Solved

svchostes has taken over my computer !

Posted on 2004-10-17
18
166 Views
Last Modified: 2010-04-12
Hi All - My home network has been seized by a group of disruptive functions: services (4 occasions running), svchostes.exe (3 occasions running), and svchost (6 occasions running). I can no longer drag & drop. I can no longer display network properties. And none of my software works. I have run NAV (fully up with SARC on CD), HijackThis shows "nothing suspicious" - Spybot shows only DSO exploit. CWShredder says all is well. This is a Win 2K system. I have cleaned the svcservices from the registry as suggested on a Google search - Now I am stumped - Any ideas? Thanks, Pat
0
Question by:PFSullivan
18 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335702
Hello PFSullivan =)

>> svchostes.exe (3 occassions running)
This is the crap file. Did you remove its registry entries and the file itself from safe mode?
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335717
OK, read the ADVANCED section here on this svchostes.exe >> http://www.sophos.com/virusinfo/analyses/w32rbotnb.html
0
 

Author Comment

by:PFSullivan
ID: 12335755
Hi SheharyaarSaahil - I removed the registry entries but I cannot find a file by that name on the system. It will not let me search - so I looked in WINNT, system, system32 - where is this devil?

Thanks, Pat
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335768
It should be in C:\WINNT\System32.
Did you turn on the Show Hidden Files feature before looking for it?
0
 

Author Comment

by:PFSullivan
ID: 12335787
I have turned on the "view all" - I have SVCHOST and svcpacd.dll - but no svchostes.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335796
Hmmmmmm, OK, but it's running in Task Manager, and if it's running then use this tool to find out about it >> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
0
 

Author Comment

by:PFSullivan
ID: 12335831
OK S - I have downloaded that to my notebook - sadly, the evil thing has killed my internet - so I'm off to find some floppies.
I'll be back - Thanks
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12336738
Try safe mode, then ending each task, then try searching for it and removing the culprit...
Have you tried this? I think it's better than NAV: www.free-av.com
0
 

Author Comment

by:PFSullivan
ID: 12338232
Hi All - I ran the procexp program and killed the service.exe process tree. It did not help and did not locate the file for me. Perhaps I am using the tool incorrectly.
To 1stITMAN - Unfortunately, I have no web access on that system and the file is much too big for floppies. Thanks - all help appreciated.
Safe mode will not allow me to stop the services.exe process.
The system will no longer boot to normal mode - safe only, and takes about 20 mins.
Ugly !!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12341457
You mean you can work on your system only from safe mode, and this svchostes.exe is running in safe mode also?
Also, why are you terminating services.exe? It's a valid process !! :)
And have you disconnected this machine from the network already?
0
 

Author Comment

by:PFSullivan
ID: 12341730
Correct - It will not boot to a desktop.
It stops after network connections and the screen stays blue.
The process I was closing is called "service", not services. Service is running multiple times - even in safe mode, as is svchostes.
I have disconnected that system from all others and removed all items from startup.
It's very strange.
0
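The distinction Pat draws above (a process named "service" next to the legitimate "services", and "svchostes" next to "svchost") is the classic lookalike-name trick. The following is an added example, not code from this thread or from any tool mentioned in it: it takes a process list, normalises the names, and reports any name that is not a known Windows core process but sits within a couple of character edits of one. The process list is constructed to resemble what Pat described, not real Task Manager output, and the known-good set is a hand-picked assumption for a Windows 2000 box.

```python
"""Flag process names that impersonate well-known Windows system binaries.

Added example, not from the original thread. SAMPLE_PROCESSES is
constructed to resemble the poster's description; KNOWN_GOOD is an
assumed list of Windows 2000 core process names.
"""
from collections import Counter

# Assumed set of legitimate core process names (lower-case, no extension).
KNOWN_GOOD = {
    "system", "smss", "csrss", "winlogon", "services", "lsass",
    "svchost", "explorer",
}

# Constructed sample resembling the thread's Task Manager listing.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe",
    "svchost.exe", "svchost.exe", "svchost.exe",
    "svchost.exe", "svchost.exe", "svchost.exe",
    "svchostes.exe", "svchostes.exe", "svchostes.exe",
    "service.exe", "service.exe", "service.exe", "service.exe",
    "explorer.exe",
]


def normalize(name):
    """Lower-case the name and strip a trailing .exe so variants compare equal."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".exe") else n


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(processes, known=KNOWN_GOOD, max_distance=2):
    """Return {suspect: (closest_known_name, instance_count)} for every
    process name that is NOT in `known` but is within `max_distance`
    edits of a name that is. Exact matches are legitimate and skipped."""
    counts = Counter(normalize(p) for p in processes)
    suspects = {}
    for name, count in counts.items():
        if name in known:
            continue
        closest = min(known, key=lambda k: levenshtein(name, k))
        if levenshtein(name, closest) <= max_distance:
            suspects[name] = (closest, count)
    return suspects


if __name__ == "__main__":
    for bad, (good, n) in lookalikes(SAMPLE_PROCESSES).items():
        print(f"{bad!r} x{n} looks like {good!r}")
```

On the constructed list this reports "svchostes" (three instances, mimicking "svchost") and "service" (four instances, mimicking "services"); a second svchost.exe on a real box is normal and is deliberately not flagged, since the check is on the name, not the instance count. A distance threshold of 2 is enough for the suffix and dropped-letter tricks seen here; raising it starts to produce false positives on short names.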
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12341836
Hmmmmmm =\

OK, do one thing. As Win2000 has no msconfig, get it from here >> http://www.perfectdrivers.com/howto/msconfig.html
Put it on a floppy and transfer it to your system, run it and look in the Startup and Services sections. Can you see any application related to these processes?
0
 

Author Comment

by:PFSullivan
ID: 12343052
Hi SheharyaarSaahil - I keep a copy of MSConfig on floppy - That's how I removed all from startup. I removed EVERYTHING!
I'm stumped - And I always appreciate your help!
Thanks
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12343285
But how are they running in safe mode also? I'm stumped too, because third-party services and applications don't run in safe mode, only necessary Microsoft services and that's all!

I can think that they could be from viruses, but they shouldn't be present in safe mode. If they are running in safe mode, how can we remove them? They will surely come back =\

How many systems do you have in the network? Is this the only machine that has this infection?
And you ran NAV which came up clean; can I ask you to run Stinger >> http://vil.nai.com/vil/stinger
0
 

Author Comment

by:PFSullivan
ID: 12550832
Hi All - I did run the Stinger - no luck - BUT GOOD NEWS - I found the execution program in the autoexec.nt. I have never heard of this before. The bat (or nt) file had been adjusted and there was a program called 'sequence' in the win dir. I only caught it by sorting the WINNT sub by date -

The line read    f:\ stop sequence 811-1/ begin : take

I deleted this line, searched for the program and deleted it - and the problem seems to have gone away - I am clueless!

But as always - I appreciate that you good folks share your knowledge.

best, Pat

0
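Two things in Pat's find are reusable triage steps: sorting a system directory by modification date to surface a freshly dropped file, and diffing autoexec.nt against what the stock file should contain. The script below is an added example and not the poster's method or any product's code. It builds a throwaway fake %SystemRoot% in a temp directory (old-dated system files, one fresh file named "sequence", and an autoexec.nt containing the line Pat quoted), then runs both checks. The stock autoexec.nt line set is an assumption about what an unmodified Windows 2000/XP-era file contains; a legitimately edited file on a given machine will differ, so treat the baseline as something to adjust, not gospel. The dropped file's extension is unknown from the thread, so the example uses the bare name.

```python
"""Date-sort triage of a system directory plus an autoexec.nt baseline diff.

Added example, not from the original thread. The directory tree and the
autoexec.nt text are constructed in a temp dir; STOCK_AUTOEXEC_NT is an
assumed baseline of the unmodified Windows 2000/XP-era file.
"""
import os
import tempfile
import time
from pathlib import Path

# Assumed baseline: non-comment lines of a stock autoexec.nt.
STOCK_AUTOEXEC_NT = {
    "@echo off",
    "lh %SystemRoot%\\system32\\mscdexnt.exe",
    "lh %SystemRoot%\\system32\\redir",
    "lh %SystemRoot%\\system32\\dosx",
    "SET BLASTER=A220 I5 D1 P330 T3",
}

# Constructed sample: stock content plus the line the poster reported.
SAMPLE_AUTOEXEC_NT = (
    "@echo off\n"
    "REM AUTOEXEC.NT is used to initialize the MS-DOS environment.\n"
    "lh %SystemRoot%\\system32\\mscdexnt.exe\n"
    "lh %SystemRoot%\\system32\\redir\n"
    "lh %SystemRoot%\\system32\\dosx\n"
    "SET BLASTER=A220 I5 D1 P330 T3\n"
    "f:\\ stop sequence 811-1/ begin : take\n"
)


def recently_modified(root, since_epoch):
    """Paths under `root` whose mtime is at or after `since_epoch`, newest first.
    Unreadable entries are skipped rather than aborting the walk."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.path.getmtime(path)
            except OSError:
                continue
            if mtime >= since_epoch:
                hits.append((mtime, path))
    hits.sort(reverse=True)
    return [path for _, path in hits]


def unexpected_lines(text, baseline=STOCK_AUTOEXEC_NT):
    """Non-blank, non-REM lines of an autoexec.nt-style file missing from baseline."""
    found = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.upper().startswith("REM"):
            continue
        if stripped not in baseline:
            found.append(stripped)
    return found


def build_demo(tmp):
    """Construct a fake %SystemRoot%: year-old system files, one fresh drop,
    and a modified autoexec.nt. Returns the WINNT path."""
    root = Path(tmp) / "WINNT"
    (root / "system32").mkdir(parents=True)
    old = time.time() - 400 * 86400
    for rel in ("system32/svchost.exe", "system32/services.exe", "explorer.exe"):
        p = root / rel
        p.write_bytes(b"MZ")
        os.utime(p, (old, old))            # back-date the legitimate files
    (root / "sequence").write_bytes(b"MZ")  # fresh mtime: the dropped program
    (root / "system32" / "autoexec.nt").write_text(SAMPLE_AUTOEXEC_NT)
    return root


def demo(days=30):
    """Run both checks on the constructed tree; return (fresh basenames, extra lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo(tmp)
        fresh = recently_modified(root, time.time() - days * 86400)
        extra = unexpected_lines((root / "system32" / "autoexec.nt").read_text())
        return [os.path.basename(p) for p in fresh], extra


if __name__ == "__main__":
    fresh, extra = demo()
    print("modified in last 30 days:", fresh)
    print("non-stock autoexec.nt lines:", extra)
```

Only two files survive the date filter, the dropped "sequence" and the edited autoexec.nt itself, which is exactly the pair Pat found by eye; the baseline diff then isolates the one injected line. On a real box, point `recently_modified` at %SystemRoot% with a cutoff just before the symptoms began, and remember that mtime can be forged, so a clean date sort rules nothing out.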
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12550962
Wowwww PFSullivan, what a unique problem and what a fantastic solution.... I'm really impressed :)
Thanks for sharing this with us..... and congrats on a superb job !! =)

Now you can go to the Support area and ask for a refund for this question, as you have solved the problem yourself :)
For more info on how to close a question, please refer here >> http://www.experts-exchange.com/help.jsp#hs5
Cheers ^_^
0
 

Author Comment

by:PFSullivan
ID: 12551131
Thanks for the compliment SheharyaarSaahil - Coming from you that is HIGH praise - The truth is I got lucky 'cause I am an old DOS and Novell 3.11 guy - So I look for the change dates on the files.

I always appreciate your input and your solutions - No refund ever required considering how often you guys save my BT!

regards, Pat
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 12551749
>> The truth is I got lucky 'cause I am an old DOS and Novell 3.11 guy
Hmmmmm, means I should start learning DOS ;-)

>> No refund ever required considering how often you guys save my BT!
If you do not close this now, it will be considered abandoned, and quite possibly it will get deleted.... and I really don't want this solution to be lost from the EE database.... so the best thing to do is to ask a Mod to PAQ this question and refund your points by accepting your comment as the answer, so that people in future can benefit from this PAQ :)

I hope you understand my point of view now :)
0