
Cannot remove Trojan horse downloader generic kpw


#16 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
So the file gets started from somewhere.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • svchost
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,

#17 stang (Member, Topic Starter, 43 posts)
OK, here is the info. When I tried to run the program the same blank untitled Notepad window kept coming up, and yesterday the Notepad file that I created in the cmd you had asked me to make tried to take over my CPU when I looked into the file properties. I just recently got my CPU to work again using HDD regen. and Windows Recovery chkdsk /r. Should I delete this file? ... stang

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "svchost" 1/3/2006 11:49:02 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1E75357-881A-419E-83E2-BB16DB197C68}\LocalServer32]
@="C:\\WINDOWS\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1F4E726-8CF1-11D1-BF92-0060081ED811}\LocalServer32]
@="C:\\WINDOWS\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]
@="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\Cache Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\DEBUG]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\OS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\OS\SLV]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\System Parameter Overrides]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"h"="E:\\svchost.rar"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\WINDOWS\\system32\\DirectX\\svchost.exe"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"c"="E:\\svchost.exe"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"d"="E:\\svchost\\svchost.exe"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\rar]
"a"="E:\\svchost.rar"

"C:\\Documents and Settings\\Jay\\Local Settings\\Temporary Internet Files\\Content.IE5\\81G563K1\\noadware[1].exe"="NoAdware Setup "
"C:\\WINDOWS\\system32\\svchost.exe"="Generic Host Process for Win32 Services"

"C:\\Documents and Settings\\Jay\\Local Settings\\Temporary Internet Files\\Content.IE5\\89QFK9QN\\HijackThis[1].exe"="HijackThis"
"E:\\svchost.exe"="svchost"

"C:\\Documents and Settings\\Jay\\Local Settings\\Temporary Internet Files\\Content.IE5\\89QFK9QN\\HijackThis[1].exe"="HijackThis"
"E:\\svchost\\svchost.exe"="svchost"

"C:\\Documents and Settings\\Jay\\Local Settings\\Temporary Internet Files\\Content.IE5\\W5W3KNKV\\GoogleEarth-0762[1].exe"="Setup.exe"
"C:\\WINDOWS\\system32\\DirectX\\svchost.exe"="svchost"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\WinRAR\ArcHistory]
"0"="E:\\svchost.rar"

[HKEY_USERS\S-1-5-21-1390067357-688789844-854245398-1004\Software\WinRAR\DialogEditHistory\ArcName]
"0"="svchost.rar"

#18 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Can you please empty your IE cache?

In IE click Tools > Internet Options > on the General tab > click Delete Files > and put a checkmark in the "Include Offline Content" prompt.

Then click Start > Run > and copy this command:
regedit.exe /e C:\svchost.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost"
then click OK

This will produce the file C:\svchost.txt
Post the content of that file please.

Regards,

#19 stang (Member, Topic Starter, 43 posts)
Nothing happens. When I hit OK the Run box just goes away. I did a search in my registry and found two paths. Here they are:
regedit.exe /e C:\svchost.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost"\1
regedit.exe /e C:\svchost.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\1

#20 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Tested and the command works.

Please note that it creates the file C:\svchost.txt

Let me know if you can find it.

Regards,

#21 stang (Member, Topic Starter, 43 posts)
OK I found it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\Cache Manager]
"Enable RO Cache Image"=""
"Enable Opportune Writes"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\DEBUG]
"Trace Level"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\OS]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\OS\SLV]
"Space Grant Size (B)"=""
"EA List Time-To-Live (ms)"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\svchost\System Parameter Overrides]
"SystemPath"=""
"TempPath"=""
"LogFilePath"=""
"LogFileFailoverPath"=""
"BaseName"=""
"MaxSessions"=""
"MaxOpenTables"=""
"PreferredMaxOpenTables"=""
"MaxCursors"=""
"MaxVerPages"=""
"GlobalMinVerPages"=""
"PreferredVerPages"=""
"MaxTemporaryTables"=""
"LogFileSize"=""
"LogBuffers"=""
"LogCheckpointPeriod"=""
"CommitDefault"=""
"CircularLog"=""
"DbExtensionSize"=""
"PageTempDBMin"=""
"PageFragment"=""
"VERTasksPostMax"=""
"CacheSizeMin"=""
"CacheSizeMax"=""
"CheckpointDepthMax"=""
"LRUKCorrInterval"=""
"LRUKHistoryMax"=""
"LRUKPolicy"=""
"LRUKTimeout"=""
"StartFlushThreshold"=""
"StopFlushThreshold"=""
"ExceptionAction"=""
"EventLogCache"=""
"Recovery"=""
"EnableOnlineDefrag"=""
"AssertAction"=""
"RFS2IOsPermitted"=""
"RFS2AllocsPermitted"=""
"CheckFormatWhenOpenFail"=""
"EnableIndexChecking"=""
"EnableTempTableVersioning"=""
"ZeroDatabaseDuringBackup"=""
"IgnoreLogVersion"=""
"DeleteOldLogs"=""
"EnableImprovedSeekShortcut"=""
"BackupChunkSize"=""
"BackupOutstandingReads"=""
"CreatePathIfNotExist"=""
"PageHintCacheSize"=""

#22 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
As it should be.

I still haven't received your mail.

I'm afraid I'll really need to have a look at that file to figure this one out.

Can you try uploading the RAR file at TheSpykiller?

Regards,

#23 stang (Member, Topic Starter, 43 posts)
I was able to upload the file at spykiller. ... stang

#24 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Yay. I got it. Am looking now.

It's definitely malware:

AntiVir Found Trojan/Dldr.Small.bym
ArcaVir Found Trojan.Downloader.Small.Bym
AVG Antivirus Found Downloader.Generic.KPW
Dr.Web Found Trojan.DownLoader.6152
Fortinet Found W32/Small.BYM-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.bym
VBA32 Found Trojan-Downloader.Win32.Small.bym

Can you do a Find Files for a file called Down.exe

Let me know if and where you find it.

Regards,

#25 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Also copy the code below into notepad and save it as lookup.bat
Set Filetype to "All files"
rem /a with no attribute letters lists every file, hidden and system included
dir %Systemdrive%\WITCHERY.* /a /s > files.txt
start notepad files.txt

Start the file by doubleclicking lookup.bat
That will open a file called files.txt. Post the content of that file.

Regards,

#26 stang (Member, Topic Starter, 43 posts)
I did a C: drive search for down.exe and all it found was some system32 shutdown file.

Here is the lookup.bat info.

Volume in drive C is MAIN1
Volume Serial Number is 28F4-11C7

Edited by stang, 04 January 2006 - 01:32 PM.

#27 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I have been unable to find a useful description of this infection.

That means I'll have to run it on my testmachine to see what makes it so persistent.
This will probably have to wait until the weekend, since I don't have the time at the moment.

Sorry about that.

Regards,

#28 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi stang,

Running svchost.exe on my testbox it contacted a site called alibaba.com and fetched two files to my system32 folder.

Can you check if you can find:
WITBLOG.OCX
MSDATGRPS.OCX

Delete them if you do and empty your Temporary Internet files.

Then reboot and delete C:\WINDOWS\system32\DirectX\svchost.exe before you connect to the internet.

Now reboot once more and let me know if it stays gone.

Regards,
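
The "find these files, delete them, reboot, see if they come back" loop in the post is easier to trust when the search is exact and every hit is hashed, so a second run shows whether the file that returned is the same bytes. The Python below is an added example, not a poster's command and not lookup.bat: it walks a directory tree, matches the names from posts #24 and #28 case-insensitively but exactly (Windows' search matched "down.exe" inside "shutdown.exe" in post #26; exact matching avoids that), hashes each hit, and flags any svchost.exe outside System32. os.walk does not skip hidden files on Windows, so nothing is missed on that account. The function names are mine and the directory layout is constructed in a temporary folder so the script runs anywhere; on the affected machine you would call find_named on the system drive.

```python
r"""Locate the files named in this thread and hash what is found.

Added example for this thread, not a poster's command. Exact,
case-insensitive name matching plus SHA-256 of every hit, so a rerun after
the reboot the post asks for shows whether the same file came back.
The on-disk layout is constructed in a temp directory for the demo; point
find_named at C:\ on the affected machine.
"""
import hashlib
import os
import tempfile

# Names from posts #24 and #28. svchost.exe is legitimate only in System32.
WANTED = {'down.exe', 'witblog.ocx', 'msdatgrps.ocx', 'svchost.exe'}


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def find_named(root, names=WANTED):
    """Return sorted [(path, sha256)] for every regular file whose name is in
    `names` (compared lower-cased). Symlinks are skipped, not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in names:
                p = os.path.join(dirpath, fn)
                if not os.path.islink(p):
                    hits.append((p, sha256_of(p)))
    return sorted(hits)


def out_of_place_svchost(hits, system32):
    """Paths of any svchost.exe that is not the one inside `system32`."""
    expected = os.path.normcase(os.path.join(system32, 'svchost.exe'))
    return [p for p, _ in hits
            if os.path.basename(p).lower() == 'svchost.exe'
            and os.path.normcase(p) != expected]


def build_demo_tree():
    """Constructed layout mirroring the thread: a legitimate svchost.exe in
    System32, the copy the downloader drops under System32/DirectX, one of
    the two OCX files, and shutdown.exe, the false hit from post #26.
    File contents are placeholders, not real binaries."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, 'WINDOWS', 'system32')
    os.makedirs(os.path.join(sys32, 'DirectX'))
    samples = {
        os.path.join(sys32, 'svchost.exe'): b'MZ placeholder: real host process',
        os.path.join(sys32, 'DirectX', 'svchost.exe'): b'MZ placeholder: downloader',
        os.path.join(sys32, 'WITBLOG.OCX'): b'placeholder: dropped component',
        os.path.join(sys32, 'shutdown.exe'): b'MZ placeholder: not down.exe',
    }
    for path, content in samples.items():
        with open(path, 'wb') as f:
            f.write(content)
    return root, sys32


if __name__ == '__main__':
    demo_root, demo_sys32 = build_demo_tree()
    found = find_named(demo_root)
    for path, digest in found:
        print(digest[:16], path)
    print('svchost.exe out of place:', out_of_place_svchost(found, demo_sys32))
```

Keep the first run's output; if C:\WINDOWS\system32\DirectX\svchost.exe reappears after the reboot with the same hash, something on the machine still has a copy to restore it from, which is the question the thread is trying to answer.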

#29 stang (Member, Topic Starter, 43 posts)
I only found one of the files (WITBLOG.OCX) and deleted it, and did the rest of what you asked, and the svchost file still returns. ... stang

#30 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Does the domain alibaba.com mean anything to you?

That is the site where I found WITBLOG.OCX to be spread from.

As an experiment can you add this line to your hosts file?

127.0.0.1 alibaba.com

You can find out how to do this here:
http://www.mvps.org/...sfaq.htm#Editor

This will hopefully block the contact to that domain.

Then delete the C:\WINDOWS\system32\DirectX\svchost.exe file
and search for the other two again before you reboot.

Regards,
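
The hosts-file step is worth scripting so it can be repeated after a reboot and checked. The Python below is an added example, not from the thread or the mvps.org page it links: it adds the entry only if the name is not already mapped, and its lookup helper shows the caveat a practitioner would want stated: a hosts entry matches one exact hostname, so 127.0.0.1 alibaba.com does nothing for www.alibaba.com or any other name under that domain; every hostname the downloader actually contacts has to be listed separately. The function names are mine and the sample hosts content is constructed; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts, writing it needs an administrator, and ipconfig /flushdns afterwards clears any cached answer.

```python
r"""Add hosts-file block entries idempotently and show what they cover.

Added example, not from the thread or the mvps.org page it links. Works
on the hosts file's text so it runs here on constructed content; on
Windows the real file is %SystemRoot%\System32\drivers\etc\hosts and
writing it needs an administrator.
"""
import re

# Constructed sample: a minimal hosts file with one mapping and comments.
SAMPLE_HOSTS = """# constructed sample hosts file
# lines starting with # are comments

127.0.0.1       localhost
"""

# address, one or more hostnames, optional trailing comment
HOSTS_LINE = re.compile(r'^\s*([0-9a-fA-F.:]+)\s+(.+?)\s*(?:#.*)?$')


def mapped_names(text):
    """Hostnames already given an address, lower-cased."""
    names = set()
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if m:
            names.update(h.lower() for h in m.group(2).split())
    return names


def add_block_entries(text, hostnames, sink='127.0.0.1',
                      tag='added while cleaning svchost.exe downloader'):
    """Return (new_text, names_added). Names already mapped are skipped,
    so running this twice changes nothing the second time. `sink` is
    127.0.0.1 as in the post; 0.0.0.0 is the common alternative."""
    present = mapped_names(text)
    lines = text.splitlines()
    added = []
    for name in hostnames:
        name = name.strip().lower()
        if not name or name in present:
            continue
        lines.append(f'{sink} {name}  # {tag}')
        present.add(name)
        added.append(name)
    return '\n'.join(lines) + '\n', added


def resolves_via_hosts(text, hostname):
    """Address the hosts file gives this exact name, or None. There is no
    wildcard: blocking alibaba.com says nothing about www.alibaba.com."""
    want = hostname.lower()
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if m and want in [h.lower() for h in m.group(2).split()]:
            return m.group(1)
    return None


if __name__ == '__main__':
    new_text, added = add_block_entries(SAMPLE_HOSTS, ['alibaba.com'])
    print(new_text)
    print('added:', added)
    for name in ('alibaba.com', 'www.alibaba.com'):
        print(name, '->', resolves_via_hosts(new_text, name))
```

Choosing 0.0.0.0 as the sink keeps a blocked name from reaching whatever happens to listen on loopback; the post's 127.0.0.1 is what most hosts-file guides of the time used and works the same for the purpose here.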