BackDoor.Afcore.BN Help Please!

Discussion in 'Trojan Defence Suite' started by reeo, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    I read a similar post a few messages down but it does not address my problem. This file is located in SYSTEM32/scesovc.dll. There is no way I can boot the computer; it stops short of Windows and reboots. I can boot in safe mode.

    I searched for scesovc.dll in an attempt to delete the file. In safe mode it doesn't find the file. I know it was there because before I had this major problem I found it in windows/system32 when the computer booted normally. I searched the registry and found the key, did a backup, but it keeps coming back even in safe mode.

    My question is, can I install TDS on the XP machine using a floppy or CD while in safe mode? It's the only way since I can't download it in safe mode. Will it run in safe mode?

    Any other suggestions to rid myself of this problem are appreciated.

    Thanks, reeo
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Reeo, and welcome,
    I don't expect it to work, but you can give it a try.
    Aren't you on XP, and can't you go back to an older System Restore point?
    It doesn't affect your data; only the system is put back.

    Also make sure your folders are set to display all hidden files and extensions.
    And if you run AVG, close that completely so it can't hide any files from sight either, although I don't expect AVG to run in safe mode.

    As I don't think you'll get TDS installed properly, I wonder if you can grab F-Prot somewhere, which also works in DOS, or the Trend Micro free scanner, which might work in safe mode too, as that has nothing to install, only unpack, drop the latest updates in the folder and scan, I hope in safe mode too.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    http://www.diamondcs.com.au/index.php?page=asviewer
    Use ASViewer to find its startup method; it may read like this:

    RunDLL32 C:\Windows\System32:scesovc.dll,Install

    Then click Start > Run and type

    RunDLL32 C:\Windows\System32:scesovc.dll,Uninstall

    If you can't find it, email me a saved log from ASViewer to support.
     
  4. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Hi and thanks for the welcome. I disabled System Restore thinking AVG would delete the file/s. I haven't a restore point. Hindsight tells me I should not have bothered with trying to delete the file but use SR instead. The reason I didn't is that I downloaded some stuff earlier and didn't want to do it again.

    I'll make sure to check, display hidden files.

    Thanks, reeo
     
  5. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thanks for the help, can I install the file in safe mode? I'm on my other computer that is working, so I won't know unless I try. It won't boot into Windows, but I heard installing programs in safe mode is not wise. I'll check back in a few to see if you have replied.

    Thanks, reeo
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    AVG does hide files from sight, even with "show hidden files" in your folder settings.
    Hmmm, these days with so many infections, spyware, adware etc. flying around I think I wouldn't like to be without System Restore if possible.
    So Gavin's advice with the AutoStartViewer log is the first option to do, which might solve the problem so you can reboot and start Windows normally and get TDS installed normally as well.
    ASViewer is just unzip and run; nothing to install. Choose all options to be displayed and create your log.
    Fingers crossed!
     
  7. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thank you so much for the quick reply. OK, I'll give it a try and see what happens. I sure don't want to be without SR, but I have to be until I can get back into Windows. Hopefully I can set msconfig .ini or when I boot into safe mode to have access to the internet. I read a way for AVG to run in safe mode, but it won't delete the file.

    Thanks, reeo
     
  8. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8

    I didn't find it. However, it said you didn't accept emails, so here is the file. If you want more data like show services I can send more. Thanks


    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@COMPUTER, 07-18-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VTTimer
    VTTimer.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sunkist2k
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Recguard
    C:\WINDOWS\SMINST\RECGUARD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PS2
    C:\WINDOWS\system32\ps2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /installquiet /keeploaded /nodetect
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LTMSG
    LTMSG.exe 7
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KBD
    C:\HP\KBD\KBD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hpsysdrv
    c:\windows\system\hpsysdrv.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHUPD05
    c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHmon05
    C:\WINDOWS\System32\hphmon05.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CamMonitor
    c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PivotSoftware
    C:\Program Files\WinPortrait\wpctrl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIEW
    rundll32.exe nview.dll,nViewLoadHook
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackupNotify
    c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme.PCHButton
    C:\PROGRA~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MoneyAgent
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Easy Internet Sign-up.job
    C:\Program Files\Easy Internet signup\HPSdpApp.exe
    C:\WINDOWS\Tasks\System Restore.job
    C:\WINDOWS\system32\Restore\rstrui.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
     
