# Reporting a tough virus. infects svchost.exe



## LocoMente

Hi, I just wanted to leave some info on a virus I got today and spent most of the day trying to get rid of it. It installed an svchost.exe in my Windows directory and every time I tried to delete it it would just come back on start up. I searched many forums looking for answers and followed all the steps and ran 4 different anti virus softwares. The virus corrupted my Norton Anti Virus software, and neither the software or web scan could detect the virus. I found no paths to the virus in my regedit.

*EDIT*

The name of this virus is Backdoor.Beastdoor.201.b. Apparently it wasnt the svchost.exe that turned up infected. My problem is now that after I boot up my computer totally freezes, and I cant do anything. Here is my virus log and hijack log. The hijack log is made in safe mode.. cuz I cant boot normal. Any help is greatly appreciated.

StartupList report, 7/30/2003, 10:33:39 PM
StartupList version: 1.52
Started from : C:\unzipped\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM95\aim.exe
C:\unzipped\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Bobby\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

F-Secure Manager = "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
F-Secure TNB = "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44CC0112-AB51-22EF-BA32-20AA12E6115C}] *
StubPath = C:\WINDOWS\System32\msfbac.com

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Video Poker]
CODEBASE = http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Video Poker.osd

[Yahoo! Backgammon]
CODEBASE = http://download.games.yahoo.com/games/clients/y/at0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Backgammon.osd

[Yahoo! Bingo]
CODEBASE = http://download.games.yahoo.com/games/clients/y/xt0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Bingo.osd

[Yahoo! Blackjack]
CODEBASE = http://download.games.yahoo.com/games/clients/y/jt0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Blackjack.osd

[Yahoo! Checkers]
CODEBASE = http://download.games.yahoo.com/games/clients/y/kt3_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Checkers.osd

[Yahoo! Chess]
CODEBASE = http://download.games.yahoo.com/games/clients/y/ct0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chess.osd

[Yahoo! Chinese Checkers]
CODEBASE = http://download.games.yahoo.com/games/clients/y/cct0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chinese Checkers.osd

[Yahoo! Dominoes]
CODEBASE = http://download.games.yahoo.com/games/clients/y/dot2_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Dominoes.osd

[Yahoo! Gin]
CODEBASE = http://download.games.yahoo.com/games/clients/y/nt0_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Gin.osd

[Yahoo! Go Fish]
CODEBASE = http://download.games.yahoo.com/games/clients/y/zt3_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Go Fish.osd

[Yahoo! GoStop]
CODEBASE = http://download.games.yahoo.com/games/clients/y/gst1_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! GoStop.osd

[Yahoo! Klondike Solitaire]
CODEBASE = http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Klondike Solitaire.osd

[Yahoo! Pool 2]
CODEBASE = http://download.games.yahoo.com/games/clients/y/potc_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Pool 2.osd

[Yahoo! Spades]
CODEBASE = http://download.games.yahoo.com/games/clients/y/st2_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Spades.osd

[{00000075-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}]
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[MiniBugTransporterX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MiniBugTransporter.dll
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{33363249-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/i263_32.cab

[Pool Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\pool.ocx
CODEBASE = http://mirror.worldwinner.com/games/v44/pool/pool.cab

[{359F7E49-1EA0-4671-92E9-61E32FE25C5E}]
CODEBASE = http://69.0.137.190/version3/Netster.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe

[DepHlp Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\dephlp.ocx
CODEBASE = http://mirror.worldwinner.com/games/shared/dephlp.cab

[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gigexagent.dll
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://ftp.us.dell.com/fixes/PROFILER.CAB

[InstallShield International Setup Player]
InProcServer32 = c:\windows\downlo~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
CODEBASE = http://install.wildtangent.com/bgn/partners/shockwave/bounce/install.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Chess Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\chess.ocx
CODEBASE = http://mirror.worldwinner.com//games/v43/chess/chess.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

