
Variant of systemdoctor 2006?

Discussion in 'Malware and Virus Removal Archive' started by jkg31485, 2006/11/03.

  1. 2006/11/03, jkg31485 (Thread Starter)
    I've been getting systemdoctor 2006 and winantispyware pop-ups and redirects. But when I run HJT I don't find anything out of the ordinary. I also have no systemdoctor directory, haven't found any of the files that seem to be associated with it on my machine (sd2006.exe, unins000, etc.), and can't find anything related to it in the registry. But IE6 still acts like there is an infection. I've run Trend Micro Anti-spyware, Ad-aware, and SpyBot, and have TMAS Venus Spy trap and NAV running. Can anyone help with this?

    I'm posting my HJT log below.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:55:33 PM, on 11/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\basfipm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrh.noaa.gov/total_forec...097&wfo=mtr&dgtl=1&lat=38.2325&lon=-122.63556
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.112/ConnectComputer/nshelp.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0218a7a2221f8ae2d103/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\Software\..\Telephony: DomainName = pwapetaluma.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. 2006/11/03, TeMerc (Alumni)
    Hi and welcome to the forum.

    In most cases the latest variants of Vundo have included code to circumvent exposure by HJT. The way we get around this is to rename hijackthis.exe to something of your choosing, anything; once that is done, the infection appears and we can then run a tool to remove it.
     


  4. 2006/11/03, jkg31485 (Thread Starter)
    Nothing suspicious

    Thanks. I renamed HJT and ran another scan, but I still don't see anything suspicious. I read that Vundo is transmitted from one infected machine on a network to another. Is it possible that another machine is causing the pop-ups and redirects?

    HJT log below.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:15:15 AM, on 11/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\basfipm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT\Okeydoke.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrh.noaa.gov/total_forec...097&wfo=mtr&dgtl=1&lat=38.2325&lon=-122.63556
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.112/ConnectComputer/nshelp.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0218a7a2221f8ae2d103/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\Software\..\Telephony: DomainName = pwapetaluma.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
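Added example, not from this thread and not HijackThis code: a small Python triage script that parses excerpts of the two HJT logs posted above, diffs the process list and the entries between the HijackThis.exe run and the renamed Okeydoke.exe run (the comparison TeMerc's rename advice is meant to enable), and flags the lines an analyst reads first: entries marked (file missing), O16 ActiveX downloads that are not HTTPS or come from a private address (here the 192.168.1.112 NSHelp control, which on a domain-joined machine is normally the internal server and should be confirmed rather than assumed bad), and a populated AppInit_DLLs line. The flag wording and the checks themselves are the example's own, not HijackThis's.

```python
"""Triage HijackThis v1.99.1 logs and diff two scans.

Added example: not from the thread, not HijackThis project code.
LOG_BEFORE is an excerpt of the first log posted above; LOG_AFTER is the
same excerpt with the process list as it appeared in the second scan.
"""
import ipaddress
import re
from urllib.parse import urlparse

LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.112/ConnectComputer/nshelp.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Second scan: identical entries; only the process list differs (atiptaxx.exe
# is running and HijackThis.exe has been renamed to Okeydoke.exe).
LOG_AFTER = LOG_BEFORE.replace(
    "C:\\Program Files\\HJT\\HijackThis.exe",
    "C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\n"
    "C:\\Program Files\\HJT\\Okeydoke.exe",
)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_hjt_log(text):
    """Return (processes, entries); entries is a list of (kind, body) tuples."""
    processes, entries, in_proc = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_proc = True
            continue
        if in_proc:                      # the process block ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_proc = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def is_private_host(host):
    """True for RFC 1918 / loopback style literals; hostnames are not IP literals."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def flag_entry(kind, body):
    """Analyst notes for one entry; an empty list means nothing to say."""
    notes = []
    if "(file missing)" in body:
        notes.append("references a file that is not on disk (orphaned or hidden)")
    if kind == "O16":                    # ActiveX download: the URL is the last ' - ' segment
        url = urlparse(body.rsplit(" - ", 1)[-1])
        if url.scheme != "https":
            notes.append("ActiveX control fetched over plain HTTP")
        if is_private_host(url.hostname or ""):
            notes.append("ActiveX control served from a private address; confirm it is your own server")
    if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        notes.append("AppInit_DLLs is populated; every process that loads user32 will load it")
    return notes


def triage(text):
    """Map 'kind - body' -> notes for every entry that drew at least one note."""
    flagged = {}
    for kind, body in parse_hjt_log(text)[1]:
        notes = flag_entry(kind, body)
        if notes:
            flagged[f"{kind} - {body}"] = notes
    return flagged


def diff_logs(before, after):
    """What changed between two scans, as sorted lists."""
    p1, e1 = parse_hjt_log(before)
    p2, e2 = parse_hjt_log(after)
    return {
        "processes_added": sorted(set(p2) - set(p1)),
        "processes_gone": sorted(set(p1) - set(p2)),
        "entries_added": sorted(set(e2) - set(e1)),
        "entries_gone": sorted(set(e1) - set(e2)),
    }


if __name__ == "__main__":
    for entry, notes in triage(LOG_BEFORE).items():
        print(entry, "->", "; ".join(notes))
    for name, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(name, items)
```

Run as-is: the diff reports only process-list changes (HijackThis.exe gone, Okeydoke.exe and atiptaxx.exe present) and no entry changes, which is the same reading TeMerc gave by eye. The point of the rename test is exactly this diff: an infection that suppresses its own lines only while a process named hijackthis.exe is running shows up as entries_added after the rename.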
     
  5. 2006/11/03, TeMerc (Alumni)
    I don't see Vundo either, so search some more.

    Download combofix.exe
    • Double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
     
  6. 2006/11/04, jkg31485 (Thread Starter)
    Ran Combofix

    OK, I downloaded and ran the Combofix program. The log is below.

    John Green - 06-11-04 10:48:53.53 Service Pack 2
    ComboFix 06.10.19 - Running from: "C:\Documents and Settings\John Green\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{FCB815F4-063E-1033-0709-040404160001}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Program Files\Common Files\PPATCH~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


    2006-11-01 21:01 2,397 --a------ C:\windows\system32\drivers\symlcbrd.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-04 10:50 -------- d-------- C:\Program Files\Common Files
    2006-11-03 11:15 -------- d-------- C:\Program Files\HJT
    2006-11-01 21:30 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-11-01 21:17 -------- d-------- C:\Program Files\Symantec
    2006-11-01 21:09 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-11-01 20:49 -------- d-------- C:\Program Files\Microsoft Pointing Device
    2006-10-31 17:50 -------- d-------- C:\Program Files\Symantec Technical Support
    2006-10-31 00:22 -------- d-------- C:\Program Files\SymNetDrv
    2006-10-31 00:22 -------- d-------- C:\Program Files\QuickTime
    2006-10-31 00:22 -------- d-------- C:\Program Files\Messenger
    2006-10-31 00:22 -------- d-------- C:\Program Files\iTunes
    2006-10-31 00:21 29415 --a------ C:\windows\system32\DSentry.exe
    2006-10-30 23:38 -------- d-------- C:\Program Files\UTILN32
    2006-10-14 11:11 -------- d-------- C:\Program Files\Trend Micro
    2006-09-15 22:52 91904 --a------ C:\windows\system32\S32EVNT1.DLL
    2006-09-15 22:52 124016 --a------ C:\windows\system32\drivers\SYMEVENT.SYS
    2006-09-11 07:37 5763 --a------ C:\Program Files\xpbreaker.zip
    2006-08-16 13:54 4997 --a------ C:\Documents and Settings\John Green\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
    "Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
    "PRONoMgr.exe"="\"C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe\""
    "DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
    "AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "Symantec NetDriver Monitor"="\"C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe\" /Consumer"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
    "HPWQTOOLBOX"="\"C:\\Program Files\\Hewlett-Packard\\HP Deskjet 9800 Series\\Toolbox\\HPWQTBX.exe\" \"-i\""
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
    "StatusClient 2.6"="\"C:\\Program Files\\Hewlett-Packard\\Toolbox\\StatusClient\\StatusClient.exe\" /auto"
    "TomcatStartup 2.5"="\"C:\\Program Files\\Hewlett-Packard\\Toolbox\\hpbpsttp.exe\""
    "HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "POINTER"="point32.exe"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "AcctMgr"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c6,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
    "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}"="Trend Micro Anti-Spyware Shell Extension"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    "CDRAutoRun"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
    "backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
    "item"="Kodak EasyShare software"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
    "backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE"
    "item"="Kodak software updater"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "KodakCCS"=dword:00000003

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - John Green.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec Drmc.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 06-11-04 10:50:27.92
    C:\ComboFix.txt ... 06-11-04 10:50
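Added example, not ComboFix's code and not part of the thread: a Python script that parses the REG-export style "Reg Loading Points" section of the log above, undoes the REG_SZ escaping (`\\` for a backslash, `\"` for a quote), pulls the executable out of each Run value, and flags the three things an analyst checks on autorun entries: a bare file name that is resolved through the search path rather than a fixed location (the POINTER entry), an unquoted path containing spaces (the AcctMgr entry), and a program living under a user-writable profile directory. The excerpt is copied from the log above plus one constructed entry marked with a `;` comment; SYSTEM_ROOT and the user-writable prefixes are assumptions for an XP-era layout.

```python
"""Parse ComboFix 'Reg Loading Points' (REG export syntax) and triage Run values.

Added example: not ComboFix code, not from the thread. REG_EXCERPT is taken
from the log above, except the entry under the ';' comment, which is constructed.
"""
import re

SYSTEM_ROOT = "C:\\WINDOWS"                    # assumed (matches the XP platform line in the HJT log)
USER_WRITABLE_PREFIXES = (                     # assumed XP-era locations a non-admin user can write to
    "c:\\documents and settings\\",
    "c:\\windows\\temp\\",
)

REG_EXCERPT = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="%SystemRoot%\\system32\\mobsync.exe /logon"
"POINTER"="point32.exe"
"AcctMgr"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
; constructed entry for illustration, not from the thread
"Updater"="\"C:\\Documents and Settings\\EXAMPLE_USER\\Application Data\\updater.exe\" -s"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')     # "name"=data, name may contain \" or \\
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def unescape_reg_sz(raw):
    """Undo REG export escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_runs(text):
    """Return [(key, value_name, command)] for every non-empty string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):           # blank or comment
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:                      # hex/dword continuation lines etc.
            continue
        name, data = vm.groups()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':   # REG_SZ only
            command = unescape_reg_sz(data[1:-1])
            if command:
                entries.append((key, unescape_reg_sz(name), command))
    return entries


def exe_path(command):
    """Program path from a Run value, handling quoted and unquoted forms."""
    cmd = command.replace("%SystemRoot%", SYSTEM_ROOT)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def flag_autorun(command):
    """Analyst notes for one Run value; empty list means nothing stood out."""
    notes, exe = [], exe_path(command)
    if "\\" not in exe:
        notes.append("bare file name: resolved through the search path, not a fixed location")
    elif not command.startswith('"') and " " in exe:
        notes.append("unquoted path with spaces: ambiguous for CreateProcess, quote it")
    if exe.lower().startswith(USER_WRITABLE_PREFIXES):
        notes.append("launches from a user-writable location")
    return notes


def triage_autoruns(text):
    """Map 'key\\name' -> (exe, notes) for every entry that drew a note."""
    out = {}
    for key, name, command in parse_reg_runs(text):
        notes = flag_autorun(command)
        if notes:
            out[f"{key}\\{name}"] = (exe_path(command), notes)
    return out


if __name__ == "__main__":
    for where, (exe, notes) in triage_autoruns(REG_EXCERPT).items():
        print(where, "->", exe, "|", "; ".join(notes))
```

The dword line and the empty OptionalComponents keys are skipped on purpose: only REG_SZ commands are autoruns. On the real log the script flags exactly POINTER and AcctMgr from the HKLM Run key; everything else resolves to a quoted or space-free path under Program Files or the Windows directory, which is the same sanity pass TeMerc did by reading the section.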
     
  7. 2006/11/04, TeMerc (Alumni)
    Well, that found one bit of malware. Did the deletion fix your pop-ups? Let me know.

    I also see one odd folder:
    xpbreaker.zip

    Do you know what that is? If not, delete it.

    One odd bit, though: I see there was only one file created in one whole month. Could that be correct? And only a dozen or so over the last 3 months, no less.

    If you're still getting popups, please run the following search tool.

    Download dll Compare from here and save it to your desktop. Create a new folder called 'Dll Compare' and extract the contents of the zip into this new folder.

    • 1. Once installed into the folder, open the folder and double-click the DLLCompare icon.
      2. Click on "Run Locate.com" button and allow the scan to complete.
      3. After the scan has finished click on "Compare" button to scan for the files that Windows doesn't see. This step will take a few minutes to run.
      4. If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
      5. When prompted to "View Log File" click on "Yes".
      6. Notepad will open with the log file contents.
      7. Copy & paste the contents in your next reply.
     
  8. 2006/11/04
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    I know what xpbreaker is, although I don't need the zip folder anymore. I don't know why the scan would show only 1 file having been created - there have been far more than that. But I'll download dllcompare and run it. The popups and redirects keep on coming - now I'm getting them for disk clean, and these are a little harder to get rid of.
     
  9. 2006/11/04
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    OK, here's the dllcompare log file. And thanks again for all your help.

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
    C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
    C:\WINDOWS\SYSTEM32\msjint35.dll Thu Jun 10 1999 8:34:04a A.S.. 123,664 120.77 K
    C:\WINDOWS\SYSTEM32\msjter35.dll Thu Jun 10 1999 8:34:04a A.S.. 24,848 24.27 K
    C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
    C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
    C:\WINDOWS\SYSTEM32\msrd2x35.dll Sun Apr 25 1999 4:00:00p A.S.. 252,176 246.27 K
    C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
    C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 6:21:24p A.S.. 166,672 162.77 K
    C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
    ________________________________________________

    1,390 items found: 1,390 files (10 H/S), 0 directories.
    Total of file sizes: 299,301,164 bytes 285.43 M

    Administrator Account = True

    AppInit_DLLs value = (not hidden)
    --------------------End log---------------------
     
  10. 2006/11/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's try a different Vundo tool.

    Download VirtumundoBegone from here and save it to your desktop

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    When presented with a menu of options use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

    Exit when it has finished.

    Give me a new HJT log file once completed with the above.
     
  11. 2006/11/06
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    Sorry about the delay, I was out of town yesterday.

    I'm pasting in the log from Virtumundobegone, as well as another HJT log. I don't see anything different. I'm still getting pop-ups, and sometimes IE6 will start by itself with a pop-up.


    [11/06/2006, 13:59:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\John Green\Desktop\VirtumundoBeGone.exe" )
    [11/06/2006, 13:59:11] - Detected System Information:
    [11/06/2006, 13:59:11] - Windows Version: 5.1.2600, Service Pack 2
    [11/06/2006, 13:59:11] - Current Username: John Green (Admin)
    [11/06/2006, 13:59:11] - Windows is in SAFE mode with Networking.
    [11/06/2006, 13:59:11] - Searching for Browser Helper Objects:
    [11/06/2006, 13:59:11] - BHO 1: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
    [11/06/2006, 13:59:11] - Finished Searching Browser Helper Objects
    [11/06/2006, 13:59:11] - Finishing up...
    [11/06/2006, 13:59:11] - Nothing found! Exiting...




    Logfile of HijackThis v1.99.1
    Scan saved at 2:03:56 PM, on 11/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\basfipm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HJT\Okeydoke.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrh.noaa.gov/total_forec...097&wfo=mtr&dgtl=1&lat=38.2325&lon=-122.63556
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPWQTOOLBOX] "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [StatusClient 2.6] "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://192.168.1.112/ConnectComputer/nshelp.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0218a7a2221f8ae2d103/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\Software\..\Telephony: DomainName = pwapetaluma.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwapetaluma.local
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  12. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well this is frustrating to say the least.

    Let's try a Panda scan; they have been catching a few variants here and there. These latest variants are indeed becoming more difficult to find.

    Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    (Also, please remove any cookie, Recycler Folder and System Volume Information Folder references from the log)
     
  13. 2006/11/06
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    Here's the log file from Panda active scan. I'm not sure how to interpret this, but it looks like there are suspicious items in the IE6 cache.


    Incident Status Location

    Adware:Adware/SystemDoctor Not disinfected c:\program files\quicktime\qttask.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\itunes\ituneshelper.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\hewlett-packard\toolbox\statusclient\statusclient.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\common files\real\update_ob\realsched.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\hewlett-packard\hp deskjet 9800 series\toolbox\hpwqtbx.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\java\jre1.5.0_06\bin\jusched.exe
    Adware:Adware/SystemDoctor Not disinfected c:\progra~1\symnet~1\sndmon.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\roxio\easy cd creator 5\directcd\directcd.exe
    Adware:Adware/SystemDoctor Not disinfected c:\windows\system32\dsentry.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\intel\ncs\proset\pronomgr.exe
    Adware:Adware/SystemDoctor Not disinfected c:\program files\ati technologies\ati control panel\atiptaxx.exe
    Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
    Spyware:spyware/wareout Not disinfected c:\windows\tmp.hta

    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\John Green\Desktop\VirtumundoBeGone.exe[²Æ’Ç]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\John Green\Local Settings\Temp\nsf5.tmp
    Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\John Green\Local Settings\Temporary Internet Files\Content.IE5\8LQP4BA5\ErrorSafeNewReleaseInstall[1].cab[UERS_9999_N91S2507NetInstaller.exe]
    Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\John Green\Local Settings\Temporary Internet Files\Content.IE5\UZCFA983\WinAntiVirusPro2006FreeInstall[1].cab[UWA6P_0001_N91M1807NetInstaller.exe]
    Adware:Adware/SystemDoctor Not disinfected C:\Program Files\Dell\QuickSet\quickset.exe
    Adware:Adware/SystemDoctor Not disinfected C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    Possible Virus. Not disinfected C:\Program Files\HJT\backups\backup-20060608-005815-230.dll
    Virus:Trj/SrchSpy.R Disinfected C:\Program Files\HJT\backups\backup-20061101-182045-672-MSWin.exe
    Adware:Adware/SystemDoctor Not disinfected C:\Program Files\SymNetDrv\SNDMon.exe
     
  14. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, I have been digging around and this infection may be one which replaces known good files, using the same names with bad ones.

    I'd like you to DL AVG\Ewido Anti-Spyware and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

    Reboot, into safe mode, this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process.

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie, Recycler and System Volume Information Folder references)

    What I'm looking to determine here is whether AVG\Ewido finds the same files as 'infected', though they appear to be legit. If that gets confirmed, then we have another special tool crafted just for its removal.
     
  15. 2006/11/09
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    The AVG/ewido report is below. I didn't see an "Apply all actions" prompt when it was finished running, but my display was not showing the program window properly because the computer was in safe mode. I'm now getting "Malware found" prompts from AVG that give me a number of choices on how to address the problems. If these files are infected versions of critical files, will I need to reinstall all this software, or will AVG remove the infection from the file?

    I took out all the system volume information items, and there were several in the restore category, recycler items and cookies.

    AVG/ewido log

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:50:03 AM 11/9/2006

    + Scan result:



    HKLM\SOFTWARE\ShudderLTD -> Adware.PSGuard : No action taken.
    HKLM\SOFTWARE\ShudderLTD\PSGuard -> Adware.PSGuard : No action taken.
    HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Adware.PSGuard : No action taken.
    HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Adware.PSGuard : No action taken.
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Dell\QuickSet\quickset.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\SymNetDrv\SNDMon.exe -> Downloader.Agent.ayy : No action taken.
    C:\Program Files\iTunes\iTunesHelper.exe -> Downloader.Agent.ayy : No action taken.
    C:\windows\system32\DSentry.exe -> Downloader.Agent.ayy : No action taken.
    HKLM\SOFTWARE\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87} -> Downloader.Fugif : No action taken.
    C:\windows\tmp.hta -> Downloader.Psyme.at : No action taken.
    HKU\S-1-5-21-3292246423-985625037-1462717948-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1CA480CD-C0E5-4548-874E-B85B17905B3A} -> Trojan.Zlob.f : No action taken.


    ::Report end
     
  16. 2006/11/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, those findings kind of confirmed what I expected. We have a tool for this one. Please do as instructed below.

    Please click HERE select Save. Save FindAWF to your desktop.

    Double Click FindAWF.exe and let it run, it will create the file awf.txt on your desktop when finished.

    Open awf.txt in notepad, select Edit> Select All> Edit> Copy> and Paste the contents.

    Please also run the following search tool.

    Silent Runners

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, which may take several minutes, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.
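The suspicion in the post above, that the infection swaps known-good startup executables for bad ones under the same names, is exactly what FindAWF's "bak folders found" and "Duplicate files of bak directory contents" sections test for. The following is an added example written for this page; it is not code from the thread, from FindAWF or from any vendor. It walks a directory tree, pairs every `bak\<name>` with the `<name>` one level up, flags pairs whose bytes differ, and then groups the flagged live files by size and SHA-256, since one dropper stamped over many unrelated programs shows up as one size/hash shared across vendor directories. The tree built in `demo()` is a constructed lab layout that mimics the shape of the FindAWF report; the file contents are made up.

```python
"""Scanner for the 'replaced executable with original parked in bak\' pattern.

Pattern checked:
  <dir>\<name>.exe      -- live file, possibly overwritten by a dropper
  <dir>\bak\<name>.exe  -- copy of the original left behind by the malware

Added example for this page, not FindAWF's own code. All paths and bytes
in demo() are constructed.
"""
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_replacements(root):
    """Walk root; for every <dir>/bak/<name> compare it with <dir>/<name>.

    Returns (replaced, untouched): records whose live copy differs from the
    bak copy, and records where both are byte-identical (a bak copy was made
    but the live file was not overwritten, like ctfmon.exe in the report).
    A bak copy with no live twin is skipped: there is nothing to compare.
    """
    replaced, untouched = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                continue
            live_hash, backup_hash = sha256_of(live), sha256_of(backup)
            rec = {
                "live": live, "live_size": os.path.getsize(live),
                "live_sha256": live_hash,
                "backup": backup, "backup_size": os.path.getsize(backup),
            }
            (untouched if live_hash == backup_hash else replaced).append(rec)
    return replaced, untouched


def cluster_by_hash(replaced):
    """Count flagged live files per (size, sha256).

    One dropper copied over N targets yields a single key with count N; in
    the thread's report that is the 29415-byte size every live copy shares.
    """
    return Counter((r["live_size"], r["live_sha256"]) for r in replaced)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="awf_demo_")
    pf = os.path.join(base, "Program Files")
    sys32 = os.path.join(base, "WINDOWS", "system32")
    dropper = b"MZ" + b"\x90" * 64 + b"constructed stand-in for the dropper"
    # two vendor executables overwritten by the same dropper, originals in bak\
    _write(os.path.join(pf, "iTunes", "iTunesHelper.exe"), dropper)
    _write(os.path.join(pf, "iTunes", "bak", "iTunesHelper.exe"), b"MZ" + b"I" * 4000)
    _write(os.path.join(pf, "QuickTime", "qttask.exe"), dropper)
    _write(os.path.join(pf, "QuickTime", "bak", "qttask.exe"), b"MZ" + b"Q" * 4000)
    # bak copy made but the live file was left untouched (identical bytes)
    _write(os.path.join(sys32, "ctfmon.exe"), b"MZ" + b"C" * 1000)
    _write(os.path.join(sys32, "bak", "ctfmon.exe"), b"MZ" + b"C" * 1000)
    # an empty bak directory, and a bak copy whose live twin is gone
    os.makedirs(os.path.join(pf, "Messenger", "bak"), exist_ok=True)
    _write(os.path.join(pf, "Dell", "QuickSet", "bak", "quickset.exe"), b"MZ" + b"D" * 500)

    replaced, untouched = find_bak_replacements(base)
    return {"replaced": replaced, "untouched": untouched,
            "clusters": cluster_by_hash(replaced)}


if __name__ == "__main__":
    result = demo()
    for r in result["replaced"]:
        print("REPLACED %s (%d bytes) vs bak copy (%d bytes)"
              % (r["live"], r["live_size"], r["backup_size"]))
    for (size, digest), n in result["clusters"].items():
        print("%d live files share size %d and hash %s..." % (n, size, digest[:12]))
```

On the infected machine the same walk would be run over C:\Program Files and C:\WINDOWS\system32. The `[null data]` tag Silent Runners prints beside exactly these Run entries is the complementary signal: it means no company name could be read from the file's version resource, whereas the untouched entries report `[MS]` or `["Symantec Corporation"]`. Two cautions the report itself suggests: a bak copy is only worth restoring if its own hash matches a known-good build of that program, and several live copies carry the date of the scan, so whatever re-stamps them at boot has to be removed first or the restore will not hold.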
     
  17. 2006/11/09
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    The awf.txt file is below.


    Find AWF report by noahdfear ©2006


    21504 byte files found
    ~~~~~~~~~~~~~



    21504 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    25600 byte files found
    ~~~~~~~~~~~~~



    25600 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    26450 byte files found
    ~~~~~~~~~~~~~



    26450 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\ITUNES\BAK

    06/14/2006 03:24 PM 278,528 iTunesHelper.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    08/27/2006 08:45 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\SYMNET~1\BAK

    04/29/2005 07:05 AM 100,056 SNDMon.exe
    1 File(s) 100,056 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/03/2004 11:56 PM 15,360 ctfmon.exe
    07/17/2002 07:18 AM 28,672 DSentry.exe
    2 File(s) 44,032 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    06/10/2004 06:10 PM 339,968 atiptaxx.exe
    1 File(s) 339,968 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    07/01/2005 11:11 AM 71,280 ccApp.exe
    1 File(s) 71,280 bytes

    Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

    03/04/2004 05:59 PM 487,424 quickset.exe
    1 File(s) 487,424 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

    02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX\BAK

    05/20/2004 08:40 AM 188,416 hpbpsttp.exe
    1 File(s) 188,416 bytes

    Directory of C:\PROGRA~1\MI948F~1\MOUSE\BAK

    04/11/2002 10:47 AM 176,128 point32.exe
    1 File(s) 176,128 bytes

    Directory of C:\PROGRA~1\NORTON~1\PASSWO~1\BAK

    08/18/2004 12:41 PM 586,896 AcctMgr.exe
    1 File(s) 586,896 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    01/31/2006 05:49 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\HEWLET~1\HPDESK~1\TOOLBOX\BAK

    01/17/2005 04:49 PM 335,872 HPWQTBX.exe
    1 File(s) 335,872 bytes

    Directory of C:\PROGRA~1\HEWLET~1\TOOLBOX\STATUS~1\BAK

    02/27/2004 09:29 AM 61,440 StatusClient.exe
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\INTEL\NCS\PROSET\BAK

    05/28/2003 02:32 PM 86,016 PRONoMgr.exe
    1 File(s) 86,016 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~2.0_0\BIN\BAK

    11/10/2005 01:03 PM 36,975 jusched.exe
    1 File(s) 36,975 bytes


    12/17/2002 09:28 AM 684,032 DirectCD.exe
    1 File(s) 684,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    29415 Oct 31 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
    278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    29415 Oct 31 2006 "C:\Program Files\QuickTime\qttask.exe"
    282624 Aug 27 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    29415 Nov 9 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
    100056 Apr 29 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
    15360 Aug 3 2004 "C:\windows\system32\ctfmon.exe"
    15360 Aug 3 2004 "C:\windows\system32\bak\ctfmon.exe"
    29415 Nov 9 2006 "C:\windows\system32\DSentry.exe"
    28672 Jul 17 2002 "C:\windows\system32\bak\DSentry.exe"
    29415 Nov 9 2006 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    339968 Jun 10 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    71328 Dec 21 2005 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
    71280 Jul 1 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    29415 Nov 9 2006 "C:\Program Files\Dell\QuickSet\quickset.exe"
    487424 Mar 4 2004 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
    29415 Oct 31 2006 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    49152 Feb 16 2005 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
    29415 Oct 31 2006 "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    40960 Jul 17 2003 "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
    188416 May 20 2004 "C:\Program Files\Hewlett-Packard\Toolbox\bak\hpbpsttp.exe"
    176128 Apr 11 2002 "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    176128 Apr 11 2002 "C:\Program Files\Microsoft Hardware\Mouse\bak\point32.exe"
    586896 Jul 29 2005 "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe"
    586896 Aug 18 2004 "C:\Program Files\Norton SystemWorks\Password Manager\bak\AcctMgr.exe"
    29415 Oct 31 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Jan 31 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    29415 Oct 31 2006 "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe"
    335872 Jan 17 2005 "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\bak\HPWQTBX.exe"
    29415 Oct 31 2006 "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe"
    61440 Feb 27 2004 "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\bak\StatusClient.exe"
    40960 Jul 17 2003 "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe"
    29415 Nov 9 2006 "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    86016 May 28 2003 "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe"
    32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
    36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
    29415 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
    29415 Nov 9 2006 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


    end of report


    Silent runners log file:

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [null data]
    "Symantec NetDriver Monitor" = " "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer" [null data]
    "HPWQTOOLBOX" = " "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" "-i" " [null data]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [null data]
    "Synchronization Manager" = "%SystemRoot%\system32\mobsync.exe /logon" [MS]
    "StatusClient 2.6" = " "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" /auto" [null data]
    "TomcatStartup 2.5" = " "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" " [null data]
    "HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [null data]
    "iTunesHelper" = " "C:\Program Files\iTunes\iTunesHelper.exe" " [null data]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [null data]
    "POINTER" = "point32.exe" [MS]
    "ccApp" = " "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" " [ "Symantec Corporation"]
    "AcctMgr" = "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup" [ "Symantec Corporation"]
    "!AVG Anti-Spyware" = " "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax "
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider "
    \StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper "
    -> {HKLM...CLSID} = "CNavExtBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu "
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" [ "Adobe Systems Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler "
    -> {HKLM...CLSID} = "Microsoft Office Outlook "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler "
    -> {HKLM...CLSID} = "Outlook File Icon Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension "
    -> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension "
    \InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" [ "Roxio"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension "
    -> {HKLM...CLSID} = "Trend Micro Anti-Spyware Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" [ "Trend Micro Incorporated"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [ "Apple Computer, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension "
    -> {HKLM...CLSID} = "Trend Micro Anti-Spyware Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" [ "Trend Micro Incorporated"]
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5 "
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [ "Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = " wdmicpui.dll" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "cskfc.exe" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945} "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" [ "Adobe Systems Inc."]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920} "
    -> {HKLM...CLSID} = "CContextScan Object "
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" [ "Anti-Malware Development a.s."]
    QuickFinderMenu\(Default) = "{C0E10002-0028-0005-C0E1-C0E1C0E1C0E1} "
    -> {HKLM...CLSID} = "QuickFinder Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\WordPerfect Office 12\Programs\PFSE120.DLL" [ "Corel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} "
    -> {HKLM...CLSID} = "IEContextMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000001
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\John Green\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


    Startup items in "John Green" & "All Users" startup folders:
    ------------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" [ "Adobe Systems Inc."]
    "Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" [ "Trend Micro Incorporated"]


    Enabled Scheduled Tasks:
    ------------------------

    "Norton AntiVirus - Scan my computer - John Green" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task: "C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca" " [ "Symantec Corporation"]
    "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" [ "Symantec Corporation"]
    "Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDetect.exe" [file not found]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93} "
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93} "
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus "
    -> {HKLM...CLSID} = "Norton AntiVirus "
    \InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" [ "Symantec Corporation"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research "
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [ "Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research "

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" [ "ATI Technologies Inc."]
    Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, " "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" " [ "Symantec Corporation"]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" [ "Anti-Malware Development a.s."]
    Broadcom ASF IP monitoring service v6.0.3, BAsfIpM, "C:\WINDOWS\System32\basfipm.exe" [ "Broadcom Corp."]
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" { "C:\WINDOWS\System32\w3ssl.dll" [MS]}
    Machine Debug Manager, MDM, " "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" " [MS]
    MSSQL$MICROSOFTBCM, MSSQL$MICROSOFTBCM, "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM" [MS]
    Norton AntiVirus Auto Protect Service, navapsvc, " "C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe" " [ "Symantec Corporation"]
    Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" [ "Symantec Corporation"]
    RegSrvc, RegSrvc, "C:\WINDOWS\System32\RegSrvc.exe" [ "Intel Corporation"]
    SAVScan, SAVScan, " "C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe" " [ "Symantec Corporation"]
    Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\System32\S24EvMon.exe" [ "Intel Corporation "]
    Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" [ "Symantec Corporation"]
    Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" [ "Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, " "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" " [ "Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, " "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" " [ "Symantec Corporation"]
    SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" [ "Symantec Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
    WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Adobe PDF Port\Driver = "C:\WINDOWS\System32\AdobePDF.dll" [ "Adobe Systems Incorporated."]
    Canon BJ Language Monitor iP4200\Driver = "CNMLM78.DLL" [ "CANON INC."]
    HP Master Monitor\Driver = "HPBMMON.DLL" [ "Hewlett-Packard"]
    HP Standard TCP/IP Port\Driver = "hptcpmon.dll" [ "Hewlett Packard"]
    LapNet LPR Port\Driver = "XPLNMon.dll" [ "EnTrac Technologies, Inc."]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    PCL Language Monitor\Driver = "hpz3l044.dll" [ "Hewlett-Packard Company"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 59 seconds, including 23 seconds for message boxes)
     
  18. 2006/11/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I'm doing a bit more research on this fix so I'm familiar with it, thanks for being patient.
     
  19. 2006/11/10
    jkg31485

    jkg31485 Inactive Thread Starter

    Joined:
    2004/08/24
    Messages:
    24
    Likes Received:
    0
    No problem. It seems like a pretty difficult one. One other thing that happened is that my registry editing tools have been disabled. This happened about the time I installed AVG. I'm not sure whether this installation caused it, or if it's related to the malware. I got a message that the administrator disabled them, but I only have one account on this machine. I was able to run a script to enable registry editing tools again.
     
  20. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I had the creator of the tool come and have a peek at this thread. This infection is relatively new, as is the fix. He would like you to send him the infected files for his evaluation; they are new sizes and he wants to run them through an analysis.

    Can you please zip them up and send them to him by email before we get to deleting them? He can be emailed via the link below:
    http://www.windowsbbs.com/member.php?u=8850

    Now, onto more instructions.

    Please launch Notepad (Start > Run, type in: notepad)
    Copy/paste all the red text below to it:

    @echo off
    rem Remove the replaced copies that the AWF report flagged
    del /q "C:\Program Files\iTunes\iTunesHelper.exe"
    del /q "C:\Program Files\QuickTime\qttask.exe"
    del /q "C:\Program Files\SymNetDrv\SNDMon.exe"
    del /q "C:\windows\system32\DSentry.exe"
    del /q "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    del /q "C:\Program Files\Dell\QuickSet\quickset.exe"
    del /q "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    del /q "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
    del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    del /q "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe"
    del /q "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe"
    del /q "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
    del /q "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    del /q "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    rem Put the original executables back from each bak folder into their program directories
    copy "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
    copy "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
    copy "C:\Program Files\SymNetDrv\bak\SNDMon.exe" "C:\Program Files\SymNetDrv"
    copy "C:\windows\system32\bak\DSentry.exe" "C:\windows\system32"
    copy "C:\Program Files\ATI Technologies\bak\ATI Control Panel\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel"
    copy "C:\Program Files\Dell\QuickSet\bak\quickset.exe" "C:\Program Files\Dell\QuickSet"
    copy "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe" "C:\Program Files\Hewlett-Packard\HP Software Update"
    copy "C:\Program Files\Hewlett-Packard\Toolbox\bak\hpbpsttp.exe" "C:\Program Files\Hewlett-Packard\Toolbox"
    copy "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"
    copy "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\bak\HPWQTBX.exe" "C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox"
    copy "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\bak\StatusClient.exe" "C:\Program Files\Hewlett-Packard\Toolbox\StatusClient"
    copy "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe" "C:\Program Files\Intel\NCS\PROSet"
    copy "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_06\bin"
    copy "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD"
    cls
    exit



    In Notepad, go to File (upper menu bar), and select: Save as
    In the Save as prompt:
    Save in: Desktop
    File Name: bakfile.bat
    Save as Type: All files
    Click: Save
    Exit out of Notepad.

    Reboot into safe mode and be sure none of the listed files is running as a process; if any are, use Task Manager to 'End task'.

    Next, on the Desktop, double click on bakfile.bat

    Reboot back to normal mode and run the AWF tool again and paste the results back here.
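As an added example (not the AWF tool's code and not part of TeMerc's fix), the Python below parses report lines in the AWF format quoted earlier in the thread, picks out live executables whose bak sibling is listed with a different size, extracts the (size, date) the replaced copies share, and emits del/copy lines in the same shape as the batch file above. The sample report is constructed from the sizes and paths quoted in the thread, plus one hypothetical qttask.exe line with no bak sibling listed, to show the case the plan cannot restore automatically.

```python
"""Derive a delete-and-restore plan from an AWF-style file listing (added example)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One report line: <size> <Mon> <day> <year> "<path>" (a stray space before the closing quote is tolerated)
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+?)\s*"\s*$')

# Constructed sample in the report's format: sizes and paths quoted in the thread,
# plus one hypothetical qttask.exe line for which no bak sibling is listed.
SAMPLE_REPORT = r"""
    29415 Nov 9 2006 "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe "
    86016 May 28 2003 "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe "
    32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    29415 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe "
    29415 Nov 9 2006 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe "
    29415 Nov 9 2006 "C:\Program Files\QuickTime\qttask.exe "
"""


def parse_report(text):
    """Return one dict per parseable line: path, size in bytes and the report's date string."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append({"path": path, "size": int(size), "date": f"{mon} {day} {year}"})
    return entries


def bak_path(path):
    """Where the original binary should sit, per the bak-folder layout the fix restores from."""
    p = PureWindowsPath(path)
    return str(p.parent / "bak" / p.name)


def find_replaced(entries):
    """Live files whose bak sibling is listed with a different size: the original was swapped out."""
    index = {e["path"].lower(): e for e in entries}
    replaced = []
    for e in entries:
        if "\\bak\\" in e["path"].lower():
            continue
        bak = index.get(bak_path(e["path"]).lower())
        if bak is not None and bak["size"] != e["size"]:
            replaced.append((e, bak))
    return replaced


def implant_signature(replaced):
    """(size, date) shared by most replaced files: one dropper writing identical copies everywhere."""
    if not replaced:
        return None
    return Counter((e["size"], e["date"]) for e, _ in replaced).most_common(1)[0][0]


def needs_review(entries, replaced, signature):
    """Live files matching the signature but lacking a listed bak sibling: nothing to restore from."""
    done = {e["path"].lower() for e, _ in replaced}
    return [e["path"] for e in entries
            if (e["size"], e["date"]) == signature
            and "\\bak\\" not in e["path"].lower()
            and e["path"].lower() not in done]


def restore_plan(replaced):
    """Batch lines in the style of the thread's fix: delete the live copy, then copy the original back."""
    lines = ["@echo off"]
    lines += [f'del /q "{e["path"]}"' for e, _ in replaced]
    lines += [f'copy "{b["path"]}" "{PureWindowsPath(e["path"]).parent}"' for e, b in replaced]
    return lines


if __name__ == "__main__":
    entries = parse_report(SAMPLE_REPORT)
    replaced = find_replaced(entries)
    sig = implant_signature(replaced)
    print("implant signature (size, date):", sig)
    print("\n".join(restore_plan(replaced)))
    print("review manually (no bak listed):", needs_review(entries, replaced, sig))
```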
     
  21. 2006/11/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi jkg31485,

    If you would, before you run the fix TeMerc posted, either place some of the following files in a zipped file and upload them, or just upload some of them individually, at the link below (you don't have to register).

    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SymNetDrv\SNDMon.exe
    C:\windows\system32\DSentry.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

    http://www.thespykiller.co.uk/forum/index.php?action=forum

    Please leave a link to this topic and note the files are for me.
    Thank you.
     
