Re: svcnxp32.exe, Part 2

From: schmandel (schmandel_at_netzero.com)
Date: 09/23/04


Date: 23 Sep 2004 03:12:40 -0700


"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message news:<OCM3kRrnEHA.3684@TK2MSFTNGP10.phx.gbl>...
> Frank,
>
> Values added: 2
> ---------------
> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
> "WindowsXPserv"
> Type: REG_SZ
> Data: svcnxp32.exe
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> "WindowsXPserv"
> Type: REG_SZ
> Data: svcnxp32.exe
> Files added: 1
> --------------
> WINDOWS\system32\svcnxp32.exe
> Date: 9/7/2004 4:23 AM
> Size: 9,760 bytes
>
> There are a few more posts on this, Frank. One claimed it was from
> the lame " Osama is dead ... " email, the others point to the drag
> and drop vulnerability in IE : http://snipurl.com/96ls
>
> Deleting the above reg keys and svcnxp32.exe appears to remove the
> trojan. Try doing it in Safe Mode.
>
>
> MowGreen [MVP]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Frank Wheeler wrote:
>
> > Hi...
> >
> > I asked about this file a week ago, got an answer with a question from
> > "Mow Green," answered that question, and then nothing more.
> >
> > My latest Norton AV updates were installed last night, and immediately a
> > RED WARNING came up that stated that svcnxp32.exe was infected with the
> > W32.IRCbot, and that access to the file was denied.
> >
> > I immediately went to the Windows (XP, SP2) System32 folder and
> > attempted to delete that svcnxp32.exe file, but it would not let me.
> >
> > I opened the Task Manager, found that the svcnxp32.exe process was
> > running, and stopped it.
> >
> > I went to the Symantec site and attempted to follow the instructions for
> > removal of the W32.IRCbot malicious code, but once into the registry,
> > the "winapii %windir%\winapii\winapii.exe" value was not in the
> > "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
> > registry key. A reference to svcnxp32.exe was present, however, and that
> > was deleted.
> >
> > Back to WinExplorer to delete the svcnxp32.exe file, without success.
> >
> > Cannot even shut down that Norton RED WARNING window.
> >
> > I have now gone through my entire registry deleting all references to
> > svcnxp32.exe, including two in a "Rule 460" registry key, but not the
> > entire key/folder.
> >
> > Google does provide some information at this time... from Mow Green, of
> > course... and acting on someone else's suggestion, I did a search of my
> > wife's machine on our home network, and while I couldn't find the
> > svcnxp32.exe file anywhere, I did find two references to it in her
> > registry, both of which were promptly deleted.
> >
> > At the time I answered Mow Green's question last week, there was no
> > "msmacroprotxz.exe" in my System32 folder.
> >
> > On a hunch just now, I searched both my machine and my registry and
> > discovered that there was just such a registry value at:
> > HKEY_USERS\S-1-5-21-2381138938-1749521121-372829268-1007\Software\Microsoft\Search
> > Assistant\ACMru\5603, but that seems to be as a result of my search for
> > same on Google... or am I mis-reading this.
> >
> > This is very frustrating, of course... and I am stumped as to how to
> > proceed. I can't delete the damned executable file, can't shut down the
> > Norton RED WARNING, and have no idea how to proceed or even what sort of
> > risk I am running.
> >
> > HELP!
> >
> > Thank you.
> >

Here's what I did on XP with Service Pack 2.

1. Rename svcnxp32.exe to svcnxp32.virus.
2. Kill the process svcnxp32 in Task Manager.
3. Find and delete all registry entries referencing the executable.
4. Delete the file svcnxp32.virus.

My removal was complicated by the presence of svcnv32.exe and a
version of wuauclt.exe as well, all of which cooperated to replace
each other, so it was necessary to rename all 3 files, kill the
processes, and then clean the registry out. I had to replace
wuauclt.exe (the Windows Update client) from Service Pack 2.

Also, in the course of the removal, various .exe files with strange
names appeared in \windows\system32. These were typically set with
system and hidden attributes. One such executable was
zonealarmupdate.exe, and I have never had Zone Alarm installed on
this box ;-). These executables were attempting to open outbound
TCP sessions, as detected by the firewall in Service Pack 2.

What's *really* interesting is that after I went to Microsoft's
Windows Update site, the version of wuauclt.exe that seemed to be
part of the infection reappeared and the registry entries for
svcnxp32.exe and svcnv32.exe reappeared, but not the executables.
The descriptions for these registry entries seemed sort of bogus:
"IPConfig" and "Winsock2".

This left me wondering if the actual source of this virus is
Microsoft itself, playing games with tracking their customers.

I only have one Windows box left in the house; the other 3 are
on Linux. I fully intend to sack Windows completely in the
coming months; it's an aggravating PITA and a relic of a darker,
dimmer time in personal computing.
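The removal steps in this thread amount to a sweep of the autorun (Run) keys for any value that launches the suspect executable, which Frank and schmandel both did by hand in regedit. As an added example, not code from the thread or from any poster, the Python script below performs that sweep offline over a `reg export` dump: it parses the .reg text, keeps only the Run/RunOnce keys, and reports values whose launched image is on a watchlist, plus values that are a bare file name with no directory (the shape of the `Data: svcnxp32.exe` entries quoted above, which a legitimate installer almost never writes, since such a name is resolved through the search path at logon). The sample export embedded in the script is constructed for this example and modelled on the entries quoted in the thread; it is not a dump from a real machine, and the function and constant names are mine.

```python
"""Sweep a Windows 'reg export' (.reg) dump for autorun values that launch a
watched or unqualified executable. Added example: it reads the text export,
so it can be run against a dump taken from the affected machine."""
import re
from typing import Dict, Iterable, List, Tuple

# Key paths (suffix match, case-insensitive) whose values are launched at logon.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed sample export for this example, modelled on the entries quoted
# in the thread; it is not a dump from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsXPserv"="svcnxp32.exe"
"IPConfig"="svcnv32.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader\\reader_sl.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsXPserv"="svcnxp32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg string escaping: a doubled backslash stands for one, \" for a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for plain-string (REG_SZ) values.
    dword:/hex: values are skipped; they are never a launch command."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
                continue
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _unescape(data[1:-1])
    return keys


def is_autorun_key(key_path: str) -> bool:
    return key_path.lower().endswith(AUTORUN_SUFFIXES)


def _program(command: str) -> str:
    """Program path of a Run value without its arguments; honours a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def image_name(command: str) -> str:
    """Bare, lower-cased file name of the program a Run value launches."""
    return _program(command).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_unqualified(command: str) -> bool:
    """True when the program has no directory component (e.g. 'svcnxp32.exe')."""
    prog = _program(command)
    return "\\" not in prog and "/" not in prog


Finding = Tuple[str, str, str, str]  # (key path, value name, data, reason)


def audit_autoruns(text: str, watchlist: Iterable[str]) -> List[Finding]:
    """Flag autorun values that launch a watched image or an unqualified one."""
    watched = {w.lower() for w in watchlist}
    findings: List[Finding] = []
    for key, values in parse_reg_export(text).items():
        if not is_autorun_key(key):
            continue
        for name, data in values.items():
            if image_name(data) in watched:
                findings.append((key, name, data, "watchlist"))
            elif is_unqualified(data):
                findings.append((key, name, data, "unqualified"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:  # regedit 5.00 exports are UTF-16
            text = fh.read()
    else:
        text = SAMPLE_REG
    for key, name, data, reason in audit_autoruns(text, ["svcnxp32.exe", "svcnv32.exe"]):
        print(f'[{reason}] {key}  "{name}" = {data}')
```

Feed it a dump produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run_hklm.reg` (and the HKCU and HKEY_USERS\<SID> equivalents), or run it with no argument to see it work on the embedded sample. Because schmandel saw the entries return after a visit to Windows Update, the same sweep is worth rerunning after a reboot to confirm the values stay gone.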
