[k8yse]

I highlighted the CLSID value and then clicked the Disk icon on the toolbar and saved it. Heres what it returns in Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}]
"AppId"="{653C5148-4DCE-4905-9CFD-1B23662D3D9E}"
@="Updates Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\InProcHandler32]
@="Ole32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]
@="C:\\WINNT\\System32\\svchost.exe"

Maybe this is what I should be saving before deleting that directory?

[Advertisements]

Hold off on that for now lets double check this

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]


Export to your desk top open it post post back the contents from notepad Please

[don77]

Hold off on that for now lets double check this

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]


Export to your desk top open it post post back the contents from notepad Please

[k8yse]

Heres the entire svchost directory including the netsvcs subdirectory:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):45,76,65,6e,74,53,79,73,74,65,6d,00,49,61,73,00,49,70,72,69,\
70,00,49,72,6d,6f,6e,00,4e,65,74,6d,61,6e,00,4e,77,73,61,70,61,67,65,6e,74,\
00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,\
65,73,73,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,73,73,00,54,61,70,\
69,73,72,76,00,4e,74,6d,73,73,76,63,00,57,6d,64,6d,50,6d,53,4e,00,77,7a,63,\
73,76,63,00,00
"rpcss"=hex(7):52,70,63,53,73,00,00
"wugroup"=hex(7):77,75,61,75,73,65,72,76,00,00
"BITSgroup"=hex(7):42,49,54,53,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\BITSGroup]
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wugroup]
"CoInitializeSecurityParam"=dword:00000001


Thanks.

John

[don77]

Ok, Lets go ahead and delete this one

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}]

[k8yse]

should I reboot after deleting?

[don77]

sorry, Yes

[k8yse]

Rebooted. The svchost.exe error window did come up. It seemed a little sluggish when I clicked ok, but it continued to boot into Windows. That window does say that an error log will be created. Is that something we can find?

Thanks.

John

[don77]

Double click the reg you saved on your desk top and when asked to merge click yes,
If it doesn't ask you to reboot do so,


Next,

Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[k8yse]

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"xifwts" = "C:\WINNT\system32\xifwts.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"LTWinModem1" = "ltmsg.exe 9" ["Agere Systems"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\apppatch\slayerui.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL" ["Hummingbird Ltd."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" = "NetFerret IE Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\FerretSoft\WebFerret\FerretBand.dll" [null data]
"{fe7634c0-f7b3-11cf-b9b4-444553540000}" = "NetFerret"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\NetFerret.dll" [null data]
"{80230FFA-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE DeskBand Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFC-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{80230FFE-53DD-11D2-AE5F-0000832F3A64}" = "West Group CiteLink Microsoft IE Shell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\West Group\CiteLink\clie\clie.dll" ["West Group"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Laura11.jpg"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\palmOne\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe" ["The Linksys Group, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Hummingbird Inetd, HCLInetd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe" ["Hummingbird Ltd."]
IBM PM Service, IBMPMSVC, "C:\WINNT\system32\ibmpmsvc.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Thanks,
John

[don77]

Not showing us anything,
Aside from the svchost error evrything seem to be running better ?

Download: StartDreck from: http://www.niksoft.a.../startdreck.htm

• Extract the file into c:\startdreck.
• Navigate to c:\startdreck and double-click on Startdreck.exe
• When the program opens click on the Config button.
• Then click on the unmark all button.
• Put checkmarks in the following checkboxes:
• Under Registry put a checkmark in the Run Keys checkbox.
• Under System/Drivers put a check in the Running Proccess checkbox.
• Press the OK button.
• Press the Save button.

Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Open the StartDrek.log, copy and paste the results of that log here

[k8yse]

StartDreck (build 2.1.7 public stable) - 2005-05-08 @ 19:12:32 (GMT -04:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as Administrator at LPAPAY-T22-01

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*LTWinModem1=ltmsg.exe 9
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+196=\SystemRoot\System32\smss.exe
+224=\??\C:\WINNT\system32\csrss.exe
+220=\??\C:\WINNT\system32\winlogon.exe
+272=C:\WINNT\system32\services.exe
+284=C:\WINNT\system32\lsass.exe
+400=C:\WINNT\system32\ibmpmsvc.exe
+460=C:\WINNT\system32\svchost.exe
+556=C:\WINNT\system32\spoolsv.exe
+636=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+656=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+696=C:\Program Files\ewido\security suite\ewidoctrl.exe
+720=C:\Program Files\ewido\security suite\ewidoguard.exe
+752=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
+768=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
+804=C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
+852=C:\WINNT\system32\regsvc.exe
+856=C:\Program Files\Java\jre1.5.0_01\bin\javaw.exe
+884=C:\WINNT\system32\MSTask.exe
+984=C:\WINNT\system32\stisvc.exe
+256=C:\WINNT\System32\WBEM\WinMgmt.exe
+668=C:\WINNT\System32\mspmspsv.exe
+516=C:\WINNT\system32\svchost.exe
+1096=C:\WINNT\Explorer.EXE
+1172=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+1184=C:\WINNT\system32\ltmsg.exe
+1216=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+1236=C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
+1156=C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
+1240=C:\Program Files\palmOne\HOTSYNC.EXE
+832=C:\WINNT\System32\svchost.exe
+1452=C:\WINNT\system32\wuauclt.exe
+600=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+384=C:\Startdreck\StartDreck.exe
»Application specific


The computer is running with no popups. It is pretty sluggish but I think it is because it needs more ram. only has 128 and there are lots of things to load on startup. I will shop for another 256 to help it along. This laptop is my daughters. She finally brought it to me when she couldn't do anything on it because of the malware takeover.

thanks.

John

[don77]

Nothing there either, still getting the svchost error message ?

She finally brought it to me when she couldn't do anything on it because of the malware takeover

have you sqaured that away ?

[k8yse]

We can live with the svchost error. It's just something you have to click on bootup. There is no sign of malware troubles. Maybe we should just quit and leave it at that. What do you think?

John

[don77]

I will look into if there is anything else that I can find on it We have run a couple of the recommendations,

I will ask a few of the experts as well and see if they can shed any light on it

Don

[k8yse]

Sounds good. But don't spend too much effort on this. She can live with it as long as we can keep the malware from coming back. I think we will leave Ewido on there unless you think I should uninstall it and just put spywareblaster on instead. We have AVG free virus detection. I have firefox browser which she will use instead of IE on most applicaitons. She will still use Outlook. I have a router for her cable modem hookup and that will help. Should I install a software firewall like Sygate? She may be using this on other connections without a hardware firewall.

Thanks,

John