Solved

VIRUS ????

Posted on 2004-04-02
46,575 Views
Last Modified: 2011-09-20
Hello everyone...

I have a Windows XP system that I am working on that I am pretty sure has a virus...

These are the symptoms

Cannot access the control panel
Clicking on internet explorer does nothing
Cannot access My network Places
In command prompt I am getting an IP address, gateway etc... I can release and renew but still no connection to the internet through Internet Explorer.

Also can ping 127.0.0.1 which is successful...

Tried to run Windows Messenger to establish a remote assistance connection... it asks to launch the web browser to register... the browser never launches; all I get is a script error message.
Tried to reinstall Internet Explorer - no result
Tried to install Road Runner Medic - no result
Email will not work.
Checked under the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run .... one of the items listed is 17669.exe
When booting an error message occurs stating DLL initialization failed 17669.exe

I looked in the log files for app errors; there are a lot of WCI ERRORS.... I do not know what this is but the description says "Cleaning up corrupt Content Index Metadata C:\system volume information"

There are also application errors stating MCShield 6.0 is the faulting application in Kernel32.DLL.

MCShield is a component of McAfee anti virus...

I also tried sfc /scannow which just disappeared.

I cannot access my computer

I can access system properties

I can access file and folders through the run command.

Application and control panel type windows will either not appear at all or just pop off the screen for no reason.

I am thinking it may be this virus but I am not sure
http://securityresponse.symantec.com/avcenter/venc/data/w32.nofer.a@mm.html

Since I am unable to connect to any sort of internet or network connection I cannot run any online virus scanners.

I am wondering if anyone knows of any virus that may behave this way and/or of any anti virus software that can be downloaded and used for free.
0
Question by:briancassin
29 Comments
 
LVL 21

Author Comment

by:briancassin
ID: 10746717
I guess I should reword that I am wondering if anyone has run into this problem before.
0
 
LVL 6

Expert Comment

by:jthow
ID: 10747132
You seem to have a network connection.  If that is the case, make sure you have up-to-date anti virus definitions on another box attached to the n/w and then run a virus check on the problem system from there.  You may need to enable sharing on the root of the drive of the affected system and map the drive on the other system in order to be able to do that.  I'm not sure the online scanners will scan a n/w drive, but you should be able to scan from another system on your local n/w.

Good Luck.

JohnT
0
 
LVL 10

Assisted Solution

by:timothyfryer
timothyfryer earned 100 total points
ID: 10747139
AVG Free Edition is a good free virus program.  You can get it at http://www.grisoft.com/us/us_dwnl_free.php

I haven't seen this before but if you can access files and folders through the run window then I would open the run window and type msconfig.exe.  If it opens, click on the startup tab and unclick the box next to all of the McAfee entries, if not all of them all together.   Then reboot and see what happens.  If your kernel32.dll file is corrupt, you can fetch a fresh one from your XP install disk by using the expand button under the general tab of msconfig.
Post your questions and I'll try to help.
0
 
LVL 6

Expert Comment

by:jthow
ID: 10747229
AVG free version won't work in a networked environment.

JohnT
0
 
LVL 21

Assisted Solution

by:gemarti
gemarti earned 100 total points
ID: 10747539


Download Ad-Aware so that you can install it on the trouble system
Reboot the system and Press F8 to access the system menu.
Select Safe Mode
Logon to the system with username=password
Run Ad-Aware to cleanup any spyware and adware on your system
Reboot the system and log back on as you would normally do.
Run an online virus scan
+++++++++++++++++++++++++++++++++++++++++++++++++
Spyware/Adware removal tools:

I usually use SpyBot-S&D and Ad-aware. CWShredder is also useful. You need to run at least two of these applications to clean up your system. Make sure you get the up-to-date reference files.
------------------------------

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml

Ad-aware : http://www.webattack.com/download/dladaware.shtml

CWShredder: http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

++++++++++++++++++++++++++++++++++++++++++++++++++++++
Online Virus Scanning

http://us.mcafee.com/root/mfs/default.asp?cid=9059
http://security.symantec.com/
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.pcpitstop.com/antivirus/default.asp

0
 
LVL 41

Accepted Solution

by:
stevenlewis earned 200 total points
ID: 10747711
The first thing I would do is find 17669.exe, right click and choose properties, then check the version info, to see if you can tell who wrote the program, and what it does. Then if suspicious, export the entry in the reg, and then delete it, and reboot (you can also rename the file to 17669.old)
then check your network, if still having problems try the winsock fix
http://members.shaw.ca/techcd/WinsockXPFix.exe
and if that fails, try rebuilding your tcp stack
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299357
How to Reset Internet Protocol (TCP/IP) in Windows XP

View products that this article applies to.

This article was previously published under Q299357

For a Microsoft Windows Server 2003 version of this article, see 317518.

SUMMARY

When viewing the list of components for a network interface, you may notice that the Uninstall button is disabled when Internet Protocol (TCP/IP) is selected. In Windows XP, the TCP/IP stack is considered a core component of the operating system; therefore, it is not possible to uninstall TCP/IP in Windows XP.

In extreme cases, reinstalling the Internet Protocol stack may be the most appropriate solution. With the NetShell utility, you can now reset the TCP/IP stack back to a pristine state, to the same state as when the operating system was installed.

MORE INFORMATION

The NetShell utility (netsh) is a command-line scripting interface for the configuring and monitoring of Windows XP networking. This tool provides an interactive network shell interface to the user.

In Windows XP, a reset command is available in the IP context of the NetShell utility. When this command is executed, it rewrites pertinent registry keys that are used by the Internet Protocol (TCP/IP) stack to achieve the same result as the removal and the reinstallation of the protocol.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

SYSTEM\CurrentControlSet\Services\DHCP\Parameters\

                        

Command Usage

netsh int ip reset [log_file_name]

To successfully execute the command, you must specify a log file name where actions taken by netsh will be recorded. For example, typing either of the examples that are listed in the "Command Samples" section later in this article at a command prompt would reset the TCP/IP stack on a system and record the actions that were taken in the log file, Resetlog.txt. The first sample creates the log file in the current directory, while the second sample demonstrates the use of a path where the log will be created. In either case, where the specified log file already exists, the new log will be appended to the end of the existing file.

Command Samples

netsh int ip reset resetlog.txt

netsh int ip reset c:\resetlog.txt

Sample Log File for NETSH INT IP RESET

The following is a sample of the log file that is generated by netsh when an IP reset command is issued. The actual log file may vary depending on the configuration of the system on which the command is issued. In some cases, there may be no actions logged in the file, which typically is the case when the TCP/IP registry keys have not been altered from their original configuration.

reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation

            old REG_MULTI_SZ =

                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain

                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain



added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\NetbiosOptions

added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BAA9D128-54BB-43F6-8922-313D537BE03E}\NetbiosOptions

reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServerList

            old REG_MULTI_SZ =

                10.1.1.2



deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\AddressType

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DefaultGatewayMetric

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\DontAddDefaultGateway

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\EnableDhcp

            old REG_DWORD = 0



added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\NameServer

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\RawIpAllowedProtocols

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\TcpAllowedPorts

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DDD011E-B1B6-4886-87AC-B4E72693D10C}\UdpAllowedPorts

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\DisableDynamicUpdate

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\EnableDhcp

            old REG_DWORD = 0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAddress

            old REG_MULTI_SZ =

                12.12.12.12



deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\IpAutoconfigurationSeed

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\RawIpAllowedProtocols

            old REG_MULTI_SZ =

                0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\SubnetMask

            old REG_MULTI_SZ =

                255.255.255.0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\TcpAllowedPorts

            old REG_MULTI_SZ =

                0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5B3675C3-6EB9-4936-B991-04DA31024C4E}\UdpAllowedPorts

            old REG_MULTI_SZ =

                0



added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\AddressType

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DefaultGatewayMetric

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DisableDynamicUpdate

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\DontAddDefaultGateway

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\EnableDhcp

            old REG_DWORD = 0



added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\NameServer

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\RawIpAllowedProtocols

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\TcpAllowedPorts

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAA9D128-54BB-43F6-8922-313D537BE03E}\UdpAllowedPorts

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DefaultGateway

            old REG_MULTI_SZ =

                10.1.1.2

               



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DefaultGatewayMetric

            old REG_MULTI_SZ =

                0

               



added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DisableDynamicUpdate

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\EnableDhcp

            old REG_DWORD = 0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAddress

            old REG_MULTI_SZ =

                10.1.1.1

               



deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationAddress

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationMask

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAutoconfigurationSeed

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServer

            old REG_SZ = 10.1.1.2,10.1.1.3



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\RawIpAllowedProtocols

            old REG_MULTI_SZ =

                0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\SubnetMask

            old REG_MULTI_SZ =

                255.255.255.0

               



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\TcpAllowedPorts

            old REG_MULTI_SZ =

                0



reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\UdpAllowedPorts

            old REG_MULTI_SZ =

                0



deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableIcmpRedirect

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

<completed>

method 2
Had to point the Install to the "nettcpip.inf" in the windows/inf directory. That allows TCP/IP to install over the top of the TCP/IP required for operation of Windows XP.





0
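Added here as an illustration, not part of the answer above or of the Microsoft article it quotes: a Python parser for the log that `netsh int ip reset` writes, run over an abridged excerpt of the article's own sample log. It pulls out the address, gateway and resolver values the reset overwrote, which is the last record of whatever a piece of malware had set, so it is worth reading before the log is thrown away.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the sample log from the KB article quoted above (abridged to
# one interface; the GUID and addresses are the article's own sample values).
SAMPLE_LOG = r"""
reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

reset   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServerList
            old REG_MULTI_SZ =
                10.1.1.2

deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\DisableDynamicUpdate
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\EnableDhcp
            old REG_DWORD = 0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\IpAddress
            old REG_MULTI_SZ =
                10.1.1.1

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD2859BA-B26A-4E2B-A3FE-3D246F90A81A}\NameServer
            old REG_SZ = 10.1.1.2,10.1.1.3

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
<completed>
"""


@dataclass
class ResetEntry:
    action: str                      # 'reset', 'added' or 'deleted'
    key: str                         # registry path under HKLM
    old_type: Optional[str] = None   # REG_DWORD / REG_SZ / REG_MULTI_SZ, reset entries only
    old_values: List[str] = field(default_factory=list)

    @property
    def value_name(self) -> str:
        return self.key.rsplit("\\", 1)[-1]


_ACTION = re.compile(r"^(reset|added|deleted)\s+(\S.*?)\s*$")
_OLD = re.compile(r"^\s+old\s+(REG_\w+)\s*=\s*(.*?)\s*$")
_GUID = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def parse_reset_log(text: str) -> List[ResetEntry]:
    """One ResetEntry per action line; 'old ...' blocks attach to the last reset."""
    entries: List[ResetEntry] = []
    current: Optional[ResetEntry] = None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "<completed>":
            continue
        m = _ACTION.match(line)
        if m:
            current = ResetEntry(action=m.group(1), key=m.group(2))
            entries.append(current)
            continue
        m = _OLD.match(line)
        if m and current is not None:
            current.old_type = m.group(1)
            if m.group(2):               # REG_DWORD and REG_SZ carry the value inline
                current.old_values.append(m.group(2))
            continue
        if current is not None and current.old_type == "REG_MULTI_SZ":
            current.old_values.append(line.strip())   # one element per indented line
    return entries


def action_counts(entries: List[ResetEntry]) -> dict:
    counts = {"reset": 0, "added": 0, "deleted": 0}
    for e in entries:
        counts[e.action] += 1
    return counts


# Per-interface values whose previous contents a responder wants to see.
WATCHED = ("IpAddress", "SubnetMask", "DefaultGateway", "NameServer",
           "NameServerList", "EnableDhcp")


def overwritten_settings(entries: List[ResetEntry], names=WATCHED):
    """(value name, interface GUID or None, previous values) for each reset
    entry that touched an address, gateway, resolver or DHCP flag."""
    found = []
    for e in entries:
        if e.action != "reset" or e.value_name not in names:
            continue
        m = _GUID.search(e.key)
        found.append((e.value_name, m.group(1).upper() if m else None, list(e.old_values)))
    return found


def previous_resolvers(entries: List[ResetEntry]) -> List[str]:
    """Every DNS server the box used before the reset, from NameServer (REG_SZ,
    comma-separated) and NameServerList (REG_MULTI_SZ). A resolver you do not
    recognise here is the thing to chase: the reset removes it but does not explain it."""
    servers = set()
    for _name, _guid, values in overwritten_settings(entries, ("NameServer", "NameServerList")):
        for v in values:
            servers.update(p.strip() for p in v.split(",") if p.strip())
    return sorted(servers)


if __name__ == "__main__":
    parsed = parse_reset_log(SAMPLE_LOG)
    print(action_counts(parsed))
    for name, guid, old in overwritten_settings(parsed):
        print(f"{name:16} {guid or '-':40} was {old}")
    print("resolvers before reset:", previous_resolvers(parsed))
```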
 
LVL 21

Author Comment

by:briancassin
ID: 10750938
OK this is what was discovered...

In Task Manager CPU utilization was 100% even after adjusting Windows for best performance.

SVCHOST.EXE (there were 4 of these listed: one local, one network and two others that were not specified). When I checked this it was using 99% CPU utilization. Could not access Internet Explorer, My Computer, My Network Places; none of them would open. It would go to an hourglass, then the screen would remove all the icons and basically go to a blank desktop, then the screen would flash and all the icons would come back, but yet the computer was still running extremely slow..

Checked the registry under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; there was an entry saying 17669.exe. This entry had no further information.

I did a search for 17669.exe in Windows; it was located in the C:\Windows directory and also C:\windows\Prefetch. In Prefetch everything has a .pf extension, which seems weird. This is a Dell computer; not sure if this is part of Dell's preload or backup setup but it does not seem right.

The 17669.exe file also had -13ABA5DD.PF after it in the c:\windows\prefetch directory. No publisher information or anything in any of the property pages on either one of them, the one in c:\windows or the one in c:\windows\prefetch...

Ran Ad-Aware 6.0 and it found 192 objects; this is the log

ArchiveData(auto-quarantine- 03-04-2004 23-51-16.bckp)
======================================================

ZIPCLIXTOOLBAR
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZipClix
obj[7]=RegValue : SOFTWARE\Microsoft\Internet Explorer\Toolbar
obj[12]=RegKey : SOFTWARE\Zipclix
obj[15]=RegKey : ZipclixObj.ZipclixObj
obj[16]=RegKey : ZipclixObj.ZipclixObj.1
obj[17]=RegKey : Typelib\{BBCD25C8-A31E-4DFB-B204-B54BBA477B23}
obj[21]=RegKey : Interface\{EC34A4B3-809A-4A71-88D4-55B5183D6041}
obj[32]=RegKey : CLSID\{319A68DB-06D0-46DA-9F93-A810D5A70836}
obj[36]=Folder : c:\program files\Zipclix
obj[48]=File : c:\program files\zipclix\zipclix.ini
obj[49]=File : c:\program files\zipclix\zipclix.exe
obj[50]=File : c:\program files\zipclix\zipclix.dll
obj[51]=File : c:\program files\zipclix\unwise.exe
obj[52]=File : c:\program files\zipclix\install.log

CLARIA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[1]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PrecisionTime
obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Date Manager
obj[3]=RegValue : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
obj[9]=RegKey : SOFTWARE\Gator.com
obj[10]=RegKey : Software\CLASSES\GetAndRun.DFRun
obj[11]=RegKey : Software\CLASSES\GetAndRun.DFRun.1
obj[13]=RegKey : Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\GAIN
obj[27]=RegKey : getandrun.dfrun
obj[28]=RegKey : getandrun.dfrun.1
obj[33]=RegKey : CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}
obj[38]=Folder : c:\program files\PrecisionTime
obj[40]=Folder : c:\program files\Gator.com
obj[41]=Folder : c:\program files\Date Manager
obj[43]=Folder : c:\program files\common files\GMT
obj[44]=Folder : c:\program files\common files\CMEII
obj[45]=File : c:\windows\gatorplugin.log
obj[46]=File : c:\windows\gatorpdpsetup.log
obj[47]=File : c:\windows\gatorpatch.log
obj[53]=File : c:\program files\precisiontime\unwise.exe
obj[54]=File : c:\program files\precisiontime\precisiontimewebsite.url
obj[55]=File : c:\program files\precisiontime\precisiontime.lcl
obj[56]=File : c:\program files\precisiontime\precisiontime.ini
obj[57]=File : c:\program files\precisiontime\precisiontime.exe.manifest
obj[58]=File : c:\program files\precisiontime\install.log
obj[63]=File : c:\program files\gator.com\gator
obj[64]=File : c:\program files\date manager\unwise.exe
obj[65]=File : c:\program files\date manager\install.log
obj[66]=File : c:\program files\date manager\datemanager.exe.manifest
obj[67]=File : c:\program files\date manager\datemanager.exe
obj[68]=File : c:\program files\date manager\datemanager.dat
obj[69]=File : c:\program files\date manager\date manager website.url
obj[70]=File : c:\program files\common files\gmt\scripts
obj[71]=File : c:\program files\common files\gmt\meprca.dat
obj[72]=File : c:\program files\common files\gmt\mepimg.dat
obj[73]=File : c:\program files\common files\gmt\mepgh.dat
obj[74]=File : c:\program files\common files\gmt\mepcmeft.dat
obj[75]=File : c:\program files\common files\gmt\mepcme.dat
obj[76]=File : c:\program files\common files\gmt\mepbs.dat
obj[77]=File : c:\program files\common files\gmt\helper.wav
obj[78]=File : c:\program files\common files\gmt\guninstaller.exe
obj[79]=File : c:\program files\common files\gmt\gmt.exe.manifest
obj[80]=File : c:\program files\common files\gmt\gatorstubsetup.exe
obj[81]=File : c:\program files\common files\gmt\gatorres.dll
obj[82]=File : c:\program files\common files\gmt\gator.log
obj[83]=File : c:\program files\common files\gmt\fillin.wav
obj[84]=File : c:\program files\common files\gmt\egnsengine.dll
obj[85]=File : c:\program files\common files\gmt\egieprocess.dll
obj[86]=File : c:\program files\common files\gmt\egieengine.dll
obj[87]=File : c:\program files\common files\gmt\eggcengine.dll
obj[88]=File : c:\program files\common files\gmt\downloadtemp
obj[89]=File : c:\program files\common files\gmt\data
obj[90]=File : c:\program files\common files\gmt\63735n58cj
obj[91]=File : c:\program files\common files\cmeii\store
obj[92]=File : c:\program files\common files\cmeii\gui
obj[93]=File : c:\program files\common files\cmeii\gtools.dll
obj[94]=File : c:\program files\common files\cmeii\gstoreserver.dll
obj[95]=File : c:\program files\common files\cmeii\gstore.dll
obj[96]=File : c:\program files\common files\cmeii\gobjs.dll
obj[97]=File : c:\program files\common files\cmeii\gmtproxy.dll
obj[98]=File : c:\program files\common files\cmeii\gioclclient.dll
obj[99]=File : c:\program files\common files\cmeii\giocl.dll
obj[100]=File : c:\program files\common files\cmeii\gdwldeng.dll
obj[101]=File : c:\program files\common files\cmeii\gcontroller.dll
obj[102]=File : c:\program files\common files\cmeii\gatorsupportinfo.txt
obj[103]=File : c:\program files\common files\cmeii\gappmgr.dll
obj[104]=File : c:\program files\common files\cmeii\cmesys.exe
obj[105]=File : c:\program files\common files\cmeii\cmeiiapi.dll
obj[106]=File : c:\program files\common files\cmeii\cmediagnostics.log
obj[107]=File : c:\program files\common files\cmeii\apps
obj[191]=File : c:\documents and settings\all users\start menu\programs\startup\precisiontime.lnk
obj[192]=File : c:\documents and settings\all users\start menu\programs\startup\gstartup.lnk
obj[193]=File : c:\documents and settings\all users\start menu\programs\startup\date manager.lnk

BLAZEFIND
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[4]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
obj[29]=RegKey : CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}

HUNGRYHANDS BHO
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[5]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[19]=RegKey : TYPELIB\{03f8822f-8877-4002-8bcd-b532d53d8471}
obj[20]=RegKey : Interface\{F8FB4EA2-6C05-4DE5-8CD0-625B03F48E22}
obj[23]=RegKey : hungryhands.hungrybho
obj[24]=RegKey : hungryhands.hungrybho.1
obj[30]=RegKey : CLSID\{bcf96fb4-5f1b-497b-aecc-910304a55011}
obj[34]=RegKey : AppID\{03F8822F-8877-4002-8BCD-B532D53D8471}
obj[35]=RegKey : AppID\HungryHands.DLL

HTTPER
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[6]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[14]=RegKey : Software\Httper
obj[18]=RegKey : TYPELIB\{ab7b627d-b2af-4b6d-bda1-4930579ffcd8}
obj[22]=RegKey : Interface\{7D49A302-3C1C-4706-B6DC-8C8BBB500BA0}
obj[25]=RegKey : httper.iefriendly
obj[26]=RegKey : httper.iefriendly.1
obj[31]=RegKey : CLSID\{a5483501-070c-41dd-af44-9bd8864b3015}
obj[39]=Folder : c:\program files\Httper
obj[59]=File : c:\program files\httper\unwise.exe
obj[60]=File : c:\program files\httper\install.log
obj[61]=File : c:\program files\httper\httper.ini
obj[62]=File : c:\program files\httper\httper.dll

ALEXA
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[8]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a


CLARIA would not remove initially (also listed as cmeii); Ad-Aware could not initially remove it but I instructed it to remove it after reboot... which it did successfully do.

I also ran AVG Anti Virus it found nothing...

I then ran HIJACK THIS and I removed this entry

HKCU\Software\Microsoft\CurrentVersion\Internet Settings\Proxy Override = ;127.0.0.1;<local>


after that I regained internet access

I went to Trend Micro HouseCall and ran the online virus scan; it found:
Malware.JS_FORTNIGHT.M and removed it this was the only thing that it found.

Here is the logfile from HIJACK THIS...


Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{39347012-A94D-4CF3-A2B3-5EA3E924A728}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2100 series#1040263182.job

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[{421A63BA-4632-43E0-A942-3B4AB645BE51}]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IWCHECK.DLL
CODEBASE = http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/123e635de35d01745823/netzip/RdxIE601.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

[CQD2Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\installer.dll
CODEBASE = http://smartdownloader.com/installer.dll

[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs5b.instantservice.com/jars/customerxsigned33.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: \SystemRoot\System32\DRIVERS\ABP480N5.SYS (disabled)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: \SystemRoot\System32\DRIVERS\adpu160m.sys (disabled)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Compaq AGP Bus Filter: \SystemRoot\System32\DRIVERS\agpCPQ.sys (disabled)
Aha154x: \SystemRoot\System32\DRIVERS\aha154x.sys (disabled)
aic78u2: \SystemRoot\System32\DRIVERS\aic78u2.sys (disabled)
aic78xx: \SystemRoot\System32\DRIVERS\aic78xx.sys (disabled)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AliIde: \SystemRoot\System32\DRIVERS\aliide.sys (disabled)
ALI AGP Bus Filter: \SystemRoot\System32\DRIVERS\alim1541.sys (disabled)
AMD AGP Bus Filter Driver: \SystemRoot\System32\DRIVERS\amdagp.sys (disabled)
amsint: \SystemRoot\System32\DRIVERS\amsint.sys (disabled)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: \SystemRoot\System32\DRIVERS\asc.sys (disabled)
asc3350p: \SystemRoot\System32\DRIVERS\asc3350p.sys (disabled)
asc3550: \SystemRoot\System32\DRIVERS\asc3550.sys (disabled)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AutoComplete Service: C:\PROGRA~1\INTERN~2\autocomp.exe (manual start)
AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)
AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)
AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)
AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)
BCM V.92 56K Modem: System32\DRIVERS\BCMSM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
C-DillaCdaC11BA: C:\WINDOWS\System32\drivers\CDAC11BA.EXE (autostart)
cbidf: \SystemRoot\System32\DRIVERS\cbidf2k.sys (disabled)
cd20xrnt: \SystemRoot\System32\DRIVERS\cd20xrnt.sys (disabled)
CdaC15BA: \??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
CmdIde: \SystemRoot\System32\DRIVERS\cmdide.sys (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: \SystemRoot\System32\DRIVERS\cpqarray.sys (disabled)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: \SystemRoot\System32\DRIVERS\dac2w2k.sys (disabled)
dac960nt: \SystemRoot\System32\DRIVERS\dac960nt.sys (disabled)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: \SystemRoot\System32\DRIVERS\dpti2o.sys (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel(R) PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: \SystemRoot\System32\DRIVERS\hpn.sys (disabled)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
i2omp: \SystemRoot\System32\DRIVERS\i2omp.sys (disabled)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: \SystemRoot\System32\DRIVERS\ini910u.sys (disabled)
IntelIde: \SystemRoot\System32\DRIVERS\intelide.sys (disabled)
IPv6 Firewall Driver: System32\DRIVERS\Ip6Fw.sys (manual start)
IPv6 Internet Connection Firewall: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McShield: "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe" (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
mraid35x: \SystemRoot\System32\DRIVERS\mraid35x.sys (disabled)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NIC Management Service Configuration Driver: \??\C:\WINDOWS\System32\drivers\NMSCFG.SYS (manual start)
Intel(R) NMS: C:\WINDOWS\System32\NMSSvc.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OMCI WDM Device Driver: System32\DRIVERS\omci.sys (system)
Creative SB Live! Series (WDM): system32\drivers\P16X.sys (manual start)
Intel PentiumIII Processor Driver: System32\DRIVERS\p3.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
perc2: \SystemRoot\System32\DRIVERS\perc2.sys (disabled)
perc2hib: \SystemRoot\System32\DRIVERS\perc2hib.sys (disabled)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
ql1080: \SystemRoot\System32\DRIVERS\ql1080.sys (disabled)
Ql10wnt: \SystemRoot\System32\DRIVERS\ql10wnt.sys (disabled)
ql12160: \SystemRoot\System32\DRIVERS\ql12160.sys (disabled)
ql1240: \SystemRoot\System32\DRIVERS\ql1240.sys (disabled)
ql1280: \SystemRoot\System32\DRIVERS\ql1280.sys (disabled)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SIS AGP Bus Filter: \SystemRoot\System32\DRIVERS\sisagp.sys (disabled)
Sparrow: \SystemRoot\System32\DRIVERS\sparrow.sys (disabled)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{F79A1568-D6C5-4C69-A086-936CF52DBBE3} (manual start)
symc810: \SystemRoot\System32\DRIVERS\symc810.sys (disabled)
symc8xx: \SystemRoot\System32\DRIVERS\symc8xx.sys (disabled)
sym_hi: \SystemRoot\System32\DRIVERS\sym_hi.sys (disabled)
sym_u3: \SystemRoot\System32\DRIVERS\sym_u3.sys (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TosIde: \SystemRoot\System32\DRIVERS\toside.sys (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: \SystemRoot\System32\DRIVERS\ultra.sys (disabled)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Bus Filter: \SystemRoot\System32\DRIVERS\viaagp.sys (disabled)
ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 36,869 bytes

Let me know if any of you see anything that looks out of the ordinary. The system seems to be back to normal.
LVL 6

Assisted Solution

by:jthow
jthow earned 100 total points
ID: 10751412
The fact that you had JS_Fortnight and numerous malware apps on your system would be the most likely cause of your problem.  If, having removed all that junk, the system now works as you require, I think you can assume you are safe - for the time being....  Keep your AV software and AdAware up-to-date and run regular checks.

BTW, did the trendmicro removal of JS_Fortnight also remove the registry entries / e-mail sigs etc?  See:-

http://securityresponse.symantec.com/avcenter/venc/data/js.fortnight.html

JohnT

Expert Comment

by:skaha
ID: 10762230
Try scanning with TrendMicro's free virus scan; it may find what you're looking for.

http://housecall.trendmicro.com/housecall/start_corp.asp
LVL 21

Author Comment

by:briancassin
ID: 10762333
skaha, I already did that, and also Norton and AVG; none of them detected the 17669.exe file as a virus. I am going to submit it to Symantec and see what they say.
LVL 21

Author Comment

by:briancassin
ID: 10934501
Symantec would not let me submit it at all through their automatic system; it said it was not a virus. I tried submitting it through SARC, which is their downloadable submission tool, which ended up taking the file(s) I saved on disk that were the virus files and putting them in a temp folder on the hard drive of my other PC (how nice of them; sarcasm).

At any rate, they still have not gotten back to me. I also submitted it to F-Prot, who came back saying it is a Trojan known as W32/Rdom.a but gave no further info other than that it was a backdoor program.

In addition, I just found out last night, when I used Trend Micro's HouseCall to scan the system (since I have lost my sense of security with Symantec, which still reports no virus), that Trend Micro discovered the submitted virus in a temp folder under the directory of SARC, which is Symantec's submission tool. I do not know why SARC saved this to my hard drive, considering I pointed SARC to the diskette with the virus files. SARC also required the diskette to have write access (which to me is a security risk).

Symantec still has no answer for why I am paying for their anti-virus product when two of their competitors have identified the Trojan. They keep telling me in email I can have a virus support technician help me by either calling a 900 number or paying $20.00 to $50.00 for them to remove it; they do not seem to understand I have already removed it. I just want to know about it and why they did not pick it up.

At any rate, here is what HouseCall identified it as: sdown.a

Here is the link: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SDOWN.A

Virus type: Trojan
Destructive: No
Aliases: SDOWN.A
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Overall risk rating: Very Low

Reported infections: Low
Damage Potential: Low
Distribution Potential: Low
 
Description:

This memory-resident Trojan checks if a system has Internet connection and then links to a particular IP address to download a malicious file.

It drops a copy of itself using a randomly generated 5-character file name in the Windows folder.

This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. This is also an effective way to terminate its process. In this procedure, you will need the name/s of the file/s detected earlier.

Open Registry Editor. Click Start>Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file/s detected earlier.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_SDOWN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.

In the wild: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Size of virus: 27,648 Bytes (compressed), 57,344 Bytes (decompressed)
Pattern file needed: 848 (1.848.25)
Scan engine needed: 6.500
Discovered: Apr. 4, 2004
Detection available: Apr. 4, 2004
--------------------------------------------------------------------------------
Details:

Installation

Upon execution, this memory-resident Trojan drops a copy of itself using a randomly generated file name in the Windows folder. The file name is composed of 5-character combinations of letters and numbers (i.e. 4a086.exe, 5740f.exe, 38dbd.exe, etc.).

Once executed, it checks if a system is currently connected to the Internet. If so, it connects to the following IP address:

209.4<BLOCKED>15.83

It then tries to download one of the following files, which are suspected to be malicious:

FT39.COM
KR62.COM
QT94.COM
RD19.COM
XT40.COM

Autostart Technique

This malware creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
<5-digit_filename.exe> = <"5-digit_filename.exe">

(Note: 5-digit_filename.exe represents the dropped copy of this malware.)

Other Details

The following text strings are found in the body of this malware:

"Program:
<program name unknown>

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Buffer overrun detected!

A security error of unknown cause has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated. Unknown security failure detected!"

--------------------------------------------------------------------------------
Analysis by: Reuel A. Morales

Description created: Apr. 4, 2004

0
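As an added illustration of the autostart technique and the "Removing Autostart Entries from the Registry" procedure in the write-up above (example code, not Trend Micro's or the poster's): a small Python triage script that parses a constructed `reg export` dump of the Run key and flags values whose image is a 5-character letter/digit .exe sitting in, or resolved from, the Windows folder. The Windows folder paths and every sample entry are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of a `reg export` of the Run key. 4a086.exe and 38dbd.exe are the
# example names from the write-up; the other entries are invented benign placeholders.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntivirusTray"="C:\\Program Files\\Vendor\\Tray.exe /StartedFromRunKey"
"4a086.exe"="4a086.exe"
"38dbd.exe"="\"C:\\WINDOWS\\38dbd.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"update"="C:\\WINDOWS\\Temp\\setup.exe"
'''

WINDOWS_FOLDERS = {r"c:\windows", r"c:\winnt"}  # assumed defaults for "the Windows folder"
DROPPED_NAME = re.compile(r"^[0-9a-z]{5}\.exe$", re.IGNORECASE)  # 5 letters/digits + .exe
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

class RunEntry(NamedTuple):
    name: str
    data: str
class Finding(NamedTuple):
    name: str
    image: str
    reason: str

def unescape_reg_string(s: str) -> str:
    # .reg files escape a quote as backslash-quote and a backslash as a double backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_run_entries(reg_text: str) -> List[RunEntry]:
    """Return the name/data pairs that sit under the Run key of a .reg export."""
    entries, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key section starts here
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            entries.append(RunEntry(m.group("name"), unescape_reg_string(m.group("data"))))
    return entries

def image_path(data: str) -> str:
    """Extract the executable path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):  # quoted path, may contain spaces
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]

def check_entry(entry: RunEntry) -> Optional[Finding]:
    image = image_path(entry.data)
    folder, _, basename = image.rpartition("\\")
    if not DROPPED_NAME.match(basename):
        return None
    if folder == "":
        return Finding(entry.name, image, "bare 5-character .exe name, resolved from the Windows folder")
    if folder.lower() in WINDOWS_FOLDERS:
        return Finding(entry.name, image, "5-character .exe placed directly in the Windows folder")
    return None  # same name shape elsewhere (e.g. Temp\setup.exe) is not this technique

def find_suspicious_run_entries(reg_text: str) -> List[Finding]:
    return [f for f in (check_entry(e) for e in parse_run_entries(reg_text)) if f]
```

Each Finding carries the Run value name, which is what the write-up tells you to delete; the script only reports and never touches the registry.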
 

Expert Comment

by:enginethatdid
ID: 11050055
I would suggest uninstalling the Road Runner Medic. I have heard of major issues due to Road Runner Medic being installed. You may have to resort to a fresh system format.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11052427
I don't have Road Runner Medic on the system; I got rid of that a long time ago because it installs BroadJump Client Foundation (which is spyware).
0
 
LVL 10

Expert Comment

by:timothyfryer
ID: 11095918
Thanks for the points briancassin, hope I helped a little.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11096816
You're welcome, and yes, you helped :)
0
 
LVL 21

Expert Comment

by:gemarti
ID: 11096855
Thank you.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11101064
You're welcome, gemarti. Thank you for your help. Sorry to all of you that it took so long for me to close out.
0
 

Expert Comment

by:knuthf
ID: 11165035
Assume that anything may attempt to create a nuisance.
When you experience this - go to "Windows" and "Windows\system32" - place Explorer in "details" and display the directories according to modified date. Only "Performance Logs" should be a late entry. Take "Properties" on all late ".exe" files - check for origination, version identification. Hit CTRL+ALT+DEL to activate Taskman/Processes - and try to stop the process with this image. Rename the image from "xx.exe" - to "xx.exe.vir" if you are suspicious. Use the copied image in the cached folder if you have to rename a "DLL" file. You will not be able to copy running images.

In Regedit - verify the two RUN keys. Remove all entries you do not know - or rename the key with '%' first in the key name if you are suspicious.
Now reboot after power down. Take notice of messages that occur and inspect the event logs after a successful boot.

Back up, go to Windows - rename all ".exe" files with a combination of UPPERcase and lowerCASE letters - according to your pattern - e.g. 3rd and 6th letter in UPPER case:
rename taskman.exe taSkmAn.exe
Copy or zip all ".exe" + ".dll" to "System32.zip" and "Windows.zip" - restore changed files from this, remake the library after every system upgrade.
Next time you reboot, you will be able to see "trusted" files immediately in Taskman and "novelties" will stand out, e.g. if you have renamed dlLhoSt.exe - back to old DLLHOST.EXE is revealing.

Search the "Documents and Settings" for ".exe" files. Usually the viruses are temporarily stored here before being copied. If you find any files - then search the computer for copies - and remove any reference in the registry.

Do not rely on a virus scanner - viruses now come as adverts on sites and on a 50Mbps wireless connection you can get a pile of them in a few seconds. IT TAKES HOURS TO UPGRADE A VIRUS SCANNER WITH NEW "PATTERNS". Finally, post your findings in places like this for others to review.
0
 

Expert Comment

by:Sp0cky
ID: 11284044
If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this?  Should this person be running Ad-Aware in ADDITION??
0
 
LVL 21

Expert Comment

by:gemarti
ID: 11284103
>>If "malware" is so bad then why does Norton or any of the other major anti-v programs detect this?
It's an opportunity to make more money and expand the product line. Simple economics. ....
0
 

Expert Comment

by:Sp0cky
ID: 11284287
Most people don't consider the stuff that adware picks up to be harmful.  But looks like it is!  EEK!
0
 
LVL 21

Expert Comment

by:gemarti
ID: 11284322
Yeah it's a nuisance...
0
 

Expert Comment

by:msnia
ID: 11286095
How can I remove the IE small icon from the title bar of the Modal Dialog Box?
HELLO EXPERTS,
I WANT TO KNOW HOW CAN I REMOVE SMALL INTERNET EXPLORER ICON AND THE "WEB DIALOG BOX" TITLE FROM THE MODAL DIALOG BOX OR ANY OTHER TYPE OF DIALOG BOX.

I SEE THE AUTOCOMPLETE ADVERTISEMENT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON IT WHEN I BROWSE GOOGLE.COM.

PLEASE ANSWER MY QUESTION AND SEND THE SCRIPT OF THE DIALOG BOX WHICH DO NOT CONTAIN ANY ICON ON THE TOP LEFT CORNER SITE...
0
 
LVL 6

Expert Comment

by:jthow
ID: 11288049
msnia,

This is a new question.  Please raise it properly.  [And don't shout (use block capitals.)]

lol

JohnT
0
 

Expert Comment

by:knuthf
ID: 11300857
"Malware" or not, I raised this with the "Better Business Bureau".
If you consider it appropriate that another company can at any time inspect your computer - see all installed software, what you are running and possibly intercept what is typed - then fine; just leave this discussion.

I also know that traces of the doings of "commercial exploitation" are not searched for by any virus scanner - including Norton. You have to detect this yourself - remove what is inappropriate and retain sufficient to allow e.g. Kodak camera software to be used.

There is a need for the public (US and the rest of the world) to stand up and dictate to companies what we find "reasonable" trespassing on our computer; - where they cross the border of "privacy". Is it acceptable to leave a port open "LISTEN" for code update? - that sends "I'm on the net"? - or does a company need to notify the user of an update policy, and leave it to "the consumer" to choose? To make the Kodak update, much of the Blaster virus code was used, while Kodak claim that they just outsourced this to a company that provided the solution they distribute - and they are unaware of links between the codes.

To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics.

So I ask the moderator to recommend further action
Knut H.
0
 
LVL 21

Author Comment

by:briancassin
ID: 11303950
As far as I am concerned the spyware should be illegal.... it opens up ports like opening doors and windows on your house... If my computer was a work computer, say a laptop that connects through VPN or whatnot to my company, this is a big security risk in my eyes, having this spyware on a system. If companies can code stuff like CoolWebSearch (which should be considered 100% malicious code because of what it does) and distribute it and then cause my system and other people's systems to be unusable in addition to hogging bandwidth etc... this should be illegal...

Cable theft is illegal, so why is it not illegal for companies to rip off my bandwidth allocated to me by my ISP, who is a cable provider?

Tapping someone's phone or recording a conversation without consent is illegal, so why is it legal for companies to tap my computer?

If I put a program on someone else's computer it would be considered hacking and so forth if it collected data about them, so why is it that these companies that make spyware do not go to jail?

With the Patriot Act, why is it not illegal for these companies to acquire personal data about you? How do we know that some of these spywares are not developed by other governments or individuals just waiting for the spyware to get on the right person's PC to get information off of their system to sell or use for other malicious purposes?

Even better yet, these marketing companies are making money off of putting their junk on people's computers; seeing as how no one will buy the telemarketing junk and/or participate in surveys, now they have to be sneaky about it and they get money for this; this data is sold to the highest bidder for demographic / marketing data.

I think personally a class action lawsuit should be started based on and seeking:

Invasion of privacy
Loss of functionality / use of equipment
Emotional Damages - based on the stress of trying to get the garbage off the PC.
Misrepresentation / Fraud / False Advertising
Punitive damages - based on the above mentioned.
Repair costs and reimbursement for time loss due to problems caused by the spyware and also the removal of it. ( this should be available to the home user and corporations).
Using someone elses equipment for profit without written consent ( I would think anyone would charge money to rent equipment or space these days... so if their software is using my pc as a server then I want to be paid as a hosting company would be).
0
 

Expert Comment

by:knuthf
ID: 11304292
I have tried the "Invasion of Privacy" - where the BBB (US "Consumer councils") rejected the case on the basis that the distributor of the "software" was "ignorant of malice" and "relied on professional recommendation when developing the software". I needed to provide evidence of intent of malice - furthermore the distribution was a "free" add-on to a product, where functionality could be achieved without it. (So - what is the purpose, other than surveillance of buyers' behaviour?)

Illegal.
- Which law do you apply: US state law, UK law - my Kodak company has a mailing address in NJ - where complaints were treated out of courtesy because I was not a NJ resident.
In Europe, it is simpler - we may raise issues like this with local consumer councils that will make recommendations first with national ramifications - and then gradually end up as EC against ... - but until then we fight a dodging US community. I would recommend full public reporting of the activity - possibly even as virus, with full removal as an option. I would also like to see an agency that could "approve" code. That would involve verifying the source code, describing top-level actions, and the nature of the reporting. There used to be standards here - as a vendor we had to warrant that the code had no side effects and made no usage of other resources - and expected to be dragged to court for deviating from this. We could not subcontract development to other companies if we could not inspect the code to verify and ensure that they did not jeopardise us.
There is a "cowboy" attitude in the industry - someone got away with it makes precedence. It is with full intent I refer to the company that brought this to my attention. I ask everyone to do likewise - not
                "I received spyware the other day" - but
                .."after installing new camera drivers from Kodak - I discovered that..." - ready with full name and address, to enable others that have installed a similar driver to inspect, see and learn.
My hope is that finally the companies will learn. This may entail that we may have to discourage installation and recommend against purchase of things. However, companies should be certain that the products they develop and sell meet consumer requirements - and not everything else.

I agree that we may need to get some lawyers out.
0
 

Expert Comment

by:Sp0cky
ID: 11307392
"To halt what I consider a nuisance - I need to understand more than a virus scanner - and cannot rely on that. To determine what a community accepts as "threat" or "invasion of privacy" we need another forum. This is not even security it is ethics."

I totally agree with all these comments.  Technology is great. But - Sheesh between the malware and outsourcing, companies are exploiting loopholes that interfere with our rights as far as I am concerned.  Big business is a worse threat than Big Brother.  Let them do business just don't interfere with my rights!  look at all of the posts of late with people upset about them screwing with our personal computers.  This is outrageous.
0
 

Expert Comment

by:knuthf
ID: 11323341
Beware,
It is not your "personal" computer that suffers the most.
In another discussion group I posted a virus that left a bank open - anyone could write a simple VBA program. I used an LDAP browser to see who worked in the bank - link names, email addresses, PC/LAN names - and what they worked on. What you could have done with their banking systems is left for me and you to imagine. Had I hacked my way into the bank - instead of writing an email to the sysadmin - they could have prosecuted me for criminal conduct. That they left a security hole and tried to infect my PC with a virus would be irrelevant. I would have a lot of explaining to do to the judge - and wonder if I ever would have got off the hook.

One company that was traced last year as originator for such "Adware" - caused a major hiccup on the Internet yesterday according to the Washington Post.
It makes me believe it is no longer "Big Business" - but "Greedy Business", usually relatively small companies that cause the big problems. It is also the rest of us that leave it to others to fix our own problems. A virus scanner will detect persistent objects as "files" on your computer, compare with what has been found on others, give them a name that you can report and delete the files. Their skills in networking bother me - and I rely on continually updating Stinger - and no scanner - but a firewall that is effective. Beware that Microsoft's implementation of tcp/ip is incomplete and with so many security holes that I wonder why nobody has seen the business opportunity in making a full "Winsocket" implementation - without the "Commercial exploitations".

Very much of all this could have been avoided by all of us if we had used a browser like Opera, that traps Adware.
0