  9. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Sorry I wasn't paying attention, I'm tired. Here is a copy of the complete log file. Sorry for so many posts.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@COMPUTER, 07-19-2004
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VTTimer
    VTTimer.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdateManager
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sunkist2k
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Recguard
    C:\WINDOWS\SMINST\RECGUARD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PS2
    C:\WINDOWS\system32\ps2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /installquiet /keeploaded /nodetect
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmtask
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LTMSG
    LTMSG.exe 7
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KBD
    C:\HP\KBD\KBD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hpsysdrv
    c:\windows\system\hpsysdrv.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHUPD05
    c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HPHmon05
    C:\WINDOWS\System32\hphmon05.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CamMonitor
    c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PivotSoftware
    C:\Program Files\WinPortrait\wpctrl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HP Software Update
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NVIEW
    rundll32.exe nview.dll,nViewLoadHook
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BackupNotify
    c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Acme.PCHButton
    C:\PROGRA~1\HPINST~1\Pavilion\XPHNABP4EN\plugin\bin\PCHButton.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MoneyAgent
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Easy Internet Sign-up.job
    C:\Program Files\Easy Internet signup\HPSdpApp.exe
    C:\WINDOWS\Tasks\System Restore.job
    C:\WINDOWS\system32\Restore\rstrui.exe
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NaturalColorLoad.lnk
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\nvcap\
    C:\WINDOWS\System32\DRIVERS\nvcap.sys
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\NVXBAR\
    C:\WINDOWS\System32\DRIVERS\NVxbar.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin can be reached by email: support@diamondcs.com.au

    (This board is set to not allow emails via the board to anybody.)
    I'll leave reacting on the ASViewer log to Gavin.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    OK, it seems like a newer variant of this. Do you remember what the registry key was which you removed? It might have caused this since it wasn't removed fully :(

    I thought it was a stream one, but if you saw the file itself then it wasn't a stream variant. If you deleted it then the infection should be gone!

    I might suggest a reinstall, but you have a System Restore job which runs sometimes? You should try using System Restore in Safe Mode first to revert to an older backup :) Hope this is suitable to get you back up and running quick.

    If you reinstall, choose to install Windows, but then when it searches and finds the old Windows folder, choose REPAIR install. Then enable the firewall, get online, and get all Windows Update critical patches.
     
  12. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Hi and thanks for looking,

    In regedit, under the key HKey Current User/Software/Microsoft/Search Assistant/ACmru/5603, to the right it had BackDoor, Scesovc.dll, Scesovc. It had a couple of others but I don't remember. First I deleted BackDoor and scesovc.dll. That didn't work, so I deleted the whole 5603 key. I did a registry backup so I could put it back if necessary.

    I don't have any useful restore points without the trojan. Before I opened regedit I did a search in safe mode of drive C for scesovc.dll; it wasn't there. Keep in mind when the computer did boot normally I found scesovc.dll but was afraid to delete it without asking.

    The computer is up to date and it is a near-new HP A450n that I made 8 recovery discs for. It has a recovery partition in drive D, but as I understand it it's quite drastic, as it recovers it back to when I purchased it.

    I was online in safe mode last night and tried HouseCall, but it came up clean once again. Since I can get online in safe mode, is there a site available that cleans? Your thoughts and suggestions are appreciated.

    reeo
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That reg key has nothing to do with your trojan; it's only most-recently-used (MRU) search history for files and folders.

    Deleting it doesn't remove the infection.
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  15. reeo

    reeo Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    System Restore takes me back to an infected computer. Thanks for the link but it didn't list my particular variant, so I'm afraid to use it. Mine as mentioned must be quite new. It looks like I'm in trouble.

    reeo
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, maybe with a System Restore job back to the infected state it could help you to get rid of it in a more proper way and not get back into this non-booting Windows. In a normally bootable Windows we can do so much more for you too.
    You might be able to grab the nasty file and send it to Gavin to find a proper cleaning for it for you.
    Or maybe Tony's tool works then already.
    Better to try the infected computer state than a whole Windows rebuild, which might not even work properly with the corrupted (?) registry.

    BTW: how did you come to this infection name, and which software detected it for you? Was that AVG? Make sure AVG is closed in every way, as it hides files from sight and makes removal extra complicated! In safe mode it will not run, one might suppose.
    (Keeping AVG closed during scans with other scanners, creating the ASViewer log, other scanners, HouseCall, etc. I mean!) HouseCall might be able to locate it with AVG closed, or AVG might find it itself if you use that again on the system-restored computer.
     
    Last edited: Jul 20, 2004
  17. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    If your antivirus does detect this now (?), then you could be able to download the updated defs and, while NOT online, revert to the older configuration with System Restore. Then apply the definitions if needed (surely they won't be reverted though) and reboot into Safe Mode. Allow the scanner to remove everything it can, and see how you go? How does this sound?
     