[H2hPool Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
CODEBASE = http://mirror.worldwinner.com//games/v44/h2hpool/h2hpool.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ati2mpaa: System32\DRIVERS\ati2mpaa.sys (manual start)
ati2mtaa: System32\DRIVERS\ati2mtaa.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
F-Secure Anti-Virus: C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (autostart)
basic2: System32\DRIVERS\basic2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Chameleon Mega Digital Camera: System32\Drivers\Bulk503.sys (manual start)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation Service: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver: System32\DRIVERS\DM9PCI5.SYS (manual start)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
Deterministic Network Enhancer Miniport: System32\DRIVERS\dne2000.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Creative SB Live! Value (WDM): system32\drivers\emu10k1f.sys (manual start)
Creative Interface Manager Driver (WDM): system32\drivers\ctlface.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
F-Secure File System Filter: \??\C:\Program Files\F-Secure Anti-Virus\Anti-Virus\Win2K\FSfilter.sys (autostart)
F-Secure Gatekeeper: \??\C:\Program Files\F-Secure Anti-Virus\Anti-Virus\Win2K\FSgk.sys (autostart)
F-Secure Gatekeeper Handler Starter: "C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe" (autostart)
F-Secure File System Recognizer: \??\C:\Program Files\F-Secure Anti-Virus\Anti-Virus\Win2K\FSrec.sys (autostart)
Fallback: System32\DRIVERS\fallback.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
F-Secure Authentication Agent: "C:\Program Files\F-Secure Anti-Virus\Common\FSAA.EXE" (autostart)
fsbwsys: C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (autostart)
Fsks: System32\DRIVERS\fsksnt.sys (autostart)
F-Secure Management Agent: "C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE" (autostart)
F-Secure Policy Manager: \??\C:\Program Files\F-Secure Anti-Virus\Common\FSPM.SYS (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
hpt3xx: \SystemRoot\System32\DRIVERS\hpt3xx.sys (disabled)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Chameleon Mega Video Camera: System32\Drivers\ISO503.SYS (manual start)
K56: System32\DRIVERS\k56nt.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
MySql: C:/mysql/bin/mysqld-max-nt.exe (disabled)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
WinProxy Firewall: \??\C:\PROGRA~1\OSITIS~1\WINPRO~2.0\NAT.sys (manual start)
Norton AntiVirus Auto Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030723.016\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20030723.016\NavEx15.Sys (manual start)
Motorola SurfBoard USB Cable Modem Windows 2000 Driver: System32\DRIVERS\NetMotCM.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rksample: System32\DRIVERS\rksample.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\WINDOWS\System32\Drivers\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Creative SoundFont Manager Driver (WDM): system32\drivers\sfman.sys (manual start)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
SoftFax: System32\DRIVERS\faxnt.sys (autostart)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
SpeakerPhone: System32\DRIVERS\spkpnt.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{B0A2456C-F1A2-47D9-8A39-CB9111F04968} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMREDRV: \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\tonesnt.sys (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
V124: System32\DRIVERS\v124nt.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 39,806 bytes
Report generated in 0.157 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

C:\WINDOWS\SYSTEM32\msfbac.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\WINDOWS\MSAGENT\mscgsn.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP4\A0000246.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP4\A0000247.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000230.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP3\A0000231.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000171.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000172.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000186.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000187.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000188.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000189.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000190.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2\A0000191.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000002.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000003.com Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000012.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000013.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000014.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000016.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\RECYCLER\S-1-5-21-3091673561-1698683601-3399203189-1006\Dc4.exe Infection: Backdoor.Beastdoor.201.b Renamed.
C:\Documents and Settings\Bobby\Local Settings\Temporary Internet Files\Content.IE5\TG83X1W9\exitpop[1].htm Infection: Trojan.JS.NoClose Renamed


----------



## mal1930

HI, I tried Google and found 3 items but in german.

I went to Symantec and pasted in your title of the virus,did a search , and came up with nothing. 

svchost.exe is a legitimate file and can have 5 or 6 instances of it in your start up files.

Change your title as it does not look like you need help but are just reporting it.
Peace Mal


----------



## TonyKlein

It's a clean log.

BTW, this is a Startuplist log, and not a Hijack This log.

Re-run Hijack This, but this time hit "Scan" immediately.

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

BTW, have you tried reverting to a previous moment in time using Sysrtem Restore?

That would seem the easiest fix.


----------



## LocoMente

svchost.exe is a legitimate file when its in the Window\system32. This one was in the Windows folder and was running as my username. It also had a different icon then the normal svchost.exe. Anyway this virus was a simple password stealer that also infected my norton anti virus. The download of the other anti virus software just seemed to make my problems worse.. even though it did find 2 virus's norton couldnt. Anyway I finally got this back to normal.. and btw, wouldnt system restore bring me back to a point where the virus was? In the log it said it was infecting system restore.


