
regsvr.exe can't access to delete

Discussion in 'Malware and Virus Removal Archive' started by paul_doo, 2004/11/10.

Thread Status:
Not open for further replies.
  1. 2004/11/10
    paul_doo

    paul_doo Inactive Thread Starter

    Joined:
    2004/10/29
    Messages:
    22
    Likes Received:
    0
    Hi, This computer (not mine) was put on-line without any protection or windows updates, which it has now. I have gotten rid of several nasties. Trendmicro scan can't access c:\windows\system32\regsvr.exe to delete it, and when I try to find this exe I can't locate it (show all hidden files is enabled). I lost track of how many viruses, worms and trojans were on this machine; adaware and spybot were a big help, as well as the search function in this forum. Also curious about svmhost.exe.
    Thank you
    Paul


    Logfile of HijackThis v1.98.2
    Scan saved at 12:20:56 PM, on 11/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svmhost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\regsvr.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\A.C\Scroll-In-Mouse V2.0\Scroll.exe
    C:\Documents and Settings\rthfthrthb\Desktop\hijack\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.bellnet.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bell Business ISP
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\Run: [DHCP Server] regsvr.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\RunServices: [DHCP Server] regsvr.exe
    O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
    O4 - Global Startup: Scroll-In-Mouse V2.0.lnk = C:\Program Files\A.C\Scroll-In-Mouse V2.0\Scroll.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://en.bellnet.ca
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  2. 2004/11/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    First thing to do is move hijackthis.exe to a folder of its own. A subfolder under a desktop is not a good place.

    After that, if you run a scan and put a check in the box by each occurrence of regsvr.exe, it should remove the registry entries so that after a reboot your AV scanner should be able to deal with the file.

    Also take a look at http://www.sophos.com/virusinfo/analyses/trojwebmoneyg.html for more details about things the most likely virus, Troj/WebMoney-G, might have done to the system so you can do some additional checking.

    svmhost.exe - not sure about this one. Can't find an English mention of it, and the Google translations aren't running for me right now, so the French language article that looks the most promising isn't something I can read that well. It is not a file I find on my XP SP2 system and certainly isn't a standard piece of XP, so you might want to remove the HJT listings for it as well. There are certainly more showing than I'd be comfortable with.

    Hopefully one of the real security experts will be able to give you more ideas but I think the above are safe and needed.
     
    Newt,
    #2


  4. 2004/11/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    In addition to checking for the files and registry entries noted on the Advanced tab of the Sophos link Newt provided, I recommend the following procedures.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.

    O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\Run: [DHCP Server] regsvr.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\RunServices: [DHCP Server] regsvr.exe
    O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe


    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.


    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\regsvr.exe

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. Leave that window open and paste the following in the path to delete box.

    C:\WINDOWS\System32\svmhost.exe

    Again, on the File menu of the other window, choose "Add File". If that's successful, choose the Action menu and select "Process and Reboot". Click cancel on the next popup.


    Click start, then run, type services.msc and press enter. Locate the service DHCP Server, right click and choose properties. Stop the service then set to disabled. Apply and OK out. Locate and do the same for Microsoft Windows Update service. Close services window.


    Click start, then run, type regedit and press enter.

    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows Update
    and delete the Microsoft Windows Update key if present.

    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP Server and delete the DHCP Server key if present.

    Now navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Microsoft Windows Update
    and delete the Microsoft Windows Update key if present.

    Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP Server and delete the DHCP Server key if present. Close regedit.

    Reboot.

    Turn system restore back on and post a new HJT log.
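The entries Newt and noahdfear single out share one pattern: a bare filename with no directory, registered under several Run/RunServices/RunOnce keys in both HKLM and HKCU, with a value name that imitates a Windows component, and the same file visible in the running-process list. As an added example (not from this thread, from HijackThis, or from any of the posters), the Python script below parses O4 lines from an HJT log and flags that pattern so the triage can be repeated on other logs. The embedded log lines are copied from the first post in this thread and are used here as test input; the list of lookalike words and the threshold of three autorun locations are my own heuristic choices, not anything HijackThis does.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed test input: O4 lines and a few process paths copied from the
# first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svmhost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\regsvr.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\Run: [DHCP Server] regsvr.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\RunServices: [DHCP Server] regsvr.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
O4 - Global Startup: Scroll-In-Mouse V2.0.lnk = C:\Program Files\A.C\Scroll-In-Mouse V2.0\Scroll.exe
"""

# Registry-based O4 lines: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# First .exe token of a command line, optionally quoted.
EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
# Assumption: words that make a value name look like a Windows component.
LOOKALIKE_WORDS = ("microsoft", "windows", "update", "server", "service")


@dataclass(frozen=True)
class AutorunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, RunServices, ...
    name: str      # value name shown in [brackets]
    command: str   # command line as recorded by HJT


def parse_o4(log_text):
    """Collect the registry O4 entries from an HJT log (Global Startup lines are skipped)."""
    return [AutorunEntry(*m.groups())
            for line in log_text.splitlines()
            if (m := O4_RE.match(line.strip()))]


def running_processes(log_text):
    """Lower-cased paths listed under 'Running processes:'."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not re.match(r"^[A-Za-z]:\\", line):
                break
            procs.append(line.lower())
    return procs


def split_command(command):
    """Return (image, has_directory) for the executable named in a command line."""
    m = EXE_RE.match(command.strip())
    image = m.group(1) if m else command.strip().split()[0]
    return image, any(sep in image for sep in ("\\", "/", ":"))


def image_name(command):
    """Bare lower-cased file name of the executable in a command line."""
    image, _ = split_command(command)
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, redundancy_threshold=3):
    """Map suspicious executable names to the reasons they were flagged."""
    findings, locations = defaultdict(list), defaultdict(set)
    for e in parse_o4(log_text):
        name = image_name(e.command)
        locations[name].add(f"{e.hive}\\{e.key}")
        _, has_dir = split_command(e.command)
        if not has_dir:
            # No directory: the image is found via the search path, not an explicit location.
            findings[name].append(f"bare filename in {e.hive}\\{e.key} (no explicit directory)")
            msg = f"value name '{e.name}' imitates a Windows component"
            if any(w in e.name.lower() for w in LOOKALIKE_WORDS) and msg not in findings[name]:
                findings[name].append(msg)
    for name, locs in locations.items():
        if len(locs) >= redundancy_threshold:   # redundant persistence across hives/keys
            findings[name].append(f"persisted in {len(locs)} autorun locations: {', '.join(sorted(locs))}")
    procs = running_processes(log_text)
    for name in list(findings):
        if any(p.endswith("\\system32\\" + name) for p in procs):
            findings[name].append("currently running from System32")
    return dict(findings)


if __name__ == "__main__":
    for exe, reasons in triage(SAMPLE_LOG).items():
        print(exe)
        for r in reasons:
            print("   -", r)
```

Run against the first log in this thread, only svmhost.exe and regsvr.exe are reported; hkcmd.exe and smc.exe, which carry full paths and appear in a single location each, are not. The redundancy check is the useful one to keep when triaging other logs: a legitimate installer writes one autorun value, not the same bare name into Run, RunServices and RunOnce under both hives.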
     
  5. 2004/11/15
    paul_doo

    paul_doo Inactive Thread Starter

    Joined:
    2004/10/29
    Messages:
    22
    Likes Received:
    0
    Thank you for your help. I believe things are in working order now, the firewall is not reporting any outgoing oddities now, online scans have reported all clean.

    Logfile of HijackThis v1.98.2
    Scan saved at 10:38:32 AM, on 11/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\A.C\Scroll-In-Mouse V2.0\Scroll.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\hijack\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.bellnet.ca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bell Business ISP
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - Global Startup: Scroll-In-Mouse V2.0.lnk = C:\Program Files\A.C\Scroll-In-Mouse V2.0\Scroll.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://en.bellnet.ca
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  6. 2004/11/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Glad you got it cleaned up. :) Thanks for posting back.
     