- Re: svchost.exe
- Posted by Nick FitzGerald on August 15th, 2003
"flekso" <taurus@email.hinet.hr> wrote:
Huh???
_BOTH_ are common/standard/default.
Why are you trying to disable one of them?
Does your machine keep going septic/crashing/shutting down after telling you this
service has crashed? If so, Google for "Blaster worm" or "MS03-026" or perhaps
even read a couple of randomly selected threads in this newsgroup...
--
Nick FitzGerald
- Posted by flekso on August 15th, 2003
"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message
news:3f3c415e@clear.net.nz...
okay, but until a couple of days ago i only had one of them (*PosItIVe*) and
i don't know which one is newly spawned (by the WORM_MSBLAST.A) plus the
netsvcs is set to manual startup in services.mmc but it starts with each
boot - how can this be?
- Posted by Nick FitzGerald on August 15th, 2003
"flekso" <taurus@email.hinet.hr> wrote:
You are either wrong or have made some other, unrelated to Blaster, change to
your system.
All three standard install W2K machines in my immediate vicinity have at least
two svchost.exe processes running.
I've been experimenting with several of the vulnerability exploits that Blaster
is based on for well over a week and with Blaster since a few hours after it
was released, deliberately running it on and infecting machines on an isolated
test network, and I have __NEVER__ seen any of that activity cause a new
svchost.exe process to start up on a compromised or infected machine.
Further, from performing a fairly complete disassembly of the worm I see nothing
in its code that should cause a new svchost.exe process to start up, either
instantaneously or permanently.
Because something else has it as a dependency?
Because something else you have set to run at startup requires that service,
and its calling on the service counts as a "you're needed" and therefore the
"manual startup" requirement is met so it is run?
Whatever -- it is not "nefariously" because of Blaster and if Blaster's actions
are responsible for it, removing Blaster will make it go away. If not, you are
wrong about it not being there before and/or about not having changed anything.
--
Nick FitzGerald
- Posted by flekso on August 15th, 2003
"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message
news:3f3cd470@clear.net.nz...
you're 100% right (hooray! no need to curse anymore),
paranoia got over my head, thanks
- Posted by Nick FitzGerald on August 15th, 2003
"»Q«" <boxcars@gmx.net> wrote:
At least in W2K (and presumably NT) the tlist util is part of the Resource Kit
and/or "Support Tools", neither of which is installed by default, though the
latter is included on the OS installation CD so should be readily available.
I seem to recall seeing this available for download from MS' web site too, but
now have no idea of the URL (and as MS is effectively under "patch before the
worm strikes" paranoia-induced DoS, I'm not even going to try to look for it
at the moment...).
--
Nick FitzGerald
- Posted by flekso on August 16th, 2003
"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message
news:3f3d6151@clear.net.nz...
i've found it on some dude's page
http://www.petri.co.il/w2k_sp4_support_tools.htm
- Posted by FromTheRafters on August 16th, 2003
"flekso" <taurus@email.hinet.hr> wrote in message news:bhkl7q$gs9$1@ls219.htnet.hr...
Ahhh, the "some dude" method. I think I'll just wait for the e-mail
version to arrive. ;o)
- Posted by flekso on August 17th, 2003
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjtcsir2s9dpd0@corp.supernews.com...
no, really it's an ok page with links to microsoft
- Posted by FromTheRafters on August 17th, 2003
"flekso" <taurus@email.hinet.hr> wrote in message news:bhnd6p$7rb$1@ls219.htnet.hr...
Good, I was just having a little fun with ya is all.