Thread: Rogue Reg Tool cleaner with suspect backdoor. Thought I was rid of Symantec...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:41:47 PM, on 9/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\\bin\tgcmd.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Reg Tool\Reg Tool.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServer.exe
    C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: TBSB02751 - {25875464-7327-417C-8264-902D99CF6FD1} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Search Enhancer Toolbar - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Reg Tool] C:\Program Files\Reg Tool\Reg Tool.exe -boot
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{A1B74175-2C43-436F-8655-7215C3A30A63}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
    O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} -
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: RosettaStoneLtdController - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
    O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe

    End of file - 9599 bytes

    Generate an Uninstall List

    * Open HijackThis
    * Click on Open Misc Tools Section
    * Click on Open Uninstall Manager
    * Click on Save list
    * Save it to your Desktop
    * Post it on your next reply.
    Arrow Uninstall list...

    My guess is that my unwanted files may include: Panda ActiveScan 2.0 and LiveUpdate 3.0 (Symantec Corporation). When I start-up the PC I get a pop-up showing a quite possibly inflated # of problems that reg tool feels that I should fix by purchasing their program. I read somewhere that they leave a backdoor open; so, if that is true, I definately want to close that one.

    Also, since installing that (bogus?) program, I've had a problem in that my homepage doesn't load upon first opening the internet on IE. No URI (URL) loads into the web addy bar. It is a little hard to close but will usually go away with a right click to the explorer icon in the left upper corner of my screen. I always follow by clicking yes to file a report with Microsoft Explorer. After I go through that fun little routine I have no problems until the next start-up.

    I have to tell you how much I appreciate your help. My DH never learned to operate a PC and doesn't know how to turn one on or off. So, the computer is entirely up to me. I use it daily for homeschooling and truely appreciate the service that you perform, here. My only computer training comes from what I read on-line. So, your help to me is greatly appreciated.

    Here is the uninstall list:

    Default List was incomplete. Here it goes, again.

    Sorry, I didn't get it all. This should be complete, now:

    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    Adobe Shockwave Player 11.5
    AOL You've Got Pictures Screensaver
    avast! Antivirus
    Blue CoatŪ K9 Web Protection
    Critical Update for Windows Media Player 11 (KB959772)
    Disney's Toontown Online
    eCalc Calculator
    ERUNT 1.1j
    FamilySearch Indexing
    Google Desktop
    Google Earth
    Google Pack Screensaver
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Google Updater
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Interactive Math Journey
    InterActual Player
    iPod To Computer Transfer 3.5
    iPod2PC 3.9.2
    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 15
    Java(TM) 6 Update 3
    LiveUpdate 3.0 (Symantec Corporation)
    Math 3 & 5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Alphabet Playhouse
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Digital Image Starter Edition 2006
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2005
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft Reader Railway
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    Mighty Math Number Heroes
    Mobipocket Reader 6.0
    Mozilla Firefox (3.0.1)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Napster Burn Engine
    Neo Sonic Universe
    OverDrive Media Console
    Panda ActiveScan 2.0
    Penny Penguin's Math Bingo
    Personal Ancestral File 5
    Personalized Learning Center
    Picasa 3
    Qwest QuickCare
    Reader Rabbit's Math Ages 6-9
    Reading Blaster Vocabulary
    Realtek AC'97 Audio
    REALTEK Gigabit and Fast Ethernet NIC Driver
    Reg Tool
    RollerCoaster Tycoon 3 Platinum
    Rosetta Stone Ltd Services
    Samsung Video Codec 1.2.5009 Uninstall
    Search Enhancer Toolbar
    SecondLife (remove only)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    SoftV92 Data Fax Modem with SmartCP
    SpongeBob SquarePants Typing
    Spybot - Search & Destroy
    The ClueFinders 3rd Grade Adventures
    The ClueFinders 4th Grade Adventures
    Typing Instructor for Kids II
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973815)
    VIA/S3G Display Driver
    Viewpoint Media Player
    Windows Backup Utility
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    Zoombinis Logical Journey(TM)

    Ok. Let's take a look

    Ad-Aware SE Personal is not supported anymore and should be replaced with the latest version.

    Get update 8.1.6 for Adobe Reader here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.

    Do you use Adobe Acrobat 5.0 for other things than just converting files to PDFs?

    Uninstall thru add/remove programs if found:
    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 3
    Reg Tool

    Start hjt, do a system scan, check (if found):
    O2 - BHO: TBSB02751 - {25875464-7327-417C-8264-902D99CF6FD1} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)
    O3 - Toolbar: Search Enhancer Toolbar - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\Search Enhancer Toolbar\enhancer.dll (file missing)
    O4 - HKCU\..\Run: [Reg Tool] C:\Program Files\Reg Tool\Reg Tool.exe -boot
    O4 - Startup: PowerReg Scheduler.exe

    Close browsers and fix checked.

    Delete following folder if found:
    C:\Program Files\Reg Tool

    Reboot and post a fresh hjt log.
    Default Here's what I've done so far...

    Here's what I've done so far...

    I went to ad Aware's site and decided to neither load their freeware nor buy the product under the hope that my other protections will suffice.

    Upon opening and running 8.1.6 for Adobe Reader I received an error message that read, "This patch could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch pckage."

    Could it be that I should have saved it instead? I browsed the associated security bulletin. What about installing the most recent update, 9.1.3? I'm guessing that 9.1.3 is for those who have 9 loaded and 8.1.6 is for those who have 8 loaded. Could you clarify?

    Not sure what I use acrobat for. Guess I'll have to try to figure that out. Will follow-up on your other suggestions when I get time.

    Thanks, in advance, for your illumination.

    Could it be that I should have saved it instead? I browsed the associated security bulletin. What about installing the most recent update, 9.1.3? I'm guessing that 9.1.3 is for those who have 9 loaded and 8.1.6 is for those who have 8 loaded. Could you clarify?
    Yep, 9.1.3 is for 9 version and needs to have 9.1 & 9.1.2 installed too. If you want to go with the latest version then uninstall your current 8 version first. Then download 9.1 + updates 9.1.2 & 9.1.3 for it.
