svchost.exe, conhost.exe & csrss.exe

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Wed, 15 Dec 2010 12:26:20


I'm online with a Debian linux machine as I've problems with my main
machine running WinXP Pro.

Windows XP Pro x64. It's been running for years on the computer. I
upgraded the drive from 250 GB to 500GB then recently to 1TB. This last
time I tried to be as correct as possible so I bought Norton Ghost 15.0
and cloned the drive. That was just under a month ago and all had been
okay until recently.

I didn't back up the drive before or after the cloning.

I recently started getting redirects in Google searches. I ran Spybot,
something I do infrequently. Spybot showed CoolWWWSearch.OleHelp
infection of svchost and. conhost.exe, Win32FakeAlert.ttam infection of
csrss.exe. Spybot would fix the problems but the infection would return
almost immediately.

I'd gotten complacent about making changes with regedit. There are no
registry backups and now can't make any.

I made changes in trying to clear the infection(s).

The infection(s) problem is on the back burner while I try to fix what
I broke.

The WinXP Pro machine will boot into Windows just fine. The login
screen shows the one user and I login. No services are running. I look
in Task Manager and svchost.exe, conhost.exe and csrss.exe are all
running.

File search doesn't work. My Eudora doesn't find its mailboxes.
Commands don't run, e.g. Ntbackup.exe run as Administrator comes up with
The service did not respond to the start or control request in a timely
fashion.

I try to run Norton Ghost but get Error in Main. Image format is not
valid. The image file may be corrupted. Parameter name: stream

I tried a reinstallation of Norton Ghost but get that the Windows
installation wizard service isn't running.

I've started the machine in Safe Mode and tried running Ntbackup.exe
but it won't run in Safe Mode. I tried adding Administrator to
Ntwindows in regedit but it wouldn't take until I added it using regedit
in Safe Mode. Now I can login to Administrator from the normal WinXP
login screen but still programs complain that no services are running.

I try searching for files from Start > Search but the attempt seems to
get dumped into the bitbucket as the Search dialog never appears.

I open Administration Service and immediately see it's opening to
Extended instead of Standard making it look as if there are no services
installed. I go to the Standard page and see the services. I had made
some changes here as well trying to clear the infections. I recall I
disabled DCOM Server Process Launcher. I try to enable DCOM but Start
Stop Pause Resume and Restart are all grayed out. I try the DCOM
Properties but it doesn't run.

I tried going to My Computer and selecting Properties of Local Disk C:,
Sharing, and checking Share this folder on the network. In order to
successfully clone the drive with Norton Ghost I found I had to enable
sharing the C: drive then changed it back after the cloning. Now I
reasoned I might need to re-enable sharing on C: to get some normality
back but now I get "An error occurred while trying to share C. The
Server service is not started. The shared resource was not created at
this time."

So, it seems as if my drive is somehow locked down. It's as if the
drive is being protected. I'd appreciate suggestions on how to get
services running once again. I'm putting off a reinstallation of
Windows. I have a single icon space free on my desktop and know if I
reinstall Wi
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by MyNew » Wed, 15 Dec 2010 20:39:44

it's in your regedit back up!
And is Being Scheduled Tasks bacK

 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by MyNew » Wed, 15 Dec 2010 20:49:39

P.S.

http://www.yqcomputer.com/

If you seeing Svchost.exe it can be the one made by Spybot
For 99.999% of Svchost.exe good!
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Thu, 16 Dec 2010 00:26:01


After a little more searching I found that a reference when booting to
not finding csrss.exe in My Documents\..\Temp\csrss.exe was located in
\HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache.
Besides the key data pointing to that, now gone, csrss.exe, there was
also a key pointing to The_Yale_Law_Journal.pdf, which failed to
download about the time of the virus start, a reference to conhost.exe
and finally a line referencing something that appeared to be from a new
4GB thumbdrive I bought on Ebay a month ago.

The Yale Law Journal file was "The_Yale_law_journal.PDF.exe". After
downloading, double clicking the executable file seemed to have no
effect.

There was one other registry entry to the ...\Temp\csrss.exe file and
that in
\HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows.

The My Documents\..\Application Data\Microsoft\conhost.exe key data was
found under
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
entry as well.

Although I've removed these from the registry, I suspect whatever is
putting the keys there may still be around.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by Elmo » Thu, 16 Dec 2010 04:12:45

n 12/13/2010 10:26 PM, BillJohnston wrote:

Try one of these. Surely one will get control of conhost and disable
it. You probably have a rootkit along with the other problems, so you
need something outside of the Windows OS to scan.

