Re: svcnxp32.exe, Part 2
From: MowGreen [MVP] (mowgreen_at_nowandzen.com)
Date: 09/20/04
- In reply to: Frank Wheeler: "svcnxp32.exe, Part 2"
Date: Sun, 19 Sep 2004 18:51:58 -0700
Frank,

Values added: 2
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsXPserv"
Type: REG_SZ
Data: svcnxp32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WindowsXPserv"
Type: REG_SZ
Data: svcnxp32.exe

Files added: 1
--------------
WINDOWS\system32\svcnxp32.exe
Date: 9/7/2004 4:23 AM
Size: 9,760 bytes

There are a few more posts on this, Frank. One claimed it was from
the lame "Osama is dead ..." email, the others point to the drag
and drop vulnerability in IE: http://snipurl.com/96ls

Deleting the above reg keys and svcnxp32.exe appears to remove the
trojan. Try doing it in Safe Mode.

MowGreen [MVP]
===============
*-343-* FDNY
Never Forgotten
===============

Frank Wheeler wrote:
> Hi...
>
> I asked about this file a week ago, got an answer with a question from
> "Mow Green," answered that question, and then nothing more.
>
> My latest Norton AV updates were installed last night, and immediately a
> RED WARNING came up that stated that svcnxp32.exe was infected with the
> W32.IRCbot, and that access to the file was denied.
>
> I immediately went to the Windows (XP, SP2) System32 folder and
> attempted to delete that svcnxp32.exe file, but it would not let me.
>
> I opened the Task Manager, found that the svcnxp32.exe process was
> running, and stopped it.
>
> I went to the Symantec site and attempted to follow the instructions for
> removal of the W32.IRCbot malicious code, but once into the registry,
> the "winapii %windir%\winapii\winapii.exe" value was not in the
> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
> registry key. A reference to svcnxp32.exe was present, however, and that
> was deleted.
>
> Back to WinExplorer to delete the svcnxp32.exe file, without success.
>
> Cannot even shut down that Norton RED WARNING window.
>
> I have now gone through my entire registry deleting all references to
> svcnxp32.exe, including two in a "Rule 460" registry key, but not the
> entire key/folder.
>
> Google does provide some information at this time... from Mow Green, of
> course... and acting on someone else's suggestion, I did a search of my
> wife's machine on our home network, and while I couldn't find the
> svcnxp32.exe file anywhere, I did find two references to it in her
> registry, both of which were promptly deleted.
>
> At the time I answered Mow Green's question last week, there was no
> "msmacroprotxz.exe" in my System32 folder.
>
> On a hunch just now, I searched both my machine and my registry and
> discovered that there was just such a registry value at:
> HKEY_USERS\S-1-5-21-2381138938-1749521121-372829268-1007\Software\Microsoft\Search
> Assistant\ACMru\5603, but that seems to be as a result of my search for
> same on Google... or am I mis-reading this?
>
> This is very frustrating, of course... and I am stumped as to how to
> proceed. I can't delete the damned executable file, can't shut down the
> Norton RED WARNING, and have no idea how to proceed or even what sort of
> risk I am running.
>
> HELP!
>
> Thank you.
>
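
A read-only check for the indicators listed in the reply above (the two Run values and the system32 file), as an added example that is not part of the original thread. The function name is hypothetical, and PowerShell 3.0 or later is assumed to be available on the machine being checked.

```powershell
# Added example, not from the original thread. Reads the registry and file
# system only; it deletes nothing. Indicator values are taken from the post.
function Find-Svcnxp32Indicators {   # hypothetical name
    param(
        [string]$FileName  = 'svcnxp32.exe',
        [string]$ValueName = 'WindowsXPserv'
    )
    $findings = @()

    # The two Run keys named in the post (per-user and machine-wide autostart).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw data so REG_EXPAND_SZ values are not expanded.
            $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # Match on either the value name or data that references the file.
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Location = $key; Name = $name; Detail = $data
                }
            }
        }
    }

    # The dropped file; -Force so a hidden or system attribute does not hide it.
    $path = Join-Path $env:windir "system32\$FileName"
    if (Test-Path -LiteralPath $path) {
        $f = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Name = $f.Name
            Detail = "$($f.Length) bytes, modified $($f.LastWriteTime)"
        }
    }
    return $findings
}

$result = Find-Svcnxp32Indicators
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'No svcnxp32.exe indicators found in the Run keys or system32.' }
```

The post reports the file as 9,760 bytes, so a matching size in the File row is consistent with the sample described there.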