win2000 sp 4 svhost32.exe infected with Win32:AbusableSystemUtility

win2000 sp 4 svhost32.exe infected with Win32:AbusableSystemUtility how can get rid of it ?
mail me at pfhcsys@xnet.ro

You could post a Hijackthis log: http://mjc1.com/mirror/hjt/

Logfile of HijackThis v1.97.7
Scan saved at 01:16:35, on 1/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Winamp\winamp.exe
D:\KIT\MIRC\MIRC32.EXE
C:\Program Files\NetPeeker\NPGUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\KIT\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://127.0.0.1/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Generic Host Process for Win32 Services] ntspvc.exe
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM..\RunServices: [Generic Host Process for Win32 Services] ntspvc.exe
O4 - Startup: Active SMART.lnk = C:\Program Files\Active SMART\ActiveSMART.exe
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{E14008A4-1D92-4709-ACB9-8A5AEE53A30D}: NameServer = 192.168.0.1 192.168.0.15

You should fix these settings:

O4 - HKLM..\Run: [Generic Host Process for Win32 Services] ntspvc.exe
O4 - HKLM..\RunServices: [Generic Host Process for Win32 Services] ntspvc.exe

and delete this file after restart: ntspvc.exe

Hi, the AbusableSystemUtility is a UPXed version of the Sysinternals utility “psexec”. The original utility isn’t packed with the UPX. At least 2 trojan horses use (abuse) the the UPX packed version. The program itself isn’t malicious, but its presence is suspicious, a trojan horse might be on your computer.

10x a lot…