System32 Folder is Inaccessible; Can't Boot Normal Mode

Puffy · Dec 17, 2006

While searching Google for information to solve my PC infection, I came across user Vexta's thread entitled "Cannot access System32 folder." I have the same problem, but perhaps worse. Please help.

I have Windows 2000 Professional [i.e. Windoes 2000 SP4 (WinNT 5.00.2195)] running IE v6.00 SP1 (6.00.2800.1106). On Thursday night, December 14, my system slowed dramatically and some DOS windows popped up running BAT files that I certainly didn't execute myself. I tried hit Ctrl-Alt-Del to run Task Manager, but that button was suddenly grayed out. I could not Close any of the windows that opened on my screen. From that point forward, when I attempt to reboot my PC, it simply goes into a reboot loop--only getting as far as the blue screen that follows the Windows 2000 Professional "splash screen."

In other words, I cannot successfully boot in Normal Mode.

I can boot into Safe Mode, but can't successfully run networking. (I am posting this from my wife's laptop.)

If I run Windows Explorer and attempt to open the WINDOWS/System32 folder, my system crashes. If I run a Full System Scan with Norton Antivirus 2006, my system crashes. I tried running F-Prot /inter, and it froze everytime after scanning a few DLLs.

All of my .DBX files (Microsoft Outlook folders) got an updated modified date.

I read some other threads and tried some of the advice given there. For example, I copied Fixwareout to the PC and ran its Fixit bat file in Safe Mode. Unlike user Vexta, this did NOT permit me to access my System/32 folder. Fixwareout's report.txt file (I am rekeying this, since I cannot actually post anything from my PC):

---- start ----
Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

...
...
Reg Entries that were deleted
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There will be LEGITIMATE FILES LISTED (etc.)

>> >> >> >> >> Searching by size/names...

>> >> >> >> >>
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

>> >> >> >> >> Misc. files.
C:\WINDOWS\System32\adir.dll

>> >> >> >> >> Checking for older varients civered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...
---- end ----

I also copied HiJackThis to my infected PC and ran it in Safe Mode. Again, I am hand-keying this in, so hopefully I'm not introducing any typos. Please note that I deleted ieredir.exe, dsrss.exe, (and several other dodgy looking files that appeared on my desktop), and the C:\WINDOWS\inet20000 folder that appeared during Thursday night's infection. "rock.exe" in HKLM looks suspicious to me. Please also note that I would like to get rid of all the Earthlink stuff (old girlfriend installed that junk years ago):

---- start ----
Logfile of HijackThis v1.99.1
Scan saved at 8:58:43 AM, on 12/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Earthlink
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINDOWS\inet20000\1215152430.dll (file missing)
O2 - BHO: ib6.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib15.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\system32\ipv6mons.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Antivirus\NavShExt.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Antivirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\ktchnsnk.exe" -reg "Software\Hewlet--Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\Earthlink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\Earthlink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGR~1\INSTAN~1\INSTAN~1\IWCTL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20000\services.exe
O4 - HKLM\..\Run: [SvcManager] mdmex7.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20000\svchost.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC2.EXE
O4 - Global Startup: HPAioDevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://C:\counter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O17 - HKLM\System\CS1\Services\Tcpop\Parameters: gtfc.com,gtservicing.com
O17 - HKLM\System\CS2\Services\Tcpop\Parameters: gtfc.com,gtservicing.com
O17 - HKLM\System\CSS\Services\Tcpop\Parameters: gtfc.com,gtservicing.com
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\baagf32.dll (file missing)
O21 - SSODL: LIJKE - {07CE0A0D-AD64-A0A7-9BB6-58AA4D7D07D8} - C:\WINDOWS\system32\jhuiq.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi149112.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Authenticate Service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Norton Antivirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton Antivirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Coporation - C:\Program Files\Common Files\Symantect Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Antivirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Coporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk Service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantect Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Pgroam Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

---- end ----

Please keep in mind that my infect PC is not able to boot in Normal Mode and cannot boot up in Safe Mode with Networking :^(

Thanks in advance for your help!

Mr_JAk3 · Dec 17, 2006

Hi Puffy and welcome to Safer Networking Forums

Your computer is heavily infected :sad:

One or more of the identified infections is a backdoor trojan

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Puffy · Dec 17, 2006

Thanks, Mr_JAk3,

What I'd like to do is first save off some files that are of value to me like Quicken data), then try fixing the PC with the OS installation that's currently there. If that fails, then I'll reformat and reinstall.

