[bhayden21]

I have the Silent Runners on my desktop now, but when I try to run it, I get a warning from Norton:
Alert: Malicious Script Detected. Your computer is halted and needs to do something about this script. Choices are: stop, allow this action once, allow entire script once, quarantine or authorize.

What should I do?

[Advertisements]

Sorry......disregard last message. I just saw your note. Silent Runners is running now. THanks...

[bhayden21]

Sorry......disregard last message. I just saw your note. Silent Runners is running now. THanks...

[bhayden21]

Here's the Silent Runners log -

I can't get the zip file to work...whenever I click on the rkfiles.bat it brings up a command window that says "The system cannot find the file specified." Then this window goes away.



"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"Advanced Uninstaller PRO Installation Monitor" = ""C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2005 version 7\monitor.exe"" ["Innovative Solutions [url="http://www.innovative-sol.com/""]http://www.innovative-sol.com/"[/url]]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"JOGSERV2.EXE" = "C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe" ["Sony Corporation"]
"Pop3trap.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"" ["Trend Micro Inc."]
"WebTrapNT.exe" = ""C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"" ["Trend Micro Inc."]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"HKSERV.EXE" = "C:\Program Files\Sony\HotKey Utility\HKserv.exe" ["Sony Corporation"]
"Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
"Lexmark X5100 Series" = ""C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"" ["Lexmark International, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2000\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\PC-cillin 2000\VBProp.dll" ["Trend Micro Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssflwbox.scr" [MS]


Startup items in "Jo Bett Moore" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"PowerPanel" -> shortcut to: "C:\Program Files\PowerPanel\Program\PcfMgr.exe /launch" ["Phoenix Technologies Ltd."]
"Real-time Monitor" -> shortcut to: "C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_106B5A0.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Registration reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /r /n:1" [MS]
"Registration reminder 2" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /r /n:2" [MS]
"Registration reminder 3" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /r /n:3" [MS]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.sony.com/vaiopeople

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SLPMONX, SLPMONX, "C:\WINDOWS\System32\slpservice.exe" ["ProdEx Technologies"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Trend NT Realtime Service, Tmntsrv, ""C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe"" ["Trend Micro Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 141 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 28 seconds.
---------- (total run time: 300 seconds)

[Trevuren]

Did you extract BOTH files into a Folder that you created on your desktop?

Trevuren

[bhayden21]

I see both files - strings.exe and the rkfiles.bat. Which one do I extract first? Do I do both?

[bhayden21]

Never mind...just figured it out....rkfiles is running now.

[bhayden21]

Here's the rkfiles log.... Thanks, Beth

C:\Documents and Settings\Jo Bett Moore\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\XpBlock.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\mshtml.dll: Pec2@tc

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[Trevuren]

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

• Unzip it to your desktop.

* Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen
• You will need to update ewido to the latest definition files.
• On the left hand side of the main screen click update
• Click on Start
• The update will start and a progress bar will show the updates being installed
• After the updates are installed exit Ewido.

* CleanUp!

• Install it.

* Killbox by Option^Explicit

• Save it to your desktop.

**********Copy the following files to Notepad. This is the Notepad text that will be used later in Step #4 ************:

C:\WINDOWS\system32\XpBlock.dll
C:\WINDOWS\RMAgentOutput.dll

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.

• Click on scanner
• Click Complete System Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.


4.) Run Killbox.exe.

* Select "Delete on Reboot".

* Open the notepad you saved earlier. Press CTRL + A to select all file paths in the notepad, then press CTRL + C which will copy all of them to the clipboard.

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

6.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

Regards,

Trevuren

[bhayden21]

Here are the logs - that Norton pop-up is still there. Will that ever go away?!?!


~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:08:51 PM, 9/1/2005
+ Report-Checksum: 6CD52282

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
[456] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[696] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll -> TrojanSpy.Small.ak : Cleaned with backup
C:\Program Files\Common Files\pdenrcee\paptdearrq\qnoutsuss.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\pdenrcee\tbmtftsc\mposttob.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\system32\LogFiles\DA6221200.so -> TrojanDownloader.Small.baz : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Agent.ff : Cleaned with backup


::Report End

[bhayden21]

Trend Micro log:

Virus Scan 0 virus cleaned, 1 virus deleted


Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Program Files\Windows Media Player\wmplayer.exe.tmp TROJ_DLOADER.AAS Deletion successful




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 0 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 0 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken




Microsoft Vulnerability Check 23 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 23 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.


HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:58:59 PM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\Pelmiced.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\slpservice.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\slpmonx.exe
C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2005 version 7\monitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2005 version 7\monitor.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124051752885
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124051725205
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SLPMONX - ProdEx Technologies - C:\WINDOWS\System32\slpservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

[bhayden21]

One last thing that I'm not sure if you need to see or not...this is the list of vunerabilities identified by the Trend Micro house call.

Thank you so much! Beth

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 23 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Critical This vulnerability enables a remote attacker to run scripts in the Local Computer zone. This is done via a script that is embedded in a cookie that would be saved to the users system.;This vulnerability enables a remote attacker to invoke an executable on the users system via an HTML web page that includes an object tag. MS02-015
Critical This vulnerability allows an attacker to cause a denial of service attack to a target server machine. This is caused by a buffer overflow in SMB protocol in Microsoft Windows NT, Windows 2000, and Windows XP. MS02-045
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007
Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014
Critical This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL). MS03-030
Highly Critical These vulnerabilities, which are due to Internet Explorer not properly determining an object type returned from a Web server in a popup window or during XML data binding, respectively, could allow an attacker to run arbitrary code on a user's system. MS03-040
Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041
Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused of a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043
Important This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. MS03-045
Critical This vulnerability could allow an attacker to access information from other Web sites, access files on a user's system, and run arbitrary code on a user's system, wherein this is executed under the security context of the currently logged on user.;This vulnerability could allow an attacker to save a file on the users system. This is due to dynamic HTML events related to the drag-and-drop of Internet Explorer.;This vulnerability, which is due to the incorrect parsing of URLs which contain special characters, could allow an attacker to trick a user by presenting one URL in the address bar, wherein it actually contains the content of another web site of the attackers choice. MS04-004
Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers.This could allow an attacker to take complete control of an affected system. MS04-013
Critical This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. MS04-015
Moderate This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games.;An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. MS04-016
Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018
Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022
Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023
Critical The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.;The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.;The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. MS04-025
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028
Important An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDe services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. MS04-031
Critical This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. MS04-032
Critical This is another privately reported vulnerability about Windows Compressed Folders. There is vulnerability on the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows can not properly handle the extraction of the ZIP folder with a very long file name. Opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. MS04-034
Critical This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility. MS04-037
Critical This is a remote code execution vulnerability that exists in the Internet Explorer. It allows remote code execution on an affected system. An attacker could exploit this vulnerability by constructing a malicious Web Page. The said routine could allow remote code execution if a user visited a malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, significant user interaction is required to exploit this vulnerability.

[Trevuren]

Please run Norton again and take down EXACTLY what trojan/virus it finds. That would hopefully include the entire path.

The other scans call everything clean, now.

Regards,

Trevuren

[bhayden21]

Hi Trevuren,

Just finished running Norton and this is what it told me:
Item is wininet.dll
virus name: W32.desktophijack
status: delete failed

My system seems to be running fine, though. I won't be able to access this computer next week, but will be back online on 9/11. Let me know if I should do anything else, and I will post again next week.

Thanks so much for all the help so far! Beth

[Trevuren]

Please do a complete scan of your system for ALL instances of wininet.dll and post the results back into this thread.

Regards,

Trevuren

[bhayden21]

Hi Trevuren, I'm back! How do I do a scan of the wininet.dll files? Do I do this with Norton, or Hijack this? Thanks, Beth