
This article was written so that those who come after me do not step on the same rake I stepped on.
If the network neighbourhood on your server or workstation stops opening with the error "None of the network access services can handle the network path", read on.
Symptoms:
One day a user called me and said that he could not connect to the main server over Samba (he did not put it in quite those words, but that was the gist), although the server pinged perfectly and all the necessary ports were open. After rebooting the server (a full Achtung in the middle of a working day) it worked for about an hour, and then the error came back. On the server itself, trying to open any computer over the network (a \\ path) produced the error "None of the network access services can handle the network path".
Anamnesis
As mentioned earlier, port 445 was open. The wording "None of the ... services" suggested that the problem was in the services :)
So we go into Services and see the following: the Server, Workstation and Computer Browser services have stopped. We start them, it works, and after 10-15 minutes they stop again. In the application log we see the error
“Svchost.exe application error, version 5.2.3790.3959, kernel32.dll module, version 5.2.3790.3959, address 0x0006beb8.”
immediately after which the services stop.
Differential diagnosis 1
We google...
We come to the unambiguous conclusion that the cause of it all is the Kido virus, which attacks computers on the network via port 445 and triggers a buffer overflow. The solution is to run
kk.exe on all computers on the network. kk.exe is Kaspersky's tool for removing the Kido virus. Kaspersky Anti-Virus itself does not get along with it at all: I ran a scan and Kaspersky found no threats, but kk.exe found it and apparently cleaned it.
Treatment
Having gone through all the computers on the network and run kk, we found and cleaned a lot of this virus. In addition, to protect the computers against reinfection, we launched kk in monitoring mode ("kk -m") and added it to startup. After all these manipulations we breathed a sigh of relief and wanted to rest, but no such luck. The services began to stop less often, but that did not make things any easier! By the way, a temporary workaround is to open the properties of one of the services and set "restart" in all fields of the Recovery tab. The services still stop, but are restored almost immediately.
Differential diagnosis 2
So I began to think about why the services stop in batches, and what unites these services. The answer turned out to be simple: all of them are started by the same svchost.exe. Here is the complete list:
• Computer Browser (!)
• Cryptographic Services
• Logical Disk Manager
• COM+ Event System
• Help and Support
• Server (!)
• Workstation (!)
• Network Connections (!)
• Network Location Awareness
• Task Scheduler (!)
• Secondary Logon
• System Event Notification
• Shell Hardware Detection
• Distributed Link Tracking Client
• Windows Management Instrumentation
• Automatic Updates
• Wireless Configuration
The idea went further. Since there were no more viruses on the server, the virus must still be on some computers on the network, and it keeps attacking the server. But why does the server fall over from this? So there is some kind of hole, and if there is a hole, there must be a patch.
With some difficulty I found such a patch for WinXP,
KB958644, and knowing the name of the patch, I found the one for
Win2003 without any problems.
Treatment part 2
We put the patches on the server and all computers on the network. Instead of the error
“Svchost.exe application error, version 5.2.3790.3959, kernel32.dll module, version 5.2.3790.3959, address 0x0006beb8.”
a warning began to appear:
“Reporting of a queuing error: application error svchost.exe, version 5.2.3790.3959, module kernel32.dll, version 5.2.3790.3959, address 0x0006beb8.”
Bottom line
In principle the problem is solved and we could sign off. But (!) since the attacks continue, the virus is still operating somewhere. Here I would like to ask the Habr community: how do you identify an infected computer on the network?
It is logical to assume that you need to listen on port 445: whoever comes knocking is the one to grab. But a lot goes on on the server: people connect, edit, create and browse all the time... How can the normal port 445 traffic be separated from the malicious traffic?
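One way to answer that question, as an added example that is not part of the original post: ordinary users talk to one or two servers repeatedly, while a Kido-style worm probing the subnet fans out to many distinct hosts on port 445 within seconds (including hosts that do not answer). The script below assumes a Windows Firewall pfirewall.log-style line format (the sample lines are constructed) and the window/fan-out thresholds are assumptions to tune for your network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Windows Firewall (pfirewall.log) field order:
# date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LOG = """\
2009-02-10 09:00:01 OPEN TCP 192.168.1.20 192.168.1.5 1040 445 - - - - - - - -
2009-02-10 09:00:05 OPEN TCP 192.168.1.20 192.168.1.5 1041 445 - - - - - - - -
2009-02-10 09:00:09 OPEN TCP 192.168.1.21 192.168.1.5 1122 445 - - - - - - - -
2009-02-10 09:00:10 OPEN TCP 192.168.1.77 192.168.1.1 1500 445 - - - - - - - -
2009-02-10 09:00:10 OPEN TCP 192.168.1.77 192.168.1.2 1501 445 - - - - - - - -
2009-02-10 09:00:11 DROP TCP 192.168.1.77 192.168.1.3 1502 445 - - - - - - - -
2009-02-10 09:00:11 OPEN TCP 192.168.1.77 192.168.1.4 1503 445 - - - - - - - -
2009-02-10 09:00:12 OPEN TCP 192.168.1.77 192.168.1.5 1504 445 - - - - - - - -
2009-02-10 09:00:12 DROP TCP 192.168.1.77 192.168.1.6 1505 445 - - - - - - - -
2009-02-10 09:00:30 OPEN TCP 192.168.1.20 192.168.1.9 1042 139 - - - - - - - -
"""

def parse(log_text):
    """Yield (timestamp, action, src, dst, dst_port) for TCP lines; skip comments/blank."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "TCP":
            continue
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[2], f[4], f[5], int(f[7])

def find_scanners(log_text, port=445, window=timedelta(seconds=60), fanout=5):
    """Return {src: distinct_dst_count} for sources that reached >= `fanout`
    distinct hosts on `port` within `window`. DROP lines count too: a worm
    probing addresses that do not answer is itself a scan signal."""
    events = defaultdict(list)
    for ts, _, src, dst, dport in parse(log_text):
        if dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - t0 <= window}
            if len(seen) >= fanout:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged
```

On the sample, 192.168.1.77 is flagged (six distinct hosts in two seconds) while the users hitting the file server repeatedly are not; feed it the real log and check the flagged hosts with kk.exe.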
I am waiting for advice in the comments, and I hope that in the future my article will help someone to quickly deal with this problem.
P.S. Automatic Updates was on and 2003 was being updated; for some reason this patch does not come down together with the rest.