Two days of hell ... trojan horse probs


Kraellin
04-12-2006, 11:50 PM
well, i've just spent the last two days trying to get rid of a virus, a trojan horse type, Zlob. this was one nasty sucker to get rid of. it hijacked my browser, stuck some 'security' software on my system, and drove me just about nuts for two days.

part of this thing is the 'mssearchnet.exe' file, which embeds itself in the registry, your startup (but hidden in the normal startup areas, so that msconfig cant see it) and some other place. part of it was in system 32 of windows and there were several accompanying .dll's and files and other hidden startups.

this tended to remind me of the old protection rackets, where someone approaches you and demands you pay them protection money to protect you from 'someone'. of course the someone is the guy demanding the money, but that always seems to be missed by the racketeers. this virus, being a trojan had managed to install some 'security' software that popped up as a result of my system being infected. of course, they infected me, but now if i'll just go to their site, they'll remove it for me. yeah, right. fat chance there, bud.

i ran hijackthis and it couldnt find it. i ran avg antivirus and it didnt find it. i went to trend micro and ran their online scan. they found parts of it and some other junk, but they couldnt remove all of it, though they thought they had. tech support at my isp helped a tiny bit also, but couldnt do it either. ad-aware saw no part of it at all. win patrol knew something was wrong, but also couldnt correct or block it effectively. i called up 'services' on my machine and found some peculiar and suspicious services running, particularly nvctrl.exe. i killed the service. 2 seconds later it's back. kill it again and the same thing happens. cute, so now i know i've got a loader virus. something is reloading this thing. regedit showed me a tiny bit of it. booting to dos mode i did manage to erase the mssearchnet.exe file and that part didnt come back. i ran cwshredder and it found something, but i forget what. i also found a reference in the registry about mssearchnet.exe and erased that key, but there were others there and erasing those just put them back. so, again, a loader. cute.

continuing, i updated winpatrol to the latest version and also got 'task catcher', another program from those same folks. these could see the parts that were in services, but couldnt kill it all off. i checked for the latest version of ad-aware, but mine was already up to date. i actually tried trend micros again but to no avail.

all in all this thing was a stinker. i had continuous popups from win patrol alerting me that something was trying to load into my browser as a helper object. i always said no. they were .tmp files in the system 32 folder. this thing also kept trying to call home with an NT logon (winlogon) but i just kept telling zone alarm no to that one. i also went to microsoft.com and used their little zapper program (i forget what it's called now) and it found nothing. i also downloaded their 'windows defender ver 2 beta' and installed that. it could also see the errant services but couldnt kill them effectively.

i swear, if i could put my hands on the person's neck that wrote this and distributed it, i'd.... well, you get the point.

little by little i did find enough of this to make some headway, but i was getting quite frustrated. i still had this idiot 'fake anti-malware' program stuck in my system tray, popping up with an alert every 2 minutes. shortly after that i'd get win patrol telling me something was trying to load into my system. you see what was happening here? the 'security program' was loading the virus and trying to bring in friends from the net.

so, having managed to get rid of some of this thing, i was finally getting frustrated and desperate enough to do one of two things, either try a system restore point or call up my full backup of the c: drive, which had been updated a week ago (thankfully). so, i decided that i'd try system restore first. if that didnt work, call up the backup and replace the entire c: drive.

i knew roughly when i had contracted this thing, as odd things had started to happen shortly thereafter, so i opted for a system restore checkpoint from before that point in time. i ran the system restore and crossed my fingers. i was expecting the worst, that not only would i still have this thing, but that it would infect the restore point somehow. remarkably, the system restore seems to have worked! that's twice now it's saved my bu..bacon. now, i'm fairly sure some or all of those nasty files are still on my system. but because the registry is restored to an older point, all the links are killed to activate this junk! and that's probably the only reason the system restore worked. and amen to that!

and, since i know the names of some of these files, i can now go through and erase them, since they are no longer 'active', open files that cant be deleted in a normal fashion.

like i said, the system restore wiped the links to this piece of malicious garbage, but it also wiped everything installed after that point that i wanted, like the updated winpatrol and task catcher and windows defender. lol. but that's a small price to pay at this point.

this virus is rated 'low' by most sites, but i think they've underrated it. the potential for damage here is quite large. ANY trojan is potentially lethal to a system, since the trojan is like the trojan horse of old; it can carry nasty attackers inside and call for reinforcements.

so, i'm sorry for scaring anyone i might have, but i'm also not sorry for the same thing in that these things are real and you pretty much need a trojan (condom) on your system to catch a trojan :) surf safe, folks!

craig

lkroll
04-13-2006, 12:13 AM
Just don't click anything with SpySheriff. Though these suckers keep me in business, I despise having to do this work. I'm currently running a 70% success rate at removing virus/spyware on customers' machines (meaning I have to make Phoenixes out of the others). Still costs the customers a lot of dough to get their machines cleaned. System restore (for other reasons) has saved my bacon too, but nothing replaces a good backup. Then you can always re-install the OS (though you may have to give Uncle Bill a call to reactivate Windows :sad: ). Sorry for your woes Craig, but welcome back to the living. If you have another PC, the best way to remove viruses is to first do an external scan using the other PC. Then place the harddrive back into your main system and boot into Safe Mode with Networking. After you run the virus scans (TrendMicro (http://housecall.trendmicro.com), Etrust (http://www3.ca.com/securityadvisor/virusinfo/scan.aspx), and, believe it or not, Microsoft (http://safety.live.com) have some pretty good web-based scanners; TrendMicro sometimes has problems running in safemode though) from safemode, run HijackThis (http://www.spywareinfo.com/~merijn/index.html) to see and remove any suspicious BHO's and startup programs. Then pray for the best when you boot into regular mode. That's pretty much what I do for my customers. Sometimes too, a system repair fixes issues as well, but most of the time it does not unless you removed all traces of the virus first. Usually, I have no choice but to do registry hacks as well. Man, I much prefer doing new builds or hardware repair as opposed to Virus/Spyware removal, but over 80% of what I do involves removing infestations.

Forgot to add that you need to take ownership of your System Volume Information folder so that you can remove viruses stored there too (normally, this folder is locked; Home Edition makes it a little more difficult, but it can be done in Safemode for sure). :)

Gary Richardson
04-13-2006, 12:31 AM
Hi Craig,

Zlob (Zolob) is a version of Smitfraud, and is relatively easy to remove if approached correctly (needs special tool(s)). Lots of versions, depending on which "Security Program" it foists onto you.

Wish you'd posted a HJT log, could have got you up and running in no time.

It might be a good idea if you posted a HJT log so I can see if there's any residual infection left.

Ziaphra
04-13-2006, 12:49 AM
My daughter has this on her computer too! I have run both adware and spyware and got rid of a lot of other stuff but these pop ups are still coming...so I will be watching this thread...

I also have a problem where when you start up her computer it says 'NTLDR is missing...press ctrl+alt+del to start'. I have tried changing the boot sequence to no avail...what I did eventually was copy the NTLDR and ntdetect.com files from my computer onto floppy, then change the boot sequence to start at a: and that seems to force her computer to find the correct boot.ini file and boot up correctly. If anyone knows how to stop this from happening, please tell, as we can't keep booting up like that! :) (I will eventually figure it out but would be eternally grateful for an 'inside track'!)

NancyJ
04-13-2006, 01:16 AM
For removal instructions just google for zlob. There is a lot of info out there about it.

Of course the best solution is to not get infected at all ;) Don't use IE unless absolutely necessary. Firefox and Opera (and Safari for mac) are all much safer browsers, partially because they're not integrated into the OS and partially because as less common browsers they're less likely to be attacked.
I also highly recommend spybot search and destroy with teatimer; spybot S&D has a browser immunisation feature that currently protects against over 8k known bad products.
Teatimer is a nice little app that notifies you any time a program attempts to change your registry - very useful early detection of attempted attacks.

Gary Richardson
04-13-2006, 05:51 AM
hi Ziaphra,

For problems with most of the Smitfraud variants, try http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=85&blogId=3

Follow the instructions there, if any problems after that, post a HJT log in the forums at www.malwareremoval.com

I help out at that forum, or at www.spywarewarrior.com

Ziaphra
04-13-2006, 06:02 AM
Thanx so much...will do and update. :)

Gary Richardson
04-13-2006, 09:26 AM
You're welcome.

Which OS are you using with the NTLDR problem ?

Ziaphra
04-13-2006, 10:23 AM
It's Windows XP Pro.

CJ Swartz
04-13-2006, 11:50 AM
Saturday evening I was just getting ready to quit checking out my forums and go to bed, but got a message from WinPatrol -- msoff.exe wanted to add itself to my startup -- was that okay? I hadn't installed any new software or made any changes to old software, so I knew that there was no good reason for the request, but thought it might be okay since it looked like it might be some Microsoft "thing" (ms-something). I told Scotty (WinPatrol's guardian) NOT to allow it while I looked it up on google... results: :eek: :ogre: :mad:

Filename: msoff.exe
Command: C:\Windows\System32\msoff.exe

Description: Added by the Troj/Raker-C Trojan backdoor. This infection will also attempt to steal your online banking information from certain online banks.

And found this - which is either part of the above, or a separate infection.
Trojan.Renver is a Trojan horse that steals confidential information.
C:/documents and settings/all users/Documents/settings/ rvnkey_a, _b, _f, _v.dat

According to Symantec -- When Trojan.Renver is executed, it performs the following actions:

1. Copies itself as the following file: %System%\msoff.exe

2. Creates the following file:
%UserProfile%\Local Settings\Temp\[RANDOM].tmp
3. Adds the value: "Microsoft Office" = "%System%\msoff.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.

4. Creates instances of the following processes and injects its code into those processes: * svchost.exe * lsass.exe

5. Gathers username and password information from the following file:
wcx_ftp.ini.

6. Gathers email server and username information by querying registry entries:
7. Gathers Protected Storage passwords. :angry:
8. Saves the information in the following files:

* %UserProfile%\All Users\Documents\Settings\desktop.ini
* %UserProfile%\All Users\Documents\Settings\rvnverps
* %UserProfile%\All Users\Documents\Settings\rvnver_a.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_b.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_f.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_v.dat

9. Sends the information to the following domain: winsoftwareupdate.org

I had just switched over to Firefox from IE due to the vulnerability (and no fix offered till April 12), my AVG didn't find it, online scan by Trend Micro didn't find it, but an online scan by PCTools Spyware Doctor found and listed the whereabouts of several files -- but wouldn't eliminate them unless I bought their software. While I was learning where all the bad stuff was hiding, WinPatrol would keep going off asking about "MSoff.exe wanting to be added to my startup", I'd keep eliminating it from the Registry, and it would keep being added back by some part of the trojan still resident on my system. I had turned off system restore until I tracked down all the parts of the trojan that I and Spyware Doctor could find, then ran the Doctor again and ran Spy Sweeper since I use their Window Washer software and decided that I would buy their product over Spyware Doctor since it's rated well. I spent hours, but at last Scotty was no longer barking at "msoff.exe", it was no longer loading into my registry, the .dat and .ini files were gone and hadn't returned, and none of my scans were finding anything -- BUT then some of them had NEVER found anything to begin with!! :mad:

I use safe practices -- have avoided emails with phishing links/trojans/viruses, but somewhere on the web that was deemed safe by my security controls -- something attacked me from behind -- IF Scotty the WinPatrol watchdog hadn't barked in time, I could have lost a lot. My info may have been gathered by the trojan even though I found it -- I've changed passwords again to hopefully add some protection in case they got my bank account number, etc.
I don't like to hate people, but I am NOT happy with people who have nothing better to do than sneak around trying to steal from me. :mad:

Kraellin
04-13-2006, 12:31 PM
gary,

trust me, i thought about coming here and posting, but pride or sheer stubbornness at wanting to 'handle my own problems' i guess kept me from doing so. i like to think i can handle my own system. i cant, really; not all the time, but i always like to try first. but trust me, i did think about you in particular :)

here is a log of hjt as it currently stands. i made this immediately after running the restore point:

Logfile of HijackThis v1.97.7
Scan saved at 12:11:04 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe *inCD cd burning
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe * ati card
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe *could be norton ghost or old norton anti virus
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe * also ghost or anti virus
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe * i forget at the moment, but i know this is ok.
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe * phone answering machine on the computer.
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe * virtual machine i installed
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe * also virtual machine
C:\WINDOWS\system32\vmnat.exe *virtual machine
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe *virtual machine
C:\WINDOWS\system32\BRMFRSMG.EXE *brother printer
C:\Program Files\BroadJump\Client Foundation\CFD.exe * broadband
C:\WINDOWS\System32\hphmon05.exe *hewlett packard printer
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE * external harddrive ...usb type.
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe * abyss web server
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
P:\Program Files\Abyss Web Server\abyssws.exe *abyss
C:\WINDOWS\System32\HPZipm12.exe
J:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
*** normally, the former would have been mozilla, but during the validation process on microsoft, i tried to use netscape because mozilla wasnt working for this. and i.e. was so screwed up at the time i didnt want to ever try with that.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll * voice activated speech/typing/computer control.
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - F:\FlashGet\VERSIO~2\FlashGet\jccatch.dll * fast downloader
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm *the trial version of neo trace
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: MoneySide (HKLM) *really not needed.
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23

most all of this i understand. the ones i'm a bit unsure of are the smss, lsass in the running processes and the last line with the name server. if i kill that last one, i'll lose my internet connection, though.

craig

edit: hmmm, i better edit that a bit to show what some things are.

Ziaphra
04-13-2006, 12:38 PM
Both the lsass and smss are ok...I know this from having to 'hijack this' my own computer some time ago. :)

Kraellin
04-13-2006, 01:07 PM
hehe, you guys have to understand here, that i didnt know it was a trojan to begin with. so, looking up 'zlob' was not an option. not at first, anyways. it wasnt till quite a ways into this process that i even found out it was zlob. what i first got was a 'NT logon' request by zone alarm and then this 'security' popup that i knew i hadnt installed; at least not on purpose. i then noticed a new icon on my desktop, the 'security' one.

this all occurred right before my weekly backup routine...the same day and when i first saw it i was about to leave for work. i was also getting a win patrol request. i ran hijack this and found nothing really odd to begin with. i tried to kill the new 'security' thing in my systray, but couldnt.

when i got home from work, with the computer running while i was away, i found more 'alerts' from win patrol stacked up and a popup ad on my desktop for some casino or something. that's when i got mad and knew for sure i was infected. i ran adaware and it came up blank. i deleted that 'name server' item in hijack this and promptly lost my internet lookup. i called my isp to see if there was an outage, thinking that that name server thing was a hijack and not needed.... lol. wasnt thinking straight at that point. they tried to help and i did some lookups on 'mssearchnet.exe', which told me it was definitely a trojan on the bad lists. after that things sort of get blurry. i ran a whole lot of checks and fixes and probably not in the right order. in all fairness to trend micro, i had already wiped out part of this thing, so their detection might have been dependent on those things i wiped and subsequently their detection couldnt see it to remove it. they did find about 24 other things, however, including about 20 java viruses which i hadnt even suspected were there and might have been there for a long time.

so, in my obstinate, prideful, pissed-off mood, i was probably hindering the helps that would have handled this. lol. go figure. :)

at any rate, it seems to be gone, or at least inactive/dormant. like i say, the restore point seemed to have killed any existing links to make the thing active and removed the registry entries that were keeping it alive.

i've, if nothing else, learned a bit more about where some of these things get hidden and what they use to run hidden startup stuff. i've also learned to alter my surfing practices a bit and to add more protection.

nancyj,
i like that teatimer idea. great idea. i have an api monitor program but never use it because it tends to be a system hog, but the teatimer sounds like just the right item. it's those things that get into the hidden start locations that kill you.

also, folks shld know that a lot of current viruses dont just load a virus, they also load a reloader. the reloader will restart the virus if you manage to kill it. these are often in the form of hidden .dll's (library files). so, you have to also find and kill the .dll.

and cj,
yes, mine was doing almost the exact same things. i couldnt live without Scotty! and now that i've killed the links/registry, i need to go back again and reinstall the new good old scotty. i'm still on version 5.x.x now that i used the restore point. and i need to re-install task catcher too.... and windows defender. lol. wiped out the good with the bad. kill em all and sort it out later :)

craig

Kraellin
04-13-2006, 01:25 PM
oh, and here's another idea for anyone that wants TRULY impervious protection while surfing.... vmware! this is a 100% foolproof method of NEVER getting infected...NEVER! (yeah, never say never and i'm sure it could be cracked, but ok).

vmware stands for virtual machine software. you may have seen me make mention of it in my hijackthis log posted above. vmware is a virtual machine within windows. it basically runs as a module inside of windows, but isnt windows. it is its own operating system operating as a sort of shell within windows.

for those that remember the days when you loaded the o/s from a floppy disk into the machine at startup, this is somewhat the same thing. when you start vmware it creates a new o/s within your o/s. in fact, it can create any o/s you want, if you have that module. so, you could run windows within windows, linux within windows, mac within windows (when they finish that module. it's not quite ready yet) and so on. it comes with browsers and modules and is currently free.

the way this works is, you run the vmware, run their browser within vmware and surf to your heart's content. you could pick up 50 trojans, worms, etc, etc and it wouldnt matter. once you kill the vmware module, EVERY PART OF IT DISAPPEARS FOR GOOD! when you start a new vmware module it's like loading the o/s from a floppy again. it's completely new. so, you can 'never' get infected.

the way it was explained to me was, it creates a virtual harddrive when you load the vmware. this harddrive has an o/s on it. when you exit the module, the drive is wiped...gone....poof! so, no infection can remain.

you might wonder why you would need such a thing as vmware. i mean, it seems a bit much for anti-virus protection. and, it will slow your machine down a bit. you wont be playing any multiplayer shooters with it, trust me on that one :) but, it's not so slow that you cant surf in a fairly normal manner.

this technology came about from a need within updating and restoring systems. if a company is running 50 computers all using vmware and they all crashed, got infected or just plain quit for some reason, restoring these computers is a breeze. it's also highly transportable. make a copy of your vmware module at the corporate office and you can simply ship out copies to your remote locations and they simply pop them into their systems and they're running.

i dont really know a lot about it. my brother in law uses it and i found it interesting and downloaded and installed a version for surfing. and that's another thing. with these modules you can customize them for certain things. there is a windows module, a linux module, a basic surfing module and so on. so, if you had 20 employees on computers and didnt want them to be able to access the internet, you simply put modules on their machines that cant surf. simple.

it has more uses, i'm sure, and i've only installed it and used it once, so like i say, i really know little about it, but i do recall talking to my brother in law and that he recommended it as THE safest way to surf the web.

a google shld turn up what you need if you want to give it a shot. there is an official site and it shld turn up near the top of a google search.

oh, and one last thought on this... it might also make the perfect web server for your web pages. you make your base module, store a copy and always have that backup if something goes crazy on your server.

craig

Gary Richardson
04-13-2006, 03:51 PM
Hi Craig,

You are using an outdated version of HijackThis.

Please download the latest version from Here (<http://www.merijn.org/files/hijackthis.zip>) to a location on your computer where you can find it.

We recommend you create a New Folder C:\Hijack This

Before your first scan, we need to check the configuration.

Click on the Config button in the bottom right hand corner.
Now confirm the following are checked.

Make backups before fixing items.
Confirm fixing & ignoring of items (safe mode).
Include list of running processes in logfiles.

The other items should be unchecked.
Click the Back button to return to the Scan page.

Now run a scan, and send me a new log please.


Sorry about the "canned" speech, it's the easiest way to give you the info.

Your version of HJT does not scan all the areas that the newer version does, therefore vital info is missing.

Don't add any comments to the new log, as it causes problems for some of my semi-automated log checking. (I have a program that checks lines on your log against a database of "Good" lines that I've compiled, and marks them on your log). For the rest, I have access to a large database of valid and invalid processes, and rarely find any that I can't get info on. (I'll ask you about any I can't find).

Kraellin
04-13-2006, 04:13 PM
gary,

thanks.

new log:

Logfile of HijackThis v1.99.1
Scan saved at 5:11:30 PM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
P:\Program Files\Abyss Web Server\abyssws.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\HijackThis-1-99-1\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

craig

Gary Richardson
04-13-2006, 04:14 PM
Just as an item of info Craig, with regard to VM.

Microsoft researchers have put forward a proof of concept proposal, where a VM system is used as a "Rootkit" to hide malicious activity.

Essentially the attacker downloads a VM onto your computer, and your OS will then unbeknown to you, run inside this VM.

Because of this, any AV scans will not show anything wrong with your system, (as they will be scanning your OS, and not the VM) and yet the attacker will have full access to the contents of your computer.

They haven't explained how this would be introduced to your box, but the concept is frightening.

Kraellin
04-13-2006, 04:18 PM
gary,

yes, that is frightening. however, my VERY little understanding of vmware says this is very unlikely, if not nearly impossible. of course the key word there is 'nearly'. and i honestly dont know. the 'hooks' between the vm module and your 'real' o/s are pretty slim, the way i understand it currently, so i dont know. i would think the vm module would have a hard time reading or interfacing with your true o/s. but, it's software, so i suppose it's possible.

the whole 'rootkit' thing is pretty scary all by itself.

craig

Gary Richardson
04-13-2006, 04:50 PM
OK Craig,

Gone through your HJT log, and it looks clear.

I assume Bell South are your ISP. (if not let me know).

Noticed you have both AVG and Norton/Symantec on your box, if you're running both it could cause conflicts. Best to disable the real time scanners on one of them, and use it as an on-demand scanner only.

Also found Zone Alarm in your Running processes, but I don't find the services to suggest you're using it as your firewall (I presume you're using Norton/Symantec). Is this a remnant from an old install? If so, it might be worth removing it. (Just remove the Zone Alarms folder in Program Files).

If you wish to check whether your other Restore Points have been infected, try running Kaspersky's online scan, this is a very thorough scan, and will show up any infected files (including those in System Restore). It's a scan only, and doesn't clear any infections.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives
Scan Mail Bases


Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


Sorry, another "canned" speech.

If your RPs are infected, you need to clean them out. (sorry, yet another "canned")

Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot.

Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

NOTE: only do this ONCE, NOT on a regular basis.

Kraellin
04-13-2006, 09:15 PM
gary,

thanks!

yes, bellsouth. and that actually makes me feel better. that tells me you looked up that name server and it was correct.

no, dont have norton antivirus any more. so, those are leftovers. do have ghost.

zone alarm firewall = all systems active. so, not sure what you want there.

re the other restore points, this one i just restored to only goes back to shortly before i knew i was infected. also, it was a 'checkpoint' and not the original set RP. so, if things came up clean, i'm not going to worry about it and will keep it. but thanks for that.

now, one thing i do have a question on that has never really been answered is, on the restore points, are these like iso's? i mean, i was told once that these arent really iso's in the true sense of it being a complete image file. and, i was also under the impression that restoring wouldnt destroy EVERYTHING after the RP, but it seems to have done so. all those programs i downloaded to fix this mess are now gone from my hdd's. no trace at all. in fact, i was under the impression that by using the checkpoint that it was like an updated version of your last rp and that it would only wipe things back to the checkpoint and not the original rp, but this doesnt seem to be so. there are other things missing from my files, like all the filtermeister filters i got or made a while back. thankfully, on those, i had copied them to the software forum and could simply copy them back, but other things are missing as well that would have been installed before the checkpoint but after the rp.

ok, i think i just answered my own questions. it would seem the checkpoint doesnt really do much of anything, but just links back to the original RP, and the original is what gets used in the restore. that kinda sucks. what's the point of the checkpoint if it doesnt update anything?

oh wait, i just found some of the things i thought were missing. ok, now i'm confusing myself. what does the checkpoint do? and what, if anything, is the difference from restoring to the original RP versus the checkpoint?

craig

Gary Richardson
04-14-2006, 12:56 AM
OK,

1st things first.

If you're not using Norton anymore, it's best to get rid of all of it, as it sometimes causes conflicts with other systems. The uninstaller that comes with the program does not always remove everything (as can be seen from the plethora of Norton/Symantec entries in your HJT log).

DO NOT REMOVE THESE USING HJT.

Norton makes an Uninstall Tool which will successfully remove it from your system. HERE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=)
(Check which version of Ghost you're using, as it also removes one of the earlier (2003) versions; you'd have to re-install it).

Zone Alarm usually has a service (O23 Entry in HJT) running.

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Don't see it in your log. (May be worth doing an Uninstall then Re-install of Zone Alarm).

As for Windows XP restore points, there seem to be a whole lot of inconsistencies that I can't explain. (Only M$ know, and their description doesn't clarify matters much).

When you restore to an earlier restore point, you will usually lose programs that have been installed since that point was created (not all programs seem to be lost, seems to be some complication there that I don't understand), your registry will be set back to the settings as per that time. Usually any updates to programs will be lost (again sometimes not so). Personal files and folders do not seem to be affected in any way.

Not helping clarify things I know, truth is I don't fully know. This may explain.

Link to tutorial on System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html)

Kraellin
04-14-2006, 01:35 AM
gary,

re norton av, i agree. and thanks for the link to their uninstaller. and trust me, i'm well aware of poor uninstalls :(

and regarding zone alarm, look at the running processes section of the log:
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
and re restore points, i'm afraid that's about the only answer i've ever gotten from anyone... "As for Windows XP restore points, there seem to be a whole lot of inconsistencies that I can't explain." lol. so you're not alone. i will say this. it did wipe out the virus (amen!), and it did cause me to lose some files that were added after the checkpoint date. i was wrong about some of them though. the ones before the checkpoint do seem to still be in place. it did remove my avg anti-virus updates from avg. i havent checked yet, but i'm also fairly sure that any zone alarm allows or disallows will now be gone as well. i also know it saved my butt, not only this time, but when i was having that trouble getting service pack ii to install. i used restore points for that as well to get rid of the errant versions and attempts i was getting.

i can also say that so far, i can find NO trace of the virus or its components. mssearchnet.exe, nvctrl.exe and all things related to that 'security' thing seem to be gone....with one exception that i just caught earlier tonight and that was a .txt file on my desktop that said 'security guide'. not completely sure if that was part of the other stuff, but when i checked the properties, it did seem like it. so, that one's a bit of a mystery re the restore points.

so, all in all, i'm fairly happy again. i will be updating some things and moving some other things. i'd been getting a bit complacent with all this, not being infected (that i knew of) for quite a while now. frankly, i think we're being too easy on these virus creators. we've mostly all been on the defensive. i'd like to see a little offensive. i did see, when i got windows defender, that microsoft is teaming up with some folks regarding viruses and that they want individuals to join their club also. i think this is a pretty good idea. i can see a new wave of 'security partners' coming in the future that are likely going to be more aggressive on all this. microsoft and others have always been slow to get the message about what's going on, but hackers, crackers, script kiddies and others might want to get clean now. when the big boys like microsoft really set their sights on something they can bring an awful lot of clout to the table.

and just as a side note, can you imagine ole bill getting this same virus or sasser or blaster on his home machine? how embarrassing would that be? ;)

craig

Gary Richardson
04-14-2006, 09:17 AM
I overlooked the other Zone Labs running processes (expected to see them as services, so didn't look for them there), partly due to the fact that my auto check had marked them as valid entries. I was concentrating on looking for rogue entries at that point.

I'm still curious as to why C:\WINDOWS\system32\ZoneLabs\vsmon.exe is not showing as a running service (don't like discrepancies). It's probably been disabled by the infection (they often disable firewalls to make access to your computer easier).

Click Start > Run and type services.msc. Scroll down and you should find a service called TrueVector Internet Monitor. Double-click on it to open Properties, check it's set to Auto, check also that its "Service Status" is Started, then click OK.

Any problems with this let me know.

Kraellin
04-14-2006, 12:20 PM
gary,

again, thanks.

on this: "Click Start > Run and type services.msc scan down, and you should find a service called TrueVector Internet Monitor double click on it to open properties, and check it's set to Auto check also that its "Service Status" is Started, then click OK." everything seems copesetic. it's there, on automatic and running. dont know why it wouldnt show on hjt. i think some things are a little odd after the restore.

also, i ran another scan and log last night because i wanted to get mozilla back as my default browser. i also hadnt run i.e. since the restore either. so, the log has changed just a bit because of these:

Logfile of HijackThis v1.99.1
Scan saved at 1:12:11 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\GEARSec.exe
H:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
F:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
H:\Program Files\Norton Ghost\Agent\GhostTray.exe
P:\Program Files\Abyss Web Server\abyssws.exe
P:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
H:\Program Files\TraySoft\PhoneTray\PhoneTray.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\HPZipm12.exe
F:\Program Files\mozilla.org\Mozilla\mozilla.exe
J:\HijackThis-1-99-1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.retouchpro.com/"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Me\Application Data\Mozilla\Profiles\default\cxpbc44u.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "H:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [AbyssWebServer] P:\Program Files\Abyss Web Server\abyssws.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &NeoTrace It! - F:\NEOTRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - F:\NEOTRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136317380093
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - P:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton Ghost - Symantec Corporation - H:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - I:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

for instance, not sure how that 'aol' thing got in there. i also dont need the 'Directway' thing in there any more. that's from my old satellite internet, which i no longer use. but, all in all, it still looks pretty clean to me.

craig

Gary Richardson
04-14-2006, 01:55 PM
If you want to get rid of the AOL in your IE Trusted Zone, just run a scan with HJT, check it, then click on Fix Checked to remove it.

The O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing) is a little more involved. You can't just check it in HJT to remove it.

1st we have to stop the service, and then remove it, finally remove the file.

Sorry, time for another "canned" speech (I've got loads).


We need to stop a service...

Click Start button then select Run.
Type services.msc then hit OK.
Scroll down and find the service called:

DIRECWAY Webcast

Right-click on Service and choose Properties.
On the General tab under Service Status click the Stop button to stop the service.
Beside Startup Type in the dropdown menu select Disabled.
Click Apply then OK. Exit the Services utility.




Let's delete that service

Start HijackThis.
Click Config button.
Click Misc Tools button.
click Delete an NT Service button
Copy and Paste the text in the box below in the Delete an NT Service window.

DPC_SRV_WEBCAST

Click OK.
Close HijackThis.


Now delete this folder.
C:\PROGRAM FILES\DIRECWAY

Rest of the log looks clean. (obviously these aren't malicious entries, just unwanted ones).

As a point of information, although HJT says the Direcway file is missing, HJT is unreliable in this regard with all but the O2 & O3 entries.
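The checks done by eye in this thread (O23 services flagged "(file missing)", an O15 Trusted Zone addition, the O17 name servers to verify against the ISP, and a binary such as vsmon.exe running without a matching O23 service entry) can be scripted. The Python below is an added example, not HijackThis's code and not from this thread; it parses the HJT 1.99 log layout shown above over a constructed sample built from entry shapes in the thread. The `expected_service_binaries` parameter and the assumption that HJT omits the parenthesised registry name when it equals the display name are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample log, trimmed to entry shapes that appear in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\vmnat.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: http://free.aol.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F84C87-59F2-4E53-A3FB-87340C392D64}: NameServer = 205.152.37.23,205.152.132.23
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Unknown owner - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe (file missing)
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # "O23 - <payload>"
SERVICE_RE = re.compile(                               # O23 payload layout
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Service:
    display: str
    short_name: str     # registry name, what HJT's "Delete an NT Service" wants
    owner: str
    path: str
    file_missing: bool  # HJT's own "(file missing)" marker, not re-verified


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: dict = field(default_factory=dict)   # section code -> payloads
    services: list = field(default_factory=list)


def parse_hjt(text):
    """Split a log into running processes, per-section payloads and O23 services."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                log.processes.append(line)
            else:
                in_processes = False    # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, payload = m.groups()
        log.entries.setdefault(code, []).append(payload)
        s = SERVICE_RE.match(payload) if code == "O23" else None
        if s:
            # Assumption: HJT omits the parenthesised registry name when it
            # equals the display name, so fall back to the display name.
            log.services.append(Service(s["display"], s["short"] or s["display"],
                                        s["owner"], s["path"], s["missing"] is not None))
    return log


def review(log, expected_service_binaries=("vsmon.exe",)):
    """Report orphaned services, trusted-zone sites, name servers and expected
    service binaries that run without an O23 entry (the vsmon.exe discrepancy).
    expected_service_binaries is an assumption of this script, not an HJT concept."""
    service_bins = {ntpath.basename(s.path).lower() for s in log.services}
    nameservers = []
    for payload in log.entries.get("O17", []):
        value = payload.partition("NameServer = ")[2]
        nameservers.extend(ip.strip() for ip in value.split(",") if ip.strip())
    return {
        # Stop/disable, delete the NT service, then remove the folder.
        "orphaned_services": [s.short_name for s in log.services if s.file_missing],
        # Sites here get relaxed IE security settings; each needs a reason to stay.
        "trusted_zone": [p.partition("Trusted Zone: ")[2] for p in log.entries.get("O15", [])],
        # Verify against the ISP; a hijacked resolver would show up here.
        "nameservers": nameservers,
        "expected_service_not_registered": [
            p for p in log.processes
            if ntpath.basename(p).lower() in expected_service_binaries
            and ntpath.basename(p).lower() not in service_bins
        ],
    }


if __name__ == "__main__":
    for key, value in review(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```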

Kraellin
04-15-2006, 12:33 AM
gary,

thanks. i'll work on those tomorrow.

today, at least this evening, i've been working on updating my security. got and re-installed the newer win patrol. got and installed again, task catcher. got and installed spybot s&d with teatimer. ran spybot and it found over 30 items. cute. mostly, these were dead items and non-working fragments of old spyware or other malicious junk. nonetheless, i removed most of them. i didnt remove 2. one is 'cyberview', which is software that i'm pretty sure came with my negative scanner. it's a twain/usb device and the software to go with it. not sure why spybot saw that as a threat... but i'll check into it more tomorrow.

also downloaded, but didnt install, some items from the spybot site that looked kind of interesting. his regalyzer, filealyzer and i think one other. havent installed those and they're not, strictly speaking, security items, but looked kind of interesting. (i'm a download junkie).

anyways, the system seems to be running ok. i shld probably do a registry cleaning also after all this. i think i have 'regclean' somewhere. if you know of a better one or have any comments on that one, i'd love to hear it.

again, thanks! and i'll try to be more security conscious in the future.

craig

Gary Richardson
04-15-2006, 09:48 AM
Hi Craig,

This is what I usually suggest to secure a computer. (Based on a user who uses IE as their browser).

Personally I use Firefox with the No Script and Site Advisor plugins. (You still need to secure IE).

(Suggestions, yet another "canned" speech (does this boy have no end of these)).

Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure

From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
Make sure these options are set as follows:

Download signed ActiveX controls to Prompt
Download unsigned ActiveX controls to Disable
Initialize and script ActiveX controls not marked as safe to Disable
Installation of desktop items to Prompt
Launching programs and files in an IFRAME to Prompt
Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Press the Apply button and then the OK to exit the Internet Properties page.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.


Adaware SE Personal (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)

Spybot S & D (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventative tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)

SpywareBlaster (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

IE Spyad (http://www.spywarewarrior.com/uiuc/resource.htm)
It puts many bad webpages on your Restricted Zones list. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.

Hosts file: (http://www.mvps.org/winhelp2002/hosts.htm)

Every version of windows has a hosts file as part of it.
In a very basic sense, they are used to locate webpages.
We can customize a hosts file so that it blocks certain webpages.
However, it can slow down certain computers.
This is why using a hosts file is optional!!
Make sure you read the instructions on how to install the hosts file, here (http://www.mvps.org/winhelp2002/hosts2.htm).

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:


Click the start button (at the lower left hand corner of your screen)
Click Run. In the dialog box, type services.msc
hit enter, then locate dns client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok




Use an Anti Virus Software - It's very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on-line and stand-alone anti virus programs:
Computer Safety On line - List of free Anti virus programs (http://www.freebyte.com/antivirus/#scanners)

Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one.

Site Advisor (http://www.siteadvisor.com/) This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. (It also colour tags items in your Google Searches)

Gary Richardson
04-15-2006, 10:09 AM
If you like programs that analyse your system, try Process Explorer by Mark Russinovich, available at http://www.sysinternals.com/Utilities/ProcessExplorer.html
Displays all running processes on your computer and a whole lot more. (Warning: seriously Geeky).

Very informative and powerful tool, can be used to remove all sorts of nasties if used properly. Will also muck up your system totally if used incorrectly, (no backups so don't use for removing Malware unless you REALLY know what you're doing).

RegCleaner is as good as any (I use it), just remember that using any automated cleaner on your registry carries an element of risk. Make a backup of your registry before cleaning, and keep it for a while after you've cleaned just in case you have any unforeseen problems.

If you don't know how to make a Registry backup let me know and I'll be happy to post instructions.

Kraellin
04-15-2006, 10:16 AM
gary,

sage advice, indeed.

mostly i use mozilla. oddly, when i'm going to go to what i think may be a bit of a suspicious site, i use i.e. i know that sounds backwards, but frankly, i'd rather infect i.e. than mozilla, if it's going to happen. i guess that's because i rely on mozilla more than i.e. and try to keep mozilla safe. yes, i know, i need i.e. for windows updates, so, yes, it is a bit screwy :)

and normally, i have the i.e. settings you recommend already set that way, or very close to it. so, i'm not really sure how i got that trojan...probably downloaded something i shldnt have or actively viewed something i shldnt have. i do recall allowing some activex things on sites i thought i could trust, so maybe it was there. not sure.

and yes, i'm overdue for a windows update. so, that's on my list too.

craig

Gary Richardson
04-15-2006, 10:27 AM
By using No Script with Firefox, you greatly reduce the chances of getting an infection. This bans Javascript by default. Sites are given Javascript privileges on a site by site basis under your control (a site you determine "safe" can be given it "permanently").

As you're already aware Firefox does not support Active X or WinScript, so the combo of Firefox and No Script gives a very secure browser. (No browser is totally secure).

Been a couple of big security updates on Outlook Express and IE recently, as well as the usual hole plugs in XP, so important you update ASAP.

Have fun, and keep safe.

Photoshop. You can update Windows using Firefox. Either set Security Centre to update Windows on Auto. OR if you prefer a little more control (I do) set it to notify you when new updates occur. When an update occurs, it will throw up a yellow shield icon in your taskbar. Simply click on the shield to get details on the update, select what you want, then allow it to update. No need to go to Windows Update site, and therefore no need to use IE.

Cameraken
04-15-2006, 12:55 PM
Glad to see you are up and running again Craig.

I installed Hoster and the Host files recommended by Gary (Thanks Gary). But when I run Spybot I get ‘Windows Redirected Hosts’ showing, like it is a problem?

Why does Spybot want to ‘repair’ these? Surely Spybot should see these as safe?

This only happens on one of my PC’s (Running ME)

Just wondered if anyone else gets this?

I use ERUNT to backup my registry. It’s great, and much better that using XP’s.


Ken.

Gary Richardson
04-15-2006, 03:32 PM
When you install Spybot, it creates a copy of your registry which it uses as a benchmark. Any alterations to this "template" have to be "allowed" by you.

So it sees the addition of a hosts file as a large alteration to your registry that hasn't been "allowed".

Uninstall Spybot, then re-install it. As you already have your hosts file in place, Spybot should "accept" it.

Note: Each time you update your Hosts file, Spybot should prompt you to allow the alterations. You must allow them, or forever and a day you will be told they are malicious; note you only get one shot at allowing them.

If you don't want to go through uninstalling and re-installing, try the following.

Open a new Notepad file (must be Notepad NOT wordpad). Make sure Format > Wordwrap is not checked.

Copy and paste the text in the box into it.
@echo off
REM ResetTeaTimer.bat - deletes Spybot's saved registry snapshot, its
REM allow/deny (white/black) lists and the TeaTimer log, so TeaTimer
REM rebuilds them from the current system the next time it starts.

REM Work out which Windows version this is and jump to the matching paths.
VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

REM Windows 2000 / XP / 2003: Spybot data lives under All Users\Application Data.
:NT
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

REM Windows 95 / 98: Spybot data lives under %WINDIR%\Application Data.
:win
deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

REM Windows ME: Spybot data lives under %WINDIR%\All Users\Application Data.
:winme
del /y %WINDIR%\alluse~1\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\logs\resident.log
exit

REM Only reached for an unrecognised Windows version.
:last
echo Press any key to terminate...
pause
exit



Save it as ResetTeaTimer.bat, with file type "All Files" NOT txt, somewhere where you can find it.

Double click on ResetTeaTimer.bat to run the programme and reset Spybot's Tea Timer. That should cure the problem. If not, uninstall and re-install as previously stated.
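The hosts-file instructions earlier in the thread and the Spybot 'Windows Redirected Hosts' discussion both turn on one distinction: an entry that sends a name to the local machine (blocking it, as the MVPS hosts file does) versus one that sends it to some other address (what a hijacked hosts file looks like). As an added illustration, not posted by anyone in this thread, this Python script parses a hosts file and separates the two kinds; the sample hosts text is constructed.

```python
"""Split a hosts file into blocking entries (name sent to loopback/0.0.0.0,
as the MVPS file does) and redirections (name sent elsewhere: what a hijacked
hosts file looks like and what a scanner should flag). Added example."""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]  # (address, hostname, line number in the file)

def parse_hosts(text: str) -> List[Entry]:
    """Return every address/name mapping, skipping comments, blank lines and
    lines whose first token is not an IP. One address may carry several names."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.extend((parts[0], name.lower(), line_no) for name in parts[1:])
    return entries

def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """'local': loopback or unspecified address (blocks the name, or is the normal
    localhost line). 'redirect': anything else, i.e. the name now resolves to a
    live host somewhere, which is the kind of entry worth a second look."""
    out: Dict[str, List[Entry]] = {"local": [], "redirect": []}
    for addr, name, line_no in entries:
        ip = ipaddress.ip_address(addr)
        kind = "local" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        out[kind].append((addr, name, line_no))
    return out

# Constructed sample, not a real hosts file: the standard localhost line, two
# MVPS-style blocking entries, and one entry pointing a name at an outside host.
SAMPLE_HOSTS = """\
# hosts (constructed sample)
127.0.0.1   localhost
0.0.0.0     ads.example.net        # blocked
0.0.0.0     tracker.example.org
192.0.2.10  update.example.com     # redirected: the entry to look at
"""

if __name__ == "__main__":
    for kind, items in classify(parse_hosts(SAMPLE_HOSTS)).items():
        print(kind, [f"{n} -> {a} (line {ln})" for a, n, ln in items])
```

Point it at a real file with `classify(parse_hosts(open(path).read()))`; anything under 'redirect' is what to check against the hosts file you actually installed.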

Bob Mc
04-15-2006, 03:51 PM
Thanks Gary, Craig, C.J., Nancy, Ikroll and others for the great information that you shared. I’m in awe at your technical knowledge and the help that you have provided.

Until I spent some time on this thread, I would have told you that I practiced very safe computing – but now I’m not so sure.

I’ve virtually spent all day today reading and rereading the posts, looking at various security sites and sites that provided tools to minimize the threat. Now, I’m really confused!

What I’d like to ask of you folks – who have great knowledge of the types of tools necessary to minimize the surfing risk – is to help the rest of us (probably the majority of us) to understand…
a- the types of tools available for each of the different risks and,
b- some suggestions for the tools (brands) that are most effective

(Yes I know that there will be many opinions about individual products – but when you are experienced in dealing with this stuff, opinions/impressions are very important)

I read somewhere that there are over 150 different brands of antivirus software available – and probably a like number of spyware detection tools as well – and it’s clear from the experiences in this thread none of them were the end-all and be-all.

In my instance I use the following:

Firewall – ZoneAlarm Pro - (to alert me to programs/processes trying to get into my computer or trying to send something out from my computer)

Virus Protection – Norton SystemWorks

General System Checkup – Norton One Button Checkup (finds and repairs Registry inconsistencies, bad shortcuts, identifies cleanup items, etc.)

Registry Analysis - Norton One Button Checkup and Registry Mechanic (I’m very paranoid about the Registry and the garbage that can accumulate there – and the risk of destructive programs that can be placed there without my knowing)

Spyware & Adware – Microsoft Antispyware, Ad-Adware, Spybot Search & Destroy (one program simply doesn’t identify all of this kind of Krap)

StartUp programs – Startup Control Panel (by Mike Lin) (Every program in the world wants to startup when the pc is turned on. This program identifies the request {to change the Registry} and allows me to decide. However, this program is a couple of years old and I wonder if it catches all the newer sophisticated start up situations.) I also use msconfig.

Cookie Control – Cookie Pal v 1.7 – allows me to easily see and delete cookies I know I don’t want (like ad oriented stuff) – Handles IE6, Netscape and Opera. Hasn’t been upgraded for a few years, but seems to give me the visibility I want.

? My basic question here is whether I’m covering all my bases with the robustness needed as these malicious intrusions get more sophisticated?

? Am I using the “best” tool to see all proposed Registry changes before they are allowed?

? Does “Startuplist” from Merijn.org identify more startup processes/programs than an older program?

? Will WinPatrol Plus provide additional protection for startup programs and/or unwanted Registry entries?

I know that multiple spyware removers seem to add to my protection – but does the “overlapping” functionality of stuff like Norton, Registry Mechanic, Winpatrol Plus, etc. cause more problems than they solve?

I do know that my browser – internet explorer – doesn’t have the tightest security options (yet) and I will have to bite that bullet to use the “Trusted zone” more – or change to another browser.

=================

For those that are interested, the following link gives a lot of information about making IE less vulnerable.

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm#summ


Lots of questions here and probably even more that I’m not smart enough to even ask about – but I hope you can help me improve some – and maybe my list of protections can provide others a starting point.

Thanks and Regards

Bob Mc

Cameraken
04-16-2006, 02:31 AM
Thank You Gary.

I will try that when I go back to work after Easter.
I added the Host file to two PC’s last November (After your suggestions)
I added Spybot to both PC’s this week (I normally just use Adaware)

It’s just one PC running WinME that complained about these six entries out of over 1800.

Ken.

Gary Richardson
04-16-2006, 09:15 AM
Hi Bob Mc,

If you read my earlier post to Craig, that should give you a list of things to do and install which will give you a pretty secure level of protection.

As an addition, I'll say this.

There are a great many "bogus" malware scanners available, some are even malicious in intent, so be careful what you install to your machine.

For a list of "Rogue" programmes, see http://www.spywarewarrior.com/rogue_anti-spyware.htm#products