1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

A good one for you to chew on....

Discussion in 'Virus & Other Malware Removal' started by hatman, Jan 31, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. hatman

    hatman Thread Starter

    Joined:
    Jan 30, 2003
    Messages:
    1
    Folks,

    I've been lurking here for about a week now researching a problem that's now about a month old on my primary system. Computer is driven by an Athlon 2200, 756mb RAM and mirrored 80gb drives. Lots of other goodies not worth mentioning. The operating system is Windows XP Pro.

    This problem began sometime between Christmas and New Years Day and exhibited itself first in Windows Explorer. When I would click on My Computer the hourglass would start spinning and the file view of WE would show a folder with a flashlight sweeping back-and-forth across the folder. I also began to notice a few other problems that heightened my concerns:

    1. I couldn't scan from any of my scanning apps.

    2. DeLorme's Street Atlas no longer could find it's data CD.

    3. I couldn't burn CDs with either Nero or Roxio's EZ CD Creator.

    4. Can't launch Adobe Acrobat files from My Documents. Get the mouse cursor with the hourglass for a few seconds and then the normal mouse cursor. Nothing shows up in the Applications list
    of Windows Task Manager.

    There were others, but the above probably already have you screaming things at me.

    Early in January I ran AdAware and found what I considered to be the usual suspects which I cleaned up. Mid-month, after I became increasingly concerned that this might be a bot (I know - DUH!!!), I ran SpyBot Clean & Destroy. One likely candidate emerged - NowBox. Took care of that and started researching more deeply as the syptoms still exist.

    I found this forum late last week and found several threads that looked hauntinly similiar to my trials. Took the advice provided in one thread and acquired a copy of X-Cleaner from X-Block. X-Cleaner unearthed Net4Now and I zapped that devil. I also spent some time watching activity on the Active Ports list portion of the X-Cleaner app. I've not seen anything that has raised any concerns.

    Sunday evening I had a call from a credit card provider saying that my card number was being used fraudulently. We killed the card and I've now got a new one, but this convinced me that I HAVE or HAD a bot that was forwarding keystokes on to someone out there in bad guy land.

    I'm attaching a copy of my current startup list as I've seen that requested in all threads of this nature.

    Anyone out there have any ideas how I might further try to nail this down? AND ALSO how, if you think I'm bot free, I might get back to a normal state on this system?

    Your guidance and advice is appreciated in advance.

    *************************************************


    StartupList report, 1/31/2003, 9:23:19 AM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\{username}\Local Settings\Temp\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\SOUNDMAN.EXE
    F:\Program Files\PopUp Killer\popupkiller.EXE
    F:\program files\PaperPort\pptd40nt.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    F:\Program Files\TotalRecorder\TotRecSched.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    F:\Program Files\Promise\FastTrak\RAIDeUtility.exe
    G:\My Documents\Palm\HOTSYNC.EXE
    F:\Program Files\MSI\Common\Bin\WinCinemaMgr.exe
    F:\Program Files\QUICKENW\bagent.exe
    C:\WINDOWS\system32\crypserv.exe
    F:\Program Files\TurboNote\tbnote.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    f:\program files\Promise\FastTrak\FtrakSvc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    F:\Program Files\Atomica\Atomica Client\Atomica.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Simply Transparent\SimplyTransparent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\ZoneLabs\MINILOG.EXE
    C:\PROGRA~1\COMMON~1\ATOMIC~1\agtserv.exe
    F:\PROGRA~1\MICROS~1\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\{username}\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\{username}\Start Menu\Programs\Startup]
    Atomica.lnk = F:\Program Files\Atomica\Atomica Client\Atomica.exe
    Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
    Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    Simply Transparent.lnk = ?

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Billminder.lnk = F:\Program Files\QUICKENW\billmind.exe
    FastCheck Monitoring Utility.lnk = F:\Program Files\Promise\FastTrak\RAIDeUtility.exe
    HotSync Manager.lnk = G:\My Documents\Palm\HOTSYNC.EXE
    InterVideo WinCinema Manager.lnk = F:\Program Files\MSI\Common\Bin\WinCinemaMgr.exe
    Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    Quicken Scheduled Updates.lnk = F:\Program Files\QUICKENW\bagent.exe
    Quicken Startup.lnk = F:\Program Files\QUICKENW\QWDLLS.EXE
    TurboNote.lnk = F:\Program Files\TurboNote\tbnote.exe
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    OneTouch Monitor = C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    SoundMan = SOUNDMAN.EXE
    PopUpKiller = F:\Program Files\PopUp Killer\popupkiller.EXE
    PaperPort PTD = f:\program files\PaperPort\pptd40nt.exe
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    POINTER = point32.exe
    TotalRecorderScheduler = F:\Program Files\TotalRecorder\TotRecSched.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Natural Language Navigation - C:\WINDOWS\System\BHO001.DLL (disabled by BHODemon) - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Automatic Full Backup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job
    Weekly Incremental Backup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\System32\opuc.dll
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [MrSIDI Control]
    InProcServer32 = f:\PROGRA~1\LIZARD~1\MRSIDV~1\MrSIDI.ocx
    CODEBASE = http://images.myfamily.net/isfiles/downloads/MrSIDI.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37442.7338773148

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA}]

    [{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
    CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    [SDKInstall Class]
    InProcServer32 = C:\WINDOWS\sdkinst.dll
    CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

    --------------------------------------------------
    End of report, 7,437 bytes
    Report generated in 0.360 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    hi hatman,welcome to T.S.G.

    your startuplist dosent show anything that would cause these problems.no spyware or nasties as far as i can see,although you do seem to have quite a few running processes that could be trimmed back.
    take a look here:http://www.answersthatwork.com/Tasklist_pages/tasklist.htm


    windows is struggling to locate files,as if you have a lot of fragmentation.....have you de-fragged lately?i ask because a friend of mone lately had a similar problem......a guy told her XP didnt need to be defragged :rolleyes: empty temp and downloaded program files,re-cyc bin.
    it might be that simple,although i assume youve already thought of this.
    let us know if this helps at all;)
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    one thing more...........i know there are endless conflicts with adaptec/roxio burning software.
    if the thoughts in my 1st post dont work you could try un-installing adaptec.;)
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/116249

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice