deleting hidden files

alchemist

Disciple
My IE got infected with some strange file. It's changed the default page to C:\WINDOWS\system32\shdocpl.dll. This isn't the normal DLL file that comes up when the page doesn't exist, but some crapass spyware version of it.
I opened it in Notepad and rewrote it, only to find that I couldn't save it because it was a hidden, read-only file.
How do I remove these tags?
Even when I click on "view hidden files", it doesn't show up.
I also went to DOS and tried -h c:\WINDOWS\system32\shdocpl.dll, which normally turns the hidden attribute off. Even that didn't work.

How can I delete, unhide or un-read-only this file?

Thanks,
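The attribute check the poster attempted, written out as an added example for cmd.exe (it is not from the original thread). The path is the one quoted in the post; the assumption, stated in the comments, is that the file also carries the System attribute, which is the usual reason a plain `attrib -h` fails on a file like this.

```batch
@echo off
rem Added example, not from the original thread: inspect and clear the
rem attributes on the hijacked file. The path is the one the poster quoted.
rem Assumption: the file also carries the System (S) attribute. attrib refuses
rem to change H or R on a file marked S unless -s is given in the same command
rem (it prints "Not resetting system file" and leaves the file alone), and it
rem likewise refuses to change R on a hidden file unless -h is given too.
set "TARGET=C:\WINDOWS\system32\shdocpl.dll"

rem A plain "dir" skips hidden and system files; /a lists every entry
rem regardless of attributes, so this is the reliable way to see the file.
dir /a "%TARGET%"

rem Show the current attribute letters (A, R, H, S) for the file.
attrib "%TARGET%"

rem Clear System, Hidden and Read-only in one command, then confirm.
attrib -s -h -r "%TARGET%"
attrib "%TARGET%"
```

Run it from a command prompt with an administrator account. If the second `attrib` line still shows `S`, `H` or `R`, the process that owns the file is usually re-applying them, which is why the later replies in this thread insist on ending the process before touching the file.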
 
It is a BHO.

Deleting just the file will not help, since the registry values have to be removed too.

I suggest you use "Microsoft AntiSpyware" -> Tools -> Advanced Tools -> "Browser Hijack Settings Restore",

or post the "HijackThis" log file here so that we can suggest which entries to delete.
 
// Below is the HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:42:53 AM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\System32\InstallHardware.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\system32\svcnut.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {860CE847-8298-4114-B142-14043C2942B1} - C:\WINDOWS\drexinit.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [InstallHardware] C:\WINDOWS\System32\InstallHardware.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Startup: Nudi 3.0.lnk = C:\Program Files\Nudi 3.0\Nudi.exe
O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {B5E490A5-6081-4318-A27F-667C606426B5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B5E490A5-6081-4318-A27F-667C606426B5} - (no file) (HKCU)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://203.200.55.50/iNotes6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5571-b301h/rnl/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA20A56-CE33-4C5D-B710-63B8B98709B6}: NameServer = 202.54.12.162 202.9.145.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
 
(I have to go out, hence answering in short.)
These 3 entries definitely need to be fixed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpl.dll/security.htm#subID=MPV;401

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm

O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut.exe home

Most probably this svcnut.exe is the culprit.

For removal instructions, use Google. (You will have to end this from the Task Manager first before attempting its removal, else it will return, I guess.)
 
What should I be googling for?
Sorry, I'm lost.

BTW, is this related to the same bug?
 

Attachment: might.JPG (screenshot)
Right. I took out svcnut (Shift+Del) following Google's instructions, but the crap is still there.
How do I remove the other entries?
Should I run HijackThis to see if svcnut is still there somehow?
 
Start the PC in Safe Mode (press the F8 key while booting).

In HijackThis, select the entries you want fixed or deleted and then press the fix-it button.
 
alchemist said:
Where do I download it from?

You can download it from here, mate. Note that you need to pass a genuine check before you can download it; by that I mean you have to have an original copy of Windows.
Try it; if it doesn't help, just post here and we will help you further.

Code:
http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
I ran Microsoft AntiSpyware -> Tools -> Advanced Tools -> "Browser Hijack Settings Restore"
as well. It says all done, but IE opens up the same page again.
 
IceFusion said:
Doing all this... dude, just download Microsoft AntiSpyware and restore all your browser settings back. :)
@Ice, I had already suggested that; see the 2nd post in this thread.
@alchemist,

Kindly post what you have done till now w.r.t. removing the svcnut.exe.
Give complete and comprehensive steps you took to remove it. If you give short, 2-sentence replies, you should expect 2-word solutions. Please remember this.
 
alchemist said:
I ran Microsoft AntiSpyware -> Tools -> Advanced Tools -> "Browser Hijack Settings Restore"

as well. It says all done, but IE opens up the same page again.
Did you try to "end task" svcnut.exe first in the Task Manager,

then delete the file svcnut.exe,

reboot in Safe Mode,
then fix those entries in HijackThis,
reboot,

run Microsoft AntiSpyware, and restore the settings?

???
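The same cleanup sequence as a cmd.exe script, added here as an example and not part of the thread. The file paths, the `FastStart` Run value and the two R0 registry values are taken from the HijackThis log above; everything else in the log is left alone. It assumes an administrator account, ideally in Safe Mode as the reply above suggests, and that removing the `SearchAssistant` value lets IE fall back to its built-in default (a HijackThis "fix" of that R0 line is the equivalent step).

```batch
@echo off
rem Added example (not from the thread): the steps listed in the reply above
rem as cmd.exe commands. Paths and value names come from the HijackThis log.
rem Assumes an administrator account; run it in Safe Mode if possible.

rem 1. End the running process first so the file is not locked and nothing
rem    can re-create the registry values while they are being removed.
rem    (taskkill ships with XP Professional; on XP Home use tskill svcnut,
rem    or end it from Task Manager as the thread says.)
taskkill /F /IM svcnut.exe

rem 2. Clear System/Hidden/Read-only so "del" will touch the files
rem    (del skips hidden files and, without /f, refuses read-only ones).
attrib -s -h -r "C:\WINDOWS\system32\svcnut.exe"
del /f "C:\WINDOWS\system32\svcnut.exe"
attrib -s -h -r "C:\WINDOWS\system32\shdocpl.dll"
del /f "C:\WINDOWS\system32\shdocpl.dll"

rem 3. The O4 entry: the Run value that restarts svcnut.exe at every logon.
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v FastStart /f

rem 4. The two R0 entries: replace the res:// URL that points into
rem    shdocpl.dll with about:blank, and drop the hijacked search assistant
rem    value (assumption: IE then reverts to its built-in default).
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
reg delete "HKLM\Software\Microsoft\Internet Explorer\Search" /v SearchAssistant /f

rem 5. Verify. The first query should report that the value is not found,
rem    the second should show about:blank, and dir should find no files.
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v FastStart
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"
dir /a "C:\WINDOWS\system32\svcnut.exe" "C:\WINDOWS\system32\shdocpl.dll"
```

The order matters: if the Run value is removed while svcnut.exe is still running, the process can simply write it back, which is the "it will return" behaviour mentioned earlier in the thread. Re-run HijackThis after a reboot and confirm the three entries are gone before treating the machine as clean.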
 
Sorry.
After you told me to google svcnut.exe, I came across advice that said end the process and then delete. It didn't work. Also, those popups started coming; I've posted a screenshot a few posts before.
Then, on yours and IceFusion's advice, I downloaded and ran AntiSpyware. It deleted a few more registry items etc., but it still persisted.
I then followed the steps to correct the IE hijack, which said that it had successfully worked, but on running IE, same problem.
As this file is hidden, is it possible that all these apps are not scanning it?
deejay, now I'll follow your suggestion to reboot in Safe Mode and delete the items you posted in red.

Will return with the news.
 
SUCCESS!!
deejay, I did what you told me to, without restarting though, and IE now starts with about:blank.
Now I'll just reboot and see if the fix is permanent. Thanks, all of you guys. Thanks a lot.
 
alchemist said:
What should I be googling for?

Sorry, I'm lost.

BTW, is this related to the same bug?

Alchemist, that's (pic attached) the Messenger service (do not confuse it with Windows Messenger) popping up. It's a spam message. It simply means you have not installed SP2, the Messenger service is running by default (or was enabled by some spyware), you have no firewall, and the above service is used to deliver spam messages.

Please disable the Messenger service as follows:

1. Type "services.msc", without quotes, in the Start menu -> Run box and hit Enter.

2. Now look for a service named "Messenger" with the following description: "Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start."

3. Double-click on it and stop the service by hitting the Stop button.

4. Then, from "Startup type", choose "Manual" (or "Disabled") and hit "Apply", "OK".

That's it. That type of message will stop popping up.

This is a common Microsoft vulnerability exploited by spammers.

Now we continue with your other problems, but it is highly suggested that after clearing all problems you install a good firewall too, or at least enable the default XP firewall.

PS: Do you have an antivirus? That too seems highly unlikely. You seem to have a new PC or a fresh install of XP which is not up to date. Please do not browse the web without a firewall, an antivirus and an anti-spyware application (like Microsoft AntiSpyware or Spybot with real-time monitoring).
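The same change made from a command prompt with the service controller instead of the services.msc dialog, added as an example that is not part of the thread. It assumes the service's internal name is `Messenger` (the display name shown in services.msc is the same word), and the firewall line at the end assumes XP SP2 or later, since the `netsh firewall` context does not exist on the SP1 machine in this log.

```batch
@echo off
rem Added example (not from the thread): disable the Messenger service
rem (net send / Alerter transport, not Windows Messenger) with sc.exe.
rem Assumption: the service name is "Messenger". Note the space after
rem "start=": sc's argument parser requires it.

rem Show the current state and start type before changing anything.
sc query Messenger
sc qc Messenger

rem Steps 3 and 4 of the post: stop it now, then keep it from starting again.
sc stop Messenger
sc config Messenger start= disabled

rem Confirm: STATE should read STOPPED and START_TYPE should read DISABLED.
sc query Messenger
sc qc Messenger

rem The post's closing advice, for XP SP2 or later only (assumption: the
rem machine has been updated; SP1 has no "netsh firewall" context).
netsh firewall set opmode mode=enable
```

Disabling the service stops the popups because the spam is delivered through the same RPC path that `net send` uses; the firewall is what keeps that path, and others like it, from being reachable from the internet in the first place.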
 