• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 195
  • Last Modified:

svchostes has taken over my computer!

Hi All - My home network has been seized by a group of disruptive functions: services (4 occasions running), svchostes.exe (3 occasions running), and svchost (6 occasions running). I can no longer drag & drop. I can no longer display network properties. And none of my software works. I have run NAV (fully up with SARC on CD), HijackThis shows "nothing suspicious", Spybot shows only DSO exploit, CWShredder says all is well. This is a Win 2K system. I have cleaned the svcservices from the registry as suggested on a Google search. Now I am stumped. Any ideas? Thanks, Pat
Asked by PFSullivan

1 Solution
 
SheharyaarSaahil commented:
Hello PFSullivan =)

>> svchostes.exe (3 occasions running)
This is the crap file. Did you remove its registry entries and the file itself from safe mode?
0
 
SheharyaarSaahil commented:
OK, read the ADVANCED section here on this svchostes.exe >> http://www.sophos.com/virusinfo/analyses/w32rbotnb.html
0
 
PFSullivan (Author) commented:
Hi SheharyaarSaahil - I removed the registry entries, but I cannot find a file by that name on the system. It will not let me search, so I looked in WINNT, system, system32. Where is this devil?

Thanks, Pat
0
 
SheharyaarSaahil commented:
It should be in C:\WINNT\System32.
Did you turn on the Show Hidden Files feature before looking for it?
0
 
PFSullivan (Author) commented:
I have turned on "view all". I have SVCHOST and svcpacd.dll, but no svchostes.
0
 
SheharyaarSaahil commented:
Hmmm, OK, but it's running in Task Manager, and if it's running then use this tool to learn about it >> http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
0
 
PFSullivan (Author) commented:
OK S - I have downloaded that to my notebook. Sadly, the evil thing has killed my internet, so I'm off to find some floppies.
I'll be back - Thanks
0
 
Zaheer Iqbal (Technical Assurance & Implementation) commented:
Try safe mode, then ending each task, then try searching for it and removing the culprit...
Have you tried this? I think it's better than NAV: www.free-av.com
0
 
PFSullivan (Author) commented:
Hi All - I ran the procexp program and killed the service.exe process tree. It did not help and did not locate the file for me. Perhaps I am using the tool incorrectly.
To 1stITMAN - Unfortunately, I have no web access on that system and the file is much too big for floppies. Thanks - all help appreciated.
Safe mode will not allow me to stop the services.exe process.
The system will no longer boot to normal mode - safe only, and it takes about 20 mins.
Ugly!!

0
 
SheharyaarSaahil commented:
You mean you can work on your system only from safe mode, and this svchostes.exe is running in safe mode also?
Also, why are you terminating services.exe? It's a valid process!! :)
And have you disconnected this machine from the network already?
0
 
PFSullivan (Author) commented:
Correct - it will not boot to a desktop.
It stops after network connections and the screen stays blue.
The process I was closing is called "service", not "services". Service is running multiple times, even in safe mode, as is svchostes.
I have disconnected that system from all others and removed all items from startup.
It's very strange.


0
 
SheharyaarSaahil commented:
Hmmmm =\

OK, do one thing: as Win2000 has no msconfig, get it from here >> http://www.perfectdrivers.com/howto/msconfig.html
Put it on a floppy and transfer it to your system, run it, and look in the Startup and Services sections to see if you can find any application related to these processes.
0
 
PFSullivan (Author) commented:
Hi SheharyaarSaahil - I keep a copy of MSConfig on floppy. That's how I removed all from startup. I removed EVERYTHING!
I'm stumped - and I always appreciate your help!
Thanks
0
 
SheharyaarSaahil commented:
But how are they running in safe mode also? I'm stumped also, because third-party services and applications don't run in safe mode, only necessary Microsoft services and that's all!!

I can think that they can be from viruses, but they shouldn't be present in safe mode. If they are running in safe mode, how can we remove them? They will surely come back =\

How many systems do you have in networking? Is this the only machine that has this infection?
And you ran NAV, which came up clean; can I ask you to run Stinger >> http://vil.nai.com/vil/stinger
0
 
PFSullivan (Author) commented:
Hi All - I did run the Stinger - no luck - BUT GOOD NEWS - I found the execution program in the autoexec.nt. I have never heard of this before. The bat (or nt) file had been adjusted and there was a program called 'sequence' in the win dir. I only caught it by sorting the WINNT sub by date.

The line read    f:\ stop sequence 811-1/ begin : take

I deleted this line, searched for the program and deleted it, and the problem seems to have gone away. I am clueless!

But as always, I appreciate that you good folks share your knowledge.

best, Pat
0
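The two checks that finally cracked this, looking in autoexec.nt for a line that does not belong and sorting the Windows directory by modification date so a freshly dropped file stands out, written up as an added Python example. This is not the poster's or Experts Exchange's own tooling. The stock autoexec.nt command list is my assumption of what a clean Windows 2000 install contains, the file listing and timestamps are constructed for the example, and the only "bad" line in the sample file is the one the poster quoted above.

```python
"""Added example: two cheap triage checks for a suspected autoexec.nt
persistence entry and a recently dropped file under %SystemRoot%.
Baseline and sample data are assumptions constructed for this example."""
import os
from datetime import datetime, timedelta

# Assumed stock autoexec.nt commands on Windows 2000 (compared lower-cased).
KNOWN_AUTOEXEC_NT_COMMANDS = {
    "lh %systemroot%\\system32\\mscdexnt.exe",
    "lh %systemroot%\\system32\\redir",
    "lh %systemroot%\\system32\\dosx",
}

ONE_WEEK = timedelta(days=7)


def unexpected_autoexec_lines(text):
    """Return non-empty, non-comment lines of an autoexec.nt that are not in
    the stock baseline. Each one is a candidate startup/persistence entry."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low == "@echo off":
            continue
        if low == "rem" or low.startswith("rem "):
            continue  # comment line
        if low not in KNOWN_AUTOEXEC_NT_COMMANDS:
            unexpected.append(line)
    return unexpected


def newest_first(entries):
    """entries: iterable of (path, mtime as datetime). Newest change first,
    the same view the poster got by sorting WINNT by date."""
    return sorted(entries, key=lambda e: e[1], reverse=True)


def modified_within(entries, now, window):
    """Entries modified within `window` before `now`, newest first."""
    cutoff = now - window
    return [e for e in newest_first(entries) if e[1] >= cutoff]


def collect_mtimes(root):
    """Walk a real directory tree and yield (path, mtime) pairs that can be
    fed to newest_first()/modified_within(). Not used by the demo below."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                yield full, datetime.fromtimestamp(os.path.getmtime(full))
            except OSError:
                continue  # file vanished or is unreadable; skip it


# --- constructed sample data (assumption, not taken from a real system) ---
SAMPLE_AUTOEXEC_NT = """@echo off
REM AUTOEXEC.NT is used to initialize the MS-DOS environment.
lh %SystemRoot%\\system32\\mscdexnt.exe
lh %SystemRoot%\\system32\\redir
lh %SystemRoot%\\system32\\dosx
f:\\ stop sequence 811-1/ begin : take
"""

NOW = datetime(2004, 11, 1, 12, 0, 0)  # constructed "current" time
SAMPLE_ENTRIES = [
    ("C:\\WINNT\\explorer.exe", NOW - timedelta(days=400)),
    ("C:\\WINNT\\system32\\autoexec.nt", NOW - timedelta(days=2)),
    ("C:\\WINNT\\sequence.exe", NOW - timedelta(days=2, hours=1)),
    ("C:\\WINNT\\notepad.exe", NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for line in unexpected_autoexec_lines(SAMPLE_AUTOEXEC_NT):
        print("autoexec.nt: unexpected ->", line)
    for path, mtime in modified_within(SAMPLE_ENTRIES, NOW, ONE_WEEK):
        print(mtime.isoformat(), path)
```

Against a real box you would read %SystemRoot%\system32\autoexec.nt (and config.nt, which the same 16-bit subsystem loads) into `unexpected_autoexec_lines`, and feed `collect_mtimes(r"C:\WINNT")` into `modified_within` with a window covering the time the symptoms started; the baseline set is the part to adjust if the machine legitimately adds its own DOS-subsystem commands.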
 
SheharyaarSaahil commented:
Wowwww PFSullivan, what a unique problem and what a fantastic solution.... I'm really impressed :)
Thanks for sharing this with us..... and congrats on a superb job!! =)

Now you can go to the Support area and ask for a refund for this question, as you have solved the problem yourself :)
For more info on how to close a question, please refer here >> http://www.experts-exchange.com/help.jsp#hs5
Cheers ^_^
0
 
PFSullivan (Author) commented:
Thanks for the compliment, SheharyaarSaahil - coming from you that is HIGH praise. The truth is I got lucky because I am an old DOS and Novell 3.11 guy, so I look for the change dates on the files.

I always appreciate your input and your solutions - no refund ever required considering how often you guys save my BT!

regards, Pat
0
 
SheharyaarSaahil commented:
>> The truth is I got lucky because I am an old DOS and Novell 3.11 guy
Hmmmm, means I should start learning DOS ;-)

>> No refund ever required considering how often you guys save my BT!
If you do not close this now, it will be considered Abandoned, and it is quite possible that it will get deleted.... and I really don't want this solution to be lost from the EE database.... so the best thing to do is to ask a Mod to PAQ this question and refund your points by accepting your comment as the answer, so that people in future can benefit from this PAQ :)

I hope you understand my point of view now :)
0
