Folks,
I've been lurking here for about a week now researching a problem that's now about a month old on my primary system. Computer is driven by an Athlon 2200, 756mb RAM and mirrored 80gb drives. Lots of other goodies not worth mentioning. The operating system is Windows XP Pro.
This problem began sometime between Christmas and New Years Day and exhibited itself first in Windows Explorer. When I would click on My Computer the hourglass would start spinning and the file view of WE would show a folder with a flashlight sweeping back-and-forth across the folder. I also began to notice a few other problems that heightened my concerns:
1. I couldn't scan from any of my scanning apps.
2. DeLorme's Street Atlas no longer could find its data CD.
3. I couldn't burn CDs with either Nero or Roxio's EZ CD Creator.
4. Can't launch Adobe Acrobat files from My Documents. Get the mouse cursor with the hourglass for a few seconds and then the normal mouse cursor. Nothing shows up in the Applications list of Windows Task Manager.
There were others, but the above probably already have you screaming things at me.
Early in January I ran AdAware and found what I considered to be the usual suspects, which I cleaned up. Mid-month, after I became increasingly concerned that this might be a bot (I know - DUH!!!), I ran SpyBot Clean & Destroy. One likely candidate emerged - NowBox. Took care of that and started researching more deeply as the symptoms still exist.
I found this forum late last week and found several threads that looked hauntingly similar to my trials. Took the advice provided in one thread and acquired a copy of X-Cleaner from X-Block. X-Cleaner unearthed Net4Now and I zapped that devil. I also spent some time watching activity on the Active Ports list portion of the X-Cleaner app. I've not seen anything that has raised any concerns.
Sunday evening I had a call from a credit card provider saying that my card number was being used fraudulently. We killed the card and I've now got a new one, but this convinced me that I HAVE or HAD a bot that was forwarding keystrokes on to someone out there in bad guy land.
I'm attaching a copy of my current startup list as I've seen that requested in all threads of this nature.
Anyone out there have any ideas how I might further try to nail this down? AND ALSO how, if you think I'm bot free, I might get back to a normal state on this system?
Your guidance and advice is appreciated in advance.
*************************************************
StartupList report, 1/31/2003, 9:23:19 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\{username}\Local Settings\Temp\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\PopUp Killer\popupkiller.EXE
F:\program files\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
F:\Program Files\TotalRecorder\TotRecSched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\Promise\FastTrak\RAIDeUtility.exe
G:\My Documents\Palm\HOTSYNC.EXE
F:\Program Files\MSI\Common\Bin\WinCinemaMgr.exe
F:\Program Files\QUICKENW\bagent.exe
C:\WINDOWS\system32\crypserv.exe
F:\Program Files\TurboNote\tbnote.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
f:\program files\Promise\FastTrak\FtrakSvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
F:\Program Files\Atomica\Atomica Client\Atomica.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Simply Transparent\SimplyTransparent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
F:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\{username}\Local Settings\Temp\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\{username}\Start Menu\Programs\Startup]
Atomica.lnk = F:\Program Files\Atomica\Atomica Client\Atomica.exe
Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
Simply Transparent.lnk = ?
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Billminder.lnk = F:\Program Files\QUICKENW\billmind.exe
FastCheck Monitoring Utility.lnk = F:\Program Files\Promise\FastTrak\RAIDeUtility.exe
HotSync Manager.lnk = G:\My Documents\Palm\HOTSYNC.EXE
InterVideo WinCinema Manager.lnk = F:\Program Files\MSI\Common\Bin\WinCinemaMgr.exe
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
Quicken Scheduled Updates.lnk = F:\Program Files\QUICKENW\bagent.exe
Quicken Startup.lnk = F:\Program Files\QUICKENW\QWDLLS.EXE
TurboNote.lnk = F:\Program Files\TurboNote\tbnote.exe
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
OneTouch Monitor = C:\PROGRA~1\VISION~1\ONETOU~2.EXE
AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
SoundMan = SOUNDMAN.EXE
PopUpKiller = F:\Program Files\PopUp Killer\popupkiller.EXE
PaperPort PTD = f:\program files\PaperPort\pptd40nt.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
POINTER = point32.exe
TotalRecorderScheduler = F:\Program Files\TotalRecorder\TotRecSched.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Natural Language Navigation - C:\WINDOWS\System\BHO001.DLL (disabled by BHODemon) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Automatic Full Backup.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
Weekly Incremental Backup.job
--------------------------------------------------
Enumerating Download Program Files:
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
[MrSIDI Control]
InProcServer32 = f:\PROGRA~1\LIZARD~1\MRSIDV~1\MrSIDI.ocx
CODEBASE = http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37442.7338773148
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
[{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]
[{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
[SDKInstall Class]
InProcServer32 = C:\WINDOWS\sdkinst.dll
CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
--------------------------------------------------
End of report, 7,437 bytes
Report generated in 0.360 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
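As an added triage helper (not part of the original post, and not code from StartupList or any of the tools named above), the following Python parses the report layout shown in the post and flags the entries a responder would check first: shortcuts whose target resolves to `?`, Run-key values that name a bare executable (looked up through the search path at logon instead of a fixed location), and configured autostarts that do not appear in the running-process list. The sample report is a constructed excerpt in the same layout, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the StartupList 1.51 layout shown in the post (not the full report).
SAMPLE_REPORT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\FSScrCtl.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\{username}\Start Menu\Programs\Startup]
Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
Simply Transparent.lnk = ?
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SoundMan = SOUNDMAN.EXE
POINTER = point32.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
--------------------------------------------------
"""

SECTION_RE = re.compile(r"^(Running processes|Listing of startup folders|"
                        r"Autorun entries from Registry|Enumerating Browser Helper Objects):$")

def parse_report(text):
    """Split a StartupList report into {section name: [content lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.startswith("==="):
            continue  # separators carry no data
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)  # both HKLM and HKCU Run blocks share one section
            continue
        if current:
            sections[current].append(line)
    return sections

def image_path(value):
    """Return the executable named by a Run value or .lnk target, without arguments."""
    value = value.strip()
    if value.startswith('"'):  # quoted path, e.g. "C:\...\sgtray.exe" /r
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|dll|ocx))", value, re.IGNORECASE)
    return m.group(1) if m else value

def triage(text):
    """Return (entry name, reason) pairs worth a closer look before trusting the list."""
    sections = parse_report(text)
    running = {p.lower() for p in sections["Running processes"]}
    entries = sections["Listing of startup folders"] + sections["Autorun entries from Registry"]
    findings = []
    for entry in (e for e in entries if " = " in e):
        name, value = entry.split(" = ", 1)
        image = image_path(value)
        if image == "?":
            findings.append((name, "shortcut target could not be resolved"))
        elif "\\" not in image:
            findings.append((name, "bare filename, resolved via the search path at logon"))
        elif image.lower() not in running:
            findings.append((name, "configured to start but absent from running processes"))
    return findings
```

A bare-filename or unresolved entry is not proof of anything by itself; it tells you which path to verify on disk before deciding whether the autostart is legitimate.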