Reapall/Zonebac/Adclicker/Dropper I've got lots of problems


deac83 (Thread Starter; joined Feb 1, 2007; 50 messages)
7 years on high-speed broadband and never had a problem; I put up a firewall before I ever connected, but the following series of events over the last several weeks has gotten me to where I am now.

System info:
HP
XP 2002 SP2
Pentium 4 / 2.6 GHz, 1 GB RAM

Internet: Verizon FIOS
Norton Internet Security for firewall and anti-virus

I believe it all started 4 weeks ago when:

1. My internet connection started going up and down. Verizon eventually showed up and changed the router from the original D-Link to an Actiontec.
2. I was not home when he did this, but my wife was, and after he put in the new router the internet was up and running again, but the AOL 9VR software would not connect to the internet (i.e. via broadband connection); my wife said the Verizon tech said it was a problem with NIS settings. Could not get the AOL software to work again, so I told my wife to use IE7 to get her mail.
3. My wife uses IE7 to access her AOL mail during the week.
4. Suddenly during the week (I travel during the week), she called me and said she could not log on to AOL web-mail or access sites that required a logon.
5. I tell her to click on the NIS icon in the task bar and she says it's not there. I have her bring up NIS manually. She reports that NAV is reporting an error and the error states the program must be re-loaded to fix it.
6. On the week-end, I determine the problem is that NIS has a setting changed to block access to secure sites. When I try to change the setting, NIS says I do not have admin privileges to change it. That's when I notice that there is a 'new' user listed in NIS, which is what is logged in for NIS. This setting has the parental controls enabled.
7. I disconnect the computer from the internet and uninstall NIS. Reload NIS. NIS now appears to be working normally.
8. This week my wife calls me and says the computer has the message: 16 bit MS-DOS Subsystem, c:\docume~1\owner\locals~1\119232~1.exe, the NTVDM CPU has encountered an illegal instruction. CS:Odf5IP:0132 OP:fe de 2c 43ee
9. Two days later my wife calls with: HP Product Assist, the feature you are trying to use is on CD-ROM or other removable disk that is not available ...... This message comes up when turning the computer on. Canceling does nothing, and once cancel is hit the computer will only shut off via the power button.
10. Get home on Friday, see the problem and confirm the HP Product Assist issue. Run the NAV that night. NAV finds the 4 trojans and multiple infected files.
10a. The Symantec web-site suggests running NAV in Safe Mode, which I attempted to do, but I get an error saying there is a problem with 'product integrator'.
10b. Contact Symantec online support via chat. Their solution is to reinstall NIS/NAV, saying it won't run in Safe Mode because it is infected. I tell them it had identified the trojans. They say I should call their tech support and pay them to fix the problem (interesting money-making idea).

10c. The NAV log follows:

Norton AntiVirus Quarantine Report
Created: Saturday, October 27, 2007 8:54:12 AM
------------------------------------------------------------------------------

File Name
Location
Status Size Virus Name
User Name Machine Name Domain
Date Quarantined
Date Submitted

------------------------------------------------------------------------------

mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox
Backup of an infected file 27.0 KB Trojan.Zonebac
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:40:20 AM
Not submitted

------------------------------------------------------------------------------

shwicon2k.exe
c:\Program Files\Multimedia Card Reader
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:19 PM
Not submitted

------------------------------------------------------------------------------

crap.1191639737.old
C:\Program Files\WinBudget\bin
Backup of an infected file 91.2 KB Trojan.Dropper
SYSTEM HOMEHP WORKGROUP
Friday, October 12, 2007 10:58:23 PM
Not submitted

------------------------------------------------------------------------------

RECGUARD.EXE
c:\WINDOWS\SMINST
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:18 PM
Not submitted

------------------------------------------------------------------------------

hphmon05.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:17 PM
Not submitted

------------------------------------------------------------------------------

qttask.exe
C:\Program Files\QuickTime
Backup of an infected file 27.0 KB Trojan.Zonebac
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:42:58 AM
Not submitted

------------------------------------------------------------------------------

matrix.dll.1193224957.old
C:\Program Files\WinBudget\bin
Backup of an infected file 106 KB Trojan.Adclicker
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:46:02 AM
Not submitted

------------------------------------------------------------------------------

MATRIX.DLL
C:\PROGRAM FILES\WINBUDGET\BIN
Backup of an infected file 73.0 KB Trojan.Adclicker
SYSTEM HOMEHP WORKGROUP
Monday, October 08, 2007 8:06:59 PM
Not submitted

------------------------------------------------------------------------------

hpqcmon.exe
c:\Program Files\HP\Digital Imaging\Unload
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:17 PM
Not submitted

------------------------------------------------------------------------------

Winampa.exe
c:\Program Files\Winamp
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:20 PM
Not submitted

------------------------------------------------------------------------------

NeroCheck.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:21 PM
Not submitted

------------------------------------------------------------------------------

InstantAccess.exe
c:\Program Files\TextBridge Pro 8.0\Bin
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:20 PM
Not submitted

------------------------------------------------------------------------------

crap.1192450921.old
C:\Program Files\WinBudget\bin
Backup of an infected file 174 KB Trojan.Adclicker
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:46:01 AM
Not submitted

------------------------------------------------------------------------------

KBD.EXE
c:\hp\KBD
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:18 PM
Not submitted

------------------------------------------------------------------------------

hkcmd.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:17 PM
Not submitted

------------------------------------------------------------------------------

realsched.exe
C:\Program Files\Common Files\Real\Update_OB
Backup of an infected file 27.0 KB Trojan.Zonebac
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:31:58 AM
Not submitted

------------------------------------------------------------------------------

l[3].htm
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DMW4QSNM
Backup of an infected file 3.70 KB Trojan.Reapall
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:14:45 AM
Not submitted

------------------------------------------------------------------------------

HPWuSchd2.exe
c:\Program Files\HP\HP Software Update
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:21 PM
Not submitted

------------------------------------------------------------------------------

ps2.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:18 PM
Not submitted

------------------------------------------------------------------------------

hpsysdrv.exe
C:\windows\system
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Thursday, October 25, 2007 5:04:52 PM
Not submitted

------------------------------------------------------------------------------

CTSysVol.exe
c:\Program Files\Creative\SBAudigy2\Surround Mixer
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:19 PM
Not submitted

------------------------------------------------------------------------------

RegisterDropHandler.exe
c:\Program Files\TextBridge Pro 8.0\Bin
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:21 PM
Not submitted

------------------------------------------------------------------------------

CTDVDDet.EXE
c:\Program Files\Creative\SBAudigy2\DVDAudio
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:19 PM
Not submitted

------------------------------------------------------------------------------

crap.1192277520.old
C:\Program Files\WinBudget\bin
Backup of an infected file 174 KB Trojan.Adclicker
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:46:01 AM
Not submitted

------------------------------------------------------------------------------

backupnotify.exe
c:\Program Files\HP\Digital Imaging\bin
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:22 PM
Not submitted

------------------------------------------------------------------------------

UpdReg.EXE
c:\WINDOWS
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:20 PM
Not submitted

------------------------------------------------------------------------------

matrix.dll.1192450919.old
C:\Program Files\WinBudget\bin
Backup of an infected file 106 KB Trojan.Adclicker
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:46:02 AM
Not submitted

------------------------------------------------------------------------------

11. Ran the HijackThis today and the log follows:

Logfile of HijackThis v1.99.1
Scan saved at 4:18:35 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\temp1\xnews\Xnews.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\temp1\downloaded programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} (vzDLinkRouterUpgrade Class) - http://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

If you've read this far, thanks in advance for the help. I'm quite perplexed and, as noted, I've had 7 years with no identified problems, mostly due to always having firewalls and anti-virus protection in place.
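One thing a defender can check directly in the quarantine report above, independent of any vendor verdict: every Trojan.Zonebac hit is a 27.0 KB file, and each sits in a different vendor's directory (HP, Creative, QuickTime, Winamp, MUSICMATCH, TextBridge, and so on), while the WinBudget hits vary in size. The script below is an added example, not code from the original post, from Symantec, or from any tool named in this thread; it parses the report's plain-text layout as quoted above and flags families whose hits are identically sized files spread across several directories. The sample records are copied from the report above and embedded as constructed input, and the `min_hits` threshold is a choice made for this example.

```python
"""Parse a Norton AntiVirus quarantine report and summarise it by malware family.

Added example for this thread, not code from the original post, Symantec or any
tool named here; it assumes only the report layout quoted above (dashed
separators, then file name, directory, status/size/virus line, user line, dates).
"""
import re
from collections import defaultdict

# Constructed sample input: four records copied from the report in the thread,
# with the column legend kept so the parser has to skip it like the real file.
SAMPLE_REPORT = r"""
File Name
Location
Status Size Virus Name
User Name Machine Name Domain
Date Quarantined
Date Submitted
------------------------------------------------------------------------------
mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox
Backup of an infected file 27.0 KB Trojan.Zonebac
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:40:20 AM
Not submitted
------------------------------------------------------------------------------
hphmon05.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:17 PM
Not submitted
------------------------------------------------------------------------------
qttask.exe
C:\Program Files\QuickTime
Backup of an infected file 27.0 KB Trojan.Zonebac
Owner HOMEHP WORKGROUP
Saturday, October 27, 2007 2:42:58 AM
Not submitted
------------------------------------------------------------------------------
MATRIX.DLL
C:\PROGRAM FILES\WINBUDGET\BIN
Backup of an infected file 73.0 KB Trojan.Adclicker
SYSTEM HOMEHP WORKGROUP
Monday, October 08, 2007 8:06:59 PM
Not submitted
------------------------------------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{20,}[ \t]*$", re.MULTILINE)
STATUS = re.compile(r"^(?P<status>.+?)\s+(?P<size>\d+(?:\.\d+)?)\s*"
                    r"(?P<unit>bytes|KB|MB)\s+(?P<virus>\S+)$")
UNIT_TO_KB = {"bytes": 1 / 1024, "KB": 1.0, "MB": 1024.0}

def parse_quarantine_report(text):
    """Return one dict per quarantined file; legend and title blocks are skipped."""
    records = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if len(lines) < 6:
            continue                       # title block or trailing whitespace
        status = STATUS.match(lines[2])
        if status is None:
            continue                       # the "Status Size Virus Name" legend
        records.append({
            "file": lines[0],
            "location": lines[1],
            "size_kb": float(status["size"]) * UNIT_TO_KB[status["unit"]],
            "virus": status["virus"],
            "user": lines[3].split()[0],
            "quarantined": lines[4],
        })
    return records

def summarize_by_family(records):
    """Group hits by virus name and note when every hit is the same size."""
    by_family = defaultdict(list)
    for rec in records:
        by_family[rec["virus"]].append(rec)
    summary = {}
    for virus, recs in sorted(by_family.items()):
        sizes = {rec["size_kb"] for rec in recs}
        dirs = {rec["location"].lower() for rec in recs}
        summary[virus] = {
            "count": len(recs),
            "distinct_dirs": len(dirs),
            "uniform_size_kb": next(iter(sizes)) if len(sizes) == 1 else None,
        }
    return summary

def uniform_replacement_families(summary, min_hits=3):
    """Families whose hits are identically sized files spread over several
    unrelated directories; min_hits is a threshold chosen for this example."""
    return [virus for virus, s in summary.items()
            if s["count"] >= min_hits and s["distinct_dirs"] >= min_hits
            and s["uniform_size_kb"] is not None]

if __name__ == "__main__":
    summary = summarize_by_family(parse_quarantine_report(SAMPLE_REPORT))
    for virus, s in summary.items():
        print(virus, s)
    print("same-size replacement pattern:", uniform_replacement_families(summary))
```

Run against the full report above (paste it into `SAMPLE_REPORT` or read it from a file), the same-size flag fires for Trojan.Zonebac alone: sixteen different vendors' startup executables, all 27.0 KB, while the Trojan.Adclicker and Trojan.Dropper hits under WinBudget have three different sizes. The FindAWF output later in the thread, which lists the larger originals in `BAK` folders next to those same names, is the other half of that picture.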

deac83 (Thread Starter; joined Feb 1, 2007; 50 messages)
Ran Trend Micro HouseCall last night and it only came up with an undefined Trojan, but none of the above.

No takers on this, too much detail?

Joined Oct 3, 2007; 1,164 messages
Howdy deac83,

One of the few places a "bump" is a bump backwards, as requests are checked in order of oldest, AND those with no replies showing. The log does show some known indications of Zonebac, so let's look & start some repairs.


Download HostsXpert, and have it ready for use.

Run HostsXpert. Press the "Restore MS Hosts File" button and then press the OK button.

---------------------------

Then temporarily disable all other protective software when running this next step.

Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------------------

Then go here and download and run FindAWF.

When the tool has completed, a report will open up in Notepad. Please post the results of awf.txt here, along with the combofix.txt log.

deac83 (Thread Starter; joined Feb 1, 2007; 50 messages)
Noted on the bump.

Out of town until the week-end, will report back when listed tasks are completed. Thanks.

Joined Oct 3, 2007; 1,164 messages
Enjoy your travels. Be sure to minimize the use of this system until we can get it cleaned up.

deac83 (Thread Starter; joined Feb 1, 2007; 50 messages)
OK, ran all 3.

FYI, ComboFix rebooted the system the first time, and NIS was off but reset on reboot, so I had to run it again.

FindAWF - selected 1 to run, and that's all I ran, with the log below.

ComboFix 07-11-01.1 - Owner 2007-11-03 8:36:54.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1193224958.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 08:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 20:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-28 20:28 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\WINDOWS
2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\Symantec
2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\Sonic
2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\SampleView
2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\interMute
2007-10-15 14:00 <DIR> d-------- C:\Program Files\Common Files\aolback
2007-10-15 13:59 <DIR> d-------- C:\Program Files\AOL Companion
2007-10-15 13:59 <DIR> d-------- C:\Install Winamp
2007-10-15 13:59 <DIR> d-------- C:\Install ICQ
2007-10-15 13:59 <DIR> d-------- C:\Install AOL Communicator
2007-10-15 13:58 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
2007-10-15 13:58 24,659 --a------ C:\WINDOWS\system32\aolddial.dll
2007-10-15 13:57 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-10-15 13:57 <DIR> d-------- C:\Program Files\America Online 9.0a
2007-10-15 13:30 <DIR> d-------- C:\WINDOWS\pss
2007-10-13 16:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2
2007-10-09 13:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 15:26 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-05 19:36 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\system32\bak
2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\system\bak
2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 13:37 --------- d-----w C:\Program Files\GetRight
2007-11-03 01:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-27 07:42 --------- d-----w C:\Program Files\QuickTime
2007-10-15 18:59 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-15 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-15 14:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
2007-10-15 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-06 20:45 --------- d-----w C:\Program Files\Symantec
2007-10-06 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-06 20:25 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-04 11:19 --------- d-----w C:\Program Files\Winamp
2007-10-04 11:19 --------- d-----w C:\Program Files\SymNetDrv
2007-10-04 11:19 --------- d-----w C:\Program Files\Multimedia Card Reader
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2005-10-31 01:01 76,568 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-10-25 14:34 557,056 ----a-w C:\Documents and Settings\Owner\chatlnk.exe
2004-02-03 00:36:59 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" []
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 04:56]
"nwiz"="nwiz.exe" [2003-08-19 04:56 C:\WINDOWS\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" []
"LTMSG"="LTMSG.exe" [2003-07-14 19:52 C:\WINDOWS\ltmsg.exe]
"CTHelper"="CTHELPER.EXE" [2003-05-28 21:59 C:\WINDOWS\system32\cthelper.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-06 15:11]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-28 17:37]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"NVIEW"="nview.dll" [2003-08-19 04:56 C:\WINDOWS\system32\nview.dll]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE
"CMSRegOW.exe"="C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1171561510\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)

.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 12:43:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 08:40:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-03 8:48:38
.
--- E O F ---

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 11/03/2007
The current time is: 8:52:47.78


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 10:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MULTIM~1\BAK

08/14/2003 09:11 PM 139,264 shwicon2k.exe
1 File(s) 139,264 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

03/12/2005 05:55 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/28/2007 10:17 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\WINAMP\BAK

04/26/2002 12:53 PM 12,288 Winampa.exe
1 File(s) 12,288 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/13/2002 11:42 PM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/25/2007 04:01 AM 182 hpsysdrv.DAT
05/07/1998 06:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 02:56 AM 15,360 ctfmon.exe
04/07/2003 09:07 AM 114,688 hkcmd.exe
05/23/2003 04:55 AM 483,328 hphmon05.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
10/16/2002 06:57 PM 81,920 ps2.exe
5 File(s) 850,944 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 06:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

09/13/2004 03:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

07/23/2003 06:37 PM 53,248 mmtask.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\TEXTBR~1.0\BIN\BAK

12/10/1998 02:57 PM 37,376 INSTAN~1.EXE
12/10/1998 01:33 PM 23,040 REGIST~1.EXE
2 File(s) 60,416 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/11/2004 12:33 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

09/30/2002 02:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

10/29/2002 10:18 AM 49,152 CTSysVol.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

06/22/2003 11:25 PM 24,576 backupnotify.exe
1 File(s) 24,576 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK

10/07/2002 09:23 AM 90,112 hpqcmon.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\117156~1\EE\BAK

09/25/2006 07:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
139264 Aug 14 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
77824 Mar 12 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
111840 Oct 6 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 28 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
12288 Apr 26 2002 "C:\Program Files\Winamp\bak\Winampa.exe"
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
188 Oct 3 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
483328 May 23 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
53248 Jul 23 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Jul 23 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
37376 Dec 10 1998 "C:\Program Files\TextBridge Pro 8.0\Bin\bak\INSTAN~1.EXE"
23040 Jan 27 2000 "C:\zzz\divx_3.11alpha\DivX_311alpha\Register_DivX.exe"
23040 Dec 10 1998 "C:\Program Files\TextBridge Pro 8.0\Bin\bak\REGIST~1.EXE"
180269 Oct 11 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
24576 Jun 22 2003 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"
90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1171561510\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1171561510\ee\bak\AOLSoftware.exe"


end of report


Thanks
Joined
Oct 3, 2007
Messages
1,164
Shoot - not sure where I missed responding here after your last post. The situation there is a bit muddied by Norton removing the infection files, as shown in the beginning of your post, but not sure then how Norton handles what remains, as the startups are then without the legit files (stored in these many "bak" folders). To add to that, some of the startups involved had been disabled through msconfig.

For example, here is the HP file that monitors its recovery partition:

RECGUARD.EXE


Here is the infected copy Norton removed:

RECGUARD.EXE
c:\WINDOWS\SMINST
Backup of an infected file 27.0 KB Trojan.Zonebac
SYSTEM HOMEHP WORKGROUP
Wednesday, October 24, 2007 2:22:18 PM
Not submitted

Here is the legitimate copy infection moved to a bak folder:

212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"

Here is the startup that would normally show in HijackThis - but once Norton removed the file (although infected) the startup no longer shows.

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

As this occurred to quite a few startups there, this caused the storm of mishaps your wife reported on in the beginning. I would like to recommend you do a System Restore to a date prior to when Norton made its changes, to see if we can recover the missing startups. The other method would be for me to weed through these, and attempt to rebuild them from other forum threads with similar startups, though no guarantees on the success of that. Then we do a far simpler method of returning the legit files to their right locations. Norton will need to stay disabled though throughout any of the procedures I described. Post back what you think about the situation.

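As an added illustration (not part of the thread, and not code from Find AWF or any other tool mentioned in it), the following Python script applies the reasoning in the post above to the "Duplicate files of bak directory contents" listing: for each file sitting in a bak folder it checks whether a copy is still listed at the original location and whether that copy matches the backup in size. The sample lines are a constructed excerpt in the report's line format, and the path-derivation rule (drop the trailing bak directory) is an assumption about how those folders were laid out.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the Find AWF "Duplicate files of bak
# directory contents" listing: <size> <Mon D YYYY> "<path>".
SAMPLE_REPORT = r'''
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
111840 Oct 6 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 28 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
'''

# size, three-letter month + day + year, then the quoted path
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_awf_duplicates(text: str) -> list[Entry]:
    """Parse the duplicate-file lines; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_bak_copy(path: str) -> bool:
    """True when the file's parent directory is named 'bak' (case-insensitive)."""
    parts = path.split("\\")
    return len(parts) >= 2 and parts[-2].lower() == "bak"


def original_path(bak_path: str) -> str:
    r"""Assumed layout: C:\...\dir\bak\file.exe was moved from C:\...\dir\file.exe."""
    parts = bak_path.split("\\")
    return "\\".join(parts[:-2] + parts[-1:])


def classify(entries: list[Entry]) -> dict[str, str]:
    """For every bak copy, report the state of the file at its original location.

    intact  - a file is listed at the original location with the same size
    differs - a file is listed there but with a different size (replaced after
              the backup was made; worth checking against the AV quarantine log)
    missing - nothing is listed at the original location, so a startup entry
              pointing there now runs nothing; the bak copy is the restore candidate
    """
    by_path = {e.path.lower(): e for e in entries}
    result = {}
    for e in entries:
        if not is_bak_copy(e.path):
            continue
        orig = original_path(e.path)
        current = by_path.get(orig.lower())
        if current is None:
            result[orig] = "missing"
        elif current.size == e.size:
            result[orig] = "intact"
        else:
            result[orig] = "differs"
    return result


if __name__ == "__main__":
    for path, state in sorted(classify(parse_awf_duplicates(SAMPLE_REPORT)).items()):
        print(f"{state:8s} {path}")
```

On the sample, RECGUARD.EXE and hkcmd.exe come out as missing (only the bak copies are listed), SNDMon.exe as differs (111840 vs 100056 bytes), and ctfmon.exe as intact.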
deac83

Thread Starter
Joined
Feb 1, 2007
Messages
50
Well the bad news is I'm out of town now until Friday, so I won't be able to try anything until then.

Here are my thoughts/questions:

- I was going to ask this but a quick web search answered this, Symantec had me turn off System Restore to re-run NAV so the virus would not be in the restore files. So I'm assuming that this is no longer an option. System restore is currently off.

- Not sure if this helps but I believe when I loaded NIS on this system that I may have created system recovery disks, but I'd have to dig through my old CDs as that was a few years ago.

- I believe the startups that were disabled via msconfig are my doing as there were a few programs that insisted on running at startup such as AOL and Realplayer (which is where the reapall trojan supposedly came from). So unless you see differently, it should only be non-OS type software that I disabled.

- Since you are focused on getting the startup files back, does this mean I've disabled/removed the virus/trojans? And we are just trying to recover from the 'damage' the removal process caused?

- The system appears to run normally except for two items I've noticed. The 'HP Product Assist' tries to load/startup, but I can get rid of that via task manager. The second is the 'sound icon' doesn't load in the task bar. I'm sure there are more items I'm not aware of like the recovery partition monitoring file you referenced, but I don't know what the impact of those missing files may be.

- Finally, I do know, from past experience with HP, that for my machine they (HP) keep the original system CDs and without them I can't reload the OS. Unfortunately I know this from an HDD failure which took HP 2+ months to rectify, which in the end resulted in HP replacing a 3 year old system for free as it was under warranty.

So that's where we stand.

Thanks again, and let me know what my options are given the above situation.
Joined
Oct 3, 2007
Messages
1,164
Unfortunate timing with that Symantec suggestion to disable System Restore. My choice of files to mention was fortunate, since it refers to the HP recovery partition, which is a potential means of returning corrupted system-specific data if needed. I will see if I can generate a startup replacement step based on this information to avoid any procedures like that. There is other active infection here, so this Zonebac part is only one part needing addressing.

deac83

Thread Starter
Joined
Feb 1, 2007
Messages
50
Home the next 3 days.

I guess I've got a bit of a mess on my hands. :)

Thanks in advance for your help.
Joined
Oct 3, 2007
Messages
1,164
Good news is infection doesn't show as rampant there. Let's clean some of that and address the repairs after, but I'll need a fresh HijackThis log to work from.

Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here along with that new HijackThis log please.

deac83

Thread Starter
Joined
Feb 1, 2007
Messages
50
Here you go. Both HijackThis and Silent Runners. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 12:02:23 PM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\temp1\xnews\Xnews.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\temp1\downloaded programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} (vzDLinkRouterUpgrade Class) - http://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" [file not found]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet /keeploaded /nodetect" ["NVIDIA Corporation"]
"VTTimer" = "VTTimer.exe" [file not found]
"LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)
-> {HKLM...CLSID} = "bho2gr Class"
\InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {HKLM...CLSID} = "CNisExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{D714A94F-123A-45CC-8F03-040BCAF82AD6}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" ["SideStep Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{19CC43A1-6925-4B48-B292-830291F393A6}" = "HPNSView"
-> {HKLM...CLSID} = "My Kahuna"
\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdns_01.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BAB66DEA-6E13-473b-AA5A-B4172418F54B}" = "Firehand Ember Thumbnail Icon Generator"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Firehand Technologies\Ember\fhndicon.dll" ["Firehand Technologies Corporation"]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\My Documents\Firehand Ember Image.bmp"


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"APC UPS Status" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]
"GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
SpSubLSP.dll ["interMute, Inc."], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP View"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
-> {HKLM...CLSID} = "HP View"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
-> {HKLM...CLSID} = "HP View"
\InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {HKLM...CLSID} = "Norton Internet Security"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SideStep"
\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" ["SideStep Inc."]
{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "hp view"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "HP View"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msjava.dll" [MS]

{3E230861-5C87-11D3-A1C6-00105A1B41B8}\
"ButtonText" = "SideStep"

{5B3FB261-CF72-4C66-B314-8E6FF9980307}\
"ButtonText" = "Verizon Central"
"Exec" = "www.verizon.net" [file not found]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2007-11-09 12:03:22)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 71 seconds, including 19 seconds for message boxes)
 

deac83

Thread Starter
Joined
Feb 1, 2007
Messages
50
FYI my NAV scan last night found 'Advatrix' on the computer. According to Norton released 10/25 and another version 11/5.
 
Joined
Oct 3, 2007
Messages
1,164
Did Norton give a location and file name for that item? Although your continuing want to make repairs is expected, changes made without info here leave this end of the deal a bit shy on best next steps ideas.

Let's return the startup files moved by infection back to their correct locations. This procedure is based on the list you posted in the beginning of legit named items listed by Norton as Zonebac, and info from your FindAWF report. I did a double-check of the list so hope it is a complete replacement of the moved files, but it is a bit of a file logjam assessing this one. Please make sure Norton and other protective software is disabled when doing these steps.



Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com


------------------------------

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Then press 2 (Press 2 then Enter to restore files from bak folders).

A text file will open called: files.txt
Highlight the following text, then click below the line and copy/paste the entire following list of files to be restored (or use Ctrl - V as suggested):

Code:
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
"C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"c:\Program Files\HP\Digital Imaging\Unload\bak\backupnotify.exe"
"c:\Program Files\Winamp\bak\Winampa.exe"
"c:\WINDOWS\system32\bak\NeroCheck.exe"
"c:\Program Files\TextBridge Pro 8.0\Bin\bak\InstantAccess.exe"
"c:\hp\KBD\bak\KBD.EXE"
"c:\WINDOWS\system32\bak\hkcmd.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"c:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"c:\WINDOWS\system32\bak\ps2.exe"
"C:\windows\system\bak\hpsysdrv.exe"
"c:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
"c:\Program Files\TextBridge Pro 8.0\Bin\bak\RegisterDropHandler.exe"
"c:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
"c:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"
"c:\WINDOWS\bak\UpdReg.EXE"
Then close the file and click Yes to save the changes.

It will automatically run a new scan and open a new log - please paste those contents back here.

----------------------------------

Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


Then post back a new HijackThis log, a new ComboFix log, the new FindAWF log and the Kaspersky log please.
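An added check for the FindAWF restore step above (this is example code, not part of this thread, of FindAWF or of any Symantec tool): given the quoted bak-folder list, it works out where each file lived before the infection moved it and compares the SHA-256 of whatever now sits at that location with the bak copy, so entries where the two differ can be reviewed before restoring. The two paths in SAMPLE_LIST and the file contents are constructed, and the Windows paths are re-rooted under a temporary directory so the check runs offline.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample in the quoted form of the FindAWF restore list above.
SAMPLE_LIST = r'''
"C:\Program Files\QuickTime\bak\qttask.exe"
"c:\WINDOWS\system32\bak\NeroCheck.exe"
'''

def parse_restore_list(text):
    """Return each quoted line of the list as a PureWindowsPath."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [PureWindowsPath(ln[1:-1]) for ln in lines
            if ln.startswith('"') and ln.endswith('"')]

def original_location(bak_path):
    """Map dir/bak/name.exe back to dir/name.exe, where the file lived before it was moved."""
    bak_path = PureWindowsPath(bak_path)
    if bak_path.parent.name.lower() != "bak":
        raise ValueError(f"not a bak-folder path: {bak_path}")
    return bak_path.parent.parent / bak_path.name

def classify(live, bak):
    """Compare the file now at the autostart location with the copy in the bak folder."""
    live, bak = Path(live), Path(bak)
    if not bak.is_file():
        return "no-backup"
    if not live.is_file():
        return "live-missing"
    same = hashlib.sha256(live.read_bytes()).digest() == hashlib.sha256(bak.read_bytes()).digest()
    return "identical" if same else "differs"

def demo():
    """Build a constructed layout under a temp dir and classify each SAMPLE_LIST entry."""
    root = Path(tempfile.mkdtemp())
    # Constructed contents: qttask.exe still matches its bak copy; NeroCheck.exe does not.
    fake = {"qttask.exe": (b"MZ-original", b"MZ-original"),
            "NeroCheck.exe": (b"MZ-something-else", b"MZ-original")}
    results = {}
    for bak in parse_restore_list(SAMPLE_LIST):
        live = original_location(bak)
        live_p = root / "/".join(live.parts[1:])  # drop the drive letter, re-root under temp dir
        bak_p = root / "/".join(bak.parts[1:])
        bak_p.parent.mkdir(parents=True, exist_ok=True)
        live_p.write_bytes(fake[bak.name][0])
        bak_p.write_bytes(fake[bak.name][1])
        results[bak.name] = classify(live_p, bak_p)
    return results
```

An entry reported as "differs" only means the live file is not the bak copy; it is a candidate for review, not proof of infection.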