bowinn asked:
Badly infected W2k PC w/ virus or worm
I just signed up, and if this is solved it's worth the first six months at least. I'm stumped.
This Windows 2000 PC is obviously infected with something, but what? The latest Norton 2004 Pro identifies w32.randex.gen in svchost, which it cannot repair. When I copy the svchost file to a floppy and scan it from a clean PC, no virus is detected. I downloaded HiJackThis and here's the log file:
Logfile of HijackThis v1.98.2
Scan saved at 7:43:55 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\BESCH.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\WINNT\explorer.exe
C:\HiJackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://asp.appraisenj.ws/appraiseasp/wficat.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/svinstall_a_stat_notiff.cab
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0000B456BA3D} (Matn5250 Control) - http://www.co.rockingham.nc.us/mochahtml/matn5250.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64
Thanks,
-bowinn
ASKER CERTIFIED SOLUTION
ASKER
Well, that helped some. NAV now does a scan, finds and removes randex.gen by successfully deleting dc93.exe. That's progress. However, a subsequent scan with Spybot S&D reports "DSO Exploit" and says it's "fixing it." I scan again and it's still there.
Download avast! (www.avast.com); look for the free version of the software. I had that problem on a Win2000 PC of mine, and it helped me a lot.
bowinn, first make sure that you have installed all updates and patches from Microsoft, and if you still get the DSO Exploit errors, then check this link >> http://www.nsclean.com/dsostop.html
Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
>> O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
These entries indicate that the system is infected with the W32/Sdbot-KK worm!
Read the description and recovery steps here >> http://www.sophos.com/virusinfo/analyses/w32sdbotkk.html
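Editor's note, with an added example that is not part of this thread and not code from HijackThis, Norton, Spybot or Sophos: the reply above picks out the right lines, and the reasoning behind it can be written down as a small triage script. The O4 registry entries below are copied from the log at the top of the thread; everything else (the name list, the distance threshold, the reason strings) is this example's own choice. Three things make those two entries stand out. First, RunServices is a Windows 9x/ME key that NT-based Windows (2000 included) never executes, so a legitimate Windows 2000 installer has no reason to write it, while worms that target both families write it anyway. Second, svhost.exe is svchost.exe with one letter dropped, a classic lookalike; this is also one possible explanation for the clean floppy scan, since a file copied under the real name svchost.exe would be the legitimate binary. Third, both entries borrow a Microsoft-sounding display name but give no path to the executable, and the same command is registered under several keys at once, which well-behaved software does not do.

```python
"""Triage the O4 (autostart) entries of a HijackThis log for worm-style persistence."""
import re
from collections import defaultdict

# Sample input: the O4 registry entries copied from the HijackThis log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
"""

# Core NT binaries that worms imitate by dropping or swapping a letter (list chosen for this example).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}

# RunServices/RunServicesOnce are Windows 9x/ME keys; NT-based Windows never executes them.
WIN9X_ONLY_KEYS = {"RunServices", "RunServicesOnce"}

# Matches the registry form of an O4 line: "O4 - HKLM\..\Run: [display name] command args"
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_target(command: str) -> str:
    """Return the executable part of an autostart command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> dict:
    """Map suspicious executable basenames (lower-cased) to the reasons they were flagged."""
    reasons = defaultdict(set)
    keys_per_target = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Startup-folder O4 lines and other sections are not registry Run entries
        hive, key, name, command = m.groups()
        target = command_target(command)
        base = target.rsplit("\\", 1)[-1].lower()
        keys_per_target[base].add(f"{hive}\\{key}")
        if key in WIN9X_ONLY_KEYS:
            reasons[base].add(f"written to {key}, a Win9x-only key ignored by Windows 2000")
        if base not in SYSTEM_BINARIES:
            for real in SYSTEM_BINARIES:
                if edit_distance(base, real) <= 2:
                    reasons[base].add(f"lookalike of system binary {real}")
        if "\\" not in target and re.search(r"\b(Microsoft|Windows)\b", name, re.I):
            reasons[base].add(f"Microsoft-sounding name '{name}' but no path to the binary")
    # A command already flagged for another reason gets a further note if it is registered redundantly.
    for base, keys in keys_per_target.items():
        if len(keys) >= 2 and base in reasons:
            reasons[base].add(f"registered under {len(keys)} keys: {', '.join(sorted(keys))}")
    return {base: sorted(r) for base, r in reasons.items()}


if __name__ == "__main__":
    for base, why in triage(SAMPLE_O4).items():
        print(base)
        for w in why:
            print("   -", w)
```

Run against the sample, the script reports only svhost.exe and videons32.exe; the legitimate bare-name entries (mobsync.exe, point32.exe, BESCH.EXE) pass because they are neither lookalikes, nor in RunServices, nor dressed up with a Microsoft or Windows label. The lookalike threshold of two edits is deliberately loose for a short list of core binaries; widen the list and it will need tightening to avoid false positives.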