# Backdoor.mosuck and IRC Trojan



## root (Aug 25, 2001)

Help.
I just became infected with 2 viruses. Below are the names of the viruses, and the files infected.

backdoor.mosuck infected the netconfig(5).exe file
IRCtrojan infected the sychost.exe file

AVG did not find these at all.
Norton found them.
Norton quarantined the sychost.exe file, but could not do that with the netconfig(5).exe file
It said to delete it. Neither could be repaired. Can I delete both of these files without any ill effects? Or does anyone know of some other way to deal with these?

Thank you.


----------



## root (Aug 25, 2001)

I tried to delete the netconfig{5}.exe file, but I can't.
It is telling me access is denied.


----------



## root (Aug 25, 2001)

In addition, I tried doing a system restore. It would restore to an earlier point. And I never had trouble with this before. Any ideas, please?


----------



## $teve (Oct 9, 2001)

hi root........1st of all can you go here: http://www.lurkhere.com/~nicefiles/ and download "startuplist".
run the program and copy/paste the generated text file here in your next post and someone will take a look.
good luck


----------



## root (Aug 25, 2001)

ok
will do...


----------



## root (Aug 25, 2001)

Here it is:

StartupList report, 3/25/2003, 8:15:12 AM
StartupList version: 1.52
Started from : C:\downloads\StartupList1.52\startuplist152\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Downloaded Program Files\eBayTBar.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\netconfig{5}.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\downloads\StartupList1.52\startuplist152\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Danny\Start Menu\Programs\Startup]
Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
eBay Toolbar.LNK = ?
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
Microsoft Office Shortcut.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = ?
QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,netconfig{5}.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CPQEASYACC = C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
ATIModeChange = Ati2mdxx.exe
WorksFUD = 
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
srmclean = C:\Cpqs\Scom\srmclean.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
fwenc.exe = "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
LWBMOUSE = C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
(Default) = 
AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
mediadriver{5} = 
COM Services,WinServices,netconfig,mediadriver, = netconfig{5}.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
FourthDay = C:\Program Files\The Fourth Day\FourthDay.exe
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINDOWS\System32\DONTTO~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\ANIMAL~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\Downloaded Program Files\eBayBand.dll - {001F2570-5DF5-11d3-B991-00A0C9BB0874}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\SYSTEM32\Meca Plugin.dll - {E868656B-F0D3-4A61-8FE8-F47C90119E39}
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[eBay Helper Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\eBayBand.dll
CODEBASE = http://download.ebay.com/toolbar/eBayTBar.cab

[VivoActive Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\VvWeb.OCX
CODEBASE = http://player.vivo.com/ie/vvweb.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Video Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\videox.dll
CODEBASE = http://stream10k.redhotnetworks.com/cabs/videox.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\System32\IEAccess2.dll
CODEBASE = http://usa-download.nocreditcard.com/download/Object/ieaccess2XP.cab

[AxgviewerCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\AXGVIE~1.DLL
CODEBASE = http://marketrac.nyse.com/mt/3D/Axgviewer.cab

[AXClientUtil2 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\AXCLIE~1.OCX
CODEBASE = http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[OTXMovie Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\OTXMedia.dll
CODEBASE = http://otx.ifilm.com/OTXMedia/OTXMedia.dll

[FVLiteLoad Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FVLiteX.dll
CODEBASE = http://flipbrowser.com.sg/fvlite/fvliteY.cab

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MSNChat42.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://search.warez.com/stuff/xxx_movieplayer.cab

[Yahoo! WebCam Upload Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yuplapp.dll
CODEBASE = http://chat.yahoo.com/cab/yuplapp.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\System32\nsupdate.dll
CODEBASE = http://204.177.92.201/quickdl/action/NSupd9x.cab

[GpcContainer Class]
InProcServer32 = C:\WINDOWS\Downlo~1\ieatgpc.dll
CODEBASE = https://greatplains.webex.com/client/latest/webex/ieatgpc.cab

[Yahoo! Webcam Viewer Wrapper]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.4\yvwrctl.dll
CODEBASE = http://chat.yahoo.com/cab/yvwrctl.cab

[Live Collaboration]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RntX.dll
CODEBASE = https://rr.esecurecare.net/rnt/rnl/java/RntX.cab

[{E87A6788-1D0F-4444-8898-1D25829B6755}]
CODEBASE = http://sc.communities.msn.com/controls/chat/msnchat4.cab

[YBIOCtrl Class]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4_0_2_10.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,730 bytes
Report generated in 0.221 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------
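A triage pass over the report above, added here as an example (my own code, not part of StartupList and not posted by anyone in the thread). It parses the UserInit line and the Run-key sections and flags what a responder looks at first: a second entry riding on UserInit, a value name that is a comma-list of aliases, a target given without a directory (Windows then resolves it through PATH), a target living in the Windows folder root or a temp/profile folder, and a file name that is, or nearly is, a system binary outside system32. SAMPLE is excerpted from root's report; the SYSTEM_NAMES list and the similarity cutoff are my own choices. The same checks catch the entries in the later Windows 2000 report in this thread (a services.exe running from a temp folder).

```python
"""Triage of a StartupList 1.52 report for persistence entries.

Added example for this thread (not part of StartupList, not posted above).
It reads the UserInit line and the Run-key sections and flags what a
responder checks first. SAMPLE is excerpted from root's report; the
SYSTEM_NAMES list and the similarity cutoff are my own choices.
"""
import difflib
import re

SAMPLE = r"""
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,netconfig{5}.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIModeChange = Ati2mdxx.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
fwenc.exe = "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
mediadriver{5} =
COM Services,WinServices,netconfig,mediadriver, = netconfig{5}.exe

--------------------------------------------------
"""

# Names that belong only in %WINDIR%\system32; the same name elsewhere, or
# a near-miss of it (sychost.exe), is a lookalike.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "userinit.exe"}


def parse_report(text):
    """Return (userinit_value, [(hive, name, value), ...])."""
    userinit, run, hive = "", [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("UserInit = "):
            userinit = line[len("UserInit = "):]
        elif re.match(r"^HK(LM|CU)\\.*\\Run$", line):
            hive = line                      # "name = value" lines follow
        elif line.startswith("---"):
            hive = None                      # section divider
        elif hive:
            m = re.match(r"^(.+?) = ?(.*)$", line)
            if m:
                run.append((hive, m.group(1), m.group(2)))
    return userinit, run


def target_of(value):
    """Best-effort executable path from a Run value (quoted or bare)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))", value, re.I)
    return m.group(1) if m else value


def triage_userinit(value):
    """Split UserInit into the real userinit.exe and whatever rides on it."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    legit = [e for e in entries if e.lower().endswith(r"\system32\userinit.exe")]
    return legit, [e for e in entries if e not in legit]


def triage_run(entries):
    """Return [(name, value, reason)] for Run values worth a closer look."""
    findings = []
    for _hive, name, value in entries:
        tgt = target_of(value)
        base = tgt.rsplit("\\", 1)[-1].lower()
        folder = tgt[:-len(base)].rstrip("\\").lower() if "\\" in tgt else ""
        reasons = []
        if "," in name:
            reasons.append("value name is a list of aliases")
        if not value.strip():
            reasons.append("empty value (leftover of a removed entry)")
        elif "\\" not in tgt:
            reasons.append("no directory: Windows resolves it through PATH")
        elif folder in (r"c:\windows", r"c:\winnt"):
            reasons.append("runs straight out of the Windows folder")
        elif "\\temp\\" in folder + "\\" or "documents and settings" in folder:
            reasons.append("runs from a temp or profile folder")
        if base in SYSTEM_NAMES:
            if not folder.endswith(r"\system32"):
                reasons.append("system binary name outside system32")
        else:
            close = difflib.get_close_matches(base, SYSTEM_NAMES, n=1, cutoff=0.85)
            if close:
                reasons.append("name mimics " + close[0])
        findings.extend((name, value, r) for r in reasons)
    return findings
```

To run it on the whole report rather than the excerpt, pass the saved report's text to parse_report and feed the results to triage_userinit and triage_run. The output is a review list, not a verdict: ATIModeChange lands under the PATH rule like any bare file name and still has to be checked for where it actually resolves, while the startup-folder items the report lists separately (drempels.exe and FSScrCtl.exe also sit in C:\WINDOWS) are outside these rules.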



## IMM (Feb 1, 2002)

> _Originally posted by root:_
> *I tried to delete the netconfig{5}.exe file, but I can't.
> It is telling me access is denied. *


If you can end the task in some fashion before you delete it, that should work. (I forget what part of control panel that is in XP)
As an alternative you could do it from a DOS boot floppy if you're on FAT32 rather than NTFS.

--
I'd run regedit and remove the 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 
value which refers to it if you can.

------
I've no idea what this is
C:\WINDOWS\SYSTEM32\Meca Plugin.dll

Additionally, I can see a dialer and videox stuff.
When you get the virus issue sorted - run SpybotSD (update it first) on this one.
www.tomcoyote.org/SPYBOT


----------
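IMM's registry advice written out as a .reg file, added here as an example (my own code, not from the thread). It keeps exactly C:\WINDOWS\system32\userinit.exe, in the Winlogon Userinit value and deletes the two Run values from root's report that carried netconfig{5}.exe; regedit merges such a file on double-click. The key paths and the Userinit value name are Windows constants, the UserInit string and Run value names are the ones in the StartupList report above, and the output file name is an assumption. Stop the netconfig{5}.exe process first, as IMM says: while it runs it can write the values straight back.

```python
"""Registry file that undoes the two hooks from root's report.

Added example, not from the thread: IMM's advice in .reg form so regedit
does the edit in one step.  Key paths and the "Userinit" value name are
Windows constants; the UserInit string and Run value names come from the
StartupList report above; the output file name is my own.
"""
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def clean_userinit(value, windir=r"C:\WINDOWS"):
    """Reduce UserInit to the system32 userinit.exe entry plus its trailing
    comma.  Never delete the whole value: winlogon runs userinit.exe to start
    the shell, and without it the logon ends as soon as the profile loads.
    Returns (clean_value, [entries that were stripped])."""
    keep = windir + r"\system32\userinit.exe"
    entries = [e.strip() for e in value.split(",") if e.strip()]
    stripped = [e for e in entries if e.lower() != keep.lower()]
    return keep + ",", stripped


def reg_quote(s):
    """Escape a string for a .reg file: backslashes doubled, quotes escaped."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg(userinit_value, run_values_to_delete, windir=r"C:\WINDOWS"):
    """Return (reg_file_text, stripped_entries).  "name"=- deletes a value."""
    clean, stripped = clean_userinit(userinit_value, windir)
    lines = ["Windows Registry Editor Version 5.00", "",
             "[" + WINLOGON + "]",
             '"Userinit"="' + reg_quote(clean) + '"', "",
             "[" + RUN_HKLM + "]"]
    lines += ['"' + reg_quote(n) + '"=-' for n in run_values_to_delete]
    return "\r\n".join(lines) + "\r\n", stripped


if __name__ == "__main__":
    text, stripped = build_reg(
        r"C:\WINDOWS\system32\userinit.exe,netconfig{5}.exe,",
        ["mediadriver{5}", "COM Services,WinServices,netconfig,mediadriver,"])
    # Output name is an assumption; regedit merges it on double-click.
    with open("fix-netconfig.reg", "w", newline="") as fh:
        fh.write(text)
    print("stripped from UserInit:", stripped)
    print(text)
```

The invariant in clean_userinit is the whole point: the userinit.exe entry stays no matter what else is in the value, so the fix removes the hook without producing the "loading settings, then saving settings" logon loop that an empty Userinit value causes.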



## root (Aug 25, 2001)

is this a necessary file?
if I delete it, will there be any problems.....
how can I replace it with a clean copy...

and the other file, Norton can't repair that either...is that one safe to delete?..and the same questions apply?


----------



## IMM (Feb 1, 2002)

edited the above post to add some info.
----
sychost.exe is certainly not required (unless that's a typo)
If you feel better about it, then rename the nethost(5).exe file to net_temp.tmp or something else first and reboot - but keep it from running with the regedit.
Here's the symantec page on mosuck.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mosuck.html

The trouble with trojans is that (if it's been used) I can't tell what system changes have been made by whoever (if anyone) was at the other end.


----------



## IMM (Feb 1, 2002)

Is that actually svchost.exe you mean? If so, it will depend where it is on the machine and if the original one was affected.


----------



## root (Aug 25, 2001)

First of all, when I deleted the value that you recommended in your previous post.....
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

When I rebooted...desktop (explorer) was gone...


----------



## root (Aug 25, 2001)

and the file norton is reporting is indeed sychost.exe


----------



## root (Aug 25, 2001)

I got my desktop back....
However, I did once again eliminate the netconfig value from that key again....but it gets put back....
I had also previously deleted the same values from the Run keys


----------



## root (Aug 25, 2001)

Done nothing different....
now the computer won't boot up
desktop pic comes up...then after a pause...goes back to the welcome screen
also, tried booting into safe mode, but it just brings up the user choices, then lets me do nothing

HELP!


----------



## root (Aug 25, 2001)

when I click on the user, or administrator, it says it is loading settings, then right after, saving settings
the only choice it gives me is to turn off the computer


----------



## root (Aug 25, 2001)

what do I need to do to be able to get back in...
go through DOS?
if so, I need an emergency boot disk...can I download that? I saw that once where you can download one

why did that happen....any idea?


----------



## root (Aug 25, 2001)

I can't get my computer to even read a CD-ROM, in case I need to do a reinstall...
If I find a way to boot into DOS, how can I fix this...
I don't understand what happened...I did what was recommended here, and also referred to Symantec's site


someone help....


----------



## root (Aug 25, 2001)

I was able to download, on another computer, XP boot disks.
This got me into the recovery console, I assume...
any way I can repair the problem from here, or do I need to do an install
I want to do a top install...will this work?...I would hate to lose all I have on there...
It is just a logon problem...If I can only log into windows
even in safe mode I can't
when it shows me the user choices, it just wont log them in...


----------



## $teve (Oct 9, 2001)

you can follow the instructions to install windows until you see the repair "option"......this will install an undamaged copy and your files will be intact but you will need to re-scan your computer for the trojans.
come back in and let us know how you do.


----------



## root (Aug 25, 2001)

Well, as I think I said previously, I have a Compaq laptop Presario 1720. This has the deal where you have either the floppy drive in or the CD/DVD drive in. I used the 6 XP boot floppies. That brings me to the recovery console. However, if I choose the repair option, there is really not much I can do here, once it drops me into a Windows prompt.
If I choose the install XP, I can't.....my CD drive isn't recognized when I swap it in.
The system starts Windows to the point that my background comes up. But then it goes back to the welcome screen.
It will come up with the screen where you choose a user. But, when I do, it says it is loading the personal settings, but then immediately says it is saving the settings and logs out the user. At no point then does the desktop come back with my icons. Any way I can boot into DOS, where I can have more control over where and what I can do? Can an individual entry in the registry be modified from DOS?


----------



## $teve (Oct 9, 2001)

hmm..........if i were you root i would post this in the 2k/xp forum to get you the tech help you need to get back into windows.
you can always come back here if you still have the trojan problem.
just got your pm by the way.


----------



## IMM (Feb 1, 2002)

Sorry I was gone for a while 

You did just delete the C:\WINDOWS\system32\userinit.exe,netconfig{5}.exe 
value from the registry?

I didn't realize you wouldn't have both the floppy and CD rom at the same time.
Can you enter the bios and set the Boot Order to CD first - then boot from the CD to get the recovery console?

Unfortunately (as I tried to indicate earlier) - it's possible that an external operator has made some significant changes.


----------



## root (Aug 25, 2001)

well, guys....I have made some progress with getting it up
Early this morning, before I checked these messages, I was able to drop into the BIOS and have it look at the CD first...
I did a parallel top install....
I am going to then do my backups of what I want to save, and then probably do a full reinstall...since I will probably still be infected...

And, yes, IMM, I only deleted the netconfig part of that value, since the userinit.exe is necessary...
So, that is why I am surprised it gave me problems...

So, I am not out of the woods yet. If you find any info on these viruses, and how to get rid of them without doing damage...that would be great...for reference, at least.


----------



## root (Aug 25, 2001)

Steve, I might do that...
I would like to know what actually went wrong, and how I could fix something like that without having to do a reinstall...if something like this ever happens again....


----------



## $teve (Oct 9, 2001)

ok root.....1st of all there is a big difference between a virus and a trojan....yours was a trojan and most are not detected by antivirus software; you need a trojan-specific scanner/cleaner.
there are a few on the market like BOClean, Trojan Hunter, The Cleaner......i use The Cleaner and it works fine, it has an option to monitor your registry for any attempted key changes or additions and an alarm goes off if any attempt is made.
just because you've been attacked once doesn't mean it will happen again. just do a little browsing of security forums and make sure you're as well protected as you can be.
good luck


----------



## JakeKool (May 23, 2003)

Hi

Just use TDS-3

http://tds.diamondcs.com.au


----------



## root (Aug 25, 2001)

OK...thanks


----------



## TOGG (Apr 2, 2002)

root,

Check this thread from the Security forum;
http://forums.techguy.org/t135052/s.html

I have The Cleaner but I've also got Trojan Remover, which isn't a real-time scanner but can be configured to scan single files, the usual launching places of trojans or a whole HD.

I am not connected with the author of this program and I have never used it to remove a trojan so I cannot claim that it is 100% safe to use or guaranteed to work in every case.

It does have a Moosucker trojan in its latest database, which is updated much more frequently than The Cleaner's is.


----------



## root (Aug 25, 2001)

Thanks, Togg.


----------



## jeannette77 (Jun 28, 2003)

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Downloads Now\Nerladdade Prog starups\iclogin1.3pre5-release\iclogin1.3pre5.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\system32\msmonk32.exe
C:\documents and settings\bb443b11-7d12-450c-9f85-2d32804655f9\temp\services.exe
C:\winnt\system32\fritre\systroy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\program files\altnet\points manager\points manager.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.514\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
P2P Networking = C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
IC Login = "D:\Downloads Now\Nerladdade Prog starups\iclogin1.3pre5-release\iclogin1.3pre5.exe"
Detect = C:\Program Files\iNTERNET Turbo\iDetect.exe /auto
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
Services = C:\WINNT\system32\msmonk32.exe
Windows 2000 Services = c:\documents and settings\bb443b11-7d12-450c-9f85-2d32804655f9\temp\services.exe
Systei32lin = c:\winnt\system32\fritre\systroy.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssflwbox.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37798.6736226852

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5,393 bytes
Report generated in 0.190 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

******'

HOW DO I UN-INFECT MY COMPUTER?? why doesn't Norton 2002 take care of this?? and I am not able to delete them, and the only ones I can see, C:\winnt\system32\fritre\systroy.exe and something called dvl...something also known as blackdoor.exe

aaaaaaaaaaaaaaaaaaaaaa

HELP HELP HELP


Sweden gal.


----------



## JakeKool (May 23, 2003)

I sent you a PM do you know how to stop the files from starting with Windows ?

XP has MSCONFIG, if you have XP click start > Run and type MSCONFIG then press OK. Untick the ones I told you to, then msg me back. You will be safe without them starting by themselves..


----------



## l3atman (Jul 17, 2003)

Help me PLEASE please please.
Hi, my name is Andrew, I am having a problem with my Backdoor.Mosuck virus. I have one on my computer. Norton will have a popup saying that it has detected the Backdoor.Mosuck virus in:
File name: C:\System Volume Information\_restore{C5B7D048-7A57-4C65-B49C-A9E80875C25C}\RP34\A0003620.exe
Domain Name: Home
System Name: Andrew
User Name: System


Norton is unable to repair this file. I believe it says access denied. My only guess to this is that it is because the file is still running. When I search for the file, in a file search I cannot find it, and when I open up my end task menu, I don't see a system file running with that name, or anything similar to it such as System Volume or something. I really don't know what to do. Please help me.
Andrew


----------



## IMM (Feb 1, 2002)

Access is denied because it's part of the backup.
I'm guessing this is XP?
see http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Here's a bit of info on that folder
http://support.microsoft.com/defaul...port/kb/articles/q309/5/31.asp&NoWebContent=1


----------



## l3atman (Jul 17, 2003)

Thanks,

I didn't really expect such a speedy response. Thanks, that helped. I now know what to do. BUT I cannot do it. I need to access and turn off the system restore function. I am in the administrator's profile, but I cannot do it. When I open the properties of my computer it reads this rundll32.exe - Entry Point Not Found error:
"The procedure entry point RemoteAssistancePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll"

Am I totally screwed, or is there a way I can fix this file?
thank you.


----------



## JakeKool (May 23, 2003)

The WINSTA.dll file should be protected by file protection.. so it should not have been modified. So I guess there might be a virus on the system, do you have a good virus scanner ?

I-Worm.Klez drops a polymorphic virus and seems to make the system unstable, this would be my guess. Try the free common virus remover from Kaspersky, www.avp.ch has a link to it here

ftp://ftp1.avp.ch/utils/clrav.com

Hope this cleans something, if it does, run it again till it says nothing to clean..


----------



## l3atman (Jul 17, 2003)

:-( says nothing to clean. Damn. I got a new WINSTA.dll file, and tried to replace the old one, but my access was denied. Is there any way to gain access to it? It is quite the predicament. I need to access the WINSTA.dll file in a non-accessible folder to fix it. And the WINSTA.dll file is the one prohibiting me from gaining access. Darn.


----------

