"svhost.exe" is doing my nut

Freeley

Well-known member
Hi all.

Once Windows has loaded on startup, I get several DOS boxes coming up on screen, varying from three to seven in number. The DOS boxes have nothing but a flashing cursor in them and I have to close them all individually every time I start the PC, which is getting very annoying.

The boxes are titled "C:\Users\Jason\Appdata\Local\Temp\svhost.exe"
I have absolutely no idea what has caused this to happen, although I imagine it's something I've done!

I've had a look in Task Manager and can't see anything to help me in there, so was wondering if anybody (hello pengipete!) has any idea what could be causing this and how I can stop these DOS boxes from appearing.

Cheers,

Jason.
 

Pete

Bright Spark
I've just done a quick Google, as I've not seen this before myself. Quite a few entries about it being a Trojan - so might be worth running your anti-virus software..... I'll keep looking for ya.
 

Freeley

Well-known member
No, I googled svhost and a lot of svchost stuff came up; this is definitely svhost.
Will do a screen snip in a bit once I've finished on Medal of Honor!
 

Freeley

Well-known member
Will I lose files, game savegames if I do that?
I'm suspecting a trojan or something to be honest, MSE caught a couple of the blighters after I downloaded some bittorrents last week, which coincides with when this started. And no it wasn't filth before anyone says anything!
 

vanthus

Member Resting in Peace
Will I lose files, game savegames if I do that?
I'm suspecting a trojan or something to be honest, MSE caught a couple of the blighters after I downloaded some bittorrents last week, which coincides with when this started. And no it wasn't filth before anyone says anything!

I suspect some sort of malware myself & yes you will lose files & saved games as well, but in my experience it's the easiest solution if it works. Other than that you can try antivirus scans, the more the merrier, MS Security Essentials, AVG & what have you, good luck.
 

pengipete

Rising Star
Regardless of the name, no .exe should run from your temp folders - anything that does should be regarded as potential malware. The good news is that the process(es) doesn't seem to be trying to hide so it's probably just a mistake - like an update to your browser or add-ons that went gaga. Another way it could happen is if you accidentally dropped something into the Startup folder.

If it's not malicious, it should be very simple to remove.

First, check the Startup folder in the Start Menu - if there's something in there that doesn't belong, just delete it then reboot and you should be done - if you're not sure, post a list of anything you find in that folder and I'll check it first.

Failing that, download and install CCleaner. Make sure that there's nothing in your Recycle Bin that you want to keep as we'll be emptying it during this process. Run CCleaner and select "Options" from the list on the left-hand side then select the "Advanced" option. Un-tick the entry that says "only delete files in the Windows Temp folders older than 24 hours". Click on the "Cleaner" option and click on "Run CCleaner" to remove all files. Reboot and see if the problem has gone.

If neither of these methods work, you are probably looking at malware. Do as Pete says and run a full scan with your AV software. If that doesn't help, post back and we'll look for another solution.
 
Last edited:
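
The checks pengipete describes (is anything autostarting from a Temp folder, is there a bare executable rather than a shortcut in the Startup folder) can be run in one go. The script below is an added example, not code from this thread or from CCleaner; it assumes Windows PowerShell 3.0 or later and reads the per-user and all-users Startup folders plus the Run/RunOnce registry keys, which are the standard autostart locations on Windows 7.

```powershell
# Added audit script, not from the thread: enumerate the usual autostart locations and
# flag entries that match pengipete's rule (an .exe run from a Temp folder), a bare
# executable dropped into the Startup folder instead of a shortcut, or a copy of
# rundll32 living outside System32. Assumes Windows PowerShell 3.0+ on Windows 7 or later.

function Get-StartupEntries {
    $entries = New-Object System.Collections.ArrayList
    $shell   = New-Object -ComObject WScript.Shell   # used only to resolve .lnk targets

    # 1. Per-user and all-users Startup folders
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
            $isLink = ($file.Extension -ieq '.lnk')
            $target = if ($isLink) { $shell.CreateShortcut($file.FullName).TargetPath } else { $file.FullName }
            [void]$entries.Add([pscustomobject]@{
                Source     = "Folder: $folder"
                Name       = $file.Name
                Target     = [string]$target
                IsShortcut = $isLink
            })
        }
    }

    # 2. Run / RunOnce registry values (per-user and machine-wide)
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            [void]$entries.Add([pscustomobject]@{
                Source     = "Registry: $key"
                Name       = $p.Name
                Target     = [string]$p.Value
                IsShortcut = $false
            })
        }
    }
    return $entries
}

function Get-SuspicionReason {
    param($Entry)
    $t = ([string]$Entry.Target).ToLowerInvariant()
    # Rule from the thread: nothing should run from a Temp folder
    if ($t -match '\\temp\\') { return 'executes from a Temp folder' }
    # A real executable (not a .lnk) sitting in the Startup folder is itself a red flag
    if ($Entry.Source -like 'Folder:*' -and -not $Entry.IsShortcut -and $t -match '\.(exe|com|bat|cmd|scr)$') {
        return 'bare executable in Startup folder'
    }
    # System binaries such as rundll32 belong in System32/SysWOW64 only
    if ($t -match 'rundll32' -and $t -notmatch '\\windows\\(system32|syswow64)\\') {
        return 'rundll32 outside System32'
    }
    return $null
}

# Print a report: SUSPECT lines deserve a closer look before anything is deleted
foreach ($e in Get-StartupEntries) {
    $reason = Get-SuspicionReason -Entry $e
    $status = if ($reason) { "SUSPECT: $reason" } else { 'ok' }
    '{0,-40} {1,-25} {2}' -f $status, $e.Name, $e.Target
}
```

Entries marked `ok` are not proven clean, they just fail these three heuristics; the point of the listing is to give the helper the same "post a list of what you find" view pengipete asks for, with the obvious offenders highlighted.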

Pete

Bright Spark
Ooh, I went and watched a film, sorry about that.... just to add to pengi', if you do download CCleaner (very good program) have a look in the Tools and Startup and see what's in there: some things are needed, so don't just chop them all out, but often a dodgy program can be identified by the folder or name - Google is your friend here, also we'll help if you're unsure. A good place to stop all those Adobe, Quicktime etc etc startup and updaters.

You can get to a similar screen by typing msconfig in the Run box (or in Win7 where it says "search programs and files") and selecting the Startup tab.

Edit : As it's already possibly infected would SpyBot SD or Malwarebytes be of more use than an AV ?
 
Last edited:

Freeley

Well-known member
Regardless of the name, no .exe should run from your temp folders - anything that does should be regarded as potential malware. The good news is that the process(es) doesn't seem to be trying to hide so it's probably just a mistake - like an update to your browser or add-ons that went gaga. Another way it could happen is if you accidentally dropped something into the Startup folder.

If it's not malicious, it should be very simple to remove.

First, check the Startup folder in the Start Menu - if there's something in there that doesn't belong, just delete it then reboot and you should be done - if you're not sure, post a list of anything you find in that folder and I'll check it first.

Failing that, download and install CCleaner. Make sure that there's nothing in your Recycle Bin that you want to keep as we'll be emptying it during this process. Run CCleaner and select "Options" from the list on the left-hand side then select the "Advanced" option. Un-tick the entry that says "only delete files in the Windows Temp folders older than 24 hours". Click on the "Cleaner" option and click on "Run CCleaner" to remove all files. Reboot and see if the problem has gone.

If neither of these methods work, you are probably looking at malware. Do as Pete says and run a full scan with your AV software. If that doesn't help, post back and we'll look for another solution.

OK, the only thing in my Startup folder is "rundll32"; when I click on this the DOS boxes spring up!
Am I safe to delete this from the Startup folder?
 

pengipete

Rising Star
OK, the only thing in my Startup folder is "rundll32"; when I click on this the DOS boxes spring up!
Am I safe to delete this from the Startup folder?

Right-click on that file and select "Properties" from the pop-up menu. In the window that opens, go to the "Shortcut" tab. Copy the details written in the "Target:" box and post them here.
 

pengipete

Rising Star
I'm off to bed and I'll be unavailable for a while tomorrow so here's the next steps...

I reckon that this file is going to be one of two things - either it's benign (a leftover from something you uninstalled or something that got accidentally dropped into the Startup folder when you were using the Start menu) or it's the w32dll Blaster worm.

Blaster is a very old piece of malware that was blocked by Microsoft back in the early 2000's but it keeps re-appearing. The good news is that it is very basic and usually pretty easy to remove.

The first thing to do is to delete that file from the Startup folder and reboot. If the problem is gone and you have no other problems such as being unable to run programs, you're fine as it was just an old file in the wrong place.

If the file has magically reappeared, you have a malware infection. You can usually remove Blaster by running Microsoft's Malicious Software Removal Tool. Download it from the following links...

32 Bit - http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=585d2bde-367f-495e-94e7-6349f4effc74
 

Freeley

Well-known member
Right-click on that file and select "Properties" from the pop-up menu. In the window that opens, go to the "Shortcut" tab. Copy the details written in the "Target:" box and post them here.

[Attached image: Snip.png]

Don't know if I'm being dense but I can't see a Shortcut tab?

I ran a scan with MSE which didn't detect anything and ran the Microsoft Malicious Software Removal Tool; that didn't find anything either.

So if I delete the rundll32 file from the Startup folder, will I have problems when restarting (like not starting Windows or something?)
 
Last edited:

pengipete

Rising Star
You're not doing anything wrong - it just means that there's an executable file in that folder rather than a shortcut pointing to one. It definitely shouldn't be there but we just need to check one thing before deleting it.

Double-click on the "My Computer" icon, then open the "C:" drive. Open the "Windows" folder then open the "System32" folder. Scroll down past the folders and look at the files listed further down. Make sure that there is a file called "Rundll32". If there is, close those windows and delete the "Rundll32" file from your Startup folder. If there isn't a "Rundll32" in your Windows/System32 folder - don't do anything yet - just post back.
 

pengipete

Rising Star
I'm off out so this is what you can do next if you found Rundll32 in the System32 folder.

Close all running programs and close all folders. Open Task Manager (CTRL+SHIFT+ESC) and go to the Processes tab. Click on the Image Name heading to sort the tasks into alphabetical order. There shouldn't be an entry for Rundll32.

Open Control Panel and run Internet Options - leave it running.

Go back to Task Manager and there should now be a Rundll32 entry in that list. Right-click on it and select Properties. In the window that opens, check the "Location". If it says "C:\Windows\System32" you are safe to close all of those windows and delete the file from your Startup Folder. When you've done that, reboot and when Windows has reloaded, run Internet Options again - as long as that will run, you have nothing to worry about in terms of programs working correctly. If it doesn't run, post back and I'll tell you how to re-install Rundll32 properly. (Just for info - we're only using Internet Options because I know that it uses Rundll32 when it starts)

What you must do after removing that file is to run another full virus scan - preferably in safe mode. The real Rundll32 executable is only a few kb in size - the one in your Startup folder which was huge by comparison was a fake and that means it was connected to an infection. I suspect it was Blaster and your AV software blocked and removed it as soon as it tried to activate but this file was missed. It should be safe - as long as the active parts of the infection were removed and this file was just required to run those. If the Windows tool and your own AV software give you the all-clear, I'd say you should be fine.
 
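
pengipete's two posts above boil down to three questions: does the genuine rundll32 exist in System32, is the copy in the Startup folder the same file or a fake, and is whatever is running actually loaded from System32. The script below is an added example, not code from this thread; it answers those questions by comparing size, SHA-256 hash and Authenticode signature of the two files and by listing running processes whose image lives in a Temp folder. It assumes PowerShell 4.0 or later (for Get-FileHash and Get-CimInstance), and the `$suspectPath` at the bottom is an assumed location that should be changed to the file actually found.

```powershell
# Added verification script, not from the thread: compare a suspect copy of rundll32 with
# the genuine one in System32 and list processes started from a Temp folder.
# Assumes PowerShell 4.0+; the suspect path at the bottom is an assumption.

function Get-BinaryFacts {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $file = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $file.FullName
        SizeBytes = $file.Length
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status           # 'Valid' for an intact Microsoft-signed binary
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

function Compare-WithSystemBinary {
    param(
        [Parameter(Mandatory)][string]$Suspect,
        [string]$Genuine = (Join-Path $env:SystemRoot 'System32\rundll32.exe')
    )
    $s = Get-BinaryFacts -Path $Suspect
    $g = Get-BinaryFacts -Path $Genuine
    # pengipete's rule: if System32 has no rundll32, stop and ask before deleting anything
    if (-not $g) { return "Genuine copy missing at $Genuine - do not delete anything yet, post back first" }
    if (-not $s) { return "Suspect file not found at $Suspect" }

    $verdict = if ($s.SHA256 -eq $g.SHA256) {
        'IDENTICAL to the System32 copy: a stray duplicate, safe to remove from Startup'
    } elseif ($s.SigStatus -eq 'Valid' -and $s.Signer -eq $g.Signer) {
        'Different build but signed by the same publisher: likely benign, check the version'
    } else {
        'DIFFERENT content and not validly signed: treat as malware, run a full scan in safe mode'
    }
    [pscustomobject]@{ Suspect = $s; Genuine = $g; Verdict = $verdict }
}

function Get-ProcessesFromTemp {
    # Live processes whose image lives under a Temp folder, plus any rundll32 instance
    # running from somewhere other than System32/SysWOW64 (the Task Manager "Location" check).
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $_.ExecutablePath -and (
                $_.ExecutablePath -match '\\Temp\\' -or
                ($_.Name -ieq 'rundll32.exe' -and $_.ExecutablePath -notmatch '\\Windows\\(System32|SysWOW64)\\')
            )
        } |
        Select-Object ProcessId, Name, ExecutablePath
}

# Usage (assumed path): the file found in the per-user Startup folder
$suspectPath = Join-Path ([Environment]::GetFolderPath('Startup')) 'rundll32.exe'
$report = Compare-WithSystemBinary -Suspect $suspectPath
if ($report -is [string]) {
    $report
} else {
    $report.Suspect, $report.Genuine | Format-Table Path, SizeBytes, SigStatus, Signer -AutoSize
    $report.Verdict
}
Get-ProcessesFromTemp | Format-Table -AutoSize
```

The hash comparison is the decisive check: a byte-identical duplicate is harmless clutter, whereas a file of the same name with different content and no valid Microsoft signature is the "fake" pengipete describes. On 64-bit Windows a second legitimate rundll32 lives in SysWOW64, which is why both folders are accepted in the process filter.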

Freeley

Well-known member
Ok this is worrying me now.
Have done as you suggested pengi, removed rundll32 from the startup folder, restarted pc and the dos boxes were back again and rundll32 was back in the startup folder.

Have run anti-malware which detected and removed the svhost.exe and something else (pic below), removed rundll32 from the Startup folder, restarted and svhost.exe was up and running again.
[Attached image: Malwaresnip.png]

What should I do now?
 
Last edited: