Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Wed Mar 24, 2004 12:26 pm Post subject: SVChosts:
On Win 2000, just how many svchosts are you meant to have running in your Task Manager? Throughout having my computer it has gone from 2 to 3 and even 4. Don't see why extras would just pop up like that; any idea?
Halidon
Cadet
Joined: Mar 23, 2004
Posts: 4
Location: USA
Posted: Wed Mar 24, 2004 1:21 pm Post subject:
This anti-virus site gives some information on svchost.exe.
http://www.uk.sophos.com/virusinfo/analyses/w32rbota.html
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Wed Mar 24, 2004 7:46 pm Post subject:
Sophos has a writeup on this malware, here: http://www.sophos.com/virusinfo/analyses/w32agobotgy.html
pvanwelt
Cadet
Joined: Mar 31, 2004
Posts: 2
Location: USA
Posted: Wed Mar 31, 2004 7:45 am Post subject:
The PC of my girlfriend has the wuamgrd.exe worm.
But the strange thing is that Norton AntiVirus says it sees a virus and moves it to the quarantine directory,
but when I look at the processes running, I can't find anything strange.
Even the file wuamgrd.exe isn't at C:\winnt\system32.
So I decided to format the computer and reinstall.
But now, the day after, the new virus scanner (McAfee Enterprise 7.1) sees the virus wuamgrd.exe (aagghh) and even now there's nothing to find.
I decided to search on the internet and came out on this forum.
I saw the tool HijackThis, so I made a check and here's the log.
I hope anyone can help me out.
Cheers,
Pvanwelt
Code:
Logfile of HijackThis v1.97.7
Scan saved at 2:39:14 PM, on 3/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Liza\My Documents\My Received Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeelandnet.nl/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Wed Mar 31, 2004 9:25 am Post subject:
Pvanwelt, first -- *WELCOME* to Computer Cops!
Next -- I'm not really the local HJT Logs Expert {far from it}, but your log looks "clean" to me -- I don't see any evidence of the "wuamgrd.exe" worm running in memory. If it were active on your system, it would {I think} show up in the list of running processes at the top.
Perhaps McAfee took care of it: is McAfee still alerting on an infection, or have the alerts gone away? You can also try this: Start, Run, MSConfig - click on the Startup tab in the MSConfig utility, and look for any entries that contain or point to "wuamgrd.exe", and disable them.
Report back here with your findings; you might also want to post another HJT log, as this first log looks {to me} to be truncated .. a bit short .. for now though, I can't see anything else to recommend regarding the worm and the cleaning of it. Good luck, and again, welcome!
CalamityJane
Security Expert
Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
Posted: Wed Mar 31, 2004 10:33 am Post subject:
Hi pvanwelt
I don't see the wuamgrd.exe either but you DO have or have had the Sdbot worm noticed in these two entries:
O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
More info on that worm and removal instructions here:
http://www.sophos.com/virusinfo/analyses/w32sdbotmr.html
W32/Sdbot-MR
Aliases Backdoor.IRCBot.gen
Type Win32 worm
Description
W32/SdBot-MR is a worm which spreads via network shares.
When first run the worm will create a copy of itself named ntsyst32.exe in the Windows system folder and create the following registry entries to ensure that the copy is run every time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Threaded
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Threaded
W32/SdBot-MR searches for shared folders with weak passwords and copies itself to the Windows system folder of a vulnerable computer as ntsyst32.exe.
The worm includes backdoor functions which can be controlled by a remote attacker over IRC.
Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Threaded
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Threaded
and delete them if they exist.
Close the registry editor.
.............................................
Reboot your PC into SAFE MODE
How to start the computer in Safe mode (all)
http://service1.symantec.com/SUPPORT/ts...2409420406
Delete this file named in bold:
ntsyst32.exe (if found)
I would further recommend a free online AV scan at one (preferably two) of the following:
Panda's Active Scan
http://www.pandasoftware.com/activescan...ncipal.htm
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/
eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx
Once your PC is clean you need to reset the restore point in Windows XP.....why?
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.as...-us;310405
_________________
Microsoft MVP 2003/2004
Windows - Security
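The following is an added example, not code from this thread, from HijackThis or from Sophos: a small Python triage script for the two things raised above, the svchost.exe count from the first post and the O4 "[Threaded] ntsyst32.exe" entries CalamityJane picked out of the log. The sample log is constructed from lines posted in this thread plus one hypothetical svchost.exe under C:\WINNT\Temp so the path check has something to find; the system directory C:\WINNT\system32 is assumed from the Platform line.

```python
"""Added example (not from the thread or HijackThis): triage a HijackThis 1.97-style
log for the two signals this thread turns on.

 1. svchost.exe: count the instances and flag any whose image path is not the
    Windows system directory. The count alone proves nothing; one instance per
    service group is normal and the number changes as services are added.
 2. O4 autorun entries whose command is a bare file name (no directory), and a
    value name that recurs under both Run and RunServices, which is exactly the
    [Threaded] ntsyst32.exe pattern in the log above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: lines taken from the log posted in this thread, plus one
# hypothetical svchost.exe under C:\WINNT\Temp (not in the original log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Temp\svchost.exe
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zeelandnet.nl/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Threaded] ntsyst32.exe
O4 - HKLM\..\RunServices: [Threaded] ntsyst32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# O4 line shape: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Split a log into (running process paths, list of O4 autorun dicts)."""
    processes, autoruns = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and DRIVE_PATH_RE.match(line):
            processes.append(line)
            continue
        in_procs = False  # the process list ends at the first R0/O2/O4... line
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
    return processes, autoruns


def _program(cmd):
    """Program part of an autorun command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def svchost_report(processes, system_dir=r"C:\WINNT\system32"):
    """Count svchost.exe instances and flag any not loaded from system_dir.
    PureWindowsPath compares case-insensitively, matching the mixed case HJT prints."""
    sysdir = PureWindowsPath(system_dir)
    instances = [p for p in processes if PureWindowsPath(p).name.lower() == "svchost.exe"]
    suspicious = [p for p in instances if PureWindowsPath(p).parent != sysdir]
    return {"count": len(instances), "suspicious": suspicious}


def autorun_report(autoruns):
    """Flag bare-filename O4 commands and value names present in both Run and RunServices.
    A bare name is resolved by a PATH search at logon, so the file must be located by hand.
    RunServices is a Windows 9x/ME key that NT-based Windows ignores; malware writes it
    anyway, which makes the Run/RunServices pair a useful fingerprint."""
    bare = []
    keys_by_entry = defaultdict(set)
    for a in autoruns:
        prog = _program(a["cmd"])
        if "\\" not in prog:
            bare.append(a)
        keys_by_entry[(a["hive"], a["name"], prog.lower())].add(a["key"])
    paired = sorted(name for (_, name, _), keys in keys_by_entry.items()
                    if {"Run", "RunServices"} <= keys)
    return {"bare": bare, "run_and_runservices": paired}


if __name__ == "__main__":
    procs, runs = parse_log(SAMPLE_LOG)
    print("svchost:", svchost_report(procs))
    report = autorun_report(runs)
    for entry in report["bare"]:
        print("bare autorun:", entry["hive"], entry["key"], entry["name"], entry["cmd"])
    print("Run+RunServices pairs:", report["run_and_runservices"])
```

The svchost count is reported but not judged: Windows 2000 runs one instance per service group, so two to four is unremarkable, and the image path is the check that matters (on Windows XP and later, tasklist /svc additionally shows which services each instance hosts). A bare file name in an O4 entry is not proof of malware either (mobsync.exe above is Microsoft's Synchronization Manager); it is what has to be located on disk and identified, and the same value name under both Run and RunServices is the stronger signal.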
Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Wed Mar 31, 2004 12:17 pm Post subject: Hey since youre on a roll....
Was wondering if you'd heard of cftmon.exe. This keeps loading and doesn't show up with Trojan Hunter, and when 'fixed' with HijackThis it comes up the next time my computer loads.
CalamityJane
Security Expert
Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
Posted: Wed Mar 31, 2004 12:46 pm Post subject: Re: Hey since youre on a roll....
Churchillohyes wrote:
Was wondering if you'd heard of cftmon.exe. This keeps loading and doesn't show up with Trojan Hunter, and when 'fixed' with HijackThis it comes up the next time my computer loads.
CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services
Microsoft Knowledge Base Article - 282599
OFFXP: What Is CTFMON and What Does It Do?
http://support.microsoft.com/default.as...-us;282599
_________________
Microsoft MVP 2003/2004
Windows - Security

Churchillohyes
Trooper
Joined: Mar 13, 2004
Posts: 33
Location: Afghanistan
Posted: Wed Mar 31, 2004 1:17 pm Post subject: Thanks
..... thanks.
pvanwelt
Cadet
Joined: Mar 31, 2004
Posts: 2
Location: USA
Posted: Thu Apr 01, 2004 10:42 am Post subject:
Thanks all for the good replies.
The virus scanner is always running and is up to date.
I have cleaned the 2 registry settings now, but the file "ntsyst32.exe" isn't on the computer as far as I can see now.
I hope some problems are solved now; I'm going to search further for the file.
But if I don't find it, I hope the virus is all gone now.
CalamityJane
Security Expert
Premium Member
Joined: Oct 05, 2002
Posts: 2225
Location: Central Florida, USA
Posted: Fri Apr 02, 2004 8:02 am Post subject:
pvanwelt wrote:
I have cleaned the 2 registry settings now, but the file "ntsyst32.exe" isn't on the computer as far as I can see now.
I hope some problems are solved now; I'm going to search further for the file.
But if I don't find it, I hope the virus is all gone now.
pvanwelt,
That's why I said "either you do or have had", meaning the infected files may have already been deleted but those registry entries were left behind.
Make sure your PC is configured to show hidden files:
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
If ntsyst32.exe is still not found, nor your AV indicating presence of the file, then it was just those registry entries that needed fixing.
HTH
_________________
Microsoft MVP 2003/2004
Windows - Security

moxx
Cadet
Joined: Apr 24, 2004
Posts: 1
Location: USA
Posted: Sat Apr 24, 2004 1:42 am Post subject: SecThought.E
I can't find ANY information on this pain-in-the-ass trojan. I ran Spybot, Ad-Aware, and my Anti-Virus (AVG by www.grisoft.com). AVG found it and tried to kill it but it wouldn't die; a second scan revealed no viruses found (yeah right. i know it's still there).
I found this forum which is the ONLY forum with any information related to this SecThought.E thing.
I downloaded Hijack This and ran it. Here is my log. Thanks for ANY assistance in removing this trojan.
I know a bit about computers, and nothing in this log (giving it a quick once-over) shows any threat. I know what a lot of those programs do and why they're there. But... if there's anything that shouldn't be... PLEASE help. Thank you very much in advance.
-Skip
Logfile of HijackThis v1.97.7
Scan saved at 1:35:10 AM, on 4/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Documents and Settings\skip\My Documents\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stamphistory.net/cool/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
Randy_Bell
Symantec
Premium Member
Joined: Mar 13, 2004
Posts: 44
Location: USA
Posted: Sat Apr 24, 2004 2:46 am Post subject:
Hello moxx, I pasted your log into Notepad and did a search on the string "WUAMGRD" and received no hits: you don't seem to have this particular malware. I am really not trained to examine HJT logs for spyware etc.; about the only thing I notice in your log is that realsched.exe and qttask.exe are running:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
{from RealPlayer and QuickTime, respectively} .. those you can do without, they aren't needed. Perhaps someone else can take a look at your log to see if they find something .. good luck.
_________________
But now abide faith, hope, love, these three; but the greatest of these is love. (1 Cor. 13:13)

Walrus
Cadet
Joined: May 07, 2004
Posts: 1
Location: Finland
Posted: Fri May 07, 2004 5:56 am Post subject:
Thanks fellas, I just wanted to express my gratitude for everybody out there combatting these nuisances. After two days' work I finally found this site, and with the instructions given I successfully got rid of wuamgrd.exe. I am your fan forever!
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 1482
Location: UK
Posted: Fri May 07, 2004 3:04 pm Post subject:
Thank you Walrus glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
If you think you've learned a little here, or had a little help ... please feel free to give a little back. Your donations are always welcome