TechSpot

Svchost.exe keeps dying

By RaineStraha
Oct 16, 2006
  1. Hi everybody, brand new to this site, but I need some major help with a seemingly small computer problem that is actually really getting on my nerves.

    Please move this to the appropriate forum if it is in the wrong section.

    Problem: svchost.exe and all the services tied to the cmdline argument "-k netsvcs" keep dying, but the other services are fine.

    I don't know if it will help much, but it takes about 2 hours for the services to die.

    hope this helps some




    Please help me
    -Raine
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your HJT log looks clean. However, there is malware that can hide from HJT. Go and read this thread HERE and post a fresh renamed HJT log as an attachment into this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. RaineStraha

    RaineStraha TS Rookie Topic Starter

    Thanks for the help. The new log is in attachment form, and some new developments have occurred: FTP.exe was found running in the background along with cmd.exe. Also, some files keep popping up, a.bat and a.exe; TMIS keeps finding them. winrar32.exe is also evident in my system. I don't know if it's one 3 12 or just a fluke, but I'm pretty sure this machine is in for it.



    thanks again for any and all help given
    -Raine
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=38.119.130.61:80 < Fix this if you didn't set this proxy yourself or don't know what it is.

    R3 - Default URLSearchHook is missing

    O4 - Startup: Adobe Gamma.lnk.disabled

    O4 - Global Startup: MA111 Configuration Utility.lnk.disabled

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECFA5A1-8651-49C3-A6FE-3C0FBD91289D}: NameServer = 216.68.4.10,216.68.5.10 < Only fix this if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Reboot your system.

    Other than the above, your HJT log is clean.

    Regards Howard :)

    This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
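
The two conditional fixes in the post above (the R1 proxy and the O17 name servers) can be checked mechanically. This is an added example, not part of the original thread and not HijackThis code; the allowlist parameters `own_proxies` and `isp_dns` are hypothetical, and the sample log is constructed from the entries quoted in the post.

```python
import re

# Constructed sample: the entries quoted in the post above, one per line,
# in the "<code> - <detail>" layout of a HijackThis log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=38.119.130.61:80
R3 - Default URLSearchHook is missing
O4 - Startup: Adobe Gamma.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk.disabled
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECFA5A1-8651-49C3-A6FE-3C0FBD91289D}: NameServer = 216.68.4.10,216.68.5.10
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entries(log_text):
    """Return (code, detail) pairs for every HijackThis-style entry line."""
    pairs = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def review_network_entries(log_text, own_proxies=(), isp_dns=()):
    """Flag R1 proxy and O17 NameServer addresses the user cannot account for.

    own_proxies and isp_dns are hypothetical allowlists supplied by the user:
    proxies they configured themselves and resolvers their ISP documents.
    """
    findings = []
    for code, detail in parse_entries(log_text):
        if code == "R1" and "ProxyServer" in detail:
            known, label = own_proxies, "proxy"
        elif code == "O17" and "NameServer" in detail:
            known, label = isp_dns, "nameserver"
        else:
            continue
        value = detail.partition("=")[2]  # text after the first "="
        unknown = [ip for ip in IPV4.findall(value) if ip not in known]
        if unknown:
            findings.append((code, label, unknown))
    return findings


if __name__ == "__main__":
    for finding in review_network_entries(SAMPLE_LOG):
        print(finding)
```

With empty allowlists every proxy and name server address is reported, which matches the advice to fix the entry only when the address is not one you set or not your ISP's.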
     
  5. RaineStraha

    RaineStraha TS Rookie Topic Starter

    Although that may help some underlying problems, I don't think it's gonna kill the a.exe, a.bat, and other problems I've been having: winrar32.exe, d[1].php, generic host process for win32 error. With that last one I found that only services tied to the registry entry "netsvcs" are canceled.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you give me the exact filepaths to your suspect files?


    Regards Howard :)
     
  7. RaineStraha

    RaineStraha TS Rookie Topic Starter

    Sadly not. However, I can tell you the name of one virus Trend picked up that a.exe was associated with, which was the bkdr_sdbot family, and that a.bat was found in the windows folder of c drive and winrar32.exe in c:\windows\system32.

    Is this just one guy messing with me using the same stuff, or is it a multitude of different viruses? Also, I can tell you that it all started with a file called dl.exe that could be found in the same folder as any application that was run during the initial infection period, but that was last year on a different machine. I believe strongly that it came over via infected jump drive although




    -Raine

    If I'm not making any sense please forgive me. This problem has me somewhat psychotic over the fact that I couldn't fix it myself, and if I can offer any help as to how I can see to it that this never happens to anyone else, I'll be sure to submit this to Trend Micro, Symantec and whoever else can stop it.

    As is, I wish painful death to the person that made this after they release the solution to this problem.
    But we've all been there, right?

    -Raine
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it to your desktop.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    c:\windows\system32\winrar32.exe is definitely nasty and needs to be deleted.

    Also, download and run this TOOL. It will check your system for the sdbot infection and hopefully kill it.

    Regards Howard :)

    This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. RaineStraha

    RaineStraha TS Rookie Topic Starter

    Thanks

    I'll do that after school



    -Raine
     
  10. RaineStraha

    RaineStraha TS Rookie Topic Starter

    I managed to delete winrar32.exe, but it keeps coming back.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Something's not right here.

    Let's go for a full clean up.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :)


    This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