Download this Avira Antivir Rescue System program which will burn a CD
image to a blank CD. It's updated a few times per day. Insert the CD
into the damaged machine and let it do a scan of your system. Before
starting the scan, select "Configuration" and set to repair or rename
the infected files. Sometimes your machine won't restart after such a
repair process, so you might want to save needed files to another system
before using this. If you can't, then you can move the hard drive to
another machine to copy needed files. You can do that before, or after
this scan.

http://www.avira.com/en/support-download-avira-antivir-rescue-system

Then run these:

MalwarebytesCorporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

AVG now has a Rescue CD that's free. They also have a free USB download
that should work on newer systems that can boot from a USB device. Get
them here:

http://www.avg.com/us-en/avg-rescue-cd

You can try some of the CD's mentioned at the following site.
BitDefender was my favorite, but if the infected machine can't connect
to the internet to get updates, Avira comes with current virus
definitions. Also, some of these just won't run on some systems,
perhaps because there's no drivers available for some system devices,
motherboard, graphics card, etc. So try a few of these till you find
one that works:

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is available,
(though no .exe is available for BitDefender).

After the scan is run, if you elect to quarantine files, they're
quarantined to RAM and lost after you reboot. You'll need to copy any
quarantined files to the hard drive, a thumb drive or elsewhere before
exiting.


--

Joe =o)

 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Thu, 16 Dec 2010 06:12:50


Stopping conhost.exe in Task Manager doesn't work as it's immediately
replaced. Running Spybot deletes \Temp\csrss.exe but not
\Microsoft\conhost.exe.

Booting to save mode I can delete both files from the c:\Documents and
Settings subdirectories. I then ran regedit32 and deleted all keys
referencing those files in those locations and rebooted. After booting,
both files are again in those directories. F-Prot has failed to clear
the Trojan.

I had tried to install Malwarebytes the other day but the install
stalls because the Windows install wizard service isn't running.

The Yale_Law_journal file was downloaded on 12/4 and had a time of
12:00PM. I see in C:\System Volume Information I have a registry backup
from 3:34PM on 12/4 so I had started making changes then. The next
previous registry backup is 11/22. I think I'll next follow the
instructions in Microsoft Article 307545 and replace the registry with
the backup from 11/22 afterwhich I should be able to install
Malwarebytes.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Thu, 16 Dec 2010 23:17:33


Microsoft's article, #307545, How to recover from a corrupt registry...,
doesn't seem to be working for me. I change the
\Windows\System32\Config files to a previously booting version and it
hangs. I'm probably on my fifth repair install. This time I tried the
repair install config files but ran WindowsServer2000 SP2 upgrade
before attempting the config files changeout. While I was at it I went
into the registry and changed the drive letter back to C: and rebooted
before attempting the config files change. Now it's *** and won't
even boot into Safe Mode but hangs at a Microsoft Windows splash screen.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Fri, 17 Dec 2010 00:12:09


Thanks, MyNews and Joe. I didn't get your replies until I properly set
my timezone this morning.

I couldn't run Malwarebytes as all services seemed stopped. I've
been doing repair installs but running into difficulties. My last
change of drive letters and WindowsServer upgrade, figuring either might
be preventing my reverting to earlier \Windows\system32\config files
hung the system. I made my DVD drive E:, changed the Windows drive to
C: from E: and changed my previous drive, to D:. The previous drive
kept being listed in the registry as C: and is not currently installed.
I wonder if Windows rejects the DVD boot drive as being listed as E: or
maybe it was the Security update I installed, but where I was booting to
the repaired Windows listed as drive E: I wanted my old configuration,
e.g. scheduled tasks, etc. The Windows repair install is really a
bummer. It had been objecting to files not passed Windows Logo
testing but now can't find a slew of files, possibly installed when I
ran the server upgrade. It's asking for compressed files .dl_ and when
I give it the already installed files having .dll, it won't accept.
That may have been repair install # 6 and now into repair install #7

Repair install is failing to extract files from the CD. It seemed to
extract most that it needed, took the product key, went on to installing
windows, now won't extract files that are clearly there, e.g.
E:\\AMD64\WBEMDISP.DL_.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Fri, 17 Dec 2010 00:46:24


That video or commercial of the cubical guy going into a rage and
smashing his monitor with his keyboard really comes to mind.

