Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hi,
Can anyone give to all of us a kind of generic recipe (i.e. main checks and actions) to remove trojan SVCPACK.exe (fakesvc.C.2) ?
As I have this trojan now on my system and want to remove it, I make a tentative draft. Please correct me and fine-tune it order to have a kind of generic recipe that will serve to other victims and avoid a bunch of - almost - redundant posts about SVCPACK.exe
Please, do not try this recipe until it has been checked/corrected/validated/approved by several peers ! This is a first draft (with 6 steps)!
Thanks for your feed-back,
Chris
RECIPE : REMOVING SVCPACK.exe (fakesvc.C.2)0/6. If SVCPACK detected and not removable by an antivirus, proceed as follows
1/6. Get HijackThis v 1.97 at http://mjc1.com/mirror/hjt/ and install it.
2/6. Generate SCAN and save the log file. SVCPACH.exe should appear at win.ini, runnin processes, and services level.
The log file should look like this ...
Logfile of HijackThis v1.97.3
Scan saved at 13:14:01, on 2/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SA3DSRV.exe
C:\WINDOWS\SYSTEM\MDM.exe
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.exe
C:\WINDOWS\SYSTEM\SVCPACK.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.exe
C:\COMPAQ\INTERNET\CISRVR.exe
C:\CPQS\BWTOOLS\SCCENTER.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.exe
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.exe
C:\WINDOWS\TPPALDR.exe
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.exe
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
D:\AAAA\HIJACKTHIS.exeR1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.138/cgi/dial/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0813&s=search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&s=search&query=%s&i=enu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.skynet.be:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\svcpack.exe
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\SYSTEM\DREPLACE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.exe -k
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRA~1\AVPERS~1\AVGCTRL.exe /min
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\20031111923_MCINFO.exe /insfin
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcpack.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Microsoft Office.lnk = ?
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Tools_95\IOWATCH.exe
O4 - Startup: Iomega Startup Opties.lnk = C:\Program Files\Tools_95\IMGSTART.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4298/mcfscan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.108.0.127,10.0.16.423/6. Reboot in safe mode. Remove manually C:\WINDOWS\SYSTEM\SVCPACK.exe file with Explorer.
4/6. Launch HijackThis again (i.e. still in safe mode) and check the boxes of all SVCPACK related rules and click "Fix checked" button.
Be sure of the rules you are checking as you might legitimate system rules !
5/6. Reboot normally and check (e.g. with HijackThis) if your system is clean.
6/6. May be the cleaning has to be repeated if some related SVCPACK.exe rules were left unchecked.
Be sure to always make a back-up of your registry before doing anything, so you can restore it if you made some errors when checking rules.
Do a Ctrl-Alt Delete, and end process on the Svcpack.exe
Now find that C:\WINDOWS\System32\svcpack.exe file, and delete it.Next, run the following regfile:
Copy the text between the lines to Notepad, and save as Remove.reg (make sure you save as type 'all files' )
Doubleclick Remove.reg, and answer yes when asked to add its contents to the Registry.---------------------
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SVC Service"= ----------------------
Next, you need to download and run this vbs file in order to restore the default Windows2000/XP WinLogon/UserInit registry value data, which has probably been hacked by this hijacker:
http://www.mjc1.com/files/mo/userinit.zip
Next, use Hijack This to fix the following item:
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dllReboot.
0 
Ooopppsss..Also fix these entries with HijackThis before rebooting:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.138/cgi/dial/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://xwebsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:///
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\svcpack.exeThere is also this suspicious entry:
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\20031111923_MCINFO.exe /insfin
Could you email me a zipped copy of C:\WINDOWS\TEMP\20031111923_MCINFO.exe to analyze? Click my name for the email addy.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
