
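
Added example, not part of the original post or written by its author: a PowerShell sketch of the check the reply asks for, showing which Svchost.exe instance is using the CPU and which services that instance hosts. It assumes PowerShell 3.0 or later; the 5-second sampling window and all variable and function names are illustrative choices.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0 or later.
$sampleSeconds = 5                       # assumed sampling window
$cores = [Environment]::ProcessorCount

function Get-SvchostCpuTicks {
    # PID -> cumulative CPU time (kernel + user) in 100 ns ticks
    $ticks = @{}
    Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
        $ticks[[int]$_.ProcessId] = [double]$_.KernelModeTime + [double]$_.UserModeTime
    }
    $ticks
}

# PID -> names of the running services hosted in that process
$servicesByPid = @{}
Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
    $hostPid = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $_.Name
}

# Two snapshots of cumulative CPU time, one sampling window apart
$before = Get-SvchostCpuTicks
Start-Sleep -Seconds $sampleSeconds
$after = Get-SvchostCpuTicks

$report = foreach ($hostPid in $after.Keys) {
    if (-not $before.ContainsKey($hostPid)) { continue }   # started mid-sample
    $cpuSeconds = ($after[$hostPid] - $before[$hostPid]) / 1e7
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$hostPid"
    [pscustomobject]@{
        PID        = $hostPid
        CpuPercent = [math]::Round(100 * $cpuSeconds / ($sampleSeconds * $cores), 1)
        Services   = ($servicesByPid[$hostPid] -join ', ')
        ImagePath  = $proc.ExecutablePath   # may be empty without admin rights
    }
}

# Busiest instance first; the Services column shows what it is hosting
$report | Sort-Object CpuPercent -Descending | Format-Table -AutoSize -Wrap
```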