Setup cannot set the required Windows configuration information. This
indicates an internal Setup error. Contact your administrator.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Fri, 17 Dec 2010 01:26:36


What da ya know, magic. I used the recovery console to delete the
\windows\system\config\ sam, system, software, default, and security
files and replaced with what I thought was a set from a repair install,
e.g. minimal desktop files. I rebooted and couldn't enter a password as
the USB keyboard was being ignored. I noticed the login screen had both
administrator and my user name, unusual. I rebooted with a DIN plug
keyboard and after logging in find I have a fully populated, 103
folders, programs and shortcuts icons. Only problem is that I'm back to
the no servers running problem, e.g. scheduled tasks>task>run gets
Service stopped, do you want to start the service now? > yes > Unable to
start service.

I may have deleted an Ole entry with regedit some days ago. I have a
laptop with XP Pro but it's not x64 so its registry entries aren't fully
helpful.

..later
Okay, have it. I copied the mid-November files to the config
directory with distinct extensions, rebooted into the recovery console
and changed those for the following boot. This has booted me into my
old system but although drag and drop now works, Scheduled tasks don't
run unless I go to each task and re-enter the password, then it runs.
I'[m sure I'll find other problems but for now I'm going to run F-Prot,
then Spybot and then try and install Malwarebytes,

I believe the change worked today while yesterday I got something like
"A connected device isn't working properly." and couldn't get into
windows because I had both the old, reformated drive as a second SATA
drive on the system as well as the SATA DVD drive. Today there's only a
single hard drive.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Sat, 18 Dec 2010 14:52:32


Well I installed Malwarebytes, ran the AVG CD and ran the Avira CD.
Each finds a virus or trojan. The conhost.exe and csrss.exe continue to
be placed in a subdirectory of Documents and Settings and continue to be
deleted by by Malwarebytes and Spybot.

Since replacing the necessary files in /Windows/system32/config, after
reinstalling device drivers with the Repair from the Windows x64 install
disc, I've been seeing a Generic Mount Control Device is not digitally
signed and asks if I still want to install the device, answering yes, it
later comes back with Cannot Install Device; if I answer now it comes
back with The data is invalid. The drive is a SATA. So, thinking it
was a driver that needed to be updated, although the driver was working
last month, I tried running Microsoft Update but even running as
administrator it wouldn't run and this is genuine software. I logged
out and logged in as Administrator. Using IE, although I use Firefox
almost exclusively, IE couldn't get out for the Administrator until I
unchecked Use a Proxy. Actually there's an interesting story, as I had
added Administrator to the login screen by going into the registry,
Windows Update still wouldn't run logging in as Administrator, nor would
it run if I unchecked "limited privileges". It would only run if I ran
as Administrator Administrator if you get what I mean. But from then on
Firefox opens with a Manual proxy configuration set to 127.0.0.1 Port
62848. Even in safe mode. This means that tomorrow morning, all my
scheduled web pages to be ready when I sit down with coffee and
breakfast will say The proxy server is refusing connections. But of
course IE works. IE is not scheduled to open the web pages with morning
news because IE doesn't block distracting ad's.

Oh well, it's late.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by BillJohnst » Sat, 18 Dec 2010 23:54:37


Okay, leaving a firefox session open set to no proxy allowed the
scheduled firefox sessions to run and connect. I believe I may have
found a significant problem. When I made the drive clone I made the new
drive a basic drive but I now see it should have been a dynamic drive.
To convert to a dynamic drive I must back up the drive however having
moved from an almost full 500GB C:\ with a 250GB D:\ also almost full, I
have 700GB of data and no where to back this volume up. It's clear that
backup is needed to convert from dynamic to basic and although they say
to back up all data before conversion to dynamic they don't clearly say
it will destroy data.

..later that night, a run of Spybot has Congratulations, no immediate
threat found.


Uninstall/reinstall of Firefox has it working properly.
 
 
 

svchost.exe, conhost.exe & csrss.exe

Post by Elmo » Wed, 22 Dec 2010 06:33:27


Try the AVG Linux Command Line CD. It will run independent of your XP
Pro system, so it can remove rootkits that otherwise would get control
during the Windows startup.

AVG now has a Rescue CD that's free. They also have a free USB download
that should work on newer systems that can boot from a USB device. Get
them here:

http://www.yqcomputer.com/

After burning that to a CD, running and removing infections, go into
Safe Mode and run Malwarebytes. At least that's how I would attack it..

--

Joe =o)