BackDoor.Afcore.BN Help Please!

I read a similar post a few messages down but it does not address my problem. This file is located in SYSTEM32/scesovc.dll. There is no way I can boot the computer, it stops short of windows and reboots. I can boot in safemode.

I searched for scesovc.dll in an attempt to delete the file. In safemode it doesn't find the file. I know it was there because before I had this major problem I found it in windows/system32 when the computer booted normally. I searched the registry and found the key, did a backup but it keeps comming back even in safemode.

My Question is, can I install TDS on the XP machine using a floppy or CD while in safemode? It's the only way since I can't download it in safemode. Will it run in safemode?

Any other suggestions to rid myself of this problem Is Appreciated.

Thanks, reeo

 

Hi Reeo, and welcome,
i don't expect it to work, but you can give it a try.
Aren't you on XP and can't you go back to an older system restore point?
It doesn't effect your data, only the system is put back.

Also make sure your folders are set to display all hidden files and extensions.
And if you run AVG close that completely so it can't hide any files from sight either, although idon't expect AVG to run in save mode.

As i don't think you'll get TDS installed properly, i wonder if you can grab the F-Prot somewheer which also works in DOS, or the Trendmicro free scanner which might work in safe mode too, as that has nothing to install, only unpack, drop the latest updates in the folder and scan i hope in safe mode too.

 

Hi,

http://www.diamondcs.com.au/index.php?page=asviewer
Use ASViewer to find its startup method, it may read like this ?

RunDLL32 C:\Windows\System32:scesovc.dll,Install

Then click Start > Run and type

RunDLL32 C:\Windows\System32:scesovc.dll,Uninstall

If you cant find it, email me a saved log from ASViewer to support

 

Hi and thanks for the welcome. I disabled System Restore thinking AVG would delete the file/s. I haven't a restore point. Hindsight tells me I should not have bothered with trying to delete the file but use SR instead. The reason I didn't I downloaded some stuff earlier and didn't want to do it again.

I'll make sure to check, display hidden files.

Thanks, reeo

 

Thanks for the help, can I install the file in safemode? I'm on my other computer that is working so I won't know unless I try. It won't boot into windows but I heard installing programs in safemode is not wise. Ill check back in a few to see if you have replied.

Thanks, reeo

 

AVG does hide files from sight, even with "show hidden files" in your folder settings.
Hmmm these days with so many infections, spyware adware etc flying around i think i wouldn't like to be without system restore if possible.
So Gavin's advice with the AutoStartViewer log is the first option to do which might solve the problem so you can reboot and start Windows normal and get TDS installed normal as well.
ASViewer is just unzip and run it, nothing to install, choose all options to be displayed and create your log.
Fingers crossed!

 

Thank you so much for the quick reply. Ok I'll give it a try and see what happens. I sure don't want to be without SR but I have to be until I can get back into windows. Hopefully I can set msconfig .ini or when I boot into safemode to have access to the internet. I read a way for AVG to run in safemode but it won't delete the file.

Thanks, reeo

 

I didn't find it . However It said you didn't accept emails so here is the file. If you want more data like show services I can send more. Thanks


DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@COMPUTER, 07-18-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VTTimer
VTTimer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sunkist2k
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Recguard
C:\WINDOWS\SMINST\RECGUARD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PS2
C:\WINDOWS\system32\ps2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /installquiet /keeploaded /nodetect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LTMSG
LTMSG.exe 7
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KBD
C:\HP\KBD\KBD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hpsysdrv
c:\windows\system\hpsysdrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHUPD05
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHmon05
C:\WINDOWS\System32\hphmon05.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
C:\WINDOWS\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CamMonitor
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PivotSoftware
C:\Program Files\WinPortrait\wpctrl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
C:\WINDOWS\system32\dumprep 0 -k
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIEW
rundll32.exe nview.dll,nViewLoadHook
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackupNotify
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme.PCHButton
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MoneyAgent
C:\Program Files\Microsoft Money\System\mnyexpr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Easy Internet Sign-up.job
C:\Program Files\Easy Internet signup\HPSdpApp.exe
C:\WINDOWS\Tasks\System Restore.job
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\NaturalColorLoad.lnk
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll

 

Sorry I wasn't paying attention, I'm tired. Here is a copy of the complete log file. Sorry for so many posts.

