Netcfgx32.exe


2 replies to this topic

#1 bbygirl778


Posted 12 November 2007 - 09:32 AM

I have gotten a virus due to letting other people use my computer. Lovely, huh... It is the netcfgx32.exe. I cannot download any spyware or virus protection; it stops it. So I got Defender Pro and was able to download the spyware off the CD, but it says I have F-Secure anti-virus on my system, so I cannot download the antivirus section. I removed the F-Secure and get nothing when I search for it, but it still says it is there. I got Autoruns, started in safe mode, deleted netcfgx32.exe, and it still comes up when I start my computer in normal mode. It now has stopped my computer from being able to view certain web pages and e-mail. It fried my IE; when I try to go to Add/Remove Programs to fix it, it says invalid INF file. So I went to redownload it, and when I click the download button, of course I get sent to a "cannot display page" screen regardless of where I go to get it. How can I get this Defender Pro to download on my computer? The spyware part I got on there by using safe mode, and scanned and got rid of what it found, but I cannot install the antivirus in safe mode.


#2 bbygirl778


Posted 12 November 2007 - 10:18 AM

OK, well, I guess this question was too hard. Anyway, the netcfgx32.exe starts itself upon start of the computer. When you delete it, or even wipe it with a wiper file, it copies itself, even if you delete it using Autoruns in safe or normal mode. I also have 3 svchost.exe processes running for system, one for network services and one for my user name, for a total of 5. I think this is too many... OK, well, thanks anyway, all.

#3 quietman7


Posted 13 November 2007 - 12:17 PM

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of netcfgx32.exe and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

"I also have 3 svchost.exe processes running"

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services; therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon, but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
and a prefetch file located here: C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure of the spelling. If it is scvhost.exe, then that is a Trojan.

There are several ways to investigate svchost.exe and related processes.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

The Process Explorer window shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

If you have XP Pro, you can use Tasklist /SVC to view the list of services processes that are running in Svchost. The /SVC switch shows the list of active services in each process.

Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

For help and syntax information, type the following command, and then press ENTER:
tasklist /?
Also see Syntax options and Tasklist Syntax.

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
press Enter.

You can also use (type):
WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter.

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

And you can search the process name using Google, BC's File Database and read "How to determine what services are running under a SVCHOST.EXE process".

Edited by quietman7, 13 November 2007 - 12:20 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
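
The path and spelling checks described in the post above, applied to a process listing, as an added example that is not part of the original post. It assumes the listing was produced with WMIC's ExecutablePath property and /FORMAT:CSV (a variant of the commands quoted above) and that Windows is installed in C:\WINDOWS; the function name, threshold and sample rows are constructed for illustration.

```python
import csv
import io
import ntpath
from difflib import SequenceMatcher

# Constructed sample rows, shaped like the output of this assumed variant of
# the post's command:
#   WMIC PROCESS get Caption,ExecutablePath,ProcessId /FORMAT:CSV
SAMPLE = r"""Node,Caption,ExecutablePath,ProcessId
PC,System Idle Process,,0
PC,svchost.exe,C:\WINDOWS\system32\svchost.exe,812
PC,svchost.exe,C:\WINDOWS\Temp\svchost.exe,1440
PC,scvhost.exe,C:\WINDOWS\system32\scvhost.exe,1502
PC,explorer.exe,C:\WINDOWS\Explorer.EXE,1620
PC,svchost.exe,,904
"""


def review_svchost(csv_text, system_root=r"C:\WINDOWS"):
    """Return (pid, name, path, reason) for each process that needs a closer look."""
    # The only location a running svchost.exe is expected at (XP layout from the post).
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "svchost.exe"))
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = (row.get("Caption") or "").strip().lower()
        path = (row.get("ExecutablePath") or "").strip()
        if name == "svchost.exe":
            if not path:
                # WMI may not report a path; confirm it by hand.
                reason = "path not reported; check with Process Explorer"
            elif ntpath.normcase(path) != expected:
                reason = "svchost.exe running outside system32"
            else:
                continue  # correct name, correct location
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.85:
            # Catches near-miss spellings such as scvhost.exe.
            reason = "name imitates svchost.exe"
        else:
            continue
        findings.append((int(row["ProcessId"]), row["Caption"], path, reason))
    return findings


if __name__ == "__main__":
    for pid, name, path, reason in review_svchost(SAMPLE):
        print(f"PID {pid:>5}  {name:<12} {path or '-':<34} {reason}")
```

A flagged PID can then be matched against the tasklist /svc output to see which services, if any, that instance claims to host.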