Regarding saving of files, can I trust my Microsoft Outlook .DBX files anymore? They clearly got timestamped within minutes of my PC's infection. Could the DBX files themselves be infected? I obvisouly don't want to copy those files to another PC (or back onto the same PC, once it's cured) if that will simply propagate the virus.

Another question: I have a second hard-disk installed as my F: drive. Since this is not my boot drive, should I be concerned about there being infected files on that second disk? It's got stuff like family photos and my doctoral research files--no applications or other executables--which I'd like to preserve.

Most of the software on my C: drive I can reinstall, so I'm not too concerned about the contents of that disk (other than my DBX files, that is), if I must reformat my C: drive.

So, what steps can I take to begin trying to fix my PC with the current OS...?
P

Mr_JAk3 · Dec 18, 2006

Hi

Backups should be done before somtehing bad happens. The is always a risk that you move infections from one place to another. Pictures, textfiles and music should be good to go. Don't take eg any exe or dll files.

If you think that outlook files are infected, don't backup those.

The F-drive may be infected too.

So you have another computer that you can use during the cleaning right ?
We need some tool and you need to move those to the infected computer with eg a memory stick or a cd. Also copy the logs that way. You can't write them all.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Puffy · Dec 18, 2006

Thanks again, MR_JAk3.

I'll try these steps tonight, when I'm back home. In the meantime, I have a question about your instrux: After I run the RunThis.BAT fix, am I to let the PC try to boot normally, or do I take it back into Safe Mode?

Thanks,
P

Mr_JAk3 · Dec 18, 2006

Hi

You can try if it runs in normal mode.

Puffy · Dec 19, 2006

Ok, Mr_JAk3...

I downloaded SDFix, copied it over to the infected PC's desktop, extracted it, then ran the RunThis.BAT file. It seemed to run ok, with the exception of one error message (which I saw when I ran other BAT files):

C:\WINDOWS\SETVER.EXECannot load VDM IPX/SPX Support

(I googled this and found lots of hits--it didn't *appear* to be a major problem, but I ain't the PC expert here...)

When the PC attempted to reboot, I skipped the F8 and let it go normal. It went into its now-all-too-familiar reboot loop. I powered off, powered on, and booted back into Safe Mode. Here is the resulting Report.TXT file (sadly, I must re-key this because my 7 year-old PC has a read-only CD drive):

---- start ----

SDFix Version 1.49
************

Mon 12/18/2006 - 19:03:17.84

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

aspi113210
ICF
MsaSvc

File Path:

C:\WINDOWS\System32\aspi149112.exe
C:\WINDOWS\System32\icf.exe
C:\WINDOWS\System32\msasvc.exe

aspi113210 Deleted...
ICF Deleted...
MsaSvc Deleted...

Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

---- end ----

Here's the subsequent HJT log:

---- start ----
Logfile of HijackThis v1.99.1
Scan saved at 7:14:19 PM, on 12/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Earthlink
O2 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Antivirus\NavShExt.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Antivirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\ktchnsnk.exe" -reg "Software\Hewlet--Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\Earthlink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\Earthlink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGR~1\INSTAN~1\INSTAN~1\IWCTL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMIN~1\DESKTOP\SDFIX\SDFIX\RUNTHIS.BAT /second
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC2.EXE
O4 - Global Startup: HPAioDevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://C:\counter.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www-secure.symantec.com/techs...l/LSSupCtl.cab
O17 - HKLM\System\CS1\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O17 - HKLM\System\CS2\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O17 - HKLM\System\CSS\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\baagf32.dll (file missing)
O21 - SSODL: LIJKE - {07CE0A0D-AD64-A0A7-9BB6-58AA4D7D07D8} - C:\WINDOWS\system32\jhuiq.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmina) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Authenticate Service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: Norton Antivirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton Antivirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Coporation - C:\Program Files\Common Files\Symantect Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Antivirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Coporation - C:\Program Files\Cacommon Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk Service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantect Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Pgroam Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

---- end ----

That *$^% SASSER worm is still there! Now what?
P

Puffy · Dec 19, 2006

Additional info...

I can now access my System32 folder without crashing my PC! Wahoo!

Eagerly and gratefully awaiting your next instrux...
P

Mr_JAk3 · Dec 19, 2006

Hi again, we'll continue

Please read these instrucitions through since there are a few tool that you need to download and move to the infected computer.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware and move it to the infected computers desktop.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.

IUse this link to manually update AVG.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [SDFix] C:\DOCUME~1\ADMIN~1\DESKTOP\SDFIX\SDFIX\RUNTHIS.BAT /second
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://C:\counter.cab
O21 - SSODL: CDRecorder026 - {A3BC5E20-0235-1ABF-9CE1-00AA00512026} - C:\WINDOWS\system32\baagf32.dll (file missing)
O21 - SSODL: LIJKE - {07CE0A0D-AD64-A0A7-9BB6-58AA4D7D07D8} - C:\WINDOWS\system32\jhuiq.dll (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe (file missing)
O23 - Service: Microsoft Authenticate Service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe

Open Notepad and copy the following lines into a new document:

@echo off
sc stop ICF
sc delete ICF
sc stop MsaSvc
sc delete MsaSvc

Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\System32\nzdd0.dll
C:\counter.cab
C:\WINDOWS\system32\icf.exe
C:\WINDOWS\System32\msasvc.exe
C:\WINDOWS\system32\jhuiq.dl

Use the Windows search

Start
Search
All files and folders
More advanced options

Checkmark these options:

"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: rock.exe
Search for this and delete if found: dsrss.exe

Run ATF Cleaner

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

Try if the PC runs in normal mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

Puffy · Dec 19, 2006

Mr_JAk3,

Thank you for the very clear instrux. I will apply them this evening.

Just FYI, I ran a full system scan with Norton Antivirus (in Safe Mode) last night to see whether 1) it would run now that System32 is accessible, and 2) whether it would find any nasties. It ran to completion, checking both my C: and F: drives, but found only one measly adware turd of low risk. Is NAV simply crap, or did the nasties somehow disable it? I know NAV has limited capability in Safe Mode, but shouldn't it be able to find the executables that I myself can see in System32? There are about 20 dodgy looking executables files in my System32 folder which are datestamped within minutes of each other from the night my PC was molested. Some of them--like LSASS.EXE--are clearly unwelcome intruders. Why doesn't NAV see them?

Thanks again. More tonight...
P

Mr_JAk3 · Dec 19, 2006

Hi

Are you sure that your NAV is up-to-date ?
No Antivirus is 100% efective, you get best results by using multiple scanners.
Please note that there is also a a legitimate system file named LSASS.EXE

:bigthumb:

Puffy · Dec 19, 2006

My bad. I had seen a new file named LSASS that appeared on my desktop during Thursday night's attack on my PC. I deleted that file, then assumed anything named LSASS was bad. I wikied LSASS and am now slightly more knowledgeable about Microsoft's Local Security Authority Subsystem Service.

More later, after tonight's next fix operations...
P

Puffy · Dec 19, 2006

Nav

Per your other point, My NAV defs are a little out of date. For the past few months, the LiveUpdate wizard has been freezing up. This happened with my previous version of NAV, so I upgraded to the current 2006 version. It worked for a while, then starting freezing up again. Symantec Tech Support was not helpful in solving my problem, so I essentially gave up on it. :sad:
P

Puffy · Dec 20, 2006

Mr_JAk3,

I ran your instructions very carefully. The only places where the instructions diverged from what I saw on my screen were perhaps due to differences across Windows versions(?) For example, Under My Computer -> Tools -> Folder Options -> View, I don't see a "Display the contents of system folders" option.

There was one small glitch when I attempted to run AVG for the full scan. When I clicked on the Scanner icon in the header, the app froze, then popped up a dialog box saying that something "bad" happened. I ran the app again and it appeared to work.

Other than that, everything went smoothly per your instrux. However, I still cannot reboot in Normal Mode. The PC crashes and goes into its reboot loop. :sad:

AVG found 176 infected objects, all on my C: drive. I am a bit too tired at this late hour to re-key the entire AVG report log. If you need it, I'll provide it later (perhaps after I purchase a RW drive for me ancient Dell!)

For now, here's the HJT log:

---- start ----
Logfile of HijackThis v1.99.1
Scan saved at 10:52:09 PM, on 12/19/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Earthlink
O2 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Antivirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700 NT\bin\ktchnsnk.exe" -reg "Software\Hewlet--Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\Earthlink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\Earthlink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGR~1\INSTAN~1\INSTAN~1\IWCTL.EXE
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\USBMonit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\FRONTI~1\FRONTI~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [SDFix] C:\DOCUME~1\ADMIN~1\DESKTOP\SDFIX\SDFIX\RUNTHIS.BAT /second
O4 - Global Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\Realdownload.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC2.EXE
O4 - Global Startup: HPAioDevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www-secure.symantec.com/techs...l/LSSupCtl.cab
O17 - HKLM\System\CS1\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O17 - HKLM\System\CS2\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O17 - HKLM\System\CSS\Services\Tcpop\Parameters: SearvhList = gtfc.com,gtservicing.com
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
023 - Service: AVG Anti-Spyware Guard - Anti Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti=Spayware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmina) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Antivirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton Antivirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Coporation - C:\Program Files\Common Files\Symantect Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Antivirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Coporation - C:\Program Files\Cacommon Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk Service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantect Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Pgroam Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\FrontierNet\FrontierNet DSL Attendant\app\TangoService.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

