
Reapall/Zonebac/Adclicker/Dropper I've got lots of problems

Discussion in 'Virus & Other Malware Removal' started by deac83, Oct 28, 2007.

  1. deac83 (Thread Starter)

    7 years on high-speed broadband and never had a problem; I put up a firewall before I ever connected, but the following series of events over the last several weeks has gotten me to where I am now.

    System info:
    HP
    XP 2002 SP2
    Pentium 4, 2.6 GHz
    1 GB RAM

    Internet: Verizon FIOS
    Norton Internet Security for firewall and anti-virus

    I believe it all started 4 weeks ago when:

    1. My internet connection started going up and down. Verizon eventually showed up and changed the router from the original D-Link to an Actiontec.
    2. I was not home when he did this, but my wife was, and after he put in the new router the internet was up and running again, but the AOL 9VR software would not connect to the internet (i.e. via the broadband connection); my wife said the Verizon tech said it was a problem with NIS settings. I could not get the AOL software to work again, so I told my wife to use IE7 to get her mail.
    3. My wife uses IE7 to access her AOL mail during the week.
    4. Suddenly during the week (I travel during the week), she called me and said she could not log on to AOL webmail or access sites that required a logon.
    5. I tell her to click on the NIS icon in the taskbar and she says it's not there. I have her bring up NIS manually. She reports that NAV is reporting an error, and the error states the program must be reloaded to fix it.
    6. On the weekend, I determine the problem is that NIS has a setting changed to block access to secure sites. When I try to change the setting, NIS says I do not have admin privileges to change it. That's when I notice that there is a 'new' user listed in NIS, which is what is logged in for NIS. This setting has the parental controls enabled.
    7. I disconnect the computer from the internet and uninstall NIS. Reload NIS. NIS now appears to be working normally.
    8. This week my wife calls me and says the computer has the message: 16 bit MS-DOS Subsystem, c:\docume~1\owner\locals~1\119232~1.exe, the NTVDM CPU has encountered an illegal instruction. CS:Odf5IP:0132 OP:fe de 2c 43ee
    9. Two days later my wife calls with: HP Product Assist, the feature you are trying to use is on CD-ROM or other removable disk that is not available ...... This message comes up when turning the computer on. Cancelling does nothing, and once Cancel is hit the computer will only shut off via the power button.
    10. Get home on Friday, see the problem and confirm the HP Product Assist issue. Run NAV that night. NAV finds the 4 trojans and multiple infected files.
    10a. The Symantec website suggests running NAV in Safe Mode, which I attempted to do, but I get an error saying there is a problem with 'product integrator'.
    10b. Contact Symantec online support via chat. Their solution is to reinstall NIS/NAV, saying it won't run in Safe Mode because it is infected. I tell them it had identified the trojans. They say I should call their tech support and pay them to fix the problem (interesting money-making idea).

    10c. The NAV log follows:

    Norton AntiVirus Quarantine Report
    Created: Saturday, October 27, 2007 8:54:12 AM
    ------------------------------------------------------------------------------

    File Name
    Location
    Status Size Virus Name
    User Name Machine Name Domain
    Date Quarantined
    Date Submitted

    ------------------------------------------------------------------------------

    mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox
    Backup of an infected file 27.0 KB Trojan.Zonebac
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:40:20 AM
    Not submitted

    ------------------------------------------------------------------------------

    shwicon2k.exe
    c:\Program Files\Multimedia Card Reader
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:19 PM
    Not submitted

    ------------------------------------------------------------------------------

    crap.1191639737.old
    C:\Program Files\WinBudget\bin
    Backup of an infected file 91.2 KB Trojan.Dropper
    SYSTEM HOMEHP WORKGROUP
    Friday, October 12, 2007 10:58:23 PM
    Not submitted

    ------------------------------------------------------------------------------

    RECGUARD.EXE
    c:\WINDOWS\SMINST
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:18 PM
    Not submitted

    ------------------------------------------------------------------------------

    hphmon05.exe
    c:\WINDOWS\system32
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:17 PM
    Not submitted

    ------------------------------------------------------------------------------

    qttask.exe
    C:\Program Files\QuickTime
    Backup of an infected file 27.0 KB Trojan.Zonebac
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:42:58 AM
    Not submitted

    ------------------------------------------------------------------------------

    matrix.dll.1193224957.old
    C:\Program Files\WinBudget\bin
    Backup of an infected file 106 KB Trojan.Adclicker
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:46:02 AM
    Not submitted

    ------------------------------------------------------------------------------

    MATRIX.DLL
    C:\PROGRAM FILES\WINBUDGET\BIN
    Backup of an infected file 73.0 KB Trojan.Adclicker
    SYSTEM HOMEHP WORKGROUP
    Monday, October 08, 2007 8:06:59 PM
    Not submitted

    ------------------------------------------------------------------------------

    hpqcmon.exe
    c:\Program Files\HP\Digital Imaging\Unload
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:17 PM
    Not submitted

    ------------------------------------------------------------------------------

    Winampa.exe
    c:\Program Files\Winamp
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:20 PM
    Not submitted

    ------------------------------------------------------------------------------

    NeroCheck.exe
    c:\WINDOWS\system32
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:21 PM
    Not submitted

    ------------------------------------------------------------------------------

    InstantAccess.exe
    c:\Program Files\TextBridge Pro 8.0\Bin
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:20 PM
    Not submitted

    ------------------------------------------------------------------------------

    crap.1192450921.old
    C:\Program Files\WinBudget\bin
    Backup of an infected file 174 KB Trojan.Adclicker
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:46:01 AM
    Not submitted

    ------------------------------------------------------------------------------

    KBD.EXE
    c:\hp\KBD
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:18 PM
    Not submitted

    ------------------------------------------------------------------------------

    hkcmd.exe
    c:\WINDOWS\system32
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:17 PM
    Not submitted

    ------------------------------------------------------------------------------

    realsched.exe
    C:\Program Files\Common Files\Real\Update_OB
    Backup of an infected file 27.0 KB Trojan.Zonebac
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:31:58 AM
    Not submitted

    ------------------------------------------------------------------------------

    l[3].htm
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DMW4QSNM
    Backup of an infected file 3.70 KB Trojan.Reapall
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:14:45 AM
    Not submitted

    ------------------------------------------------------------------------------

    HPWuSchd2.exe
    c:\Program Files\HP\HP Software Update
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:21 PM
    Not submitted

    ------------------------------------------------------------------------------

    ps2.exe
    c:\WINDOWS\system32
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:18 PM
    Not submitted

    ------------------------------------------------------------------------------

    hpsysdrv.exe
    C:\windows\system
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Thursday, October 25, 2007 5:04:52 PM
    Not submitted

    ------------------------------------------------------------------------------

    CTSysVol.exe
    c:\Program Files\Creative\SBAudigy2\Surround Mixer
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:19 PM
    Not submitted

    ------------------------------------------------------------------------------

    RegisterDropHandler.exe
    c:\Program Files\TextBridge Pro 8.0\Bin
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:21 PM
    Not submitted

    ------------------------------------------------------------------------------

    CTDVDDet.EXE
    c:\Program Files\Creative\SBAudigy2\DVDAudio
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:19 PM
    Not submitted

    ------------------------------------------------------------------------------

    crap.1192277520.old
    C:\Program Files\WinBudget\bin
    Backup of an infected file 174 KB Trojan.Adclicker
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:46:01 AM
    Not submitted

    ------------------------------------------------------------------------------

    backupnotify.exe
    c:\Program Files\HP\Digital Imaging\bin
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:22 PM
    Not submitted

    ------------------------------------------------------------------------------

    UpdReg.EXE
    c:\WINDOWS
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:20 PM
    Not submitted

    ------------------------------------------------------------------------------

    matrix.dll.1192450919.old
    C:\Program Files\WinBudget\bin
    Backup of an infected file 106 KB Trojan.Adclicker
    Owner HOMEHP WORKGROUP
    Saturday, October 27, 2007 2:46:02 AM
    Not submitted

    ------------------------------------------------------------------------------

    11. Ran HijackThis today; the log follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:18:35 PM, on 10/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\LTMSG.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\temp1\xnews\Xnews.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\temp1\downloaded programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
    O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} (vzDLinkRouterUpgrade Class) - http://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    If you've read this far, thanks in advance for the help. I'm quite perplexed and, as noted, I've had 7 years with no identified problems, mostly due to always having firewalls and anti-virus protection in place.
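
An added example, not part of deac83's post and not code from any Symantec tool: the detail worth pulling out of the quarantine report above is that every Trojan.Zonebac detection is exactly 27.0 KB even though the files belong to unrelated products (HP, QuickTime, Creative, Winamp, Nero, TextBridge), while the Adclicker and Dropper hits in WinBudget\bin vary in size. A file infector leaves the host's size roughly intact; identical sizes across many unrelated autostart executables is what it looks like when those executables have been replaced outright by copies of one dropped file, which fits the `bak` directories that show up later in the ComboFix log. The Python below parses the Norton report and the HijackThis O4 Run lines in the format posted, flags detection-name/size pairs that recur across several directories, and lists the Run entries whose image name matches a quarantined file (hpsysdrv.exe in the sample, which the HJT log still launches from c:\windows\system). The sample input is a constructed subset of the logs above, and the "three directories" threshold is an assumption.

```python
"""Correlate a Norton quarantine report with HijackThis O4 (autostart) entries."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Quarantined(NamedTuple):
    name: str      # file name as quarantined
    location: str  # directory it was quarantined from
    size: str      # size string exactly as the report prints it, e.g. "27.0 KB"
    threat: str    # detection name, e.g. "Trojan.Zonebac"


# A record is a file-name line, a drive-letter location line and the
# "Backup of an infected file <size> <threat>" status line; later lines are ignored.
_RECORD = re.compile(
    r"^(?P<name>\S+)\r?\n"
    r"(?P<location>[A-Za-z]:\\[^\r\n]*)\r?\n"
    r"Backup of an infected file (?P<size>\d+(?:\.\d+)? KB) (?P<threat>\S+)",
    re.MULTILINE,
)
# HijackThis line: O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
_O4_RUN = re.compile(
    r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+?)\s*$", re.MULTILINE
)


def parse_quarantine(report: str) -> List[Quarantined]:
    return [Quarantined(m["name"], m["location"].strip(), m["size"], m["threat"])
            for m in _RECORD.finditer(report)]


def parse_o4_run(hjt_log: str) -> Dict[str, str]:
    """Map each O4 Run value name to the lower-cased base name of its image file."""
    entries = {}
    for m in _O4_RUN.finditer(hjt_log):
        cmd = m["cmd"]
        if cmd.startswith('"'):            # quoted path, may contain spaces
            image = cmd[1:cmd.find('"', 1)]
        else:                              # otherwise the first token is the image
            image = cmd.split(" ", 1)[0]
        entries[m["key"]] = image.rsplit("\\", 1)[-1].lower()
    return entries


def uniform_size_groups(items: Iterable[Quarantined], min_dirs: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """(threat, size) pairs seen in at least min_dirs distinct directories.

    Binaries from unrelated products all detected at exactly the same size is the
    fingerprint of wholesale replacement by one dropped file, not of a file infector."""
    dirs = defaultdict(set)
    for q in items:
        dirs[(q.threat, q.size)].add(q.location.lower())
    return {k: sorted(v) for k, v in dirs.items() if len(v) >= min_dirs}


def replaced_autostarts(items: Iterable[Quarantined], o4: Dict[str, str]) -> Dict[str, str]:
    """O4 Run entries whose image file name matches a quarantined file name."""
    quarantined = {q.name.lower() for q in items}
    return {key: image for key, image in o4.items() if image in quarantined}


# Constructed sample: a subset of the records posted above, trimmed to the three
# lines per record that the parser reads.
SAMPLE_REPORT = r"""Norton AntiVirus Quarantine Report
------------------------------------------------------------------------------
mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox
Backup of an infected file 27.0 KB Trojan.Zonebac
hphmon05.exe
c:\WINDOWS\system32
Backup of an infected file 27.0 KB Trojan.Zonebac
hpsysdrv.exe
C:\windows\system
Backup of an infected file 27.0 KB Trojan.Zonebac
qttask.exe
C:\Program Files\QuickTime
Backup of an infected file 27.0 KB Trojan.Zonebac
MATRIX.DLL
C:\PROGRAM FILES\WINBUDGET\BIN
Backup of an infected file 73.0 KB Trojan.Adclicker
crap.1191639737.old
C:\Program Files\WinBudget\bin
Backup of an infected file 91.2 KB Trojan.Dropper
"""
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    items = parse_quarantine(SAMPLE_REPORT)
    for (threat, size), where in uniform_size_groups(items).items():
        print(f"{threat} at {size} in {len(where)} directories: replacement pattern")
    for key, image in replaced_autostarts(items, parse_o4_run(SAMPLE_HJT)).items():
        print(f"O4 Run [{key}] launches quarantined file {image}")
```

On a real machine the same correlation is done against the full report and the full HJT log; a Run entry that still points at a quarantined (now missing) file is a loading point to repair, and the original binary, if it survives, is what should be put back rather than the quarantined copy.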
     
  2. deac83 (Thread Starter)

    Ran Trend Micro HouseCall last night and it only came up with an undefined Trojan, but none of the above.

    No takers on this, too much detail?
     
  3. Jintan

    Howdy deac83,

    This is one of the few places where a "bump" is a bump backwards, as requests are checked in order of oldest, AND those with no replies showing. The log does show some known indications of Zonebac, so let's look and start some repairs.


    Download HostsXpert, and have it ready for use.

    Run HostsXpert. Press the "Restore MS Hosts File" button and then press the OK button.

    ---------------------------

    Then temporarily disable all other protective software when running this next step.

    Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

    When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    ---------------------------

    Then go here and download and run FindAWF.

    When the tool has completed, a report will open up in Notepad. Please post the results of the awf.txt here, along with the ComboFix.txt log.
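
The first step in Jintan's list resets the hosts file to the Microsoft default. As an added example (not from the thread and not HostsXpert's code), the Python below shows what that reset is undoing: it parses a hosts file, treats only the stock `127.0.0.1 localhost` line as legitimate, and reports every other mapping with a reason, marking names that look like anti-virus or update servers, since pointing those at loopback is how a hijacked hosts file keeps NAV and Windows Update from reaching their servers. The sample hosts content and the watch list of vendor names are constructed assumptions, not anything observed on deac83's machine.

```python
"""Audit a Windows hosts file for hijacked entries before resetting it to the default."""
import ipaddress
from typing import List, NamedTuple, Tuple

# The only mapping a stock Windows XP hosts file needs; what a "restore" writes back.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"
LOCALHOST_NAMES = {"localhost"}
# Assumed watch list (not from the thread): name fragments of AV and OS update
# services that tampered hosts files commonly point at loopback to block updates.
WATCH_WORDS = ("symantec", "norton", "liveupdate", "windowsupdate", "microsoft",
               "avg", "trendmicro")


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    names: Tuple[str, ...]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the active (non-comment) mappings; lines with an invalid address are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if names:
            entries.append(HostsEntry(line_no, ip, tuple(n.lower() for n in names)))
    return entries


def suspicious_entries(entries: List[HostsEntry]) -> List[Tuple[HostsEntry, str]]:
    """Every mapping other than localhost -> loopback, each with a reason string."""
    findings = []
    for e in entries:
        loopback = ipaddress.ip_address(e.ip).is_loopback
        if loopback and set(e.names) <= LOCALHOST_NAMES:
            continue                              # the legitimate default line
        reason = "blackholed to loopback" if loopback else "redirected to non-loopback address"
        if any(w in n for n in e.names for w in WATCH_WORDS):
            reason += " (security/update domain)"
        findings.append((e, reason))
    return findings


# Constructed sample of a tampered hosts file; none of these entries come from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # update server blackholed
127.0.0.1       www.avg.com
64.0.0.1        www.google.com            # sent somewhere else entirely
not-an-ip       ignored.example
"""

if __name__ == "__main__":
    for entry, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {entry.line_no}: {entry.ip} -> {', '.join(entry.names)}: {why}")
    print("after reset the file contains only:", DEFAULT_HOSTS.strip())
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts before clicking "Restore MS Hosts File" and you keep a record of what was there; the reset itself is just writing DEFAULT_HOSTS back.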
     
  4. deac83 (Thread Starter)

    Noted on the bump.

    Out of town until the weekend; will report back when the listed tasks are completed. Thanks.
     
  5. Jintan

    Enjoy your travels. Be sure to minimize the use of this system until we can get it cleaned up.
     
  6. deac83 (Thread Starter)

    OK, ran all 3.

    FYI, ComboFix rebooted the system the first time and NIS was off but reset on reboot, so I had to run it again.

    FindAWF: selected 1 to run, and that's all I ran, with the log below.

    ComboFix 07-11-01.1 - Owner 2007-11-03 8:36:54.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Program Files\WinBudget
    C:\Program Files\WinBudget\bin\crap.1193224958.old
    C:\Program Files\WinBudget\bin\matrix.dat
    C:\Program Files\WinBudget\bin\matrix.dll
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-03 08:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-28 20:32 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-10-28 20:28 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
    2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-27 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\WINDOWS
    2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\Symantec
    2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\Sonic
    2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\SampleView
    2007-10-27 15:07 <DIR> d-------- C:\Documents and Settings\Administrator.HOMEHP\Application Data\interMute
    2007-10-15 14:00 <DIR> d-------- C:\Program Files\Common Files\aolback
    2007-10-15 13:59 <DIR> d-------- C:\Program Files\AOL Companion
    2007-10-15 13:59 <DIR> d-------- C:\Install Winamp
    2007-10-15 13:59 <DIR> d-------- C:\Install ICQ
    2007-10-15 13:59 <DIR> d-------- C:\Install AOL Communicator
    2007-10-15 13:58 153,088 --a------ C:\WINDOWS\system32\jgdwmie.dll
    2007-10-15 13:58 24,659 --a------ C:\WINDOWS\system32\aolddial.dll
    2007-10-15 13:57 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2007-10-15 13:57 <DIR> d-------- C:\Program Files\America Online 9.0a
    2007-10-15 13:30 <DIR> d-------- C:\WINDOWS\pss
    2007-10-13 16:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2
    2007-10-09 13:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-06 15:26 <DIR> d-------- C:\Program Files\Norton Internet Security
    2007-10-05 19:36 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\system32\bak
    2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\system\bak
    2007-10-03 21:51 <DIR> d-------- C:\WINDOWS\bak

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 13:37 --------- d-----w C:\Program Files\GetRight
    2007-11-03 01:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-10-27 07:42 --------- d-----w C:\Program Files\QuickTime
    2007-10-15 18:59 --------- d-----w C:\Program Files\Common Files\AOL
    2007-10-15 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2007-10-15 14:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
    2007-10-15 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-06 20:45 --------- d-----w C:\Program Files\Symantec
    2007-10-06 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-06 20:25 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
    2007-10-04 11:19 --------- d-----w C:\Program Files\Winamp
    2007-10-04 11:19 --------- d-----w C:\Program Files\SymNetDrv
    2007-10-04 11:19 --------- d-----w C:\Program Files\Multimedia Card Reader
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2005-10-31 01:01 76,568 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2005-10-25 14:34 557,056 ----a-w C:\Documents and Settings\Owner\chatlnk.exe
    2004-02-03 00:36:59 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" []
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-19 04:56]
    "nwiz"="nwiz.exe" [2003-08-19 04:56 C:\WINDOWS\system32\nwiz.exe]
    "VTTimer"="VTTimer.exe" []
    "LTMSG"="LTMSG.exe" [2003-07-14 19:52 C:\WINDOWS\ltmsg.exe]
    "CTHelper"="CTHELPER.EXE" [2003-05-28 21:59 C:\WINDOWS\system32\cthelper.exe]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-10-06 15:11]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-28 17:37]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
    "NVIEW"="nview.dll" [2003-08-19 04:56 C:\WINDOWS\system32\nview.dll]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SetDefaultMidi"=MIDIDEF.EXE
    "CMSRegOW.exe"="C:\Program Files\InstallShield Installation Information\{56F3E1FF-54FE-4384-A153-6CCABA097814}\CMSRegOW.exe" /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
    backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\spamsubtract.lnk
    backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1171561510\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "AOL ACS"=2 (0x2)
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 12:43:21 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 08:40:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-03 8:48:38
    .
    --- E O F ---





    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sat 11/03/2007
    The current time is: 8:52:47.78


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    05/11/2000 02:00 AM 90,112 UpdReg.EXE
    1 File(s) 90,112 bytes

    Directory of C:\HP\KBD\BAK

    02/11/2003 10:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MULTIM~1\BAK

    08/14/2003 09:11 PM 139,264 shwicon2k.exe
    1 File(s) 139,264 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    03/12/2005 05:55 PM 77,824 qttask.exe
    1 File(s) 77,824 bytes

    Directory of C:\PROGRA~1\SYMNET~1\BAK

    09/28/2007 10:17 PM 100,056 SNDMon.exe
    1 File(s) 100,056 bytes

    Directory of C:\PROGRA~1\WINAMP\BAK

    04/26/2002 12:53 PM 12,288 Winampa.exe
    1 File(s) 12,288 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    09/13/2002 11:42 PM 212,992 RECGUARD.EXE
    1 File(s) 212,992 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/25/2007 04:01 AM 182 hpsysdrv.DAT
    05/07/1998 06:04 PM 52,736 hpsysdrv.exe
    2 File(s) 52,918 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 02:56 AM 15,360 ctfmon.exe
    04/07/2003 09:07 AM 114,688 hkcmd.exe
    05/23/2003 04:55 AM 483,328 hphmon05.exe
    07/09/2001 11:50 AM 155,648 NeroCheck.exe
    10/16/2002 06:57 PM 81,920 ps2.exe
    5 File(s) 850,944 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    01/09/2007 06:32 PM 58,984 ccApp.exe
    1 File(s) 58,984 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    09/13/2004 03:49 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

    07/23/2003 06:37 PM 53,248 mmtask.exe
    1 File(s) 53,248 bytes

    Directory of C:\PROGRA~1\TEXTBR~1.0\BIN\BAK

    12/10/1998 02:57 PM 37,376 INSTAN~1.EXE
    12/10/1998 01:33 PM 23,040 REGIST~1.EXE
    2 File(s) 60,416 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    10/11/2004 12:33 AM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

    09/30/2002 02:00 AM 45,056 CTDVDDet.EXE
    1 File(s) 45,056 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

    10/29/2002 10:18 AM 49,152 CTSysVol.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

    06/22/2003 11:25 PM 24,576 backupnotify.exe
    1 File(s) 24,576 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\UNLOAD\BAK

    10/07/2002 09:23 AM 90,112 hpqcmon.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\COMMON~1\AOL\117156~1\EE\BAK

    09/25/2006 07:52 PM 50,736 AOLSoftware.exe
    1 File(s) 50,736 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
    139264 Aug 14 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
    77824 Mar 12 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
    111840 Oct 6 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
    100056 Sep 28 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
    12288 Apr 26 2002 "C:\Program Files\Winamp\bak\Winampa.exe"
    212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    188 Oct 3 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
    182 Oct 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    114688 Apr 7 2003 "C:\WINDOWS\system32\bak\hkcmd.exe"
    114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
    483328 May 23 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
    155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
    58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    53248 Jul 23 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
    53248 Jul 23 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
    37376 Dec 10 1998 "C:\Program Files\TextBridge Pro 8.0\Bin\bak\INSTAN~1.EXE"
    23040 Jan 27 2000 "C:\zzz\divx_3.11alpha\DivX_311alpha\Register_DivX.exe"
    23040 Dec 10 1998 "C:\Program Files\TextBridge Pro 8.0\Bin\bak\REGIST~1.EXE"
    180269 Oct 11 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
    49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
    24576 Jun 22 2003 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"
    90112 Oct 7 2002 "C:\Program Files\HP\Digital Imaging\Unload\bak\hpqcmon.exe"
    50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1171561510\ee\AOLSoftware.exe"
    50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1171561510\ee\bak\AOLSoftware.exe"


    end of report


    Thanks
     
  7. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
Shoot - not sure where I missed responding here after your last post. The situation there is a bit muddied by Norton removing the infection files, as shown in the beginning of your post, but not sure then how Norton handles what remains, as the startups are then without the legit files (stored in these many "bak" folders). To add to that, some of the startups involved had been disabled through msconfig.

For example, here is the HP file that monitors its recovery partition:

    RECGUARD.EXE


    Here is the infected copy Norton removed:

    RECGUARD.EXE
    c:\WINDOWS\SMINST
    Backup of an infected file 27.0 KB Trojan.Zonebac
    SYSTEM HOMEHP WORKGROUP
    Wednesday, October 24, 2007 2:22:18 PM
    Not submitted

    Here is the legitimate copy infection moved to a bak folder:

    212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"

    Here is the startup that would normally show in HijackThis - but once Norton removed the file (although infected) the startup no longer shows.

    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

As this occurred to quite a few startups there, this caused the storm of mishaps your wife reported on in the beginning. I would like to recommend you do a System Restore to a date prior to when Norton made its changes, to see if we can recover the missing startups. The other method would be for me to weed through these, and attempt to rebuild them from other forum threads with similar startups, though no guarantees on the success of that. Then we do a far simpler method of returning the legit files to their right locations. Norton will need to stay disabled though throughout any of the procedures I described. Post back what you think about the situation.
     
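The mechanism Jintan describes above (the infected file sits at the startup path, the legitimate copy was moved into a sibling "bak" folder, and Norton's removal of the infected copy leaves the Run entry pointing at nothing) can be worked out from the two reports already in this thread. The following Python script is an added example written for this page; it is not code from Find AWF, Silent Runners, Symantec or the poster. It parses Find AWF "Duplicate files" lines and Silent Runners Run lines in the formats quoted above, matches each "[file not found]" startup to a bak copy in the same directory, and flags live files whose size differs from their bak copy so nothing gets blindly overwritten. The sample lines are constructed to illustrate the three cases (bak copy available, no bak copy, bare filename) and do not describe any particular machine; the script only builds a plan and never copies files.

```python
"""Plan restoration of legitimate startup binaries from AWF-style "bak" folders.

Added example for this thread, not code from Find AWF, Silent Runners or the
poster. It builds a plan from report text; it does not touch the filesystem.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample input: the line shapes mirror the reports posted in this
# thread, but the selection of entries is ours and describes no real host.
FIND_AWF_SAMPLE = r'''
212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
111840 Oct 6 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 28 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
'''

SILENT_RUNNERS_SAMPLE = r'''
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" [file not found]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
"VTTimer" = "VTTimer.exe" [file not found]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
'''

# Find AWF:  <size> <Mon D YYYY> "<path>"
AWF_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3} \d{1,2} \d{4})\s+"(.+)"$')
# Silent Runners:  "<name>" = <command> [<status or signer>]
SR_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*\[([^\]]+)\]$')
# Executable inside a Run command: a full drive path, or a bare file name.
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe|[\w~.]+\.exe)', re.IGNORECASE)


def command_target(value):
    """Pull the executable path out of a Run value, dropping any arguments."""
    m = EXE_RE.search(value.strip().strip('"'))
    return m.group(1) if m else None


def index_bak_copies(awf_text):
    """Return (bak, live): lowercase original path -> (size, date, path)."""
    bak, live = {}, {}
    for line in awf_text.splitlines():
        m = AWF_RE.match(line.strip())
        if not m:
            continue
        size, date, path = int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))
        if path.parent.name.lower() == 'bak':
            # The bak folder sits beside the file's original location.
            original = path.parent.parent / path.name
            bak[str(original).lower()] = (size, date, str(path))
        else:
            live[str(path).lower()] = (size, date, str(path))
    return bak, live


def plan_restores(awf_text, sr_text):
    """For each Run entry marked [file not found], find the bak copy if any."""
    bak, _ = index_bak_copies(awf_text)
    plan = []
    for line in sr_text.splitlines():
        m = SR_RE.match(line.strip())
        if not m or m.group(3).strip().lower() != 'file not found':
            continue
        name, target = m.group(1), command_target(m.group(2))
        if target is None or ':' not in target:
            # Bare names (VTTimer.exe) resolve via PATH; decide by hand.
            plan.append({'entry': name, 'missing': target, 'restore_from': None,
                         'note': 'bare filename; resolve via PATH before deciding'})
            continue
        hit = bak.get(target.lower())  # note: 8.3 short names will not match here
        plan.append({'entry': name, 'missing': target,
                     'restore_from': hit[2] if hit else None,
                     'note': 'copy bak file back' if hit else
                             'no bak copy; reinstall the vendor software'})
    return plan


def size_mismatches(awf_text):
    """Live file and bak copy differ in size: inspect before overwriting."""
    bak, live = index_bak_copies(awf_text)
    return [(live[k][2], live[k][0], bpath, bsize)
            for k, (bsize, _d, bpath) in bak.items()
            if k in live and live[k][0] != bsize]


def to_batch(plan):
    """Render restorable items as copy commands for review, not for execution."""
    return [f'copy /Y "{p["restore_from"]}" "{p["missing"]}"'
            for p in plan if p['restore_from']]


if __name__ == '__main__':
    for item in plan_restores(FIND_AWF_SAMPLE, SILENT_RUNNERS_SAMPLE):
        print(item)
    for live_path, live_size, bak_path, bak_size in size_mismatches(FIND_AWF_SAMPLE):
        print(f'CHECK: {live_path} ({live_size} bytes) vs {bak_path} ({bak_size} bytes)')
    print('\n'.join(to_batch(plan_restores(FIND_AWF_SAMPLE, SILENT_RUNNERS_SAMPLE))))
```

Paste the real "Duplicate files of bak directory contents" block and the HKLM Run block from your own reports into the two sample strings. The size-mismatch check matters: a live file that differs from its bak copy may be a fresh vendor reinstall (the thread shows Symantec's directory was updated after the bak copies were made), so such pairs need a look at version information before any copy, and Norton should stay disabled during the copies as Jintan notes.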
  8. deac83

    deac83 Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    50
    Well the bad news is I'm out of town now until Friday, so I won't be able try anything until then.

    Here are my thoughts/questions:

    - I was going to ask this but a quick web search answered this, Symantec had me turn off System Restore to re-run NAV so the virus would not be in the restore files. So I'm assuming that this is no longer an option. System restore is currently off.

    - Not sure if this helps but I believe when I loaded NIS on this system that I may have created system recovery disks, but I'd have to dig through my old CDs as that was a few years ago.

    - I believe the startups that were disabled via msconfig are my doing as there were a few programs that insisted on running at start up such as AOL and Realplayer (which is where the reapall trojan supposedly came from). So unless you see differently, it should only be non-OS type software that I disabled.

    - Since you are focused on getting the startup files back, does this mean I've disabled/removed the virus/trojans? And we are just trying to recover from the 'damage' the removal process caused?

    - The system appears to run normally except for two items I've noticed. The 'HP Product Assist' tries to load/start up, but I can get rid of that via Task Manager. The second is the 'sound icon' doesn't load in the task bar. I'm sure there are more items I'm not aware of like the recovery partition monitoring file you referenced, but I don't know what the impact of those missing files may be.

    - Finally, I do know, from past experience with HP, that for my machine they (HP) keep the original system CDs and without them I can't reload the OS. Unfortunately I know this from an HDD failure which took HP 2+ months to rectify, which in the end resulted in HP replacing a 3 year old system for free as it was under warranty.

    So that's where we stand.

    Thanks again, and let me know what my options are given the above situation.
     
  9. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Unfortunate timing with that Symantec suggestion to disable System Restore. My choice of files to mention was fortunate, since it refers to the HP recovery partition, which is a potential means of returning corrupted system-specific data if needed. I will see if I can generate a startup replacement step based on this information to avoid any procedures like that. There is other active infection here, so this Zonebac part is only one part needing addressing.
     
  10. deac83

    deac83 Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    50
    Home the next 3 days.

    I guess I've got a bit of a mess on my hands. :)

    Thanks in advance for your help.
     
  11. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Good news is the infection doesn't show as rampant there. Let's clean some of that and address the repairs after, but I'll need a fresh HijackThis log to work from.

    Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here along with that new HijackThis log please.
     
  12. deac83

    deac83 Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    50
    Here you go. Both hijackthis and silentrunner. Thanks again.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:02:23 PM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\LTMSG.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\temp1\xnews\Xnews.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\temp1\downloaded programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=1.0&bm=ho_home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\bf6x1puv.slt\prefs.js)
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
    O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.doginhispen.com
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {871AA60B-D425-4784-AD09-6C2E63342CAD} (vzDLinkRouterUpgrade Class) - http://download.verizon.net/sfp/Cabs/dlink/webinstall/FrmUpDLink.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    "Silent Runners.vbs", revision 52, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "hpsysdrv" = "c:\windows\system\hpsysdrv.exe" [file not found]
    "HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /installquiet /keeploaded /nodetect" ["NVIDIA Corporation"]
    "VTTimer" = "VTTimer.exe" [file not found]
    "LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
    "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
    "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
    "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "bho2gr Class"
    \InProcServer32\(Default) = "C:\Program Files\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll" ["Safer Networking Limited"]
    {9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
    -> {HKLM...CLSID} = "CNisExtBho Class"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
    -> {HKLM...CLSID} = "CNavExtBho Class"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    {D714A94F-123A-45CC-8F03-040BCAF82AD6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" ["SideStep Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{19CC43A1-6925-4B48-B292-830291F393A6}" = "HPNSView"
    -> {HKLM...CLSID} = "My Kahuna"
    \InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdns_01.dll" [empty string]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
    "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
    -> {HKLM...CLSID} = "SampleView"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{BAB66DEA-6E13-473b-AA5A-B4172418F54B}" = "Firehand Ember Thumbnail Icon Generator"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Firehand Technologies\Ember\fhndicon.dll" ["Firehand Technologies Corporation"]
    "{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
    -> {HKLM...CLSID} = "America Online"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {HKLM...CLSID} = "IEContextMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {HKLM...CLSID} = "IEContextMenu Class"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {policy setting}:
    --------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\My Documents\Firehand Ember Image.bmp"


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "APC UPS Status" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]
    "GetRight - Tray Icon" -> shortcut to: "C:\Program Files\GetRight\getright.exe" ["Headlight Software, Inc."]
    "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
    "HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    SpSubLSP.dll ["interMute, Inc."], 01 - 05, 11
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 25
    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
    -> {HKLM...CLSID} = "HP View"
    \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}"
    -> {HKLM...CLSID} = "HP View"
    \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
    -> {HKLM...CLSID} = "Norton Internet Security"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
    -> {HKLM...CLSID} = "HP View"
    \InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]
    "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
    -> {HKLM...CLSID} = "Norton Internet Security"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
    -> {HKLM...CLSID} = "Norton AntiVirus"
    \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {83B28A74-640D-48F4-9F51-E80EED7CC7E0}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SideStep"
    \InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\SbCIe028.dll" ["SideStep Inc."]
    {8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "hp view"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

    HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "HP View"
    Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
    InProcServer32\(Default) = "C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll" ["Hewlett-Packard Company"]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
    -> {HKLM...CLSID} = "Web Browser Applet Control"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\msjava.dll" [MS]

    {3E230861-5C87-11D3-A1C6-00105A1B41B8}\
    "ButtonText" = "SideStep"

    {5B3FB261-CF72-4C66-B314-8E6FF9980307}\
    "ButtonText" = "Verizon Central"
    "Exec" = "www.verizon.net" [file not found]

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
    Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
    C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
    Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
    ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
    Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
    NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
    Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
    Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
    Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
    WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
    WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


    ---------- (launch time: 2007-11-09 12:03:22)
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 71 seconds, including 19 seconds for message boxes)
     
  13. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    I am researching the startups and will have that info available tomorrow.
     
  14. deac83

    deac83 Thread Starter

    Joined:
    Feb 1, 2007
    Messages:
    50
    FYI my NAV scan last night found 'Advatrix' on the computer. According to Norton, it was released 10/25 and another version on 11/5.
     
  15. Jintan

    Jintan

    Joined:
    Oct 3, 2007
    Messages:
    1,164
    Did Norton give a location and file name for that item? Although your continuing want to make repairs is expected, changes made without info here leave this end of the deal a bit shy on best next steps ideas.

    Let's return the startup files moved by infection back to their correct locations. This procedure is based on the list you posted in the beginning of legit named items listed by Norton as Zonebac, and info from your FindAWF report. I did a double-check of the list so I hope it is a complete replacement of the moved files, but it is a bit of a file logjam assessing this one. Please make sure Norton and other protective software is disabled when doing these steps.



    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com


    ------------------------------

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Then press 2 (Press 2 then Enter to restore files from bak folders).

    A text file will open called: files.txt
    Highlight the following text, then click below the line and copy/paste the entire following list of files to be restored (or use Ctrl - V as suggested):

    Code:
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
    "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe"
    "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    "C:\WINDOWS\system32\bak\hphmon05.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "c:\Program Files\HP\Digital Imaging\Unload\bak\backupnotify.exe"
    "c:\Program Files\Winamp\bak\Winampa.exe"
    "c:\WINDOWS\system32\bak\NeroCheck.exe"
    "c:\Program Files\TextBridge Pro 8.0\Bin\bak\InstantAccess.exe"
    "c:\hp\KBD\bak\KBD.EXE"
    "c:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "c:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    "c:\WINDOWS\system32\bak\ps2.exe"
    "C:\windows\system\bak\hpsysdrv.exe"
    "c:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
    "c:\Program Files\TextBridge Pro 8.0\Bin\bak\RegisterDropHandler.exe"
    "c:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
    "c:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe"
    "c:\WINDOWS\bak\UpdReg.EXE"
    Then close the file and click Yes to save the changes.

    It will automatically run a new scan and open a new log - please paste those contents back here.

    ----------------------------------

    Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".


    Then post back a new HijackThis log, a new ComboFix log, the new FindAWF log and the Kaspersky log please.
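The restore step above relies on a pattern the thread describes: the legitimate startup executable was moved into a `bak` subfolder next to its original location, and FindAWF option 2 copies it back. The following script is an added example and is not code from the thread, from FindAWF or from any other tool named here. It shows how a helper can triage that pattern read-only before any restore is attempted: it parses the quoted restore list exactly as pasted above, derives the original location from each `...\bak\name.exe` entry, and classifies each pair (backup only, original missing, original present but different from the backup, or identical) by comparing SHA-256 hashes. The status names, the `demo()` directory tree and the file contents in it are constructed for illustration; only a few of the posted paths are reused so the example stays short.

```python
import hashlib
import ntpath
import os
import tempfile

# A subset of the FindAWF restore list as posted in the thread: one quoted
# Windows path per line, each with a parent folder named "bak".
RESTORE_LIST = r'''
"C:\Program Files\QuickTime\bak\qttask.exe"
"c:\WINDOWS\system32\bak\NeroCheck.exe"
"c:\WINDOWS\system32\bak\hkcmd.exe"
'''


def parse_restore_list(text):
    """Return the quoted paths from a FindAWF-style restore list, in order."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 1 and line.startswith('"') and line.endswith('"'):
            paths.append(line[1:-1])
    return paths


def original_path(bak_path):
    """Map '<dir>\\bak\\name.exe' to '<dir>\\name.exe' using Windows path rules.

    Refuses paths whose parent folder is not 'bak', so a typo in the list
    cannot silently point a restore at some unrelated directory.
    """
    parent, name = ntpath.split(bak_path)
    grandparent, parent_name = ntpath.split(parent)
    if parent_name.lower() != "bak":
        raise ValueError(f"not a bak-folder path: {bak_path}")
    return ntpath.join(grandparent, name)


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def assess(bak_file, orig_file):
    """Classify one backup/original pair without modifying anything.

    Status names are constructed for this example:
      no-backup      : nothing in the bak folder to restore from
      restore-needed : backup present, nothing at the original location
      replaced       : both present but contents differ (a substitute sits
                       where the legitimate program used to be)
      identical      : both present and byte-for-byte the same
    """
    if not os.path.isfile(bak_file):
        return "no-backup"
    if not os.path.isfile(orig_file):
        return "restore-needed"
    if sha256_of(bak_file) != sha256_of(orig_file):
        return "replaced"
    return "identical"


def demo():
    """Build a constructed directory tree covering every status and triage it."""
    # Constructed sample bytes, not real program contents: (bak copy, original or None).
    cases = {
        "qttask.exe": (b"constructed legit quicktime bytes", b"constructed substitute bytes"),
        "NeroCheck.exe": (b"constructed legit nero bytes", None),
        "hkcmd.exe": (b"constructed legit intel bytes", b"constructed legit intel bytes"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        bak_dir = os.path.join(root, "bak")
        os.makedirs(bak_dir)
        for name, (bak_bytes, orig_bytes) in cases.items():
            with open(os.path.join(bak_dir, name), "wb") as handle:
                handle.write(bak_bytes)
            if orig_bytes is not None:
                with open(os.path.join(root, name), "wb") as handle:
                    handle.write(orig_bytes)
        for name in cases:
            results[name] = assess(os.path.join(bak_dir, name), os.path.join(root, name))
        # A list entry with no backup behind it must be reported, not restored.
        results["missing.exe"] = assess(os.path.join(bak_dir, "missing.exe"),
                                        os.path.join(root, "missing.exe"))
    return results


if __name__ == "__main__":
    for entry in parse_restore_list(RESTORE_LIST):
        print(f"{entry}  ->  {original_path(entry)}")
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run on the real machine, the two halves would be joined by feeding `original_path()` output into `assess()` for each parsed entry; keeping the classification separate from the restore means the list can be checked for mistakes (and a "replaced" substitute preserved for analysis) before anything is overwritten.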
     
Short URL to this thread: https://techguy.org/644937