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@COMPUTER, 07-19-2004
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers]
timer=timer.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VTTimer
VTTimer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sunkist2k
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Recguard
C:\WINDOWS\SMINST\RECGUARD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PS2
C:\WINDOWS\system32\ps2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /installquiet /keeploaded /nodetect
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LTMSG
LTMSG.exe 7
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KBD
C:\HP\KBD\KBD.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hpsysdrv
c:\windows\system\hpsysdrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHUPD05
c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHmon05
C:\WINDOWS\System32\hphmon05.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
C:\WINDOWS\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CamMonitor
c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PivotSoftware
C:\Program Files\WinPortrait\wpctrl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
C:\WINDOWS\system32\dumprep 0 -k
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIEW
rundll32.exe nview.dll,nViewLoadHook
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackupNotify
c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme.PCHButton
C:\PROGRA~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MoneyAgent
C:\Program Files\Microsoft Money\System\mnyexpr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Easy Internet Sign-up.job
C:\Program Files\Easy Internet signup\HPSdpApp.exe
C:\WINDOWS\Tasks\System Restore.job
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\NaturalColorLoad.lnk
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Alerter\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
HKLM\System\CurrentControlSet\Services\AvgServ\
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\nvcap\
C:\WINDOWS\System32\DRIVERS\nvcap.sys
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\NVXBAR\
C:\WINDOWS\System32\DRIVERS\NVxbar.sys
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\C:\WINDOWS\System32\vsdatant.sys
HKLM\System\CurrentControlSet\Services\vsmon\
C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

 

Gavin can be reached by email support@diamondcs.com.au

(This board is set to not allowing emails via the board to nobody)
I'll leave reacting on the ASVierwer to Gavin.

 

Hi,

Ok it seems like a newer variant of this. Do you remember what the registry key was which you removed ? It might have caused this since it wasn't removed fully

I thought it was a stream one, but if you saw the file itself then it wasn't a stream variant. If you deleted it then the infection should be gone !

I might suggest a reinstall, but you have a System Restore job which runs sometimes ? You should try using System Restore in Safe Mode first to revert to an older backup Hope this is suitable to get you back up and running quick.

If you reinstall, choose to install Windows but then when it searches and finds the old Windows folder, choose REPAIR install. Then enable the firewall, get online, get all Windows Update critical patches..

 

Hi and thanks for looking,

In regedit-under the key, HKey Current User/Software/Microsoft/Search Assistant/ACmru/5603. To the right it had BackDoor, Scesovc.dll,Scesovc. It had a couple of others but I don't remember. First I deleted BackDoor and scesovc.dll. That didn't work so I deleted the whole 5603 key. I did a resistry backup so I could put it back if necessary.

I don't have any useful restore points without the trojan. Before I opened regedit I did a search in safe mode of drive C for scesovc.dll, it wasn't there. Keep in mind when the computer did boot normally I found scesovc.dll but was afraid to delete it without asking.

The computer is up to date and it is a near new HP A450n that I made 8 recovery discs for. It has a recovery partition in drive D but as I understand it quite drastic as it recovers it back to when I purchased it.

I was on line in safemode last night and tried HouseCall but it come up clean once again. Since I can get on line in safemode, is there a site available that cleans? Your thoughts and suggestions are appreciated.

reeo

 

That reg key has nothing to do with your trojan; it's only most-recently-used (MRU) search history for files and folders.

Deleting it doesn't remove the infection.

 

... you could try this Aflooder removal tool:

http://www.sophos.com/support/disinfection/corefloo.html

If no joy, you should follow Gavin's advice and try a system restore...

 

System Restore takes me back to an infected computer. Thanks for the link but it didn't list my particular variant, so I'm afraid to use it. Mine as mentioned must be quite new. It looks like I'm in trouble.

reeo

 

Hi there, maybe with a system restore job and back to the infected state could help you to get rid of it in a more proper way and not getting back in this not-booting windows. In a normal bootable windows we can do so much more for you too.
You might be able to grab the nasty file and send it to Gavin to find a proper cleaning for it for you.
Or maybe Tony's tool works then already.
Better trying the infected computer state than a whole windows rebuild which might not even work properly with the corrupted (?) registry.

BTW: how did you come to this infection name and which software detected it for you? Was that AVG? Make sure AVG is closed in every way as it hides files from sight and makes removal extra complicated! In safe mode it will not run one might suppose.
(Keeping AVG closed during scan with other scanners, creating ASViewer log, other scanners, housecall, etc i mean!) Housecall might be able to locate it with AVG closed, or AVG might find it itself if you use that again on the sytem-restored computer.

 

Hi,

If your antivirus does detect this now (?), then you could be able to download the updated defs and while NOT online revert to the older configuration with System Restore. Then apply the definitions if needed (surely they wont be reverted though) and reboot into Safe Mode. Allow the scanner to remove everything it can, and see how you go ? How does this sound