Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 5887

May 7th, 2004

Blaster Worm, I think, cannot remove!

Expand Post »

Hi,

I keep getting the SVCHOST.exe error (running W2k SP4) but have tried all of the blaster removal/patch tools and cannot get rid of it!!

It is really annoying me as it seems to stop me from runing Windows Update and from loging into websites (like this one) that need passwords - Hotmail is a prime example.

I hope that someone can shed some light on this... What log files etc do I need to run and post here?

Thanks

Si

Similar Threads

svchost.exe error in Windows NT / 2000 / XP
Blackout (MS) Blaster? in IT Professionals' Lounge
W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP. in Windows NT / 2000 / XP

Simonsl8er

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

8 posts
since Apr 2004

Permalink

May 7th, 2004

Re: Blaster Worm, I think, cannot remove!

Well, I think that I may have got it sorted!! It was a varient (f) of the Blaster worm..

Can someone have a quick look at the HJT log and let me know if they see anything there that shouldn't be cause i'm not sure what to look for!

Logfile of HijackThis v1.97.7
Scan saved at 14:44:11, on 07/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\DfrgNtfs.exe
C:\Backup\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Thanks
Si

Simonsl8er

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

8 posts
since Apr 2004

Permalink

May 7th, 2004

Re: Blaster Worm, I think, cannot remove!

Moved to the new Security forum, as that's where virus/spyware/malware/etc. questions now belong.

DMR

Team Colleague

Reputation Points: 221

Solved Threads: 369

Wombat At Large

Offline

6,439 posts
since Dec 2003

Permalink

May 8th, 2004

Re: Blaster Worm, I think, cannot remove!

Sad we had to create a fourm for spyware what is the world coming to haha.

MAD_DOG

Reputation Points: 58

Solved Threads: 14

Practically a Master Poster

Offline

626 posts
since Feb 2002

Permalink

May 8th, 2004

Re: Blaster Worm, I think, cannot remove!

Quote originally posted by MAD_DOG ...

Sad we had to create a fourm for spyware what is the world coming to haha.

One coming for Formatting ,you wanna be the host !

caperjack

Team Colleague

Reputation Points: 1056

Solved Threads: 792

I hate 20 Questions

Offline

12,723 posts
since Aug 2003

Permalink

May 8th, 2004

Re: Blaster Worm, I think, cannot remove!

Yeah start it up we can call it Why You Should Reformat Instead Of Fixing The Problem. I should write an article on that. Hmmmmm thanks. You got me thinking.

MAD_DOG

Reputation Points: 58

Solved Threads: 14

Practically a Master Poster

Offline

626 posts
since Feb 2002

Permalink

May 8th, 2004

Re: Blaster Worm, I think, cannot remove!

Quote originally posted by Simonsl8er ...

Well, I think that I may have got it sorted!! It was a varient (f) of the Blaster worm..

Can someone have a quick look at the HJT log and let me know if they see anything there that shouldn't be cause i'm not sure what to look for!

Logfile of HijackThis v1.97.7
Scan saved at 14:44:11, on 07/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\DfrgNtfs.exe
C:\Backup\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Thanks
Si

Log is clean ,good job

caperjack

Team Colleague

Reputation Points: 1056

Solved Threads: 792

I hate 20 Questions

Offline

12,723 posts
since Aug 2003

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: rougewolf: (Another) What is BRIDGE.DLL question

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: HiJackThis Log File...

DaniWeb Message

Cancel Changes

User Name
Password