----------



## mal1930

Hi, Yes it could affect the restore but you might have been able to go back before the virus was present. Usually there are a few dates to chose from. 

I would delete your restore saving and only start from after you fixed the virus. Peace Mal


----------



## Lilian

Hi I recently found one problem related to svchost.exe, after i connected using dialup and browsed on the web, i got a message saying something like "svchost.exe is creating an error message", from that point, i couldn't disconnect the dialup connection and found lots of things not working (like copy and paste, explorer search etc). I don't know where to find the log for it. Is this related to the virus? If anyone has an idea of what it is, please reply to me. thanks a lot in advance.


----------



## mal1930

HI, It sounds very much like what others are having trouble with. There seems a rash of them at the moment.
Go here and download Spybot and also Highjack This. Make sure each is up to date by downloading the latest reference file in regard to Spybot. Run it and delete the items with a red ! Mark in the left Column. This will get rid of spyware. Then scan with HighJack This and post the log here and someone will check it. I am not expert enough as yet. Read the instructions. Peace Mal
http://lurkhere.com/~nicefiles


----------



## ellevog

I have run in to similar problems lately, with the error message saying that the svchost.exe file has created errors and will be closed by Windows. I read through the different scenarios and did as mal1930 instructed. Here is a copy of my Hijack This log:

Logfile of HijackThis v1.95.0
Scan saved at 2:24:23 AM, on 8/13/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\loadqm.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\DELL\AccessDirect\DadTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\LEXARM~1\LEXARSNS\LSnSTray.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINNT\System32\msblast.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\DllHost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Downloads\Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=*.r5.attbi.com;localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.searchalot.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\Program Files\AT&T\BBClient\Programs\SaBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LexarAutoStart] C:\PROGRA~1\LEXARM~1\LEXARSNS\LSnSTray.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BEH] C:\WINNT\BEH.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://www.skandiabanken.no/CertControl/x86/xenroll.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v8/0326/ticker.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.broadcast.com/wsp/VisionBrowser.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/sonystyle/sonystyle/rnt/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wmbpumps.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wmbpumps.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wmbpumps.com

I hope that someone can help me out here. At the same time I would like to ask a question related to MSN Messenger. I logged on some time back for the first time, and have not been able to log off since. When I try to do it on the MSN webpage, I get a satatus message saying that it was unable to disconnect me from the MSN Messenger. This has led to a significant increase in pop-ups, and it seemed like I got more errors. Can anyone tell me how I can log off?


----------



## C. K.

Hi, 
just to let u know ur not alone with this svchost problem cause, I'm experiencing it too. About your messenger problem, I have never heard of it b4, so if this helps unless u already know about is just End Task the messenger program in Task Manager, this shud log u off and shut the program too. Hope this helps.
Seeya


----------



## dvk01

ellevog

you have the blaster worm, follow instructions here to fix, then we can sort out your other malware problems later

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


----------



## MPSkull23

Been tackling with that svchost.exe virus with the generated errors and must be restarted. Here's my log from HijackThis, take a look and someone help me out please...

Logfile of HijackThis v1.96.1
Scan saved at 8:53:01 PM, on 8/18/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\HPConfig.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\essspk.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\WINNT\ESSD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\Oadaemon.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\System32\msblast.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://onlinebanking.entfederal.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Oadaemon] Oadaemon.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Compaq C3-1000 Settings Utility.lnk = C:\Program Files\Compaq\Compaq C3-1000 Software\CPQC31K.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE529FB9-FD6E-43F1-BEC0-FF49D3453AF8}: NameServer = 205.171.3.65 205.171.30.251

Much appreciated!


----------



## tedsky

MPSkull23,

As already mentioned by another writer, you have the MSBlaster worm.

Check his/her suggestions, and consider them ASAP!

Ted


----------



## tedsky

Also, you have several instnces of Spyware.

This very thorough article will help explain the 5 categories of spyware ...
http://www.consumerwebwatch.org/news/articles/spyware_categories.htm

An excellent source for SpyBot Search & Destroy (SBSD) is here ...
http://www.lurkhere.com
<Nice Files>
<SBSD v1.2>

Install, then immediately ...
<Online>
<Update> then ...
<Check for Problems> then ...
<Fix Selected Problems>

Red-lettered items will be removed and backed up (you don't want these).
Blue-lettered items are merely usage tracks (you'll want to keep these).

