next »

[Splinter]

I found this a bugger to remove, including the ending processes (svchost....) when you then get 60 secs to countdown and click to accept the registry change between second 1 and 0 remaining, which didn't work.
Booting to Ubuntu was the only solution that worked.

[Wooster]

Svchost covers a pile of different services under different Process ID's

I.E. svchost PID 408



I.E. svchost PID 752



I'd guess you used Task Manager to shut down the svchost entries and accidentally killed Remote Procedure Call...which forces the system to shut down.  

You can get around this by using Procexp and either killing the svchost entry the rogue service is running under, or suspending it (hopefully stalling the shutdown procedure).
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Btw, this comes in well handy for those Viruses that just pop up under a different name while you're trying to remove them. If you suspend them, you can get to work removing the bastards while they think they're still working.

[Splinter]

Nice one mate, I'll try that.
Was extremely tempted to zap the drive (client said nothing worth keeping), but I was determined to find a way and actually enjoyed it.
Will take you up on that procexp though.
Cheers