Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Badly infected W2k PC w/ virus or worm

Posted on 2004-08-10
8
236 Views
Last Modified: 2013-12-04
I just signed-up and if this is solved it's worth the first six month's atleast-- I'm stumped.  
This Windows 2000 PC is obviously infected with something, but what.  The latest Norton 2004 Pro identifies w32.randex.gen in svchost which it cannot repair.  When I copy the svchost file to floppy and scan it from a clean PC no virus is detected.  I downloaded the HiJackThis and here's the log file:

Logfile of HijackThis v1.98.2
Scan saved at 7:43:55 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\BESCH.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\svhost.exe
C:\WINNT\system32\svhost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\WINNT\explorer.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://asp.appraisenj.ws/appraiseasp/wficat.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - http://www.swiftview.com/product/current/svinstall_a_stat_notiff.cab
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0000B456BA3D} (Matn5250 Control) - http://www.co.rockingham.nc.us/mochahtml/matn5250.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B8E773F-4147-42DF-8095-BD96ED43E01D}: NameServer = 24.28.227.64

Thanks,
-bowinn
0
Comment
Question by:bowinn
8 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11768583
Hello bowinn =)

O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
=====================================================================

fix these entries then boot into safemode and delete the files videons32.exe and svhost.exe(note its not svchost.exe) from C:\WiNNT\System32.... and run virus scan again to clean the system !!!!

thenn reboot back in Normal mode and now check for the problem ??

!! GOOD LUCK !!
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11768615
>> O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
>> O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe

these entries indicate that the system is infected with W32/Sdbot-KK Worm !!!
Read here the Description and Recovery >> http://www.sophos.com/virusinfo/analyses/w32sdbotkk.html
0
 

Author Comment

by:bowinn
ID: 11769009
Well, that helped some.  NAV now does a scan, finds and removes randex.gen by successfully deleting dc93.exe.  THat's progress.  However, a subsequent scan with Spybot S&D reports "DSO Exploit" and says it's "fixing it."  I scan again and it's still there.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 3

Expert Comment

by:4ceReconSniper
ID: 11769354
download avast! www.avast.com look for the free version of the software, i had that problem in the win2000 pc of mine, and it helped me a lot
0
 
LVL 21

Expert Comment

by:jvuz
ID: 11770098
Also do a scan with stinger:

http://vil.nai.com/vil/stinger/
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11771214
bowinn,,,,, first make sure that u have installed All Updates and Patches from Microsoft,,,,, and if still u get that DSO Exploit errors, then check this link >> http://www.nsclean.com/dsostop.html
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11771406
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question