Solved

svchostes has taken over my computer !

Posted on 2004-10-17
Last Modified: 2010-04-12
Hi All -  My home network has been seized by a group of disruptive functions: services (4 occasions running), svchostes.exe (3 occasions running), and svchost (6 occasions running).  I can no longer drag & drop. I can no longer display network properties. And none of my software works.  I have run NAV (fully up with SARC on CD), hijackthis shows "nothing suspicious" - Spybot shows only DSO exploit. CWshredder says all is well. This is a Win 2K system. I have cleaned the svcservices from the registry as suggested on google search - Now I am stumped - Any ideas ?   Thanks,  Pat
Question by:PFSullivan
18 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335702
Hello PFSullivan =)

>> svchostes.exe (3 occassions running)
this is the crap file,,,,, did u remove its registry entries and this file itself from safemode ??
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335717
ok read the ADVANCED section here on this svchostes.exe >> http://www.sophos.com/virusinfo/analyses/w32rbotnb.html
0
 

Author Comment

by:PFSullivan
ID: 12335755
Hi SheharyaarSaahil   I removed the registry entries but  I can not find a file by that name on the system.  It will not let me search - so I looked in WINNT, system, system32 - where is this devil?

Thanks, Pat
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335768
it shud be in C:\WINNT\System32
did u turn on the Show Hidden Files feature before looking for it ??
0
 

Author Comment

by:PFSullivan
ID: 12335787
I have turned on the "view all" _ I have SVCHOST and svcpacd.dll - but no svchostes
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12335796
hmmmmmm ok but its running in task manager, and if its running then use this tool to know abt it >> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
0
 

Author Comment

by:PFSullivan
ID: 12335831
OK S - I have downloaded that to my notebook - sadly, the evil thing has killed my internet - so I'm off to find some floppies
I'll be back - Thanks
0
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12336738
Try safe mode then ending each task, then try searching for it and removing the culprit...
Have you tried this I think its better than NAV  www.free-av.com
0
 

Author Comment

by:PFSullivan
ID: 12338232
Hi All - I ran the procexp program and killed the service.exe process tree. It did not help and did not locate the file for me. Perhaps I am using the tool incorrectly.
To 1stITMAN - Unfortunately, I have no web access on that system and the file is much too big for floppies.  Thanks - all help appreciated
Safe mode will not allow me to stop the services.exe process
The system will no longer boot to normal mode - safe only and takes about 20 mins.
Ugly !!

0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12341457
u mean u can work on ur system only from safemode, and this svchostes.exe is running in safemode also ??
also why are u terminating services.exe,,, its a valid process !! :)
and have u disconnected this machine from the network already ??
0
 

Author Comment

by:PFSullivan
ID: 12341730
Correct - It will not boot to a desktop.
It stops after network connections and the screen stays blue.
The process I was closing is called "service" not services. Service is running multiple times - even in safe mode as is svchostes.
I have disconnected that system from all others and removed all items from startup.
It's very strange


0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12341836
hmmmmmm =\

ok do one thing, as win2000 has no msconfig, get it from here >> http://www.perfectdrivers.com/howto/msconfig.html
put it on a floppy and transfer it to ur system, run it and look in the Startup and Services section, if u can see any application related to these processes ??
0
 

Author Comment

by:PFSullivan
ID: 12343052
Hi SheharyaarSaahil  - I keep a copy of MSConfig on floppy - That's how I removed all from startup. I removed EVERYTHING !
I'm stumped - And I always appreciate your help !
Thanks
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12343285
but how they are running in safemode also,,, im stumped also, coz third party services and applications dont run in safemode,,,,, only necessary microsoft services and that's all !!

I can think that they can be from viruses,,,,, but they shudn't be present in safemode,,,, if they are running in safemode, how can we remove them, they will surely come back =\

how many systems do u have in networking, is this the only machine that has this infection ??
and u ran NAV which came as clean, can i ask to run stinger >> http://vil.nai.com/vil/stinger
0
 

Author Comment

by:PFSullivan
ID: 12550832
Hi All - I did run the stinger - no luck - BUT GOOD NEWS - I found the execution program  in the autoexec.nt. I have never heard of this before. The bat (or nt) file had been adjusted and there was a program called 'sequence'  in the win dir.  I only caught it by sorting the WINNT sub by date -


The line read    f:\ stop sequence 811-1/ begin : take

I deleted this line, searched for the program and deleted it - and the problem seems to have gone away - I am clueless!

But as always - I appreciate that you good folks share your knowledge

best,  Pat



 
0
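The thread ends with the author finding the culprit by hand: a process named like a Windows core binary, a Run-key cleanup, and finally an altered autoexec.nt spotted by sorting %SystemRoot% by date. The script below is an added example, not code posted by anyone in the thread, that automates that same read-only triage on a current Windows box (PowerShell did not exist for Win 2K, so this is what the same checks look like today). It assumes Windows PowerShell 5.1 or later and an elevated prompt; the list of core image names, the 30-day window and the 2-edit lookalike threshold are illustrative choices, not values from the post.

```powershell
<#
  Added triage example (not from the thread). Read-only: it lists, it does not kill or delete.
  Assumptions: PowerShell 5.1+, run elevated; $CoreNames, $DaysBack and $MaxEdits are illustrative.
#>
[CmdletBinding()]
param(
    [int]$DaysBack = 30,   # window for "recently changed" files
    [int]$MaxEdits = 2     # svchostes vs svchost = 2 edits, service vs services = 1
)

$System32  = Join-Path $env:SystemRoot 'System32'
$CoreNames = @('svchost', 'services', 'lsass', 'csrss', 'winlogon', 'smss', 'explorer', 'spoolsv')

function Get-EditDistance {
    # Levenshtein distance, inlined so the script needs no module. Callers pass lower-case names.
    param([string]$A, [string]$B)
    $d = New-Object 'int[,]' -ArgumentList ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Find-LookalikeProcess {
    # (a) a core name whose image lives outside %SystemRoot%, or (b) a name within $MaxEdits of a
    # core name (svchostes.exe, service.exe). Kernel/protected processes expose no path; they are
    # still checked by name. Signature status is the quickest tie-breaker for a real svchost.exe.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $name = [IO.Path]::GetFileNameWithoutExtension($p.Name).ToLowerInvariant()
        $path = $p.ExecutablePath
        $reason = $null
        if ($CoreNames -contains $name) {
            if ($path -and -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $reason = 'core name outside %SystemRoot%'
            }
        } else {
            $near = @($CoreNames | Where-Object { (Get-EditDistance $name $_) -le $MaxEdits })
            if ($near.Count -gt 0) { $reason = "name resembles $($near -join ', ')" }
        }
        if (-not $reason) { continue }
        $sig = if ($path -and (Test-Path -LiteralPath $path)) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $path; Signature = $sig; Reason = $reason; CommandLine = $p.CommandLine }
    }
}

function Get-RunKeyEntry {
    # The registry autostart locations the thread was cleaning by hand (msconfig "Startup" view).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($prop in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-NtvdmStartupLine {
    # autoexec.nt (where the post found its bad line) and config.nt: run by NTVDM whenever a
    # 16-bit/DOS program starts, so they survive a Run-key cleanup. Absent on 64-bit Windows.
    # $baseline is an assumed description of the stock contents; anything else gets Standard=False.
    $baseline = '^(@?echo|rem\b|set\s|lh\s+%SystemRoot%|dos=|device=%SystemRoot%|files=)'
    foreach ($file in 'autoexec.nt', 'config.nt') {
        $full = Join-Path $System32 $file
        if (-not (Test-Path -LiteralPath $full)) { continue }
        $n = 0
        foreach ($line in Get-Content -LiteralPath $full) {
            $n++; $text = $line.Trim()
            if (-not $text) { continue }
            [pscustomobject]@{ File = $file; Line = $n; Standard = [bool]($text -imatch $baseline); Text = $text }
        }
    }
}

function Get-RecentlyChangedFile {
    # The author's own trick, sorting the Windows directory by date. -Force includes hidden files.
    # Timestamps can be forged, so treat a hit as a lead to hash and inspect, not as proof.
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    Get-ChildItem -LiteralPath $env:SystemRoot, $System32 -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

Write-Host '== Processes with core-looking names =='
Find-LookalikeProcess | Format-Table -AutoSize
Write-Host '== Run / RunOnce entries =='
Get-RunKeyEntry | Format-Table -AutoSize
Write-Host '== autoexec.nt / config.nt lines (Standard=False deserves a look) =='
Get-NtvdmStartupLine | Format-Table -AutoSize
Write-Host "== Files under $env:SystemRoot changed in the last $DaysBack days =="
Get-RecentlyChangedFile | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect machine (it works in safe mode too, since it only reads WMI, the registry and the file system). Expect a few benign hits in the first table: legitimate names such as sihost.exe fall within two edits of svchost, which is why the Path and Signature columns are printed rather than the name alone. The script deliberately does not terminate or delete anything; once a process or file is confirmed bad, the thread's own advice still applies: take the box off the network and clean from safe mode or offline media.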
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12550962
wowwww PFSullivan, what a unique problem and what a Fantastic solution.... im really impressed :)
thanx for sharing this with us..... and Congrats on a Superb Job !! =)

Now you can goto Support area and can ask for a refund for this question as you have solved the problem yourself :)
for more info. on how to close a Question, plzz refer here >> http://www.experts-exchange.com/help.jsp#hs5
Cheers ^_^
0
 

Author Comment

by:PFSullivan
ID: 12551131
Thanks for the compliment  SheharyaarSaahil  -   Coming from you that is HIGH Praise -  The truth is I got lucky cause I am old DOS and Novell 3.11 guy - So I look for the change dates on the files.  

I always appreciate your input and your solutions -  No refund ever required considering how often you guys save my BT !

regards,  Pat
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 2000 total points
ID: 12551749
>> The truth is I got lucky cause I am old DOS and Novell 3.11 guy
hmmmmm means i shud start learning DOS ;-)

>> No refund ever required considering how often you guys save my BT !
If you will not close this now... this will be considered as Abandoned, and quite possible that it will get deleted.... and i really don't want that this solution will be lost from EE database.... so the best thing to do is to ask a Mod to PAQ this question and refund your points by Accepting your comment as Answer so that the people in future can take benefit from this PAQ :)

I hope you are understanding my point of view now :)
0

Question has a verified solution.
