Malware troubles

#46 k8yse (Member, Topic Starter, 61 posts)

Did some research on the Trojan and it turns out that it's only an email message that is spoofed and wants you to visit a website and log into your bank account etc. So unless you actually do that, there is no problem. This is not an "infection."
McAfee had the info on it. Kaspersky had no info.

thanks.

John
#47 don77 (Malware Expert, Retired Staff, 18,526 posts)

Quote (k8yse):
I deleted all of the files except for the .pst file. That's the Outlook mail file,
so I don't want to lose all the messages that are saved in there. I hope we can clean the file somehow.

I have not rebooted yet. Should I try something else on the .pst file?


Open Outlook and search for any mail with attachments; unless they are from someone you know, delete them.

Go ahead and reboot.

I believe I had you download Cleanup!, which will clean most of the files found in your temp folders.

#48 k8yse (Member, Topic Starter, 61 posts)

I have not used "cleanup" unless it goes by another name. I will reboot now.

Thanks.

John

#49 don77 (Malware Expert, Retired Staff, 18,526 posts)

Sorry, I replied at the same time you did; I see you got the e-mail issue.

Reboot and let us know how it goes.
Below find Cleanup! for keeping your temp folders clean:
  • Go Here, download and install Cleanup!
  • Open up the program and click on the Cleanup button. Let it do its thing.
    It will ask you to reboot; allow it to do so.
  • When the computer restarts it will open again and finish running; allow it to do so please.


#50 k8yse (Member, Topic Starter, 61 posts)

Ran Cleanup; deleted over 12,000 files, 572 MB.
Rebooted and still had the svchost.exe error message pop up.
Otherwise normal.

Thanks.

John

#51 don77 (Malware Expert, Retired Staff, 18,526 posts)

  • Search for svchost.exe; search for all of them.
  • Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name".
  • Please post whatever the text in the box immediately to the right says for each.


#52 k8yse (Member, Topic Starter, 61 posts)

svchost.exe search results:

C:\WINNT\system32
Version:
File Version 5.0.2134.1
Description: Generic Host Process for Win32 Services
Copyright © Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
Internal name: svchost.exe
Language: English (United States)
Original Filename: svchost.exe
Product Name: Microsoft® Windows ® 2000 Operating System
Product Version: 5.00.2134.1

C:\WINNT\system32\dllcache
Version:
File Version 5.0.2134.1
Description: Generic Host Process for Win32 Services
Copyright © Microsoft Corp. 1981-1999
Company Name: Microsoft Corporation
Internal name: svchost.exe
Language: English (United States)
Original Filename: svchost.exe
Product Name: Microsoft® Windows ® 2000 Operating System
Product Version: 5.00.2134.1

Both seem identical.

Thanks.

John
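An added Python example (mine, not something posted in the thread) that automates the check don77 asks for in the two posts above: take every svchost.exe found, together with the fields read off its Properties > Version tab, and report which copies are out of place. On Windows 2000 the live binary lives in %SystemRoot%\System32 and Windows File Protection keeps its backup in System32\dllcache, so those are the only two expected locations and both should be the same build. The first two entries are the ones John posted; the third is a constructed rogue copy dropped straight into the Windows directory, added here to show what a failing entry looks like.

```python
from pathlib import PureWindowsPath

# Constructed sample: the two copies John reported, plus a made-up third copy sitting
# directly in the Windows directory with non-Microsoft version fields.
SAMPLE_FINDINGS = [
    (r"C:\WINNT\system32\svchost.exe",
     {"Company Name": "Microsoft Corporation", "Internal name": "svchost.exe",
      "Original Filename": "svchost.exe", "File Version": "5.0.2134.1"}),
    (r"C:\WINNT\system32\dllcache\svchost.exe",
     {"Company Name": "Microsoft Corporation", "Internal name": "svchost.exe",
      "Original Filename": "svchost.exe", "File Version": "5.0.2134.1"}),
    (r"C:\WINNT\svchost.exe",  # constructed rogue copy, not from the thread
     {"Company Name": "", "Internal name": "loader",
      "Original Filename": "loader.exe", "File Version": "1.0.0.0"}),
]


def audit_svchost_copies(findings, systemroot=r"C:\WINNT"):
    """Map each reported path to the reasons it looks wrong (an empty list means clean).

    findings: (path, version_fields) pairs as read from Properties > Version.
    A copy passes if it lives in System32 or System32\\dllcache, names Microsoft
    as the company and svchost.exe as both internal and original file name; the
    clean copies must also agree on File Version.
    """
    findings = list(findings)
    allowed = {str(PureWindowsPath(systemroot, "System32")).lower(),
               str(PureWindowsPath(systemroot, "System32", "dllcache")).lower()}
    report = {}
    for path, info in findings:
        reasons = []
        if str(PureWindowsPath(path).parent).lower() not in allowed:
            reasons.append("located outside System32 or dllcache")
        if info.get("Company Name") != "Microsoft Corporation":
            reasons.append("Company Name is not Microsoft Corporation")
        for field in ("Internal name", "Original Filename"):
            if info.get(field, "").lower() != "svchost.exe":
                reasons.append(f"{field} is {info.get(field)!r}, expected svchost.exe")
        report[path] = reasons
    # The live copy and its dllcache backup are the same build on a healthy system;
    # a version split between otherwise clean copies means one has been swapped.
    clean = [path for path, _ in findings if not report[path]]
    versions = {dict(findings)[path]["File Version"] for path in clean}
    if len(versions) > 1:
        for path in clean:
            report[path].append(f"File Version differs between copies: {sorted(versions)}")
    return report


if __name__ == "__main__":
    for path, reasons in audit_svchost_copies(SAMPLE_FINDINGS).items():
        print(path, "->", "OK" if not reasons else "; ".join(reasons))
```

Version fields alone are not proof (they can be copied from the real binary), but a copy that fails any of these checks is the first thing to pull for closer inspection, and two "clean" copies that disagree on File Version tell you one of them is not what File Protection put there.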

#53 don77 (Malware Expert, Retired Staff, 18,526 posts)

Quote (k8yse):
When I look at Processes in the Task Manager, I find 3 instances of svchost.exe running, all with different memory usage.

Can you tell me what the different usages are?

#54 k8yse (Member, Topic Starter, 61 posts)

svchost.exe PID 464 Mem Usage 1,696K
svchost.exe PID 532 Mem Usage 4,088K
svchost.exe PID 968 Mem Usage 1,532K

Thanks.

John

#55 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi John, open up the registry search tool I had you download earlier.
Copy and paste the following into the box please:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

Let it run and again post back the contents from Notepad when it opens, please.

#56 k8yse (Member, Topic Starter, 61 posts)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost" 5/8/2005 1:32:52 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\BITSGroup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wugroup]

Thanks.

John

#57 don77 (Malware Expert, Retired Staff, 18,526 posts)

Please go Here.
Download Reglite and open Registrar Lite.
Open the program; in the top address bar, copy and paste the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]

Double-click on it when found in the window to the right.
In the smaller window that opens, click Export data (looks like a disk).
Export to the desktop (double-check to make sure it's there).
Click Cancel on the smaller window.
Now highlight the reg again please, click on the red X and delete.

Restart your computer.

#58 k8yse (Member, Topic Starter, 61 posts)

I think the program is a little different, but I pasted the value in the address bar.
Then a tree opens up on the left with the value found. When you click on the directory "LocalServer32" you get a value of "default" on the right. When you double-click that, the data editor opens up. The key name is the string we searched for. Value Name is (default). Type is REG_SZ, Size 30, Value
C:\WINNT\System32\svchost.exe

I click the disk icon and it saves it to the desktop. If I open that with notepad, the only thing I see is C:\WINNT\System32\svchost.exe

Do I close the data editor, and then highlight "LocalServer32" in the tree and then click the red cross? Don't want to do it unless I'm sure.

Thanks.

John

#59 don77 (Malware Expert, Retired Staff, 18,526 posts)

Looking for the CLSID that has this value
{E9376CC6-121A-447e-81CF-D8BCC200007C}

#60 k8yse (Member, Topic Starter, 61 posts)

I have the CLSID value on the left directory tree.
Under that directory are two subdirectories:
InProcHandler32 & LocalServer32

If I highlight the localserver32, the file "default" appears on the right window.

Do I double click on that to bring up the data editor window and then save it to the desktop? Or should I be doing something else, like deleting the entire CLSID directory?

Thanks.

John
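One added Python example (mine, not from the thread or from RegSrch or Registrar Lite) that covers both registry checks being worked through above: the Svchost key from posts #55 and #56, and the CLSID LocalServer32 entry from posts #57 to #60. On Windows 2000 the group membership lists are REG_MULTI_SZ values stored directly on the Svchost key (the RegSrch output shows only the subkey names, not those values); each member service's ImagePath should read %SystemRoot%\System32\svchost.exe -k <group>, and its Parameters\ServiceDll is the DLL svchost actually loads. A DLL outside System32 riding along in an existing group is exactly how a payload hides while every svchost.exe on disk checks out clean, which is why the file-version check alone is not enough. The second check flags a CLSID whose LocalServer32 is svchost.exe, the heuristic don77 is applying when he has that key exported and deleted. The sample export is constructed: the three group names and the E9376CC6 CLSID are the ones John posted; the service entries, the "rogue" member and its DLL path, and the second CLSID are made up for the example.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _hex7(*strings):
    """Encode strings as REGEDIT4 writes REG_MULTI_SZ: hex(7), ANSI, NUL-separated,
    double-NUL terminated, long values wrapped with a trailing backslash."""
    data = ("".join(s + "\0" for s in strings) + "\0").encode("latin-1")
    hexes = [f"{b:02x}" for b in data]
    rows = [",".join(hexes[i:i + 16]) for i in range(0, len(hexes), 16)]  # short rows
    return "hex(7):" + ",\\\n  ".join(rows)


# Constructed sample export. The group names and the first CLSID are the ones John's
# tools reported; every service entry, the "rogue" member, its DLL path and the
# second CLSID are made up for this example.
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]",
    '"netsvcs"=' + _hex7("EventSystem", "rogue"),
    '"wugroup"=' + _hex7("wuauserv"),
    '"BITSGroup"=' + _hex7("BITS"),  # no Services\BITS key below, so it gets flagged
    "[" + SERVICES + r"\EventSystem]",
    r'"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
    "[" + SERVICES + r"\EventSystem\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\System32\\es.dll"',
    "[" + SERVICES + r"\rogue]",
    r'"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"',
    "[" + SERVICES + r"\rogue\Parameters]",
    r'"ServiceDll"="C:\\WINNT\\rogue.dll"',  # hosted by svchost, loaded from outside System32
    "[" + SERVICES + r"\wuauserv]",
    r'"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k wugroup"',
    "[" + SERVICES + r"\wuauserv\Parameters]",
    r'"ServiceDll"="%SystemRoot%\\System32\\wuauserv.dll"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]",
    r'@="C:\\WINNT\\System32\\svchost.exe"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\LocalServer32]",
    r'@="C:\\Program Files\\Example\\example.exe"',  # ordinary out-of-process COM server
])


def _decode(data):
    """Decode one REGEDIT4 value body: quoted string, dword, or hex(N) bytes."""
    if data.startswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if not m:
        return data
    kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 7:  # REG_MULTI_SZ (ANSI in REGEDIT4)
        return [s for s in raw.decode("latin-1").split("\0") if s]
    if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ
        return raw.decode("latin-1").rstrip("\0")
    return raw


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key: {value_name: value}}, joining the
    backslash-continued lines regedit emits for long hex values."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line and not line.startswith(";") and line != "REGEDIT4":
            name, _, data = line.partition("=")
            keys[current]["(default)" if name == "@" else name.strip('"')] = _decode(data)
    return keys


def audit_registry(reg, systemroot=r"C:\WINNT"):
    """Cross-check every svchost group member against its Services entry, and flag
    any CLSID whose LocalServer32 is svchost.exe. Returns a list of findings."""
    by_lower = {k.lower(): v for k, v in reg.items()}
    sys32 = (systemroot + r"\System32").lower()
    value = lambda key, name: by_lower.get(key.lower(), {}).get(name)
    expand = lambda p: (p or "").replace("%SystemRoot%", systemroot).lower()
    findings = []
    svchost = next(k for k in reg if k.lower().endswith(r"\currentversion\svchost"))
    for group, members in reg[svchost].items():
        for svc in members:
            image = value(SERVICES + "\\" + svc, "ImagePath")
            if image is None:
                findings.append(f"{group}: {svc} has no Services key")
                continue
            if expand(image) != f"{sys32}\\svchost.exe -k {group.lower()}":
                findings.append(f"{group}: {svc} ImagePath is {image!r}")
            dll = value(SERVICES + "\\" + svc + r"\Parameters", "ServiceDll")
            if not expand(dll).startswith(sys32 + "\\"):
                findings.append(f"{group}: {svc} ServiceDll {dll!r} is outside System32")
    for key, values in reg.items():
        if key.lower().endswith(r"\localserver32"):
            if values.get("(default)", "").lower().rsplit("\\", 1)[-1] == "svchost.exe":
                findings.append(f"{key}: LocalServer32 is svchost.exe")
    return findings
```

To use it on a real machine, export the Svchost key, the Services tree and HKLM\SOFTWARE\Classes\CLSID from regedit (REGEDIT4 format, as RegSrch wrote above), concatenate the files and pass the text to parse_regedit4 followed by audit_registry. Run on the constructed sample it reports three things: the rogue member of netsvcs whose ServiceDll sits outside System32, the BITSGroup member with no Services entry at all, and the E9376CC6 CLSID whose LocalServer32 is svchost.exe; EventSystem and wuauserv pass. The "has no Services key" case is noisy on a real box (stale group entries are common), so treat it as a pointer, not a verdict.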
