
bit nasty... 2

Status
Not open for further replies.

pawz

Technical User
Dec 24, 2002
258
GB
Hello, infected machine is XP SP2.

There are two exe's in startup that I think are malicious

svhost.exe
csnss.exe

They re-enable even in safe mode when unticked.
I think they are hidden.
I deleted svhost via a search - I can't enable show all files as the Folders Option no longer appears. I couldn't turn up a result on csnss.exe, though it is in system32.

I can't access the registry via regedit
I can't access Norton antivirus
I can't get on the web

I have tried in safe mode and normal

any ideas what particular nasty I might have and how to begin disabling it please?
 
markso. I went to Symantec after posting here, and yes, that is the one. Problem is how to get rid of it?

I have deleted the hosts it put in so I can now access the web, but the second I go to any site that might have a solution I am back on the desktop.

To re-iterate:

I can't access the registry.
I can't access hidden files
I can't access any of the antispyware or AV utils on the system
I can't access services
I can't access system restore
I can't access Task Manager


what to do?

Does anyone know if there is a fixer for it yet......?

ho-hum, there must be a way, it is just a matter of finding it.
 
If you can't get into task manager, Download Process Explorer from Run either of them.

See if you can terminate any processes or process trees involving either or both of those executables.
If you can, then update everything and run a full antivirus and antispyware scan and clean anything it finds.

John
 
ah, hello John. I will see if I can download that, though it somehow knows when I am on a site that could be useful - I could burn it onto a CD-ROM, couldn't I. However, I think there is already a process explorer on there, Faber Toys, so I will see if I can use that first... I got Norton running once by enabling it from its folder, and it found the virus but could not delete it as access was denied.

Thank you :)

 
Phil,

Sly one this. svchost is as MasterRacker says, part of Windows.

svhost is the nasty critter (and easy to see why the 2 would be mistaken!)

Pawz, I'll try and find some more info on manual removal



If sunflower oil comes from sunflowers, and vegetable oil comes from vegetables, where does baby oil come from?
 
If you can get an up-to-date copy of AVG 'Free' from another PC, install that in safe mode and restart and see if AVG finds and fixes it. If not, these are roughly the steps from the Symantec text:

Restart in safe mode
Then disable system restore
Then in safe mode run regedit -
Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"[Value]" = "[File name]"

Where [Value] is one of the following:

NDAv
SDAv

and where [File name] is one of the following:

%System%\csnss.exe
%Window%\svhost.exe

Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane, delete the value:

"Userinit" = "%System%\userinit.exe %System%\mcsv.com"

Remove or restore the registry values if appropriate:

"DisableConfig" = "1"
"DisableSR" = "1"

In the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

Reset the following registry entries if appropriate:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger\"AvEnbl"= "0"

Exit the Registry Editor.

Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
In the "Named" or "Search for..." box, type: hosts
Then manually edit the Hosts file(s) and remove all the entries that the threat added.
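As an added illustration (not code from the thread or from Symantec), here is a small Python audit that takes a registry export modelled as a dict and flags exactly the values the steps above name: the Run-key autostarts, the extra program chained onto Winlogon\Userinit, and the lockout policies to reset. SAMPLE_REGISTRY and the value name "Benign" are constructed; a genuine svchost.exe is expected under system32 and is not flagged.

```python
# Indicators quoted in the thread: the worm's file names, its Userinit chain and
# the lockout policies the Symantec steps list. SAMPLE_REGISTRY is constructed data.
WORM_FILES = {"csnss.exe", "svhost.exe", "mcsv.com"}
LOCKOUT = {  # (key suffix, value name) -> data the worm writes
    ("policies\\explorer", "nofolderoptions"): "1",
    ("policies\\explorer\\advanced", "hidden"): "2",
    ("policies\\explorer", "nowindowsupdate"): "1",
    ("windows nt\\systemrestore", "disablesr"): "1",
    ("windows nt\\systemrestore", "disableconfig"): "1",
}

def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()

def userinit_extras(data):
    # Winlogon\Userinit is a comma-separated chain; only userinit.exe belongs in it.
    return [p.strip() for p in data.split(",") if p.strip() and basename(p) != "userinit.exe"]

def audit(registry):
    """registry: {key_path: {value_name: data}}; returns (key, value, reason) tuples."""
    findings = []
    for key, values in registry.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if k.endswith("\\currentversion\\run"):
                if basename(data) in WORM_FILES:
                    findings.append((key, name, "autostart of worm file " + basename(data)))
                elif basename(data) == "svchost.exe" and "\\system32\\" not in data.lower():
                    findings.append((key, name, "svchost.exe outside system32"))
            elif k.endswith("\\winlogon") and n == "userinit":
                for extra in userinit_extras(data):
                    findings.append((key, name, "Userinit chained to " + extra))
            for (suffix, vname), bad in LOCKOUT.items():
                if k.endswith(suffix) and n == vname and str(data) == bad:
                    findings.append((key, name, "lockout policy set; delete or reset " + name))
    return findings

SAMPLE_REGISTRY = {  # constructed from the values the steps above enumerate
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "NDAv": r"C:\WINDOWS\system32\csnss.exe",       # worm autostart
        "Benign": r"C:\WINDOWS\system32\svchost.exe",   # real svchost, must not be flagged
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {
        "DisableSR": "1", "DisableConfig": "1",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoFolderOptions": "1",
    },
}
```

Run `audit(SAMPLE_REGISTRY)` to list the five entries this sample would need cleaning; a real export from regedit can be loaded into the same dict shape.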

 
erik, I will see if I can get HijackThis on there from a CD. The section of the registry that really needs attention is CurrentVersion\Run; maybe HJT will be able to help - ta

MarkHP, yes I will try the AVG from a CD. Can't do any of the other stuff as recommended by Symantec though, I have already tried.

ta :)
 
I couldn't post the HJT log on here. It returned me to desktop after I put my password in.

There did not seem to be much amiss in the HJT, apart from lots of hosts names, which I have already sorted and this

F2-REG:system.ini:UserInit=C:\WINDOWS\system32\userinit.exe,C:\windows\system32\mcsv.com

I wasn't sure what to make of that so have left it for now.

I put AVG on but it would not initialise...
I shall try John's process explorer now, but am not too hopeful as the Faber Toys didn't turn up anything I could recognise as to do with the virus. I am not experienced with such utilities mind, so maybe it is just me. Anyway, thanks for help so far folks, much appreciated

 
Clear that one out.

Remember also to switch off system restore before doing a virus check to ensure that the virus won't get restored after reloading it.

John
 
John, it won't let me run your Process Explorer, but I have found the mcsv file in Faber Toys, so shall I terminate it there as well?

I can't access system restore (yet) :)
 
ps I will be away from here for a short while as I have to feed the four legs who are all complaining that their stomachs think their throats have been cut - but please keep your suggestions coming if you have time as I am sure this can be beat...much appreciated
 
hello again. Am pleased to report that getting rid of the mcsv.exe file has brought a good result. I can now access the registry and (I think) the AV. I have been able to enable folder options again by modifying the registry entry and checked to see what other alterations the worm made, some of which I have corrected. Don't know what to do about the entries it deleted but sure I will work it out. It remains to be discovered what else I might have to deal with, and what has to be repaired, but the worm is no longer in charge - thank you all :)
 
Hi pawz,

For next time you can't get regedit to work:

1) If hjt will run on the machine, look for an O7 line.

2) carrr or bcastner posted a link awhile back to a spiffy little program called ierestrictions that would help with that issue.

3) This gets recommended in the help forums:
I think one of its benefits is that it will run when regedit is shut out.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
As far as svchost goes, if it is running under windows\system32 it is OK. There may be as many as 5. If svchost is running somewhere else, like windows\system, it probably is bad.
 
diogenes hi :) that looks a useful bunch of links indeed...yup, bookmarked that - and that, and downloaded that. Brilliant! reckon that is worth a star... :)

thank you Crow, as you say thems legal, but this was just svhost, a lookalike. It wasn't so difficult to get rid of that virus (W32.Serflog.C) as it first appeared to be, since it had disabled or modified the registry so nothing worked. If I had not had a copy of HJT on a CD and a process viewer installed on the drive already it might have been a good deal more difficult - but we won, it lost and one happy owner is wending his long way home as I write. Time I had a cuppa methinks. Night night all

Gracie :)
 