The Notebook Review forums were hosted by TechTarget, which shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    sochost.exe

    Discussion in 'Security and Anti-Virus Software' started by Harper2.0, Mar 16, 2008.

  1. Harper2.0

    Harper2.0 Back from the dead?

    So each time I reboot my computer, NOD32 tells me it has found an infiltration... sochost.exe in the windows/system32 folder. I googled it and found multiple websites that explained how to remove/disable it, but the removal programs were unsuccessful. There was one website that said to reboot in safe mode and use the Sysinternals startup program (forgot what it was called), and to find sochost.exe and uncheck the box. I did. Then it said to go to where the file is and delete the file. I could not find the file. I even set Windows to show hidden files, but no luck.

    Anyone have any ideas? I can't reformat right now because I have finals in a few days, but is it dangerous to use my computer while infected? I mean, I'm not gonna use my credit card to order anything or enter any of my personal info (anything bank related). I should be OK for a few days, right?

    Thanks for your help in advance.
     
  2. kuncheesh

    kuncheesh Notebook Evangelist

    Did you try using Task Manager to kill the process sochost.exe and then deleting it? This must work.
     
  3. Harper2.0

    Harper2.0 Back from the dead?

    It doesn't show up in Task Manager, and I've tried going to the system32 folder; it wasn't there, even though NOD32 says it is. Here's what the scan shows:

    NOD32 version 2949 (20080315) NT
    Command line: c:\windows\system32\sochost.exe
    Checking CRC of NOD32.EXE: Status OK
    Scanning memory: Not performed (option disabled)
    Date: 16.3.2008 Time: 11:13:33
    Scanned disks, folders and files: c:\windows\system32\sochost.exe
    Path c:\windows\system32\sochost.exe\ is invalid.
    Number of scanned files: 0
    Number of threats found: 0
    Time of completion: 11:13:33 Total scanning time: 0 sec (00:00:00)
     
  4. swarmer

    swarmer beep beep

    I don't know, but... maybe NOD32 removed it already?

    Also, in Explorer, be sure to set it to show system files as well as hidden files.

    And Sysinternals' RootkitRevealer can detect if malware is "cloaking" a file (making it invisible).

    But from what you wrote, it kind of looks like msconfig is still set to run the file at startup, but the file itself has been removed. That could be why NOD32 found a "command line" but didn't find the file... I'm guessing.

    If you want to be absolutely sure whether the file is there or not, you'll need to mount the volume from a different (and trusted) OS. (Because a compromised OS can lie to you.) You can burn a CD (or USB stick) of a specialized, lightweight version of Linux for this purpose and run it off the CD: http://www.sysresccd.org/Main_Page
     
  5. Harper2.0

    Harper2.0 Back from the dead?

    RootkitRevealer doesn't want to work. When I run it, Windows automatically says "Rootkit detection utility has stopped working".
     
  6. coolguy

    coolguy Notebook Prophet

  7. Harper2.0

    Harper2.0 Back from the dead?

    I tried that; the patches they have are only for WinXP and previous, nothing for Vista. I think I'll just stick it out till finals are over and then do a clean install.
     
  8. deputy963

    deputy963 Notebook Evangelist

    Path c:\windows\system32\sochost.exe\ is invalid.
    NOD is telling you the file is gone. To delete the entry you'll have to open regedit and delete references to sochost.exe.
     
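Added example, not posted in the thread, that puts swarmer's diagnosis and deputy963's fix together: list the autorun registry entries whose executable is no longer on disk (the "msconfig still points at a removed file" situation) and optionally delete the orphaned entry, which is what deputy963 suggests doing by hand in regedit. It is written for an elevated Windows PowerShell prompt; the four Run/RunOnce keys, the helper names and the sample filter at the bottom (built from the path NOD32 printed) are this example's own choices, not anything the posters ran.

```powershell
# Added example, not from the thread: find autorun entries whose image file is
# missing and, on request, remove them. Run from an elevated PowerShell prompt.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty attaches to every result; not real values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    # Reduce a Run value such as  "C:\dir\a b.exe" /flag  or  C:\dir\x.exe /flag
    # to the executable path. Anything it cannot parse (rundll32 wrappers and
    # the like) comes back unchanged for manual review.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }   # -match is case-insensitive
    return $c
}

function Test-FileReallyExists {
    # Explorer's "show hidden files" still hides files carrying the System
    # attribute; this check ignores attributes entirely. A rootkit hooking the
    # file system can still lie here, which is why a rescue OS gives the
    # definitive answer.
    param([string]$Path)
    return [System.IO.File]::Exists($Path)
}

function Find-OrphanAutoruns {
    param(
        [string]$ImageFilter = '*',   # wildcard matched against the resolved image path
        [switch]$Remove               # delete entries whose image file is missing
    )
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $image  = Get-ImagePath ([string]$prop.Value)
            if ($image -notlike $ImageFilter) { continue }
            $onDisk = Test-FileReallyExists $image
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
                Image   = $image
                OnDisk  = $onDisk
            }
            if ($Remove -and -not $onDisk) {
                Remove-ItemProperty -Path $key -Name $prop.Name -Verbose
            }
        }
    }
}

# 1. Review everything first. Entries with OnDisk = False are the orphans.
Find-OrphanAutoruns | Format-Table -AutoSize
# 2. Then remove just the one from the thread (deleted only if the file is absent):
# Find-OrphanAutoruns -ImageFilter '*\sochost.exe' -Remove
```

The script only touches the four Run/RunOnce keys; Winlogon, services and scheduled tasks can also launch a file at startup, and Sysinternals Autoruns enumerates all of those. An entry that still resolves to a file on disk is not an orphan and should be investigated, not deleted, since the file itself is then the thing to remove.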
  9. arjunned

    arjunned Notebook Deity

    Or try deleting the entry using CCleaner...
     
  10. Harper2.0

    Harper2.0 Back from the dead?

    OK, after deleting the registry entry for sochost.exe, NOD32 doesn't alert me about it anymore. Should I reformat anyway? Or am I good to go?
     
  11. deputy963

    deputy963 Notebook Evangelist

    Update, then do a full scan in safe mode. You're probably fine.
     
  12. Harper2.0

    Harper2.0 Back from the dead?

    Hmmm, looks like a clean install is necessary, as UAC has been disabled and so has Windows Update. I can't even manually update.
     
  13. deputy963

    deputy963 Notebook Evangelist

    It's probably an easy fix by re-registering the associated DLL files, BUT a clean install is probably best. Be sure to back up ANYTHING you feel may be valuable and scan it well.
     
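Added example, not posted in the thread: a way to inspect and restore the two settings Harper2.0 found tampered with, UAC and Windows Update, including the DLL re-registration deputy963 refers to. It is written for an elevated Windows PowerShell prompt. The registry value and service name are the standard ones; the list of Windows Update client DLLs is the commonly cited set and is an assumption of this example, so files absent on a given build are skipped.

```powershell
# Added example, not from the thread: show UAC and Windows Update state, then
# put both back. Run from an elevated PowerShell prompt.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Assumed DLL list for the re-registration step; missing files are skipped.
$WuDlls = 'wuapi.dll', 'wuaueng.dll', 'wups.dll', 'wups2.dll', 'wuwebv.dll', 'wucltui.dll'

function Get-TamperState {
    # EnableLUA = 0 is what "UAC has been disabled" looks like in the registry.
    $lua = (Get-ItemProperty -Path $UacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    # Get-Service has no start-mode property on older PowerShell; WMI does.
    $mode   = (Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'").StartMode
    $status = if ($svc) { $svc.Status.ToString() } else { 'missing' }
    [pscustomobject]@{
        UacEnabled         = ($lua -eq 1)
        WindowsUpdate      = $status
        WindowsUpdateStart = $mode      # Auto / Manual / Disabled
    }
}

function Repair-TamperState {
    # UAC: the value change only takes effect after a reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord

    # Windows Update: stop the service, re-register the client DLLs, set the
    # service back to Automatic and start it. A Disabled start mode with the
    # service stopped matches the symptom "I can't even manually update".
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    foreach ($dll in $WuDlls) {
        $path = Join-Path $env:SystemRoot "System32\$dll"
        if (Test-Path $path) { & regsvr32.exe /s $path }
    }
    Set-Service -Name wuauserv -StartupType Automatic
    Start-Service -Name wuauserv
}

Get-TamperState      # before: in the thread's case UacEnabled False, start mode Disabled
Repair-TamperState
Get-TamperState      # after: UacEnabled True, WindowsUpdate Running, start mode Auto
```

This reverses the two symptoms that were visible; it does not prove the machine is clean. Something that disabled UAC and Windows Update had administrator-level control, and may have changed more than these two settings, which is why the thread's conclusion to back up, scan and reinstall is the safer course.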
  14. Harper2.0

    Harper2.0 Back from the dead?

    I will... It's Tuesday today; Saturday I'm done with finals, yay.
     
  15. jithin6g

    jithin6g Notebook Consultant

    Do a complete format, paji. Saves time!
     
  16. Harper2.0

    Harper2.0 Back from the dead?

    Yes paji, I will do that.
     
  17. Harper2.0

    Harper2.0 Back from the dead?

    OK, done. This time I turned on the HIPS thing in the security guide, and also installed Comodo. There's no ThreatFire x64 yet :(