[Michelle]

It's your computer, I'm letting you make the call on this one!

I'll just say if it were on my computer, I would have already deleted it LOL

OR, we can try just disabling it for now, until we find out any information from the place you uploaded the file to...

[Advertisements]

Let's just try disabling it for now:

Press CTRL ALT DELETE, click on the Processes tab and end the following:

INETSVC.EXE

Exit Task Manager.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Internet Service Manager (or INETSVC)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok. Exit.

And on that note, I think I'm going to bed. Need to give my brain a rest from this nasty stuff!!

[Michelle]

Let's just try disabling it for now:

Press CTRL ALT DELETE, click on the Processes tab and end the following:

INETSVC.EXE

Exit Task Manager.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Internet Service Manager (or INETSVC)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok. Exit.

And on that note, I think I'm going to bed. Need to give my brain a rest from this nasty stuff!!

[racinmason001]

I've found stuff on the internet about Inetsvc.exe and everyone says it is bad.There is also Inetmgr.exe I guess they are related I dont understand to much of what people are saying about viruses I just know they are bad.

[racinmason001]

My task manager does not open so I cant disable it like that sorry

[Michelle]

Yes, I know about that one. However, location is important with all files. The location of the file you're talking about is in Program Files. This is in Windows which is why I didn't know what it was... And, they just responded as to what it was: Sdbot.xd worm. So we're definitely deleting it!!

Open HiJackThis click on None of the above just start the program. Click on Config, click on Misc Tools. Click on "Open Process Manager". Scroll down until you find this:

C:\WINDOWS\System32\INETSVC.EXE

click on it to highlight it, then click Kill Process - answer yes to the prompt!

Then do this:

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Internet Service Manager (or INETSVC)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok. Exit.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

INETSVC

Click ok.

It should pull up information about the service, then ask if you want to reboot. Click YES.

After it reboots, go into Windows Explorer and make sure this file is gone:

C:\WINDOWS\System32\INETSVC.EXE

Post a new HiJackThis log and Let me know if you received any error messages or had any problems.

Edited by bananafanafo, 29 April 2005 - 02:46 AM.

[racinmason001]

my task manager does not open

[Michelle]

Post #50 please (edited)

[racinmason001]

I'm sorry I'm an idiot I will open HJT and kill the process.It must be getting late for me I cant even comprehend what I am reading

[Michelle]

Yep, I understand that! Hopefully, it'll run better once we get rid of that worm...

[Michelle]

I'm going to bed now!

Shut down your computer!! We don't want it to "pick up" anything else!

[racinmason001]

Well I've had a serious problem.My computer wouldn't log on to windows it said NTLDR is missing and told me to ALT+CTRL+DEL to restart I did it about a hundred times and it would just come up as the same message so I had to do an emergency restore with my millenium restore disc.Then when I checked the services hwclock was back so I rebooted inj safe mode and deleted the files and deleted it in the registry with regedit I hope I did good.Now I cant download hijackthis :mad: maybe you can help.

[Michelle]

Do you not have the XP CD? Missing NTLDR error is not good at all...

[racinmason001]

No When I bought the comp last year it just came with the restore cd I used netscape to download hijackthis and here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 4:43:06 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\mswin32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mswin32.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Netscape\Netscape 6\HijackThis.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[racinmason001]

for some reason my comp shuts down hijackthis after it is on for 15-30 seconds.

[Michelle]

Your computer keeps getting infected with a bunch of worms. They are making use of the vulnerabilities in XP - it seriously needs to be patched! Ugh! We get rid of one worm, but the next day there is another worm.