Hope all of this helps!
Ted


----------



## smckdwn989

i think I have this too... but everything I do doesn't work... heres what hijackthis did...

Logfile of HijackThis v1.96.2
Scan saved at 4:18:00 PM, on 8/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch\iTouch.exe
D:\System Utilities\Daemon-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Logitech\MouseWare\MouseWare\system\em_exec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\PROTEC~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Protection Utilities\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe
C:\WINDOWS\System32\rundll32.exe
D:\Protection Utilities\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\PROTEC~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\Yahoo!\PARENT~1\YPCSER~1.EXE
D:\Internet Utilities\AOL Instant Messenger\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Joshua A. Cohen\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Art Utilities\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O2 - BHO: (no name) - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - D:\Internet Utilities\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Protection Utilities\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Protection Utilities\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - D:\Internet Utilities\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_0_8_6.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch\iTouch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\System Utilities\Daemon-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TrojanScanner] D:\Protection Utilities\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = D:\Protection Utilities\Zone Alarm 3 Pro\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\WORDPR~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06603c10478097ce9a16/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.5543518519
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

whats occurring is that svchost.exe keeps my cpu at 100% load every minute or so... ts crippling my computer


----------



## smckdwn989

anyone?


----------



## vsharma87

Hello,

I'm not an expert enough to read through your HJT log,
but you can do a couple of things.

For one, update your Norton AV with the latest updates
and do a system scan to see if you have some version of
the Blaster Worm. The svchost.exe problem is an almost
sure sign that you have it. (However, on scanning your HJT log, I wasn't able to locate the msblast.exe that usually shows up.)

Alternatively, run the free Panda Scan from here 
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

and see what they find and fix for you. This is a pretty good scanner, which, at least for me, found stuff that NAV didin't.

-Vishal


----------



## $teve

smckdwn989.........welcome to T.S.G

check these items in hijackthis,close all open browser windows and "fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O3 - Toolbar: &Search Toolbar - {6A85D97D-665D-4825-8341-9501AD9F56A3} - C:\PROGRA~1\SEARCH~1\stoolbar.dll
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06603c10478097...ip/RdxIE601.cab

r-boot after.


----------



## smckdwn989

http://www.theforumisdown.com/uploadfiles/0103/worm%202.jpg

http://www.theforumisdown.com/uploadfiles/0103/worm.jpg

they are pics of what the comp is doing... maybe that will help


----------



## smckdwn989

anyone have a clue as to what its doing?


----------



## $teve

smckdwn989

and anyone else posting hijackthis logfiles.

can you please post them as a NEW thread in a separate post as it gets very confusing when dealing with multiple posters in the same thread. 

thankyou


----------



## humpty

RPC DCOM Worm/Virus.

Note that the problem may still be there even after SP4.
A seperate patch is needed.
=========
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20621670.html

Quote:
This is the bug:
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0073.html

This is probably the patch:
http://microsoft.com/downloads/deta...46-F541-4C15-8C9F-220354449117&displaylang=en

:UnQuote
========

If all else fails, try disabling DCOM:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole - EnableDCOM="N"


----------



## purge

Try stopping SSDP in Services.
That should do it.

JR


----------



## heyz

hi
my pc is showing someof the symptms - xp freeze etc

my prob is - my ne usb eyboard is not being detected by xp.
am guessing its cos of the svchost virus. am using xp onscreen keyboard so cant explain more


----------



## Spanner_(01)

My Mcafee virus scan detected a virus in my svchost.exe file. i tried to clean the file but it failed - now i am stuck with it unless i can get my hands on an un-infected svchost file. The virus was called "w32/jeefo" - apparantly it is not a worm. this virus was restarting numerous system tasks, causing drops in performance evry 2 minutes or so - this also stops screensavers etc. it seems like you (smackdown989) have the same problem as me and i suggest getting a new svchost file (i dont know where from yet) or getting some virus scan software to quarantine the file.

F.Y.I - i have just tried to quarantine the file but it seems to have no effect. sorry.


