Thread: Trojan. dinst
- 08-02-2005 06:09 PM #21Member
- Join Date
- Oct 2004
- Location
- Coralville, Iowa
- Posts
- 21
- Points
- 0
Here is the first log (l2mfix). I will post the HijackThis log in a few minutes. About the rebooting... shortly after I posted that it was rebooting every 10 minutes I realized that if something was running then it did not reboot. So I ran all seven hundred of the antispyware programs that are on my computer right now :wink: ... needless to say the rebooting stopped. If it starts in again I will do what is suggested.
Here is the first log:
L2Mfix 1.03a
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1260 'explorer.exe'
Killing PID 1260 'explorer.exe'
Killing PID 1260 'explorer.exe'
Killing PID 1260 'explorer.exe'
Killing PID 1260 'explorer.exe'
Killing PID 1260 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2172 'rundll32.exe'
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Backing Up: C:\WINNT\system32\hsd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\hsd.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ksdfi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\ksdfi.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lmexpand.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\lmexpand.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\quut.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\quut.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqoolss.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\sqoolss.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\uxrvoica.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\uxrvoica.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\vphelper.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\vphelper.dll
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINNT\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINNT\system32\hsd.dll
Successfully Deleted: C:\WINNT\system32\hsd.dll
deleting: C:\WINNT\system32\hsd.dll
Successfully Deleted: C:\WINNT\system32\hsd.dll
deleting: C:\WINNT\system32\ksdfi.dll
Successfully Deleted: C:\WINNT\system32\ksdfi.dll
deleting: C:\WINNT\system32\ksdfi.dll
Successfully Deleted: C:\WINNT\system32\ksdfi.dll
deleting: C:\WINNT\system32\lmexpand.dll
Successfully Deleted: C:\WINNT\system32\lmexpand.dll
deleting: C:\WINNT\system32\lmexpand.dll
Successfully Deleted: C:\WINNT\system32\lmexpand.dll
deleting: C:\WINNT\system32\quut.dll
Successfully Deleted: C:\WINNT\system32\quut.dll
deleting: C:\WINNT\system32\quut.dll
Successfully Deleted: C:\WINNT\system32\quut.dll
deleting: C:\WINNT\system32\sqoolss.dll
Successfully Deleted: C:\WINNT\system32\sqoolss.dll
deleting: C:\WINNT\system32\sqoolss.dll
Successfully Deleted: C:\WINNT\system32\sqoolss.dll
deleting: C:\WINNT\system32\uxrvoica.dll
Successfully Deleted: C:\WINNT\system32\uxrvoica.dll
deleting: C:\WINNT\system32\uxrvoica.dll
Successfully Deleted: C:\WINNT\system32\uxrvoica.dll
deleting: C:\WINNT\system32\vphelper.dll
Successfully Deleted: C:\WINNT\system32\vphelper.dll
deleting: C:\WINNT\system32\vphelper.dll
Successfully Deleted: C:\WINNT\system32\vphelper.dll
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp
Zipping up files for submission:
adding: hsd.dll (164 bytes security) (deflated 48%)
adding: ksdfi.dll (164 bytes security) (deflated 48%)
adding: lmexpand.dll (164 bytes security) (deflated 48%)
adding: quut.dll (164 bytes security) (deflated 48%)
adding: sqoolss.dll (164 bytes security) (deflated 48%)
adding: uxrvoica.dll (164 bytes security) (deflated 48%)
adding: vphelper.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 83%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 64%)
adding: test.txt (164 bytes security) (deflated 84%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 80%)
adding: backregs/6C441D72-B70B-40CA-A21F-8D8C02B46C74.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
deleting local copy: hsd.dll
deleting local copy: hsd.dll
deleting local copy: ksdfi.dll
deleting local copy: ksdfi.dll
deleting local copy: lmexpand.dll
deleting local copy: lmexpand.dll
deleting local copy: quut.dll
deleting local copy: quut.dll
deleting local copy: sqoolss.dll
deleting local copy: sqoolss.dll
deleting local copy: uxrvoica.dll
deleting local copy: uxrvoica.dll
deleting local copy: vphelper.dll
deleting local copy: vphelper.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
The following are the files found:
****************************************************************************
C:\WINNT\system32\hsd.dll
C:\WINNT\system32\hsd.dll
C:\WINNT\system32\ksdfi.dll
C:\WINNT\system32\ksdfi.dll
C:\WINNT\system32\lmexpand.dll
C:\WINNT\system32\lmexpand.dll
C:\WINNT\system32\quut.dll
C:\WINNT\system32\quut.dll
C:\WINNT\system32\sqoolss.dll
C:\WINNT\system32\sqoolss.dll
C:\WINNT\system32\uxrvoica.dll
C:\WINNT\system32\uxrvoica.dll
C:\WINNT\system32\vphelper.dll
C:\WINNT\system32\vphelper.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6C441D72-B70B-40CA-A21F-8D8C02B46C74}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6C441D72-B70B-40CA-A21F-8D8C02B46C74}]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
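The export above is what a responder reads to check which DLLs Winlogon will load at logon, logoff and similar events (the same data HijackThis summarises as O20 lines). As an added example that is not code from the thread or from the L2Mfix tool, the Python below parses a Winlogon\Notify .reg export, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values with their backslash continuation lines, lists the DLL and hooked events per package, and flags any package whose DLL is not in a baseline the responder supplies. The sample input is three subkeys copied from the export above plus one constructed subkey (`constructed_pkg` / `placeholder_unknown.dll`) that is not on the page, added so the baseline check has something to report; the baseline itself is simply the DLL names seen in this clean export, not an authoritative list.

```python
import re
from typing import Dict, List, Union

NOTIFY_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"

# Sample input: crypt32chain, cscdll and igfxcui copied from the export in the
# L2Mfix log above, plus one CONSTRUCTED subkey (constructed_pkg) that is not
# on the page, included only so find_unexpected() has something to flag.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\constructed_pkg]
"DllName"="placeholder_unknown.dll"
"Logon"="ExampleLogonEvent"
"Asynchronous"=dword:00000001
'''

# Baseline taken from the clean export on this page (assumption: a responder
# would normally build this from a known-good machine of the same build).
BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
            "sclgntfy.dll", "igfxsrvc.dll"}

# Value names that configure the package rather than name an event handler.
CONFIG_VALUES = {"@", "dllname", "asynchronous", "impersonate", "enabled", "safe", "maxwait"}


def _logical_lines(text: str) -> List[str]:
    """Join .reg continuation lines: a trailing backslash continues the value."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        out.append(buf)
        buf = ""
    if buf:
        out.append(buf)
    return out


def decode_reg_value(raw: str) -> Union[str, int, bytes, List[str]]:
    """Decode the right-hand side of a .reg line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":   # REG_EXPAND_SZ: NUL-terminated UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        if m.group(1) == "7":   # REG_MULTI_SZ: NUL-separated UTF-16LE strings
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data             # REG_BINARY or anything else: leave raw bytes
    return raw


def parse_notify_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each Winlogon\\Notify subkey to its values (value names lowercased)."""
    packages: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                packages[current] = {}
            else:
                current = None      # the Notify key itself or an unrelated key
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        packages[current][name.lower()] = decode_reg_value(raw)
    return packages


def summarize(packages: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Per package: the DLL Winlogon will load and the events it handles."""
    summary = {}
    for name, values in packages.items():
        dll = values.get("dllname")
        events = sorted(k for k, v in values.items()
                        if k not in CONFIG_VALUES and isinstance(v, str))
        summary[name] = {"dll": dll if isinstance(dll, str) else None, "events": events}
    return summary


def find_unexpected(summary: Dict[str, Dict[str, object]], baseline) -> List[str]:
    """Names of packages whose DLL is not in the responder-supplied baseline."""
    allowed = {b.lower() for b in baseline}
    return sorted(n for n, info in summary.items()
                  if (info["dll"] or "").lower() not in allowed)


if __name__ == "__main__":
    report = summarize(parse_notify_export(SAMPLE_EXPORT))
    for pkg, info in report.items():
        print(f"{pkg:16} {str(info['dll']):26} events={info['events']}")
    print("not in baseline:", find_unexpected(report, BASELINE))
```

Feeding the full export from the log through `parse_notify_export` gives one entry per subkey; any entry whose DLL is outside the baseline is what to compare against the O20 lines of the HijackThis log and the files L2Mfix backed up.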
- 08-02-2005 06:11 PM #22Member
And here is the hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 6:12:46 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
- 08-03-2005 06:16 AM #23
Hi
All went well... your logs are now clean.
are your problems resolved ?
steam
- 08-03-2005 02:36 PM #24Member
Steam,
I think so. I have not been on the computer long enough to really find out. When I logged on I did get an error. It goes something like this...(kind of like a song :lol: )
Generic Host Process WWin32 encountered a problem and closed.
I clicked to get more information and it said:
SzAppName svchost.exe
Everything else on that page was filled with zeros or unknown.
I clicked again to look at the error report which read:
c\document~1\locals~1\temp\wer72f6.dir00\svchost.exe.mdmp
c\document~1\locals~1\temp\wer72f6.dir00\appcompat.txt
I will goof around here a bit to see if any pop-ups occur. I know I had one last night, but I am not sure if it was before or after I ran the last process.
THANKS!!
Jacqueline
- 08-03-2005 03:42 PM #25
Hi
It looks very much as though the Blaster worm has tried to take advantage of an exploit in Windows XP... it would appear you need this patch, MS03-026, though with SP2 installed I am surprised you could still be vulnerable to this... I advise you to go to Windows Update and install any critical updates on offer...
http://www.microsoft.com/technet/tre...n/MS03-026.asp
please read this extract from this page :- http://www.updatexp.com/msblast-exe.html
The worm attempts to infect both Windows 2000 and Windows XP systems. One of the functions used by the worm must be different for each of these operating systems, in order for the exploit it uses to work.
Since the worm does not know what operating system the target machine is running, it guesses. There is an 80% chance it will attempt to exploit Windows XP, and a 20% chance it will attempt to exploit Windows 2000.
If the worm guesses incorrectly and the remote machine is vulnerable, the process svchost.exe on the target machine will crash. The system may become unstable, but the infection will fail.
When svchost.exe crashes, a message like this may appear on Windows XP:
"Generic Host Process for Win32 Services" error report...
When svchost.exe crashes, Windows may create memory dumps of the process. These files are usually called user.dmp, svchost.exe.hdmp, or svchost.exe.mdmp.
Because these files contain the exploit code that caused the crash, they may be detected as DcomRpc.exploit or MS03-026 Exploit.Trojan. These files are harmless, and can safely be deleted.
However, the existence of these files indicates that the system is vulnerable and may still need to be patched.
---
Appcompat.txt is simply a reporting file used when uploading error reports to Microsoft. You've seen the message asking you if you would like to "report this error to Microsoft"? Appcompat.txt is a file that is uploaded if you say yes.
Appcompat.txt is not the problem. It contains information about the problem. Open it up in notepad...
click on Start, Run and enter:-
c\document~1\*****\locals~1\temp\wer72f6.dir00\appcompat.txt
I presume you have removed your name from here ? *****
Put it back in again before running it.... the result will be that the appcompat.txt will open in notepad...
Feel free to post the contents here... It will be full of technical information about the error (I may not understand any of it) then again it may help...
steam
- 08-03-2005 06:09 PM #26Member
I guess I am confused. I went to install the patch. After it was downloaded it said it could not install because there was a newer service pack already installed. That makes sense because I do try to keep up to date with the updates and patches, as that reduces the risk of getting into trouble with viruses and spyware... what not. When attempting to download it I clicked on run instead of save. Could that be the problem?
And if this is any help... I think at one time we did have that Blaster worm. I removed it with the Symantec removal tool. So, what should I do?
- 08-04-2005 04:52 AM #27
Hi Jacqueline
I am also confused...don't worry about that patch, if windows says you already have a newer version installed... that's good enough for me.
Let me try and explain...
I am not saying you have the blaster worm only that it tried to get onto your computer by using a certain exploit... and failed causing svchost.exe to crash and resulting in these files mentioned in your error message :-
c\document~1\locals~1\temp\wer72f6.dir00\svchost.exe.mdmp
c\document~1\locals~1\temp\wer72f6.dir00\appcompat.txt
Please read this again and I'll explain it as I go....
Once upon a time....
The Blaster worm attempts to infect both Windows 2000 and Windows XP systems. One of the functions used by the worm must be different for each of these operating systems, in order for the exploit it uses to work.
Since the worm does not know what operating system the target machine is running, it guesses. There is an 80% chance it will attempt to exploit Windows XP, and a 20% chance it will attempt to exploit Windows 2000.
If the worm guesses incorrectly and the remote machine is vulnerable, the process svchost.exe on the target machine will crash. The system may become unstable, but the infection will fail.
in your case the worm guessed wrong, causing svchost.exe to crash... giving these error message files :-
c\document~1\locals~1\temp\wer72f6.dir00\svchost.exe.mdmp
c\document~1\locals~1\temp\wer72f6.dir00\appcompat.txt
When svchost.exe crashes, a message like this may appear on Windows XP:
"Generic Host Process for Win32 Services" error report...
which is what you got...
Generic Host Process WWin32 encountered a problem and closed.
Because these files contain the exploit code that caused the crash, they may be detected as DcomRpc.exploit or MS03-026 Exploit.Trojan. These files are harmless, and can safely be deleted.
However, the existence of these files indicates that the system is vulnerable and may still need to be patched.
As you have these files I assumed you still needed the patch
---
This is what I suggest you do now...
c\document~1\user name\locals~1\temp
Delete the entire contents of this temp folder (there may be a couple of files you can't delete - don't worry about them)
PLEASE NOTE The local settings folder is a hidden folder.....Click here >>> How to Show Hidden/System Files <<<
Then run a Blaster worm removal tool again (just in case some part of it still resides on your computer... most AV companies have a version of the removal tool... if you want a link, let me know).
After that, just wait and see if the problem persists.
Good luck
steam
- 08-04-2005 02:57 PM #28Member
Thank you so much for your help. I have recommended this site to everyone I know. :mrgreen:
- 08-04-2005 11:12 PM #29
HI
You're very welcome
Keep an eye on things for a few days, then come back and let us know if everything is resolved. :wink:
steam
- 08-06-2005 09:51 AM #30Member
I do have to admit that I did try to go into the hidden files (c/doc~1username/locals~1/temp) and I tried to delete the files as recommended, but it really wouldn't let me. I may have been doing it wrong, or in the wrong place (but I don't think so), so I decided to just back out. It would start to delete and then stop and say that I could not delete a certain file... I would say OK, and then it would just stick there and not continue. I did upload SP3 the other day, so... I don't know. I understood what you were telling me the other day, that there MAY be a threat. I got that. I wanted to fix it, but....... I just got scared of messing something up.