PLEASE HELP!!! EXE files shut down CWS???

Discussion in 'adware, spyware & hijack cleaning' started by Doug Kennedy, Jan 29, 2004.

Thread Status:
Not open for further replies.
  1. Doug Kennedy

    Doug Kennedy Guest

    Some EXE files are shut down after a few seconds. CWShredder tells me "a CWS variant was detected that is still loaded into memory. You need to restart your system and run CWShredder again to remove it completely." I get this same message every time I shut down and re-run the scan / fix. I have run Spybot, HijackThis, Ad-aware, and delcwssk - all with current updates. Please HELP!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 8:53:05 AM, on 1/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\svchost.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.515462963
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99C63F9A-9E70-4E47-81B0-783BA0733AE1}: NameServer = 63.110.24.28,63.110.24.53
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E91C1CC-E9D5-41E9-BE9A-437C8698F33C}: NameServer = 63.110.24.28,63.110.24.53
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3703D19-70FC-4C6C-8B55-5C6C02E21DEE}: NameServer = 63.110.24.28,63.110.24.53

    :mad:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Doug,

    Please download, unzip and run http://www.safer-networking.org/files/delcwssk.zip
    CWShredder will then run properly and cleanup the complete parasite.

    Regards,

    Pieter
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Doug,

    Can you please download, install and run APM from

    http://www.diamondcs.com.au/downloads/apm.exe

    Browse through the lists of processes for this entry

    C:\WINNT\svchost.exe

    (make sure it is the one in WINNT and not WINNT\SYSTEM32) and highlight that entry, right-click and select "Exit Process". Then press "F5" on the keyboard to refresh the process list to make sure it is no longer listed there. Then try to run CWShredder again and let us know how it turns out. (If it does run okay, it would be good to repost a HijackThis log.)

    Also, before rebooting, can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Thanks

    Lol, I took too much time typing :doubt: :D Pieter, would that util address the malware svchost? I noticed it is not shown in the HijackThis log.
     
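The check Dan describes above (is the running svchost.exe the one in WINNT\System32, and does any autostart location explain it?) can be automated against the two logs posted in this thread. The following is an added example, not code from the thread or from the DiamondCS tools: it parses the "Running processes" section of a HijackThis log, flags core Windows binaries that are running from a directory other than System32, and then looks for the flagged path in an Autostart Viewer report. The sample log excerpts are constructed from the entries quoted in this thread; the function names and the `SYSTEM32_ONLY` list are this example's own assumptions.

```python
import ntpath

# Core Windows binaries that, on a stock NT/XP install, live only under
# %SystemRoot%\System32. A same-named file running from elsewhere
# (the thread's C:\WINNT\svchost.exe) is a classic masquerading sign.
# The list is an assumption of this example, not an exhaustive reference.
SYSTEM32_ONLY = {
    "svchost.exe", "lsass.exe", "services.exe", "smss.exe",
    "winlogon.exe", "csrss.exe", "spoolsv.exe",
}

# Constructed excerpt of a HijackThis log, based on the one posted above.
SAMPLE_HJT = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svchost.exe
C:\WINNT\System32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
"""

# Constructed excerpt of the Autostart Viewer report posted above.
SAMPLE_ASVIEWER = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GWMDMMSG
C:\WINNT\GWMDMMSG.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINNT\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINNT\System32\svchost.exe -k netsvcs
"""


def running_processes(hjt_log: str) -> list[str]:
    """Return the image paths listed under 'Running processes:' in a HijackThis log."""
    paths = []
    in_section = False
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:          # the section ends at the first blank line
                break
            paths.append(line)
    return paths


def find_masquerading_processes(hjt_log: str) -> list[str]:
    """Paths whose file name is a System32-only binary but whose directory is not System32."""
    suspicious = []
    for path in running_processes(hjt_log):
        directory, name = ntpath.split(path)
        parent = ntpath.basename(directory).lower()
        if name.lower() in SYSTEM32_ONLY and parent != "system32":
            suspicious.append(path)
    return suspicious


def autostart_mentions(asviewer_report: str, path: str) -> bool:
    """True if any line of the autostart report references the given image path."""
    needle = path.lower()
    return any(needle in line.lower() for line in asviewer_report.splitlines())


def triage(hjt_log: str, asviewer_report: str) -> dict[str, bool]:
    """Map each suspicious process path to whether a visible launch point exists for it.

    A False value is the situation in this thread: the file runs at every boot,
    yet none of the enumerated autostart locations names it, so the launch
    mechanism is something the report does not cover.
    """
    return {p: autostart_mentions(asviewer_report, p)
            for p in find_masquerading_processes(hjt_log)}


if __name__ == "__main__":
    for path, seen in triage(SAMPLE_HJT, SAMPLE_ASVIEWER).items():
        print(f"{path}: launch point {'found' if seen else 'NOT found'} in autostart report")
```

The directory comparison is done on the immediate parent folder rather than a full-path string match so that the mixed-case `system32`/`System32` spellings in the log compare equal; the autostart lookup is a plain case-insensitive substring search, which is all the plaintext report supports.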
  4. dcaskennedy

    dcaskennedy Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    2
    Thanks for the help...you all are awesome. Following are the logs you requested after stopping the svchost.exe process. CWShredder cleaned the variant and I thought all was well till I rebooted and it was slowww. I noticed the svchost.exe process was running in c:\WINNT\ again. CWShredder gave me the same message "CWS Variant in memory..." I have run delcwssk and it didn't find anything. How do I get rid of this thing?

    Logfile of HijackThis v1.97.7
    Scan saved at 10:23:05 AM, on 1/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll__SpybotSDDisabled (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.515462963
    O17 - HKLM\System\CCS\Services\Tcpip\..\{99C63F9A-9E70-4E47-81B0-783BA0733AE1}: NameServer = 63.110.24.28,63.110.24.53
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E91C1CC-E9D5-41E9-BE9A-437C8698F33C}: NameServer = 63.110.24.28,63.110.24.53
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3703D19-70FC-4C6C-8B55-5C6C02E21DEE}: NameServer = 63.110.24.28,63.110.24.53



    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Owner@DOUG, 01-29-2004
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GWMDMMSG
    C:\WINNT\GWMDMMSG.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTHelper
    C:\WINNT\system32\CTHELPER.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ADUserMon
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iomega Drive Icons
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Deskup
    C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RealTray
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jet Detection
    C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
    C:\WINNT\System32\ctfmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\SHELL32.dll
    C:\WINNT\system32\SHELL32.dll
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\System32\stobject.dll
    C:\WINNT\Tasks\ISP signup reminder 1.job
    C:\WINNT\System32\OOBE\oobebaln.exe
    C:\WINNT\Tasks\ISP signup reminder 2.job
    C:\WINNT\System32\OOBE\oobebaln.exe
    C:\WINNT\Tasks\ISP signup reminder 3.job
    C:\WINNT\System32\OOBE\oobebaln.exe
    C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\WINNT\Tasks\weekly.job
    C:\WINNT\system32\ntbackup.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKCU\Software\Microsoft\Windows\Currentversion\Policies\Explorer\run\COM Service
    C:\WINNT\msagent\msxcnr.com
    HKLM\Software\Microsoft\Windows\Currentversion\Policies\Explorer\run\COM Service
    C:\WINNT\msagent\msxcnr.com
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\mswsock.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINNT\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINNT\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{86EEAFA8-6F38-4657-B4F7-ED1033D2EA1C}S04947\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINNT\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINNT\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\
    C:\WINNT\System32\msfbpd.com
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\fxsocm.inf,Fax.Install.PerUser
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\mrtRate\
    MRTRATE.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\cisvc\
    C:\WINNT\System32\cisvc.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fax\
    C:\WINNT\system32\fxssvc.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\HidServ\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Iomega App Services\
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\MDM\
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NMSSvc\
    C:\WINNT\System32\NMSSvc.exe
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINNT\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PfModNT\
    \??\C:\WINNT\System32\PfModNT.sys
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\PrismXL\
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINNT\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SNMP\
    C:\WINNT\System32\snmp.exe
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINNT\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\UPS\
    C:\WINNT\System32\ups.exe
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINNT\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\_IOMEGA_ACTIVE_DISK_SERVICE_\
    C:\Program Files\Iomega\AutoDisk\ADService.exe
     
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hey dcas,
    just see whether running this helps... Stinger

    Let's see if it catches the worm...

    Just a try.

    Thx
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Well, I don't see where the winnt\svchost.exe is starting from and that worries me. I am assuming that your AV has been circumvented and that is why it has not alerted you. Can you please change the extension of that file to .xxx and email it to the address in my profile?

    Also, I would recommend that you download and install DCS's TDS3 from

    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

    and before you open it, download the latest radius database file from the same page and save it to your TDS install directory (overwriting the one that is there). When you open TDS set all "Scan Control" settings to their highest sensitivity and scan your local drives.

    You might also want to try an online AV scanner such as Panda's at

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Let us know how things turn out and check back here periodically to see if there is any additional input/ideas from others.
     
  7. dcaskennedy

    dcaskennedy Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    2
    I've had a miserable time downloading anything right now. I think the ISP is overloaded. I did finally get a version of AVG downloaded and updated and it found and cleaned Beast door GTo_O don't know much about it. Thanks for all of your help. Hopefully I won't have to come back soon...but if I should have any problems, I know where to go. Later
     