----------



## JohnnyPanic

To anyone out there still struggling to get rid of the virus that keeps on hijacking your browser & putting shortcut icons on your desktop: I had the ******* too, & nothing I tried managed to get rid of it. I finaly discovered it is Trojan.Digits & got the following instructions from Symantec's site. I followed it & it worked. Be very careful, though, because it requires deleting a lot of keys & values from the registry.

***

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1.	Disable System Restore (Windows Me/XP). 
2.	Update the virus definitions. 
3.	Run a full system scan and delete all the files detected as Trojan.Digits. 
4.	Reverse the changes that were made to the registry. 
5.	Reverse the changes that were made to the Hosts file.
For specific details on each of these steps, read the following instructions.

________________________________________
Note: Steps 4 and 5 are somewhat complex and are only necessary if the Trojan has actually executed. 
________________________________________

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: 
	"How to disable or enable Windows Me System Restore" 
	"How to turn off or turn on Windows XP System Restore"
________________________________________
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents. 
________________________________________

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions: 
	Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate). 
	Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files 
a.	Start your Symantec antivirus program and make sure that it is configured to scan all the files. 
	For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files." 
	For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files." 
b.	Run a full system scan. 
c.	If any files are detected as infected with Trojan.Digits, click Delete.

4. Reversing the changes made to the registry
________________________________________
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions. 
________________________________________
a.	Click Start, and then click Run. (The Run dialog box appears.) 
b.	Type regedit

Then click OK. (The Registry Editor opens.)
c.	Navigate to each of these keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
d.	In the right pane, delete the values:

Local Page="http:/ /www.idgsearch.com/"
Search Page="http:/ /www.idgsearch.com/"
Search Page_bak="http:/ /www.idgsearch.com/"
SearchURL="http:/ /www.idgsearch.com/"
Start Page="http:/ /www.idgsearch.com/"
Start Page_bak="http:/ /www.idgsearch.com/"
Search Bar="http:/ /www.2020search.com/search/9884/search.html"
e.	Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
f.	In the right pane, delete the value:

CustomizeSearch="http:/ /www.idgsearch.com/"
SearchAssistant="http:/ /www.2020search.com/search/9884/search.html"
g.	Navigate to and delete these registry keys:

HKEY_CLASSES_ROOT\CLSID\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}
HKEY_CLASSES_ROOT\Interface\{212552CF-D5B0-49F0-961D-95CA146CDE03}
HKEY_CLASSES_ROOT\SearchWord.ExcelExport
HKEY_CLASSES_ROOT\SearchWord.ExcelExport.1
HKEY_CLASSES_ROOT\TypeLib\{FB19BC08-E664-462C-909B-3E9C3F4FF90E}
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972
HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{212552CF-D5B0-49F0-961D-95CA146CDE03}
HKEY_LOCAL_MACHINE\Software\CLASSES\SearchWord.ExcelExport
HKEY_LOCAL_MACHINE\Software\CLASSES\SearchWord.ExcelExport.1
HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{FB19BC08-E664-462C-909B-3E9C3F4FF90E}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}
h.	Exit the registry Editor.

5. Reversing the changes made to the Hosts file

The Hosts file is not found on all the computers, and if it does exist, the location can vary. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and in Windows 2000, it is in the C:\WINNT\SYSTEM32\DRIVERS\ETC folder. Also, there may be multiple copies of this file in different locations.

The most efficient way to locate the file is to search for it.

Follow the instructions for your operating system: 
	Windows 95/98/Me/NT/2000 
a.	Click Start, point to Find or Search, and then click Files or Folders. 
b.	Make sure that "Look in" is set to (C and that "Include subfolders" is checked. 
c.	In the "Named" or "Search for..." box, type:

hosts
d.	Click Find Now or Search Now. 
e.	For each one that you find, right-click it, and then click "Open With." 
f.	Deselect the "Always use this program to open this program" check box. 
g.	Scroll through the list of programs and double-click Notepad. 
h.	Look for the following lines and delete them, if found:

<numeric address which will vary> t.rack.cc
<numeric address which will vary> www.alfa-search.com
<numeric address which will vary> webcoolsearch.com
<numeric address which will vary> in.webcounter.cc
<numeric address which will vary> i-lookup.com
<numeric address which will vary> www.hand-book.com
<numeric address which will vary> www.maxxxhosters.com
<numeric address which will vary> allneedsearch.com
<numeric address which will vary> nativehardcore.com
<numeric address which will vary> teen-biz.com
<numeric address which will vary> tits.hardcore4ever.net
<numeric address which will vary> best.royalsearch.net
<numeric address which will vary> default-homepage-network.com
<numeric address which will vary> xwebsearch.biz
<numeric address which will vary> www.rightfinder.net
<numeric address which will vary> www.search-1.net
<numeric address which will vary> www.searchv.com
<numeric address which will vary> www.websearch.com
<numeric address which will vary> mysearchnow.com
<numeric address which will vary> www.therealsearch.com
<numeric address which will vary> www.find-itnow.com
<numeric address which will vary> find.microgirls.com
<numeric address which will vary> super-spider.com}
<numeric address which will vary> www.searching-the-net.com
<numeric address which will vary> www.firstbookmark.com
i.	Close Notepad and save your changes when prompted.
	Windows XP 
a.	Click Start, and then click Search. 
b.	Click All files and folders. 
c.	In the "All or part of the file name" box, type:

hosts
d.	Verify that "Look in" is set to "Local Hard Drives" or to (C. 
e.	Click "More advanced options." 
f.	Check "Search system folders." 
g.	Check "Search subfolders." 
h.	Click Search. 
i.	Click Find Now or Search Now. 
j.	For each one that you find, right-click it, and then click "Open With." 
k.	Deselect the "Always use this program to open this program" check box. 
l.	Scroll through the list of programs and double-click Notepad. 
m.	Look for the following lines and delete them, if found:

<numeric address which will vary> t.rack.cc
<numeric address which will vary> www.alfa-search.com
<numeric address which will vary> webcoolsearch.com
<numeric address which will vary> in.webcounter.cc
<numeric address which will vary> i-lookup.com
<numeric address which will vary> www.hand-book.com
<numeric address which will vary> www.maxxxhosters.com
<numeric address which will vary> allneedsearch.com
<numeric address which will vary> nativehardcore.com
<numeric address which will vary> teen-biz.com
<numeric address which will vary> tits.hardcore4ever.net
<numeric address which will vary> best.royalsearch.net
<numeric address which will vary> default-homepage-network.com
<numeric address which will vary> xwebsearch.biz
<numeric address which will vary> www.rightfinder.net
<numeric address which will vary> www.search-1.net
<numeric address which will vary> www.searchv.com
<numeric address which will vary> www.websearch.com
<numeric address which will vary> mysearchnow.com
<numeric address which will vary> www.therealsearch.com
<numeric address which will vary> www.find-itnow.com
<numeric address which will vary> find.microgirls.com
<numeric address which will vary> super-spider.com}
<numeric address which will vary> www.searching-the-net.com
<numeric address which will vary> www.firstbookmark.com

n. Close Notepad and save your changes when prompted.


----------



## dvk01

An even easier way is to run cwshredder 

Trojan digits as Norton call it is another name for a CWS hijack


----------



## $teve

Yep.
http://www.spywareinfo.com/~merijn/junk/CWShredder.exe


----------



## brz_gustavo

I've experienced, I think, the same problem on my computer.
First im my personal computer, and when I looked to my bussiness computer, the surprise: it was infected too!
Symptoms: the computer start to looks alive, own will, didn't copy, NT AUTHORITY when try to end process SVCHOST.EXE, and worst: when I connect to internet the task bar changes color!

Detect: Something about 5 or 6 process SVCHOST.EXE and almost all services (set to automatic) with path executable "C:\WINDOWS\System32\svchost.exe -k netsvcs", some of then with option "-l localservice". If you try to stop and set the service to disabled, in the next boot it creates new services with same ridiculous names and set to start automatic, like a self-defense system.

Question: Why to many services with same path?! What the **** this SVCHOST.EXE do exactly?! Is the MS System a secure system?! (This one is a joke, because everyone knows the answers).

Conclusion: Or we are deal with a new worm never seem it before, talking about self-defense system, or I'm geting crazy and my computer finally toke over me!

I'm still trying to solve the problem, but I think the solution is to format.
I realize that, if you don't try do to anything, nothing happen, but if you try to remove it, you will be in trouble.

thanks for any help
gustavo - Network Analyst - Brazil


----------



## jjaded

It's necessary to install Microsoft's patch for Win2000/XP/NT after running the fix for this particular virus.



Jami


----------



## sledwrench

Ooops.


----------

