bowinn
asked on
Badly infected W2k PC w/ virus or worm
I just signed-up and if this is solved it's worth the first six month's atleast-- I'm stumped.
This Windows 2000 PC is obviously infected with something, but what. The latest Norton 2004 Pro identifies w32.randex.gen in svchost which it cannot repair. When I copy the svchost file to floppy and scan it from a clean PC no virus is detected. I downloaded the HiJackThis and here's the log file:
Logfile of HijackThis v1.98.2
Scan saved at 7:43:55 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTEC
C:\WINNT\System32\nvsvc32.
C:\WINNT\system32\regsvc.e
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.e
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\WINNT\SYSTEM32\ZONELABS
C:\WINNT\system32\svchost.
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Real\RealPlayer\Real
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\BESCH.EX
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\svhost.e
C:\WINNT\system32\svhost.e
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.e
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\WINNT\explorer.exe
C:\HiJackThis\HijackThis.e
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radi
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\Real
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTo
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.e
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-0
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-0
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-0
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-0
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {238F6F83-B8B4-11CF-8771-0
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-0
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
Thanks,
-bowinn
This Windows 2000 PC is obviously infected with something, but what. The latest Norton 2004 Pro identifies w32.randex.gen in svchost which it cannot repair. When I copy the svchost file to floppy and scan it from a clean PC no virus is detected. I downloaded the HiJackThis and here's the log file:
Logfile of HijackThis v1.98.2
Scan saved at 7:43:55 PM, on 8/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTEC
C:\WINNT\System32\nvsvc32.
C:\WINNT\system32\regsvc.e
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.e
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
C:\WINNT\SYSTEM32\ZONELABS
C:\WINNT\system32\svchost.
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Real\RealPlayer\Real
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\BESCH.EX
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\svhost.e
C:\WINNT\system32\svhost.e
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.e
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\WINNT\explorer.exe
C:\HiJackThis\HijackThis.e
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radi
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\Real
O4 - HKLM\..\Run: [BackupExecScheduler] BESCH.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTo
O4 - HKLM\..\Run: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] svhost.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] svhost.exe
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.e
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-0
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-0
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-0
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-0
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-0
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {238F6F83-B8B4-11CF-8771-0
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-0
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
Thanks,
-bowinn
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well, that helped some. NAV now does a scan, finds and removes randex.gen by successfully deleting dc93.exe. THat's progress. However, a subsequent scan with Spybot S&D reports "DSO Exploit" and says it's "fixing it." I scan again and it's still there.
download avast! www.avast.com look for the free version of the software, i had that problem in the win2000 pc of mine, and it helped me a lot
bowinn,,,,, first make sure that u have installed All Updates and Patches from Microsoft,,,,, and if still u get that DSO Exploit errors, then check this link >> http://www.nsclean.com/dsostop.html
Spybot keeps finding DSO exploit
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
http://www.computing.net/windowsxp/wwwboard/forum/104837.html
>> O4 - HKLM\..\RunServices: [Windows Video Drivers] videons32.exe
these entries indicate that the system is infected with W32/Sdbot-KK Worm !!!
Read here the Description and Recovery >> http://www.sophos.com/virusinfo/analyses/w32sdbotkk.html