Svchost.exe keeps dying

Status
Not open for further replies.

RaineStraha

Hi everybody, brand new to this site, but I need some major help with a seemingly small computer problem that is actually really getting on my nerves.

Please move this to the appropriate forum if it is in the wrong section.

Problem: svchost.exe and all the services tied to the cmdline argument "-k netsvcs" keep dying, but the other services are fine.

I don't know if it will help much, but it takes about 2 hours for the services to die.

Hope this helps some.




Please help me
-Raine
 
Hello and welcome to Techspot.

Your HJT log looks clean. However, there is malware that can hide from HJT. Go and read this thread HERE and post a fresh renamed HJT log as an attachment into this thread.

Regards Howard :wave: :wave:

This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the help. The new log is in attachment form, and some new developments have occurred: FTP.exe was found running in the background along with cmd.exe. Also, some files keep popping up, a.bat and a.exe; TMIS keeps finding them. winrar32.exe is also evident in my system. I don't know if it's one 3 12 or just a fluke, but I'm pretty sure this machine is in for it.



Thanks again for any and all help given.
-Raine
 
Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=38.119.130.61:80 < Fix this if you didn't set this proxy yourself or don't know what it is.

R3 - Default URLSearchHook is missing

O4 - Startup: Adobe Gamma.lnk.disabled

O4 - Global Startup: MA111 Configuration Utility.lnk.disabled

O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECFA5A1-8651-49C3-A6FE-3C0FBD91289D}: NameServer = 216.68.4.10,216.68.5.10 < Only fix this if it doesn't belong to your ISP.

Click on the fix checked button.

Close HJT.

Reboot your system.

Other than the above, your HJT log is clean.

Regards Howard :)

This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
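The triage in the post above (fix the proxy only if you did not set it, fix the NameServer only if it is not your ISP's) can be applied to a whole log with a short script. This is an added example, not part of the original thread and not HijackThis code; the function names and the `trusted_proxies` / `trusted_dns` parameters are assumptions made for illustration.

```python
import re

# Entries quoted from the fix list in the post above, helper annotations removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=38.119.130.61:80
R3 - Default URLSearchHook is missing
O4 - Startup: Adobe Gamma.lnk.disabled
O17 - HKLM\System\CCS\Services\Tcpip\..\{5ECFA5A1-8651-49C3-A6FE-3C0FBD91289D}: NameServer = 216.68.4.10,216.68.5.10
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PROXY = re.compile(r",ProxyServer = (?P<value>\S+)$")
DNS = re.compile(r": NameServer = (?P<value>.+)$")


def parse_entries(log_text):
    """Return (code, body) tuples for every 'XN - ...' log line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review_network_settings(log_text, trusted_proxies=(), trusted_dns=()):
    """List proxy and DNS overrides the machine's owner has not confirmed."""
    findings = []
    for code, body in parse_entries(log_text):
        proxy = PROXY.search(body) if code == "R1" else None
        dns = DNS.search(body) if code == "O17" else None
        if proxy:
            # Value is "host:port" or "scheme=host:port;scheme=host:port".
            for part in proxy.group("value").split(";"):
                endpoint = part.split("=", 1)[-1]
                if endpoint not in trusted_proxies:
                    findings.append(("R1", "proxy", endpoint))
        elif dns:
            for server in re.split(r"[,\s]+", dns.group("value").strip()):
                if server not in trusted_dns:
                    findings.append(("O17", "dns", server))
    return findings


if __name__ == "__main__":
    for finding in review_network_settings(SAMPLE_LOG):
        print(finding)
```

Pass the resolvers your ISP actually hands out as `trusted_dns`; anything still reported is a setting to confirm before ticking it in the fix list.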
 
Although that may help some underlying problems, I don't think it's gonna kill the a.exe, a.bat, and other problems I've been having: winrar32.exe, d[1].php, generic host process for win32 error. With that last one, I found that only services tied to the registry entry "netsvcs" are canceled.
 
Sadly not. However, I can tell you the name of one virus Trend picked up that a.exe was associated with, which was the bkdr_sdbot family, and that a.bat was found in the Windows folder of the C drive and winrar32.exe in c:\windows\system32.

Is this just one guy messing with me using the same stuff, or is it a multitude of different viruses? Also, I can tell you that it all started with a file called dl.exe that could be found in the same folder as any application that was run during the initial infection period, but that was last year on a different machine. I believe strongly that it came over via infected jump drive although




-Raine

If I'm not making any sense, please forgive me; this problem has me somewhat psychotic over the fact that I couldn't fix it myself, and if I can offer any help as to how I can see to it that this never happens to anyone else, I'll be sure to submit this to Trend Micro, Symantec and whoever else can stop it.

As is, I wish painful death to the person that made this after they release the solution to this problem,
but we've all been there, right?

-Raine
 
Download the Pocket Killbox programme from HERE. Extract it to your desktop.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

c:\windows\system32\winrar32.exe is definitely nasty and needs to be deleted.

Also, download and run this TOOL. It will check your system for the sdbot infection and hopefully kill it.

Regards Howard :)

This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Something's not right here.

Let's go for a full clean up.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :)


This thread is for the use of RaineStraha only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 