Problems with the network environment of Windows 2003 / XP, or the malicious Kido virus

    This article is written so that those who come after me do not step on the same rake I did.
    If the Network Neighborhood on your server or workstation stops opening with the error "None of the network access services can process the network path", welcome.


    Symptoms


    One fine day a user called me and said that he could not connect to the main server over Samba (naturally he phrased it wrong, but that was the essence). I tried to type \\server from my computer (the name is changed for ease of understanding) and got an error, although the server pinged perfectly and all the necessary ports were open. After rebooting the server (which, as everyone knows, is a real disaster in the middle of a working day), it worked for about an hour and then the error repeated. On the server itself, any attempt to reach a network computer such as \\user returned the error "None of the network access services can handle the network path".

    Anamnesis


    As mentioned earlier, port 445 was open. The error "None of the services" suggested that the problem lies in the services :)
    So we dig into the services and at a glance see the following: the Server, Workstation and Computer Browser services have crashed. Start them and they work; after 10-15 minutes they crash again. In the Application log we see the error
    "Application error svchost.exe, version 5.2.3790.3959, kernel32.dll module, version 5.2.3790.3959, address 0x0006beb8."
    immediately after which the services crash.

    Differential diagnosis 1


    Google ...

    We come to the unambiguous conclusion that the cause is the Kido virus, which attacks network computers on port 445 and triggers a buffer overflow. The solution is to run kk.exe on every computer on the network; kk.exe is Kaspersky's removal tool for the Kido virus. Kaspersky Anti-Virus itself does not catch it, although I did try: Kaspersky itself detected no threats, while kk.exe found it and apparently cured it.

    Treatment


    After going through all the computers on the network and running kk, we found and cleaned up a lot of this virus. In addition, to protect the cleaned computers from being reinfected, we started kk in monitoring mode ("kk -m") and added it to startup. After all these manipulations we breathed freely and wanted to rest, but no such luck. The services began to crash less often, but that did not make things any easier! By the way, a temporary workaround is to open the properties of one of the services and set "Restart the Service" in all fields of the Recovery tab: the services still crash, but are restored almost immediately.

    Differential diagnosis 2


    So I began to think about why the services crash in batches, and what unites them. The answer was simple: one and the same svchost.exe ran all of these services. Here is the complete list:
    • Computer Browser (!)
    • Cryptographic Services
    • Logical Disk Manager
    • COM+ Event System
    • Help and Support
    • Server (!)
    • Workstation (!)
    • Network Connections (!)
    • Network Location Awareness (NLA)
    • Task Scheduler (!)
    • Secondary Logon
    • System Event Notification
    • Shell Hardware Detection
    • Distributed Link Tracking Client
    • Windows Management Instrumentation
    • Automatic Updates
    • Wireless Configuration

    So my thoughts went further. Since there are no more viruses on the server, the virus must still be present on some computers on the network, and it keeps attacking the server. But why does the server crash from this? So there is some kind of hole. And if there is a hole, there must be a patch. With great difficulty I found such a patch for WinXP: KB958644.
    And having the name of the patch, I found the one for Win2003 without any problems.

    Treatment part 2


    We put the patches on the server and on all computers on the network. Instead of the error
    "Application error svchost.exe, version 5.2.3790.3959, kernel32.dll module, version 5.2.3790.3959, address 0x0006beb8."
    we now get the warning
    "Report queuing error: application error svchost.exe, version 5.2.3790.3959, kernel32.dll module, version 5.2.3790.3959, address 0x0006beb8."

    Total


    In principle, the problem is solved and the ticket can be closed. But (!) since the attacks continue, the virus is still active somewhere. I would like to ask the Habr community about this: how do you identify the infected computer on the network?
    It is logical to assume that you need to listen on port 445, and whoever is probing it is the culprit. But a lot of things are accessed on the server: people open, edit, create, save, view... How do you separate normal port 445 traffic from the malicious kind?
    I am waiting for advice in the comments, and I hope that in future my article helps someone deal with this problem quickly.
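    One heuristic for the question above, added here as an example and not part of the original article: a scanning worm has to contact many distinct hosts on port 445 in a short time, while a workstation that merely uses file shares talks to one or two servers. The script reads constructed firewall-style connection records and flags sources with high port 445 fan-out; the record format, the 5-minute window and the threshold of 5 hosts are assumptions, and an administrator's tooling that legitimately sweeps the network would need to be whitelisted.

```python
# Added example (not from the original article): a fan-out heuristic for
# spotting worm-like SMB scanning. A host that merely uses file shares talks
# to one or two servers; a scanning host touches many distinct hosts on 445
# in a short time. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall-style connection records:
# "<date> <time> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2009-03-02 09:00:01 10.0.0.21 -> 10.0.0.5:445
2009-03-02 09:00:07 10.0.0.21 -> 10.0.0.5:445
2009-03-02 09:01:12 10.0.0.22 -> 10.0.0.5:445
2009-03-02 09:01:15 10.0.0.37 -> 10.0.0.5:445
2009-03-02 09:01:16 10.0.0.37 -> 10.0.0.6:445
2009-03-02 09:01:16 10.0.0.37 -> 10.0.0.7:445
2009-03-02 09:01:17 10.0.0.37 -> 10.0.0.8:445
2009-03-02 09:01:17 10.0.0.37 -> 10.0.0.9:445
2009-03-02 09:01:18 10.0.0.37 -> 10.0.0.10:445
2009-03-02 09:05:00 10.0.0.21 -> 10.0.0.5:80
"""

def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    date, clock, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, src, dst_ip, int(dst_port)

def find_smb_scanners(log_text, window=timedelta(minutes=5), min_targets=5):
    """Return {src_ip: distinct_targets} for every source that reached
    `min_targets` distinct hosts on port 445 within any `window`."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if line.strip():
            when, src, dst_ip, port = parse_line(line)
            if port == 445:  # only SMB connections count towards fan-out
                events[src].append((when, dst_ip))
    suspects = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct destinations reached within `window` of this hit
            targets = {dst for when, dst in hits[i:] if when - start <= window}
            if len(targets) >= min_targets:
                suspects[src] = len(targets)
                break
    return suspects
```

    With the sample above only 10.0.0.37 is reported; the two hosts that repeatedly open shares on a single server are not.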

    P.S.: Automatic Updates was running and the 2003 server was up to date; for some reason this patch is not pulled down by everyone.
