Trying To Remove Winsvc.exe Bug


13 replies to this topic

#1 robams

  • Members
  • 8 posts

Posted 08 August 2006 - 06:52 PM

Hello, I am a new user and not sure if I am posting in the right section. This seems like a great forum and I look forward to contributing. I also need some help and advice.

I want to send a 'hijackthis' log for analysis but the hijackthis programme is not opening on my PC after several approaches.

I am trying to remove a winsvc.exe bug which I know I have. My a/v system is Bullguard and I am running Windows XP. I have not been able to manually remove the bug which is in the windows system 32 pathway. Several scans have highlighted it in my PC but I can't remove it.

I can download hijackthis to my desktop but when I try to open it I either get redirected every time to the win-zip self-extractor box or I get the hijackthis scanning options box for a second before it disappears. I have tried to download many times with no luck. Is it possible that this bug is able to disable hijackthis before it runs? Internet seems to be working normally.

In another development, I can't open the Windows registry editor using Run either. I type in 'regedit' in the normal way. The registry screen appears for a second and then disappears. I fear the bug has entered and disabled some part of the registry. I have bought and run Registry Patrol but it has made no difference.

Any help or tips would be appreciated. Thanks!
Rob


#2 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 08 August 2006 - 07:08 PM

I ought to add that I also can't download Ad-aware or Spybot. It says that these programmes have been downloaded but I can't locate them anywhere.

The winsvc.exe bug has the code Backdoor RBot 41766210 for those who are interested. It seems to disable all the recommended a/v programmes, or so it seems on my PC.

Has anyone else experience of this?

Thanks
Rob

#3 Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 08 August 2006 - 07:49 PM

I'm still working on my tutorial for this anti-malware tool, so here are the instructions on how to use the Multi_AV tool from its author, David Lipman:

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

I recommend using Trend Micro's scanner for this as it is one of the fastest scanners, yet it is still thorough. If you have any questions on how to use the tool please post again and I'm sure I'll be able to give a correct answer (I'll check again on this thread in ~45 minutes but I g2g now).
Stanford '14
B.S. Candidate | Computer Science

#4 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 09 August 2006 - 09:56 AM

Thanks very much for this reply. I will attempt it today (Wednesday) and let you know how it goes. The main problem is that the bug seems to disable hijackthis when I download it and try to run it. Also does the same for other a/v and antimalware programs.

So I can't even get a good look at the log because I can't get a log!

Thanks again. I am not very technical but I'll try to follow the instructions here.

Rob

#5 Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 09 August 2006 - 11:15 AM

The Multi_AV Tool is designed to evade malware such as this from what I understand. For starters, it's not a big-shot well-known product like Ad-Aware, Spybot, etc., so the malware authors of such programs don't target this program. Additionally, Ad-Aware, Spybot, and those types of programs are .exe files, while the Multi_AV is in .bat form, which is rather unusual to target. Moreover, should the main module of the Multi_AV (StartMenu.bat) be shut down, David has created separate .bat files for the individual scanners (a .bat for McAfee, one for Kaspersky, etc.). Please do report back your results/questions when they arise! In the meantime, good luck with your cleaning!

#6 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 10 August 2006 - 04:29 PM

Hello again.

I can see that this programme looks powerful but I am having trouble executing it.

I can get to the start menu OK and see the options as you describe them. I can however see no way of downloading from the options. When I try to return to the C:\AV-CLS folder Windows closes down every time. Can you tell me how I download from the start menu and why is it that Windows could be crashing every time?

I also can't get into Safe Mode using F8. I want to see if the hijackthis will work in Safe Mode. Instead of the Windows Advanced Options Menu I am getting 'Please select boot device' menu.

Any tips greatly welcomed. I am at a loss how to proceed.

Rob

#7 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 10 August 2006 - 04:33 PM

Hi

I just tried again and this time as I opened the start menu on the tool I got a virus alert about 'Trojan. Q Host' - something like that. It looks like this bug is able to disable every tool I download.

Would it be better if I just delete and try to re-install windows completely from scratch?

Rob

#8 Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 10 August 2006 - 06:47 PM

Ok, if safe mode is not working with the F8 method, try using Bootsafe.exe:

http://www.superadblocker.com/bootsafe.html

Also, the Trojan alert thing... are you saying that Bullguard is warning you that a trojan is shutting down the Multi_AV tool? To help you with the Multi_AV tool, here's my few words:

Once Startmenu.bat opens up, press the number that corresponds to the scanner you want to use (I'm recommending Trend Micro's scanner so press 2). The Multi_AV tool will now open its update windows and download the updates.

Once the Multi_AV tool is done downloading updates for Trend Micro, it will temporarily close and open up the Trend Micro interface. After TM is done scanning, press exit. The Startmenu.bat will now re-appear along with a .txt file hidden behind it.

To close the Multi_AV tool without Windows restarting, type in q. By typing in q, the Multi_AV tool will close successfully (without restarting your computer) and the TM's scan log (in .txt form) will appear. Copy and paste the contents of that log in a new post and I will check it to see if it worked or not.

If your malware infection is managing to shut down the Multi_AV tool, you need to boot into safe mode to use it; however, as you probably were going to ask, "How can I update it then?" The good thing about the Multi_AV tool is that you can transfer updates from one computer to another. So, if you have another computer (or can get access to a clean computer with a decent internet connection) install the Multi_AV tool on that computer. You will need a USB (Flash or jump drive) or a disk to transfer the updates.

After installing the Multi_AV on that clean computer, run Startmenu.bat and update Trend Micro. When the updates are done and the Trend Micro window pops up, press the exit button and wait for Startmenu.bat to reappear. Close it by typing in q. Now, insert your USB or disk into the computer. Go to Local C:\AV-CLS\ (the Multi_AV folder) and copy the folder called Trend to the USB (or burn it to a disk).

Once the folder has been transferred onto your disk/USB, insert the disk/USB into your computer and copy and paste the Trend folder into C:\AV-CLS (your Multi_AV folder). The Trend Micro module has now been updated and you can use the power of the latest definitions to rid your system of malware!
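A check to go with the USB transfer described in the post above, added here as an example and not part of Multi_AV or of the thread: on the clean PC, write a SHA-256 manifest of the Trend folder and carry it on the USB next to the folder; on the infected PC, verify the copied folder against that manifest before starting the scanner, so that a truncated or missing definition file is caught rather than showing up as a scan that never brings up its interface. The file names inside the Trend folder are not known to me, so demo() builds a constructed stand-in tree in a temporary directory; the two-space "digest  path" manifest layout (the sha256sum convention) is this example's choice.

```python
"""Hash-manifest check for a scanner definition folder carried over on USB.
Added example; the directory layout built in demo() is constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def file_sha256(path: str) -> str:
    """SHA-256 of one file, read in 64 KiB chunks so large pattern files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, forward slashes) to its digest."""
    entries: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = file_sha256(full)
    return entries


def dump_manifest(entries: Dict[str, str]) -> str:
    """sha256sum-style text: '<hex digest>  <relative path>' per line (assumed layout)."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(entries.items()))


def load_manifest(text: str) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            entries[rel] = digest
    return entries


def compare(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Files absent from the copy, files not in the manifest, and files whose digest differs."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "changed": sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p]),
    }


def verify_tree(root: str, manifest_text: str) -> Tuple[bool, Dict[str, List[str]]]:
    """True when the folder at root matches the manifest written on the clean PC."""
    diff = compare(load_manifest(manifest_text), build_manifest(root))
    return not any(diff.values()), diff


def demo() -> Tuple[bool, bool, Dict[str, List[str]]]:
    """Constructed stand-in for C:\\AV-CLS\\Trend: a clean copy, a faithful transfer,
    and a transfer where one file was truncated and another never arrived."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean", "Trend")
        os.makedirs(os.path.join(clean, "pattern"))
        with open(os.path.join(clean, "scanner.exe"), "wb") as f:      # placeholder name
            f.write(bytes(range(256)) * 8)
        with open(os.path.join(clean, "pattern", "pattern.dat"), "wb") as f:  # placeholder name
            f.write(bytes(range(256)) * 16)
        manifest_text = dump_manifest(build_manifest(clean))  # goes on the USB with the folder

        good = os.path.join(tmp, "usb_good", "Trend")
        shutil.copytree(clean, good)
        bad = os.path.join(tmp, "usb_bad", "Trend")
        shutil.copytree(clean, bad)
        with open(os.path.join(bad, "pattern", "pattern.dat"), "r+b") as f:
            f.truncate(1024)                      # simulate an interrupted copy
        os.remove(os.path.join(bad, "scanner.exe"))  # simulate a file that was never copied

        ok_good, _ = verify_tree(good, manifest_text)
        ok_bad, diff_bad = verify_tree(bad, manifest_text)
        return ok_good, ok_bad, diff_bad


if __name__ == "__main__":
    print(demo())
```

On the real folders the calls are build_manifest / dump_manifest on the clean PC and verify_tree on the infected one, with the manifest text read back from the USB; anything listed under "missing" or "changed" means the copy should be redone before the scanner is trusted.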

#9 Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 10 August 2006 - 06:48 PM

Also, DO NOT reformat your computer yet (unless you want to). I have two final backup plans in case the Multi_AV tool fails on us.

#10 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 10 August 2006 - 07:22 PM

Thanks very much for this reply. It's gone 2am here so I will leave it till tomorrow and have a go using Bootsafe.

What happened is that the virus alert message came up when I tried to open the AV Start Menu. When I tried to close the menu - to get back to have a look at the folder - the whole computer crashed.

Incidentally, I was advised by Bullguard to use spyhunter to see if this would allow me to run hijackthis but their scan picked up nothing at all even though a Trojan virus alert appeared when I executed spyhunter.

More tomorrow.
Rob

#11 Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 10 August 2006 - 11:09 PM

Hijack This needs to be installed on your root drive - not on the desktop or in any temp file.

Use safe mode with networking and disable all startup items except for your firewall and av program. You can either use msconfig if you know how or you can use Startup Inspector which is easier to use as it identifies all the startup menu items and doesn't alter your startup mode as msconfig does.

Startup Inspector (manages the startup menu and helps you identify apps in the startup menu so you can disable unnecessary programs from running in the background when they are not needed)

And

Startup Monitor (a small freeware app available on the same page to notify you and require your permission for any program to add itself to your startup menu)

http://www.windowsstartup.com/download.php
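The startup inspection recommended in the post above, as an added example that is not part of the thread, of Startup Inspector, or of any BullGuard tool: a parser for a regedit-style .reg export of the Run keys that flags entries worth a second look. It assumes such an export can be obtained (the thread reports regedit closing on the infected PC, so from Safe Mode or another boot environment, which the thread does not describe). The export text is constructed; winsvc.exe as an indicator is taken from the scanner name reported in the thread, the "bare filename" and RunServices heuristics are this example's own, and C:\WINDOWS standing in for %SystemRoot% is an assumption.

```python
"""Flag suspicious autostart entries in a regedit .reg export of the Run keys.
Added example; SAMPLE_EXPORT and the heuristics below are constructed."""
import ntpath
import re
from typing import Dict, List, Tuple

# Autostart keys examined; a subset chosen for this example.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
KNOWN_BAD_IMAGES = {"winsvc.exe"}      # the file name the scanners in the thread reported
ASSUMED_SYSTEMROOT = r"C:\WINDOWS"     # assumption: XP default install directory

# Constructed .reg export (regedit v5 text format); every entry is invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="\"C:\\Program Files\\BullGuard Ltd\\BullGuard\\BullGuard.exe\" /tray"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Service"="winsvc.exe"
"Updater"="svhost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service"="winsvc.exe"
"Flags"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
# "name"="value" or @="value"; the .reg format escapes backslash and quote with a backslash
_STR_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for REG_SZ values only;
    dword/hex values, comments and the header line are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STR_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(4))
    return keys


def extract_image(command: str) -> str:
    """Executable path from a Run value: the quoted part, or the first token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        image = parts[0] if parts else ""
    for var in ("%SystemRoot%", "%windir%"):
        image = re.sub(re.escape(var), lambda _m: ASSUMED_SYSTEMROOT, image, flags=re.IGNORECASE)
    return image


def assess(image: str, key: str) -> List[str]:
    """Heuristic reasons an entry deserves attention (this example's own rules)."""
    reasons: List[str] = []
    if ntpath.basename(image).lower() in KNOWN_BAD_IMAGES:
        reasons.append("image name matches what the scanners reported")
    if ntpath.dirname(image) == "":
        reasons.append("bare filename: resolved via the search path, where system32 is "
                       "looked at before PATH, so a file dropped there wins")
    if key.lower().endswith("\\runservices"):
        reasons.append("RunServices is a Win9x-era key that legitimate XP software has "
                       "little reason to write")
    return reasons


def suspicious_autostarts(text: str) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """(key leaf, value name, image, reasons) for every flagged Run entry."""
    wanted = {k.lower() for k in RUN_KEYS}
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() not in wanted:
            continue
        for name, command in values.items():
            image = extract_image(command)
            reasons = assess(image, key)
            if reasons:
                findings.append((ntpath.basename(key), name, image, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for leaf, name, image, reasons in suspicious_autostarts(SAMPLE_EXPORT):
        print(f"{leaf}\\{name} -> {image}")
        for r in reasons:
            print(f"    - {r}")
```

A hit here is a lead, not a verdict: a bare filename is also how some legitimate installers write their Run entries, so the flagged file should be checked on disk (and its publisher and timestamp looked at) before it is removed.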

#12 Elendil

  • Members
  • 660 posts
  • Gender:Male
  • Location:The US

Posted 11 August 2006 - 06:54 AM

Did you follow my instructions on how to close it? It is very important that you type in the command letters as opposed to the common clicking of the X in the corner of the window. As you noticed, attempting to close it without the command letters causes a reboot and I will talk to David to see if he can do something about it. In the meantime, you should inspect your startup like Enthusiast has said.

In addition to the tools Enthusiast has recommended, you can also try using CCleaner. This tool will clear your temp folders of any malware residing there and has a startup controller as well. Open CCleaner - Tools - Startup. The CCleaner Website

#13 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 17 August 2006 - 04:22 PM

Sorry for the delay in getting back to you. I am still grappling with this virus.

I have managed to download the updates for Trend Micro as you suggested but when I do so the Trend Micro interface does not appear, even though the scan is running. I can see the TM folder in the AV-CLS tool but no interface appears. Then, a few minutes into the scan, the computer crashes and reboots. So I can't get to the end of the scan to get a log. This has happened repeatedly.

I would welcome your further suggestions. Bullguard have suggested that I use something called FixBlast but after several days of trying have not been able to download this tool to have a go - the site link they gave me appears to be down. Do you know this tool and is it worth pursuing?

My computer is working fine but while online every few days or so I get an a/v message from Bullguard telling me that 'someone is scanning my ports'. I'm not sure what this means but it does not sound good. Any advice on that?

Rob

#14 robams

  • Topic Starter
  • Members
  • 8 posts

Posted 17 August 2006 - 05:02 PM

UPDATE.....

I did finally get Trend Micro to run without the computer rebooting and this time could see the interface. The scan found no viruses or infected files, even though when I activated TM I got a message from Bullguard citing the now-familiar Backdoor. R Bot.

I should also add that every time I open the AV tool you recommended I get a Trojan host message from Bullguard.

If Trend Micro has picked up nothing and yet I still obviously have malware can you suggest another scan? Is there anything else in the menu on the AV-CLS that is worth trying? I had so many reboot problems starting Trend Micro.

Thanks for your help, it is much appreciated.

Rob



