Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware troubles


  • Please log in to reply

#61
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
I highlighted the CLSID value and then clicked the Disk icon on the toolbar and saved it. Heres what it returns in Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}]
"AppId"="{653C5148-4DCE-4905-9CFD-1B23662D3D9E}"
@="Updates Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\InProcHandler32]
@="Ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]
@="C:\\WINNT\\System32\\svchost.exe"

Maybe this is what I should be saving before deleting that directory?
  • 0

Advertisements


#62
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hold off on that for now lets double check this

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]


Export to your desk top open it post post back the contents from notepad Please
  • 0

#63
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Heres the entire svchost directory including the netsvcs subdirectory:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):45,76,65,6e,74,53,79,73,74,65,6d,00,49,61,73,00,49,70,72,69,\
70,00,49,72,6d,6f,6e,00,4e,65,74,6d,61,6e,00,4e,77,73,61,70,61,67,65,6e,74,\
00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,\
65,73,73,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,73,73,00,54,61,70,\
69,73,72,76,00,4e,74,6d,73,73,76,63,00,57,6d,64,6d,50,6d,53,4e,00,77,7a,63,\
73,76,63,00,00
"rpcss"=hex(7):52,70,63,53,73,00,00
"wugroup"=hex(7):77,75,61,75,73,65,72,76,00,00
"BITSgroup"=hex(7):42,49,54,53,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\BITSGroup]
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wugroup]
"CoInitializeSecurityParam"=dword:00000001


Thanks.

John
  • 0

#64
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Ok, Lets go ahead and delete this one

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}]
  • 0

#65
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
should I reboot after deleting?
  • 0

#66
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
sorry, Yes
  • 0

#67
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Rebooted. The svchost.exe error window did come up. It seemed a little sluggish when I clicked ok, but it continued to boot into Windows. That window does say that an error log will be created. Is that something we can find?

Thanks.

John
  • 0

#68
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Double click the reg you saved on your desk top and when asked to merge click yes,
If it doesn't ask you to reboot do so,


Next,

Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#69
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"xifwts" = "C:\WINNT\system32\xifwts.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LTWinModem1" = "ltmsg.exe 9" ["Agere Systems"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\apppatch\slayerui.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL" ["Hummingbird Ltd."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" = "NetFerret IE Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\FerretSoft\WebFerret\FerretBand.dll" [null data]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{80230FFA-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE DeskBand Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFC-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFE-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Shell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Laura11.jpg"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\palmOne\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Hummingbird Inetd, HCLInetd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe" ["Hummingbird Ltd."]
IBM PM Service, IBMPMSVC, "C:\WINNT\system32\ibmpmsvc.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Thanks,
John
  • 0

#70
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Not showing us anything,
Aside from the svchost error evrything seem to be running better ?

Download: StartDreck from: http://www.niksoft.a.../startdreck.htm
  • Extract the file into c:\startdreck.
  • Navigate to c:\startdreck and double-click on Startdreck.exe
  • When the program opens click on the Config button.
  • Then click on the unmark all button.
  • Put checkmarks in the following checkboxes:
  • Under Registry put a checkmark in the Run Keys checkbox.
  • Under System/Drivers put a check in the Running Proccess checkbox.
  • Press the OK button.
  • Press the Save button.
Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Open the StartDrek.log, copy and paste the results of that log here
  • 0

Advertisements


#71
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
StartDreck (build 2.1.7 public stable) - 2005-05-08 @ 19:12:32 (GMT -04:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as Administrator at LPAPAY-T22-01

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
舞unOnce
腿ocal Machine
舞un
*Synchronization Manager=mobsync.exe /logon
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*LTWinModem1=ltmsg.exe 9
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
舞unOnce
舞unServices
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
+0=<idle>
+8=<system>
+196=\SystemRoot\System32\smss.exe
+224=\??\C:\WINNT\system32\csrss.exe
+220=\??\C:\WINNT\system32\winlogon.exe
+272=C:\WINNT\system32\services.exe
+284=C:\WINNT\system32\lsass.exe
+400=C:\WINNT\system32\ibmpmsvc.exe
+460=C:\WINNT\system32\svchost.exe
+556=C:\WINNT\system32\spoolsv.exe
+636=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+656=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+696=C:\Program Files\ewido\security suite\ewidoctrl.exe
+720=C:\Program Files\ewido\security suite\ewidoguard.exe
+752=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
+768=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
+804=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
+852=C:\WINNT\system32\regsvc.exe
+856=C:\Program Files\Java\jre1.5.0_01\bin\javaw.exe
+884=C:\WINNT\system32\MSTask.exe
+984=C:\WINNT\system32\stisvc.exe
+256=C:\WINNT\System32\WBEM\WinMgmt.exe
+668=C:\WINNT\System32\mspmspsv.exe
+516=C:\WINNT\system32\svchost.exe
+1096=C:\WINNT\Explorer.EXE
+1172=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1184=C:\WINNT\system32\ltmsg.exe
+1216=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+1236=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+1156=C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
+1240=C:\Program Files\palmOne\HOTSYNC.EXE
+832=C:\WINNT\System32\svchost.exe
+1452=C:\WINNT\system32\wuauclt.exe
+600=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+384=C:\Startdreck\StartDreck.exe
翠pplication specific


The computer is running with no popups. It is pretty sluggish but I think it is because it needs more ram. only has 128 and there are lots of things to load on startup. I will shop for another 256 to help it along. This laptop is my daughters. She finally brought it to me when she couldn't do anything on it because of the malware takeover.

thanks.

John
  • 0

#72
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nothing there either, still getting the svchost error message ?


She finally brought it to me when she couldn't do anything on it because of the malware takeover


have you sqaured that away ?
  • 0

#73
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
We can live with the svchost error. It's just something you have to click on bootup. There is no sign of malware troubles. Maybe we should just quit and leave it at that. What do you think?

John
  • 0

#74
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
I will look into if there is anything else that I can find on it We have run a couple of the recommendations,

I will ask a few of the experts as well and see if they can shed any light on it

Don
  • 0

#75
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Sounds good. But don't spend too much effort on this. She can live with it as long as we can keep the malware from coming back. I think we will leave Ewido on there unless you think I should uninstall it and just put spywareblaster on instead. We have AVG free virus detection. I have firefox browser which she will use instead of IE on most applicaitons. She will still use Outlook. I have a router for her cable modem hookup and that will help. Should I install a software firewall like Sygate? She may be using this on other connections without a hardware firewall.

Thanks,

John
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP