deleted all reference to svchost.exe in registry - help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

chessbuff77

Thread Starter
Joined
Jan 4, 2003
Messages
5
I realized yesterday that my computer was hacked and had a trojan on it. In the process of cleaning up the trojan, I also deleted all references to svchost.exe from my Win 2k machine registry. (I saw multiple versions of it in Task Manager and I thought it was also a trojan - I now know it was a mistake.)

In an effort to tighten my security I disabled many services like RPC, RPC Locator, Internet Connection Sharing etc. In fact I disabled them at the hardware profile level. After a reboot I can't now view the properties windows for these services. That means that I'm unable to enable these services.

Now of course I have a computer that has its networking completely screwed up. File search does not work, neither does copy/paste.

Help wanted
------
1. Is there a way for me to restore my registry entries without having to rebuild my machine?

2. Is there a way to associate/enable a hardware profile with the services directly in the registry or using the command prompt? I did an extensive search in the registry but could not figure out where to make the change.

Thanks for helping; I'm going crazy here.
 
Joined
Aug 17, 2001
Messages
7,486
I don't think you backed up the registry first? Or exported the keys you deleted for safe keeping? That's good practice for the future.


I do not use 2000. I have XP, and I don't know how you would restore without having a restore point, which 2k doesn't have. Here are some suggestions.


Having a look at creating another Hardware Profile might be something to consider. If you go to help and do a search for Hardware Profile, the directions will be there for you.



Have you considered doing a Repair Install?

Here's a link to a page which will help you to configure Services in Win 2k.

http://www.blackviper.com/WIN2K/servicecfg.htm

In the Win XP registry here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
All the services should be listed as subkeys. I would bet Win2k is the same.

If you click on each service and look in the right pane for the DWORD Start you can change that value.

A value of 4 is disabled.
A value of 3 is manual
A value of 2 is automatic

I can disable a service and still be able to see its property page. So I am not sure what your situation is. Without the svchost keys I don't know. EDIT: See the next post for more information.


Please back up your registry before you try anything again.
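As an added illustration of the Start values and the "export the keys first" advice in this post (example code written for this page, not from the thread, Microsoft or Black Viper): the script below parses a .reg export of the Services key, decodes each service's Start DWORD and DependOnService list, and reports the services that cannot start because something they depend on has been set to disabled, which is the cascade the thread runs into with RPC. The export text is constructed for the example (the key and value names follow the registry layout quoted in this post; the dependencies are chosen to show the cascade and are not a claim about any real machine), and reg_fragment is a helper of my own, not a Windows tool.

```python
import re

# Meaning of HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample: the shape of a regedit export of a few service keys after
# RpcSs has been set to disabled. Strings in hex(7)/hex(2) are UTF-16LE, as in
# "Windows Registry Editor Version 5.00" files. Not a real export.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DisplayName"="Workstation"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DisplayName"="Messenger"
"Start"=dword:00000002
"DependOnService"=hex(7):4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,00,6b,00,\
  73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"DisplayName"="Network Connections"
"Start"=dword:00000003
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters]
"ServiceDll"=hex(2):6e,00,65,00,74,00,6d,00,61,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"DisplayName"="COM+ Event System"
"Start"=dword:00000003
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"""


def decode_value(raw):
    """Decode one .reg value: "string", dword:, or hex(N): byte lists."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)  # bare hex: is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ
            return data.decode("utf-16-le").rstrip("\0")
        if kind == 7:  # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded data}} for a regedit export."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def load_services(keys):
    """Collapse the export into {service: {start, deps, dll}}."""
    svcs, prefix = {}, SERVICES_ROOT + "\\"
    for key, vals in keys.items():
        if not key.startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        entry = svcs.setdefault(parts[0], {"start": None, "deps": [], "dll": None})
        if len(parts) == 1:
            entry["start"] = vals.get("Start")
            entry["deps"] = list(vals.get("DependOnService", []))
        elif parts[1:] == ["Parameters"]:
            entry["dll"] = vals.get("ServiceDll")
    return svcs


def blocked_services(svcs):
    """Map each enabled service to the disabled services it depends on, transitively."""
    by_lower = {name.lower(): name for name in svcs}

    def disabled_deps(name, seen):
        found = []
        for dep in svcs[name]["deps"]:
            dep_name = by_lower.get(dep.lower())
            if dep_name is None or dep_name in seen:
                continue  # dependency not in the export, or already visited
            seen.add(dep_name)
            if svcs[dep_name]["start"] == 4:
                found.append(dep_name)
            found.extend(disabled_deps(dep_name, seen))
        return found

    blocked = {}
    for name, info in svcs.items():
        if info["start"] != 4:
            culprits = disabled_deps(name, set())
            if culprits:
                blocked[name] = culprits
    return blocked


def reg_fragment(name, start):
    """A .reg file that sets Start for one service (import it with regedit)."""
    return (f"Windows Registry Editor Version 5.00\n\n[{SERVICES_ROOT}\\{name}]\n"
            f'"Start"=dword:{start:08x}\n')


if __name__ == "__main__":
    svcs = load_services(parse_reg_export(SAMPLE_EXPORT))
    for name, info in svcs.items():
        print(f"{name:18} Start={info['start']} ({START_NAMES.get(info['start'], '?')})")
    for name, culprits in blocked_services(svcs).items():
        print(f"{name} cannot start: depends on disabled {', '.join(culprits)}")
    print(reg_fragment("RpcSs", 2))
```

Run it against a real export made with regedit's Export on the Services key to see which of your own services are stranded behind a disabled dependency before you change anything. Note that, as the thread goes on to find, putting Start back to 2 does not undo a disable done through the hardware profile; that is a separate setting.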
 
Joined
Aug 17, 2001
Messages
7,486
http://support.microsoft.com/default.aspx?scid=kb;EN-US;250320

Svchost.exe is a generic host process name for services that are run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. There can be multiple instances of Svchost.exe running at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and is displayed as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service_names extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service


MORE INFORMATION
To view the list of services that are running in Svchost:
From the Windows 2000 installation CD's Support\Tools folder, Extract the Tlist.exe utility from the Support.cab file.
On the Start menu, click Run, and then type cmd.
Change folder to the location from which you extracted the Tlist.exe utility.
Type tlist -s.
Tlist.exe displays a list of active processes. The -s switch shows the list of active services in each process. For more information about the process, type tlist pid.

The following sample Tlist output shows two instances of Svchost.exe running:

0 System Process
8 System
132 smss.exe
160 csrss.exe Title:
180 winlogon.exe Title: NetDDE Agent
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
544 cisvc.exe Svcs: cisvc
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
580 regsvc.exe Svcs: RemoteRegistry
596 mstask.exe Svcs: Schedule
660 snmp.exe Svcs: SNMP
728 winmgmt.exe Svcs: WinMgmt
852 cidaemon.exe Title: OleMainThreadWndName
812 explorer.exe Title: Program Manager
1032 OSA.EXE Title: Reminder
1300 cmd.exe Title: D:\WINNT5\System32\cmd.exe - tlist -s
1080 MAPISP32.EXE Title: WMS Idle
1264 rundll32.exe Title:
1000 mmc.exe Title: Device Manager
1144 tlist.exe

The registry settings for the two groupings in this example are as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost:
netsvcs: Reg_Multi_SZ: EventSystem Ias Iprip Irmon Netman Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess Tapisrv Ntmssvc
rpcss :Reg_Multi_SZ: RpcSs
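To make the KB explanation concrete, here is an added example (written for this page; not part of the KB article or of the thread) that checks the svchost.exe instances reported by tlist -s against the Svchost group configuration quoted above. The rule it applies is the one the KB describes: a process named svchost.exe should host exactly the services of one configured group. Anything else (an svchost.exe hosting no services, services that belong to no group, or an image name that is a near miss for svchost.exe) is worth a second look before deleting anything, which is the distinction the thread starter needed when several svchost.exe entries showed up in Task Manager. The group table and the first seven tlist lines are copied from the KB sample above; the last two tlist lines are constructed to trigger the checks, and the 0.85 similarity threshold is my own choice.

```python
import difflib
import re

# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost, one REG_MULTI_SZ per
# group, as the KB sample lists it for its example machine.
SVCHOST_GROUPS = {
    "netsvcs": ["EventSystem", "Ias", "Iprip", "Irmon", "Netman", "Nwsapagent", "Rasauto",
                "Rasman", "Remoteaccess", "SENS", "Sharedaccess", "Tapisrv", "Ntmssvc"],
    "rpcss": ["RpcSs"],
}

# tlist -s output. First seven lines are from the KB sample above; the last two
# (PIDs 1212 and 1330) are constructed for this example.
TLIST_OUTPUT = """\
8 System
208 services.exe Svcs: AppMgmt,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,LanmanWorkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
220 lsass.exe Svcs: Netlogon,PolicyAgent,SamSs
404 svchost.exe Svcs: RpcSs
452 spoolsv.exe Svcs: Spooler
556 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
812 explorer.exe Title: Program Manager
1212 svchost.exe Title:
1330 svch0st.exe Svcs: RpcSs
"""

# "<pid> <image> [Svcs: a,b,c | Title: ...]"; the image name may contain spaces.
TLIST_RE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+(Svcs|Title):\s*(.*))?$")


def parse_tlist(text):
    """Return [{pid, image, svcs}] from tlist -s output."""
    procs = []
    for line in text.splitlines():
        m = TLIST_RE.match(line)
        if not m:
            continue
        pid, image, kind, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        svcs = [s.strip() for s in rest.split(",") if s.strip()] if kind == "Svcs" else []
        procs.append({"pid": pid, "image": image, "svcs": svcs})
    return procs


def triage(procs, groups, lookalike_threshold=0.85):
    """Return (pid, verdict, note) for every svchost.exe and every svchost lookalike."""
    owner = {svc.lower(): grp for grp, members in groups.items() for svc in members}
    findings = []
    for p in procs:
        image = p["image"].lower()
        if image != "svchost.exe":
            # Typosquatted names (svch0st, scvhost) are a classic way to hide a dropper.
            if difflib.SequenceMatcher(None, image, "svchost.exe").ratio() >= lookalike_threshold:
                findings.append((p["pid"], "suspicious",
                                 f"image name {p['image']} looks like svchost.exe"))
            continue
        if not p["svcs"]:
            findings.append((p["pid"], "suspicious", "svchost.exe hosting no services"))
            continue
        unknown = [s for s in p["svcs"] if s.lower() not in owner]
        seen_groups = sorted({owner[s.lower()] for s in p["svcs"] if s.lower() in owner})
        if unknown:
            findings.append((p["pid"], "suspicious",
                             "services not in any Svchost group: " + ", ".join(unknown)))
        elif len(seen_groups) != 1:
            findings.append((p["pid"], "suspicious",
                             "services from several groups in one process: " + ", ".join(seen_groups)))
        else:
            findings.append((p["pid"], "expected", f"group {seen_groups[0]}"))
    return findings


if __name__ == "__main__":
    for pid, verdict, note in triage(parse_tlist(TLIST_OUTPUT), SVCHOST_GROUPS):
        print(f"{pid:>5}  {verdict:10}  {note}")
```

On a real machine, export the Svchost key and paste its values into SVCHOST_GROUPS (or parse them from a .reg export), then feed the script the actual tlist -s output; an "expected" verdict means the process is doing exactly what the registry says it should, and is the one you must not kill or delete.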
 

chessbuff77

Thread Starter
Joined
Jan 4, 2003
Messages
5
Thanks for your reply mosiac.

I left the Win 2K Cd in office so repair install could only be attempted tomorrow.

Most of the services I disabled are dependent on the RPC service. However, unfortunately I disabled the service at the hardware profile level. I did put 02 in the service and made it automatic, but now when I try to start it, it says that it cannot start the service because there is no enabled device or profile associated with it. I'll try the new hardware profile and see if it would be enabled for all the services.

You wouldn't happen to know where the association of services to hardware profiles is in the registry?

thanks for your help.
Chessbuff
 
Joined
Aug 17, 2001
Messages
7,486
I have never done this before. So I don't know.
Have a look here too. You can always look. Making changes is another thing. HKLM\System is a dangerous place. Be careful and back up. Otherwise you may be in for some big problems.


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles

EDIT: Let me do some research and see what else I can find. The Hardware Profile might be the best bet other than the Repair Install.
 
Joined
Aug 17, 2001
Messages
7,486
I can't find that exact message.

I hope the new profile works. If you do a repair install you are going to have to reinstall all service packs and updates etc. I did a repair install of XP last week and it took a while to get everything back.
 

chessbuff77

Thread Starter
Joined
Jan 4, 2003
Messages
5
A new hardware profile uses the existing profile as a model, so it would not help. My problem is that different applications are not spawning a new window, so I can't look at properties etc. I think I'll try the repair install tomorrow.

I'll let you know if that solves the problem.
Thanks for your help, Mosiac. I still wonder where the linkage between the services and the hardware profile in the registry is, though. I looked for hours yesterday but could not pin it down.
 
Joined
Aug 17, 2001
Messages
7,486
I am new to XP. I see what you mean about the Hardware Profiles.
I have been doing some research and have found a command line you can use to work with Services.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;166819

sc.exe
Open a prompt and type sc
Type that and you will have access to the properties you need.

When you type sc and press enter, the screen will fill with information on how to use sc.exe

Not sure if this will help you at this point.
 

chessbuff77

Thread Starter
Joined
Jan 4, 2003
Messages
5
I looked at sc. It helps you modify the properties but did not help with the association of hardware profiles with services. After the repair install the registry entries for svchost were restored but the machine still did not function. It was because of the Remote Procedure Call service. Apparently this service in Win 2K should NOT ever be disabled. Especially not at the hardware profile level.

Mosiac, I had to reinstall Windows 2000. I lost my documents folder but saved the photos on my machine, so all was not lost. I think I also blew my wireless network adapter. It has stopped blinking. Well, after three days of misery (research was fun) I'm kind of getting back on my feet.

Thanks for your help Mosiac. Your postings were a big help.
 
Joined
Aug 17, 2001
Messages
7,486
chessbuff77,

I am sorry to hear that. You're welcome, although I was of little, if any, help. I think your conclusion about RPCSS is on the money.

And this was the result of a trojan? I really think people who write nasties should be ... strung up.


Mo
 