Jenn7285
1 Nickel

HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

I had to wipe my hard drive and do a system rebuild Wed night, but then yesterday morning I checked the Task Manager and svchos1.exe was using up all the memory... System Idle was using none. I ended the process and the memory use went to another process... svchost.exe. Still 100% CPU in use. I ended that also. Also, since the rebuild I have had about 4 or 5 instances where a pop-up message will come up stating that Windows will shut down in 60 seconds, and then it counts down and restarts the computer. I know this is an indicator of the Blaster worm, but when I download the patch and removal tool from Microsoft (or FixBlast) it says that the computer is not infected. When I try to install the patch by itself, run msconfig, Norton, or a few other programs, the windows will disappear within about 15 seconds. I know I have the svchos1.exe bug but can't get rid of it because Norton won't run. I have been dealing with this nonstop since Tuesday night and I am really frustrated. Any help would be greatly appreciated.


Hijackthis log:


Logfile of HijackThis v1.97.7
Scan saved at 4:50:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\WINDOWS\System32\iexplore.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7

thanks

Jenna

0 Kudos
14 Replies

Re: HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

You have a couple of issues. First, you have a virus which is a version of the W32/Spybot worm.

Run one of the online virus scanners such as housecall.

Then close all windows and have hijackthis fix the following if they are still present:

O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe

O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE (This is the virus startup)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab

Reboot to safe mode and delete the following file:

C:\WINDOWS\System32\AMSNMGR.EXE

Post another log when finished

0 Kudos
Jenn7285
1 Nickel

new log and other info

OK, I ran HouseCall... 3 files, all WORM_AGOBOT.BK. I pressed delete but it could only delete 2: svchos1.exe was "in use".

I ran HJT again and fixed what you said to, rebooted in safe mode, but there was no amsnmgr.exe file to delete.


here is the new logfile:

Logfile of HijackThis v1.97.7
Scan saved at 5:52:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7


Jenna

0 Kudos
Jenn7285
1 Nickel

New HJT Log Help Please!!! also cwshredder scan results

My new HJT log is posted above after following the instructions given. Please help if you can, I am desperate!

Also, I don't know if this helps any, but these are the CWShredder scan results.

0 Kudos
Jenn7285
1 Nickel

Re: New HJT Log Help Please!!! also cwshredder scan results

whoops... here they are

CWShredder v1.46.4 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (472 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

0 Kudos

Re: new log and other info

You still have the same issue as before.

First make sure you can view hidden files and folders. That is probably why you did not see AMSNMGR.EXE. Open My Computer and select Tools>Folder Options>View and make sure Show Hidden Files and Folders is checked.

Close all windows and have hijackthis fix the following.

O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE

Then reboot to safe mode and delete the file: C:\WINDOWS\System32\AMSNMGR.EXE

Post another log when done.

0 Kudos
Jenn7285
1 Nickel

Re: HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

Here's the new log


Logfile of HijackThis v1.97.7
Scan saved at 8:28:01 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\spools.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7

I am sure I deleted it, but is that it under winsock2?

0 Kudos

Re: HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

Have you run Trend Micro's HouseCall? Let's see if we can get rid of it that way. Also, you must enable your firewall if it is not enabled.

Message Edited by Yellowhammer on 01-23-2004 07:47 PM

0 Kudos
Jenn7285
1 Nickel

Re: HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

Firewall is and has been enabled.

OK, ran HouseCall again and this time it got more than the first time...

6 files:

BKDR_SDBOT.GEN   NON CLEANABLE   IN DOCUMENTS AND SETTINGS  temp internet files maybe?  can't see the rest of the line

WORM_AGOBOT.BK  NON CLEANABLE  IN RECYCLER (there are 2 of these... maybe the deleted ones...)

3 more named BKDR_SDBOT.GEN, all non cleanable, in:

windows\system32\spools.exe

windows\system32\spools.exe.poly

windows\system32\winhlpp32.exe


I pulled up Task Manager and it showed that both spools.exe and IEXPLORE.EXE were taking up all or most of the CPU. There are 2 processes running under IEXPLORE.EXE and then spools.exe and spoolsv.exe.

Should I try to delete all of these with HouseCall even though it won't delete some since they are running?

0 Kudos

Re: HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

@Jenn7285 wrote:

OK, ran HouseCall again and this time it got more than the first time...

6 files:

BKDR_SDBOT.GEN   NON CLEANABLE   IN DOCUMENTS AND SETTINGS  temp internet files maybe?  can't see the rest of the line - Delete all your temp internet files

WORM_AGOBOT.BK  NON CLEANABLE  IN RECYCLER (there are 2 of these... maybe the deleted ones...) - Empty your recycle bin

3 more named BKDR_SDBOT.GEN, all non cleanable, in:

windows\system32\spools.exe
windows\system32\spools.exe.poly
windows\system32\winhlpp32.exe

ALL three of these are not legitimate files. Use HouseCall to delete them if it will. If not, shut them down using Task Manager and then delete them and remove them from your recycle bin. You may have to be in safe mode to do so.

0 Kudos