Xref: kermit microsoft.public.windowsxp.help_and_support:482799 microsoft.public.windowsxp.perform_maintain:171354

Thanks - I'll look into these possibilities!

--
####################
## PH, London
####################
"cquirke (MVP Win9x)" wrote in message
...
On Wed, 14 Apr 2004 18:46:38 +0100, "Philip Herlihy"

Thanks, Carey. I'm very grateful for the suggestion, but it didn't work.

The machine has XP Home with SP1 (I should have specified this) and the
patch is apparently pre-SP1 (an error-message said it could only be
applied
if no SPs were already there.

Two things come to mind:

1) There are new (April 2004) patches involving LSASS and DCOM

Seek and apply these - in case what is happening is an exploit of the
newly-announced holes involving these things.

2) Malware use of SVCHost

Malware can either use the "real" SVCHost to shell themselves (so that
firewalls set to allow the "real" SVCHost allows the malware too) or
can drop thier own "SVCHost" files that are running.

CoolWebSearch is a common, frequently-updated commercial malware that
exploits a wide range of holes and attack methods, often including
SVCHost. There's a web site and utility dedicated to killing CWS;
Google for it (merjin) and check it out - they document the variations
and evolve the killer tool to manage the matest ones.


As usual, I'd start with a formal virus check to exclude traditional
malware, then drill down to commercial malware through Windows using
AdAware, Spybot, and the dedicated CWS killer.



-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -