PFSullivan
svchostes has taken over my computer !
Hi All - My home network has been seized by a group of disruptive functions: services (4 occasions running), svchostes.exe (3 occasions running), and svchost (6 occasions running). I can no longer drag & drop. I can no longer display network properties. And none of my software works. I have run NAV (fully up with SARC on CD), hijackthis shows "nothing suspicious" - Spybot shows only DSO exploit. CWshredder says all is well. This is a Win 2K system. I have cleaned the svcservices from the registry as suggested on google search - Now I am stumped - Any ideas ? Thanks, Pat
ok read the ADVANCED section here on this svchostes.exe >> http://www.sophos.com/virusinfo/analyses/w32rbotnb.html
ASKER
Hi SheharyaarSaahil I removed the registry entries but I can not find a file by that name on the system. It will not let me search - so I looked in WINNT, system, system32 - where is this devil?
Thanks, Pat
it shud be in C:\WINNT\System32
did u turn on the Show Hidden Files feature before looking for it ??
ASKER
I have turned on the "view all" _ I have SVCHOST and svcpacd.dll - but no svchostes
hmmmmmm ok but its running in task manager, and if its running then use this tool to know abt it >> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
ASKER
OK S - I have downloaded that to my notebook - sadly, the evil thing has killed my internet - so I'm off to find some floppies
I'll be back - Thanks
Try safe mode then ending each task, then try searching for it and removing the culprit...
Have you tried this I think its better than NAV www.free-av.com
ASKER
Hi All - I ran the procexp program and killed the service.exe process tree. It did not help and did not locate the file for me. Perhaps I am using the tool incorrectly.
To 1stITMAN - Unfortunately, I have no web access on that system and the file is much too big for floppies. Thanks - all help appreciated
Safe mode will not allow me to stop the services.exe process
The system will no longer boot to normal mode - safe only and takes about 20 mins.
Ugly !!
u mean u can work on ur system only from safemode, and this svchostes.exe is running in safemode also ??
also why are u terminating services.exe,,, its a valid process !! :)
and have u disconnected this machine from the network already ??
ASKER
Correct - It will not boot to a desktop.
It stops after network connections and the screen stays blue.
The process I was closing is called "service" not services. Service is running multiple times - even in safe mode as is svchostes.
I have disconnected that system from all others and removed all items from startup.
It's very strange
hmmmmmm =\
ok do one thing, as win2000 has no msconfig, get it from here >> http://www.perfectdrivers.com/howto/msconfig.html
put it on a floppy and transfer it to ur system, run it and look in the Startup and Services section, if u can see any application related to these processes ??
ASKER
Hi SheharyaarSaahil - I keep a copy of MSConfig on floppy - That's how I removed all from startup. I removed EVERYTHING !
I'm stumped - And I always appreciate your help !
Thanks
but how they are running in safemode also,,, im stumped also, coz third party services and applications dont run in safemode,,,,, only necessary microsoft services and that's all !!
I can think that they can be from viruses,,,,, but they shudn't be present in safemode,,,, if they are running in safemode, how can we remove them, they will surely come back =\
how many systems do u have in networking, is this the only machine that has this infection ??
and u ran NAV which came as clean, can i ask to run stinger >> http://vil.nai.com/vil/stinger
ASKER
Hi All - I did run the stinger - no luck - BUT GOOD NEWS - I found the execution program in the autoexec.nt. I have never heard of this before. The bat (or nt) file had been adjusted and there was a program called 'sequence' in the win dir. I only caught it by sorting the WINNT sub by date -
The line read f:\ stop sequence 811-1/ begin : take
I deleted this line, searched for the program and deleted it - and the problem seems to have gone away - I am clueless!
But as always - I appreciate that you good folks share your knowledge
best, Pat
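The two clues that cracked this case, process names that imitate system binaries and sorting the WINNT directory by change date, can be scripted for triage. The following is an added example, not part of the original thread; the function names, the 0.8 similarity threshold and the 14-day window are assumptions chosen for illustration.

```python
import os
import sys
import time
from difflib import SequenceMatcher

# Genuine system binaries named in this thread; extend the set for real use.
KNOWN_GOOD = {"svchost.exe", "services.exe"}


def lookalike_of(name, threshold=0.8):
    """Return the system binary that `name` imitates, or None.

    An exact match is the real name and is not flagged; a near miss such as
    'svchostes.exe' or 'service' is.
    """
    base = name.lower()
    if "." not in base:
        base += ".exe"  # Task Manager style names may lack the extension
    if base in KNOWN_GOOD:
        return None
    score, good = max((SequenceMatcher(None, base, g).ratio(), g)
                      for g in KNOWN_GOOD)
    return good if score >= threshold else None


def recent_changes(root, days=14, now=None):
    """List (mtime, path, imitated_name) for files under `root` modified in
    the last `days`, newest first: the 'sort by date' check, automated."""
    cutoff = (now or time.time()) - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # locked or vanished file: skip, keep scanning
            if mtime >= cutoff:
                hits.append((mtime, path, lookalike_of(fn)))
    return sorted(hits, key=lambda h: h[0], reverse=True)


if __name__ == "__main__":
    # Usage: python triage.py C:\WINNT   (the path is supplied by the caller)
    for mtime, path, imitates in recent_changes(sys.argv[1]):
        note = f"  <-- imitates {imitates}" if imitates else ""
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path, note)
```

Modification times can be reset by malware, so an empty result does not prove a clean system; startup files such as autoexec.nt deserve a manual read even when their dates look old.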
wowwww PFSullivan, what a unique problem and what a Fantastic solution.... im really impressed :)
thanx for sharing this with us..... and Congrats on a Superb Job !! =)
Now you can go to Support area and can ask for a refund for this question as you have solved the problem yourself :)
for more info. on how to close a Question, plzz refer here >> https://www.experts-exchange.com/help.jsp#hs5
Cheers ^_^
ASKER
Thanks for the compliment SheharyaarSaahil - Coming from you that is HIGH Praise - The truth is I got lucky cause I am old DOS and Novell 3.11 guy - So I look for the change dates on the files.
I always appreciate your input and your solutions - No refund ever required considering how often you guys save my BT !
regards, Pat
ASKER CERTIFIED SOLUTION
>> svchostes.exe (3 occasions running)
this is the crap file,,,,, did u remove its registry entries and this file itself from safemode ??