---- end ----

Given that I still cannot boot in Normal Mode, is there anything else that can be done to cure my PC? I'm happy to keep trying, as long as you have ideas...

Thanks again,
P

Mr_JAk3 · Dec 20, 2006

Hi

So it still doesn't run in norml mode :sad:

So you were able to move AVG-AntiSpyware to your infected computer ?

Why can't you transfer the AVG log to that same way back to the other computer ? We're going to need some other tools and logs so I think that re-typing ins't an option. Please let me know :bigthumb:

Puffy · Dec 20, 2006

Mr_JAk3,

I don't have a CD-RW drive on my infected PC. It has a CD-ROM drive. I have been using my wife's laptop to download software from the Internet, burning it to CD, switching the CD from her laptop to my infected PC's CD-ROM drive, copying the files from CD to desktop.

Because my infected PC has a read-only CD drive, I can't go back the other way (i.e., burn a CD, switch it into my wife's laptop, cut-n-paste log to spybot.info).

Call me an idiot

but it just occurred to me--I should be able to use a memory stick to copy logs from my infected PC to the laptop without danger of also transporting malware, right? I've got a memory stick lying around somewhere. Or would it be more advisable to buy an external CD burner?

Another question: If I had been successful in booting up in Normal Mode last night, would I have been able to safely use networking? Or would my machine likely get nailed again, as soon as it got on the net? If I can get back on the net (either in Safe Mode or Normal Mode), it would sure simplify this process--but I don't want to complicate matters by allowing more nasties onto my box. Please advise. (BTW, I removed my wireless PCI card days ago, just to be safe.)

Thanks, as always, for all your help!
P

Mr_JAk3 · Dec 20, 2006

Hi

Ok if you have a memorystick I recommend that you use it. Just move the logs from the infected computer. It is impossible to rewrite all the huge logs.

Does your computer have a firewall (Norton ?)

Please post the AVG log to here (move it with the memorystick) and I'll have a look.

:bigthumb:

Puffy · Dec 20, 2006

Thanks, Mr_JAk3. I'll post that AVG log tonight...

I don't recall whether I have a software firewall on my PC (as part of Norton). I am reasonably certain that I have a firewall in my router. I'll check both tonight...

[BTW, do you know where might I get information about defending against Joe Jobs? My domain name has been getting used heavily by a spammer(s) and I don't want it to become blacklisted as a spam site.]

Thanks,
P

Puffy · Dec 20, 2006

AVG Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:38:24 PM 12/19/2006

+ Scan result:

C:\WINDOWS\Bbstore\DSS\DSSAGENT.EXE -> Adware.Background : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDEPLAYER.BDEPlayerCtrl -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDEPLAYER.BDEPlayerCtrl.1 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDEPLAYER.BDEPlayerCtrl\CLSID -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDEPLAYER.BDEPlayerCtrl\CurVer -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDESmartInstaller25.BDESmartInstaller25 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDESmartInstaller25.BDESmartInstaller25.1 -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BDESmartInstaller25.BDESmartInstaller25\CurVer -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Comet -> Adware.CometCursor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_503700.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_506000.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_507500.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_523000.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_530400.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_535100.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550600.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550601.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550602.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550603.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550700.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550701.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550702.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550703.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_550800.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_560800.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_565100.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_580300.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_585400.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_610000.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_621600.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_626800.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_672900.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_676000.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_737700.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_741200.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_744000.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_744100.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_761900.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_762200.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_773200.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_790200.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_792900.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_795000.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_795400.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_795500.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_798600.HTM -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_798700.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\AdCache\B_799600.GIF -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-21-507921405-1078145449-1202660629-500\Software\TimeSink, Inc. -> Adware.TimeSink : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012089.dll -> Backdoor.Agent.fo : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012068.exe -> Downloader.Agent.bdb : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2806.exe -> Downloader.CWS.j : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012082.exe -> Downloader.Delf.aeu : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011834.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011858.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012070.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\FOUND.004\FILE0000.CHK -> Downloader.Small.awa : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011822.exe -> Downloader.Small.awa : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012065.exe -> Downloader.Small.awa : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011833.exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011835.exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011857.exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011881.exe -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\dlim.exe -> Downloader.Small.crc : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\gkfm.exe -> Downloader.Small.crc : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011821.exe -> Downloader.Small.crc : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012064.exe -> Downloader.Small.crc : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012309.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011892.EXE -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011895.EXE -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011896.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012083.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012085.EXE -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\glli.exe -> Downloader.Small.dex : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\mkli.exe -> Downloader.Small.dex : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012071.exe -> Downloader.Small.dex : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012086.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012092.EXE -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012307.EXE -> Downloader.Small.ecm : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011953.exe -> Downloader.Tiny.bm : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2181685657847.exe -> Downloader.Vidlo.ao : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2181685672028.exe -> Downloader.Vidlo.ao : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012308.exe -> Dropper.Agent.azs : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011914.exe -> Dropper.Agent.ol : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\blie.exe -> Dropper.Delf.rc : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\dlnc.exe -> Dropper.Delf.rc : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011832.exe -> Dropper.Delf.va : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012069.exe -> Dropper.Delf.va : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2524.exe -> Dropper.Small.atd : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\3536.tmp -> Dropper.Small.aus : Cleaned with backup (quarantined).
C:\Program Files\Encompass\EncDial.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011935.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011938.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011969.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011974.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012001.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012009.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012033.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012041.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012097.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012098.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012130.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012131.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012152.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012153.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012177.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012183.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012211.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012219.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012240.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012248.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012287.DLL -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012297.exe -> Hijacker.Agent.hz : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\3504.tmp -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\352E.tmp -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011845.sys -> Hijacker.Costrat.l : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\z2333.exe -> Hijacker.Costrat.t : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\install.exe -> Hijacker.Costrat.z : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\buxqzccm.exe -> Hijacker.Small.cc : Cleaned with backup (quarantined).
C:\Program Files\Norton AntiVirus\Savrt\0613NAV~.TMP -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011950.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011984.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012016.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012050.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012112.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012145.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012167.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012192.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012255.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012261.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012262.exe -> Logger.Agent.pr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ipv6mons.dll -> Logger.BZub.gq : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\350B.tmp -> Logger.Small.ak : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\350F.tmp -> Logger.Small.ak : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\353A.tmp -> Logger.Small.ak : Cleaned with backup (quarantined).
C:\FOUND.005\FILE0000.CHK -> Logger.Small.ak : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ib15.dll -> Logger.VB.mz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011854.exe -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012076.exe -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012077.exe -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012078.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012079.dll -> Not-A-Virus.Hoax.Win32.Renos.fk : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\KpdMHplhh -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\NmaHJmnfg -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\Odthe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\QiqLNjchf -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012306.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012081.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012087.exe -> Proxy.Dlena.at : Cleaned with backup (quarantined).
C:\Program Files\Norton AntiVirus\Savrt\0158NAV~.TMP -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012260.exe -> Trojan.Agent.ws : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012258.exe -> Trojan.Conycspa.i : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011920.EXE -> Trojan.Delf.xh : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011926.exe -> Trojan.Delf.xh : Cleaned with backup (quarantined).
C:\WINDOWS\smss.exe -> Trojan.Delf.xh : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\apihelp.chm -> Trojan.Dialer.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011831.exe -> Trojan.Dialer.hz : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sysfind.exe -> Trojan.Dialer.hz : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011894.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mdmex7.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bs : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012062.dll -> Trojan.Small.ev : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00012063.EXE -> Trojan.Small.ev : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011838.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011851.exe -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011884.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\RECYCLED\NPROTECT\00011886.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\cndi.exe -> Worm.Banwarum.j : Cleaned with backup (quarantined).
C:\Documents and Settings\pbroenen\Local Settings\Temp\knfk.exe -> Worm.Banwarum.j : Cleaned with backup (quarantined).

::Report end

Puffy · Dec 21, 2006

Firewall

Mr_JAk3,

My D-Link DI-624 router has a firewall. My HJT logs indicate that Norton is running a "Firewall Monitor":

O23 - Service: Norton Antivirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton Antivirus\IWP\NPFMntor.exe

What next?
P

System32 Folder is Inaccessible; Can't Boot Normal Mode

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

New member