<div>
try sfc /scannow. 
 
Its the Microsoft System File Checker and will verify your windows installation files. 
 
At worst, an in-place upgrade of XP should retain your data. 
 
HiJackthis might be worth it also.. 
 

</div>

<div>
Unfortunately adding new programs within Windows is not possible, anything I have tried fails, referencing some Service that is not running. I will try SFC when I get back to my office. thanks 
 
I think the office employees already tried LAST KNOW GOOD a few times and tried to perform a restore, but the system restore shows as being DISABLED when I checked. The SAV Server Alert log had about 15 threats reported on this users HOSTNAME from 7/15...Rootkits, Trojans, Joke programs. I will list details ASAP. 
 
This is like one of those really good puzzles and would be great to reverse the damage if possible to prevent in future. I see some .bmp and .scr files were also caught by SAV, So I assume users opened some infected emails/attachments. 
 
:-)
</div>

<div>
 
I would suggest you get an antivirus rescue cd... you can create one on your other PC...and then boot from that cd and scan the PC before trying windows repair. Thats your best shot as the viruses are unactive while you scan. 
Here are some free rescue CDs I would recommend: 
<a href="http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.001.iso" rel="ugc">http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.001.iso</a> 
<a href="http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html" rel="ugc">http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html</a> 
 
Simply download the iso and burn it to a CD. 
 
Keep in mind that by far the best option is still the a format and clean install. 
 

</div>

<div>
Ofcourse, after a good scan with the rescue cd I would do a windows reinstall from an installation cd...thisway all the windows files are reinstalled while keeping all your programs and files. 
Hijack this is also good to detect any unwanted programs starting up, but its tough to fix anything like that if they are already running and they tend to reinstall themselves very quickly.
</div>

<div>
Strobo, 
 
Thanks for the quick replies. 
 
I will try at least one and maybe both. 
 
I have a spare drive and time for rebuild, Just wanted to spend an hour or so to see if anyone has come across this. This is a pretty nasty one and I have seen some good one. Like I said so many changes have been made, I don't know where the viruses stop and the users screw-ups begin. 
 
Another user in the office is always downloading Cracks and Keygens and is putting everyone in the office at risk. 
 
I think I need to completely lock down their access to certain websites and files types that they can download. 
Know any good apps to monitor/block/secure networked systems? 
 
I know of WebSense, but kind of costly. 
 
Thanks again.
</div>

<div>
Reinstalling/repairing OS in a very infected machine(without reformatting) can sometimes make the pc unbootable. 
 
I assume you can still boot in normal mode and safe mode right? 
If .exe file associations are messed up you can Go to Start &gt;&nbsp;Run &gt;&nbsp;type in: 
 
command.com 
 
In the command prompt, type: 
 
ftype exefile=&quot;%1&quot; %* 
 
 
 
1. Please download ComboFix by sUBs:(run it in normal mode) 
<a href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="ugc">http://download.bleepingcomputer.com/sUBs/ComboFix.exe</a>&nbsp; 
 
You must download it to and run it from your Desktop(rename it before you save the file to your desktop just in case bagle is present it will not let combofix run unless you rename it). 
 
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix. 
From the run box type the following: 
 
&quot;%userprofile%\desktop\ComboFix.exe&quot; /KillAll 
 
 
Or you can just doubleclick the combofix.exe on the desktop to start combofix. 
When finished, it will produce a log. Please save that log and attach it in your next reply. 
 
Note: 
Do not mouse-click combofix's window while it is running. That may cause it to stall. 
 
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. 
 
 
2. You can also try SDFix.exe(it must be run in Safe Mode) 
Download SDFix and save it to your desktop.(either one below) 
<a href="http://downloads.andymanchesta.com/RemovalTools/SDFix.zip" rel="ugc">http://downloads.andymanchesta.com/RemovalTools/SDFix.zip</a>&nbsp; 
<a href="http://downloads.andymanchesta.com/RemovalTools/SDFix.exe" rel="ugc">http://downloads.andymanchesta.com/RemovalTools/SDFix.exe</a>&nbsp; 
 
If needed: How to use SDFix. 
<a href="http://www.bleepingcomputer.com/forums/topic131299.html" rel="ugc">http://www.bleepingcomputer.com/forums/topic131299.html</a>
</div>

<div>
too time consuming to manage, I'd just stop their privilages.. 

</div>

<div>
 
Well, using an app like websense is a quick fix, but this can easily be bypassed by using proxies, translators or other methods. As long as the blocking happens on the workstation itself it is very vunerable. 
 
Most effective way to block users would be to have a proxy server on your network through which users access the internet... and then implement all the blocking on that proxy. ie. they can access the net only through your proxy server which blocks the content... 
 
Here is a link with a list of some content-filtering software... it includes free ones as well as some with server-side filtering. 
 
<a href="http://www.efa.org.au/Issues/Censor/cens2.html#filtering" rel="ugc">http://www.efa.org.au/Issues/Censor/cens2.html#filtering</a> 

</div>

<div>
tried the Kaspersky CD...both ISO's were for the same RescueCD...both loaded a bunch of things and go to a black screen with X as cursor...after about 20 seconds the PC powers off. 
Did I miss something? 
 
Now I can't even get the PC to recognize the keyboard in Windows...works fine during POST and in BIOS...could there be a service that is not starting that is requred for keyboard input? 
 
GamerGirl. 
 
As I explained above, browser won't open, no internet or network access so can't download anything. I can try to copy data over...but as of yet system is not loading USB keys and does not see Optical drive within windows, just the C: Drive...which for some weird reason is full accessible...until now...since keyboard won't work I can't login...SAFE or NORMAL boots...yarg! 
 
I will be back soon...Basketball league starts in 20 minutes...ty all.
</div>

<div>
Not sure why Kasperski wouldnt work. It works fine for me. I really dont see why it would not. 
So are you saying that the AntiVir CD does the same thing? 
 

</div>

<div>
Your links downloaded 2 separate files, different names and sizes. I created a boot CD with each file, both load into Kaspersky Rescue CD, same version...sometimes all I get is a black screen with the X cursor...I got it to run the Kaspersky scan twice....1st ran for about 42%...then went back to text rolling by and it unmounted and started to shutdown everything, PC turned off...2nd time it ran for about 15% and same thing, just powers system off. 
 
I found a BitDefender Knoppix boot ISO and am running that right now...we shall see what happens. The OS no longer loads the keyboard no matter what I try...I can go into BIOS and F8 menu, but once the XP GUI starts to load the KB turns off. 
 
tried 5 different USB keyboard, in every USB slot front and back...no PS2 ports to try...will let it scan and then try XP repair console...if not looks like a format tonight... 
 
I had a Voicemail from client's ISP this afternoon...numerous complaints of SPAM generating from their IP...OUCH...good thing I took this zombie off network...before they cut their service. 
 
Thanks to all who assisted I will check the proxy stuff Strobo...I'm sure Kaspersky works fine, probably the virus/trojan is causing to crash, must be a real nice mess...I will scan the drive later and let you know what I find. 
 
I keep telling people, use your business computers for BUSINESS...not forwarding junk emails and jokes...sad but without peoples mistakes we would have no jobs. 
 
:-)...all we can do is recommend and try to keep the place secure...if users willingly leave the door open and let strangers in...I'm sure their boss won't like the report I give him tomorrow and the bill. 
 
more updates soon... 
 

</div>

<div>
No probs, 
 
Yeah, I never tried the AnitVir CD but i heard its good. Would never have guessed that its actually the Kaspersky one. 
 
In any case, yes, try scanning it more and then try Windows XP repair console, or beter yet a reinstall on top of the old windows. You can try that even if the scan doesnt work...and then try using the Rescue CDs again to scan it. With these things u never really know you got rid of them until you do a format. 
 
Good luck!!! :)
</div>

<div>
FYI...found the BitDefender ISO here: 
 
<a href="http://leechermods.blogspot.com/2008/06/antivirus-rescue-disk-bootable-startup.html" rel="ugc">http://leechermods.blogspot.com/2008/06/antivirus-rescue-disk-bootable-startup.html</a> 
 

</div>

<div>
Risk &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Action &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Filename &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Original Location &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Computer &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Current Location &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Date 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 23:28 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN2.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 23:28 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 18:15 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN2.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 18:15 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:53 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:53 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN2.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:53 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sysrest.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:35 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:13 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:13 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Required - Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:13 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:12 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN2.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 17:12 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Required - Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sysrest.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sysrest.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sysrest.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:59 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Required - Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:59 
Trojan.Pandex &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;tcpsr.sys &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DRIVERS\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:57 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN2.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:57 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;APQ194.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:52 
Downloader &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BN193.tmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\Temp\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:52 
AntiSpywareExpert &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Quarantined &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Quarantine &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:51 
Joke.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Access Denied &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;blphcr4uj0e95a.scr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:49 
Trojan.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phcr4uj0e95a.bmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:48 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:46 
Joke.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Access Denied &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;blphcr4uj0e95a.scr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:36 
Trojan.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phcr4uj0e95a.bmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:35 
Hacktool.Rootkit &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reboot Processing &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unavailable &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:34 
Joke.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Access Denied &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;blphcr4uj0e95a.scr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:13 
Trojan.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phcr4uj0e95a.bmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/15/2008 16:13 
Joke.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Access Denied &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;blphcr4uj0e95a.scr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/14/2008 17:57 
Trojan.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phcr4uj0e95a.bmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/14/2008 17:57 
Joke.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Access Denied &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;blphcr4uj0e95a.scr &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/14/2008 8:29 
Trojan.Blusod &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Cleaned by deletion &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phcr4uj0e95a.bmp &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;7/14/2008 8:29 
AVSystemCare &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Pending Analysis &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;a0097982.exe &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp551\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;COMPUTER16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp551\ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;4/18/2008 13:09 

</div>

<div>
Found the culprits...in SAV log on server...BitDefender has found nothing yet...AntiMalware Scan, step 1 of 3, 160,000 files and still going. 
 
Trojan.Pandex: Per Symantec: 
 
Discovered: January 5, 2007 
Updated: April 20, 2007 2:25:36 AM 
Also Known As: Win32/Cutwail.B [Computer Associates], Win32/Cutwail.C [Computer Associates], Win32/Cutwail.M [Computer Associates], W32/Agent.BOY [F-Secure], Troj/Pushdo-B [Sophos] 
Type: Trojan 
Infection Length: Varies 
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP 
 
Trojan.Pandex is a Trojan horse that sends spam from a remote server and gathers email addresses from the compromised computer. 
 
************************************************** 
 
Hacktool.Rootkit: &quot;As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!&quot; found on TechSpot. 
 
Per Symantec: 
 
Discovered: September 27, 2001 
Updated: February 13, 2007 11:38:00 AM 
Type: Trojan Horse 
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP 
 
 
Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security. 
 
*************************************************** 
AntiSpywareExpert: Per Symantec: 
Updated: April 11, 2008 9:58:17 AM 
Type: Misleading Application 
Name: AntiSpywareExpert 
Version: 1.0.7.1 
Publisher: AntiSpywareExpert Inc. 
Risk Impact: Medium 
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP 
 
BehaviorAntiSpywareExpert is a misleading application that may give exaggerated reports of threats on the computer. 
 
************************************************** 
 
Joke.Blusod: Per Symantec: 
 
Updated: June 30, 2008 8:52:48 AM 
Type: Joke 
Risk Impact: High 
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP 
 
BehaviorJoke.Blusod is a joke screen-saver program that displays a series of system failure messages on the computer. 
 
************************************************ 
 
Trojan.Blusod: Per Symantec: 
 
Discovered: June 27, 2008 
Updated: June 29, 2008 3:34:03 PM 
Type: Trojan 
Infection Length: 109,056 bytes 
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000 
 
Trojan.Blusod is a Trojan horse that may download files on to the compromised computer. 
 
******************************************** 
 
AVSystemCare: Per Symantec: 
 
Updated: June 15, 2007 2:06:52 PM 
Type: Misleading Application 
Risk Impact: Medium 
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000 
 
BehaviorAVSystemCare is a security risk that may give exaggerated reports of threats on the computer. 
 
 
I need to look into a way to block this stuff from even reaching the systems. Anyone ever use the Baracuda Networks solutions or something similar? 
 

</div>

<div>
I have 2 XP Pro clients on seperate SBS2003 networks that have been hit with the joke.blusod trojan. All the clients (and servers) had the same protection. SAV Corporate 10, spyware blaster, spybot s&amp;d, windows defender. Only two machines out of a total of 10 (servers and clients) were hit with this thing. I have had NO luck removing it so far. I have tried several other AV's and malware removers, NONE worked. Symantec keeps stopping it (or so it sez) but will NOT remove it (or the part of it that keeps triggering the alert). 
&nbsp;Unless someone can recommend an application that they KNOW works it would be faster to just wipe and re-install rather than spend HOURS fighting this thing. 
BOTH of the machines were hit over the weekend when no one was actually using them and they had no browser windows open. I SURE woulkd like to know HOW this happens! 
I'm open to ANY advice but I'll bet I've tried most of what's out there. 
THANX for any replies!!
</div>

<div>
I have lost all faith in SAV... 
 
I slaved the drive and ran an AVG scan...all it found was a possible false positive...Win32\Heur. 
 
Format time...my only concern is the data that is on the disk being badly infected. 
 
I wish I had better news for you ...try this to remove joke.blusod...just found it. Let us know if it helped at all. 
 
<a href="http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm" rel="ugc">http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm</a> 
 
Good Luck!
</div>

<div>
Did I mention the Extended Services Tab was empty? &nbsp;Standard Services was there, but only 7 services were running. 
 
Ace, your systems probably had the bad stuff on their from before and it probably woke up or someone isn't telling you everything. 
 
End user's will usually try to avoid giving info so they don't get blamed, basic info would make this so much easier. 
 
I guess final solution is to lock everything down, but I have about 25 users at this site, 15 users with XP, 10 users still running windows 2000...ARGH**:-(....Many different engineering apps being used and some will not function with limited access, the users need to have admin rights. Blocking the internet and download capabilities would solve many issues. Just allow the proxy to access certain business related websites. 
 
Bad part is 2 employees know the Admin password and for some reason they keep sharing with others...boss doesn't seem to care. 
 
oh well. 
 

</div>

<div>
More info on the issue... 
 
<a href="http://msmvps.com/blogs/donna/archive/2008/07/14/ups-packet-service-malware-spam.aspx" rel="ugc">http://msmvps.com/blogs/donna/archive/2008/07/14/ups-packet-service-malware-spam.aspx</a> 
<a href="http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/" rel="ugc">http://veroblog.wordpress.com/2008/07/14/ups_invoiceexe-trojan-received-by-email/</a> 
 
Example of email received: 
 
From: United Parcel Service [someone@not_ups.com] 
 
Subject: UPS Paket N2410170593 
 
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipients address is not correct. 
 
Please print out the invoice copy attached and collect the package at our office 
 
Your UPS 
 
Attachment: UPS_Invoice_317.zip 
 
so phishy...and sneaky...proves that people do not read their emails carefully and will click anything if told.
</div>

<div>
Update: 07/15/2008 
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: 
<a href="http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm" rel="ugc">http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm</a> 
 
Update: 07/15/2008 
 
A new variant of Generic Downloader.ab has been observed which comes as an attachment to a fake email claiming to be from UPS. The following is the message of the email: 
 
&quot;Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office 
 
Your UPS&quot; 
 
The attached file is an executable which downloads files from the following server: 
 
hxxp://fixaserver.ru/ldr/[Removed] 
During the time of testing, this server has been known to serve multiple malicious files with varying behavior. 
 
********************** 
 
Low Profile does not help thos infected. 
 
?
</div>

<div>
another forum discussing the UPS email: 
 
<a href="http://www.dslreports.com/forum/r20789896-UPS-packet-upsinvoicezip-WORM" rel="ugc">http://www.dslreports.com/forum/r20789896-UPS-packet-upsinvoicezip-WORM</a> 
 
Still as of yet, no cleanup or removal steps or tools out there. 
 

</div>

<div>
aha...details. 
 
File ups_invoice.zip received on 07.14.2008 18:18:35 (CET) 
Current status: finished 
 
Result: 21/33 (63.64%) 
&nbsp;Compact Print results &nbsp; 
Antivirus Version Last Update Result 
AhnLab-V3 2008.7.11.0 2008.07.14 - 
AntiVir 7.8.0.64 2008.07.14 TR/Dldr.Tiny.brm 
Authentium 5.1.0.4 2008.07.13 W32/Trojan2.ATAB 
Avast 4.8.1195.0 2008.07.14 Win32:Tiny-UR 
AVG 7.5.0.516 2008.07.14 SHeur.BWIM 
BitDefender 7.2 2008.07.14 Trojan.Downloader.Gadja.C 
CAT-QuickHeal 9.50 2008.07.14 TrojanDownloader.Tiny.brm 
ClamAV 0.93.1 2008.07.14 Trojan.Agent-30547 
DrWeb 4.44.0.09170 2008.07.14 Trojan.DownLoad.1379 
eSafe 7.0.17.0 2008.07.14 - 
eTrust-Vet 31.6.5954 2008.07.14 Win32/SillyDl.EUC 
Ewido 4.0 2008.07.14 - 
F-Prot 4.4.4.56 2008.07.13 - 
F-Secure 7.60.13501.0 2008.07.14 Trojan-Downloader.Win32.Tiny.brm 
Fortinet 3.14.0.0 2008.07.14 - 
GData 2.0.7306.1023 2008.07.14 Trojan-Downloader.Win32.Obitel.a 
Ikarus T3.1.1.26.0 2008.07.14 Trojan-Downloader.Win32.Tiny.brm 
Kaspersky 7.0.0.125 2008.07.14 Trojan-Downloader.Win32.Obitel.a 
McAfee 5337 2008.07.11 - 
Microsoft 1.3704 2008.07.14 Trojan:Win32/Agent.EE 
NOD32v2 3266 2008.07.14 Win32/TrojanDownloader.Tiny.NDM 
Norman 5.80.02 2008.07.14 - 
Panda 9.0.0.4 2008.07.14 Suspicious file 
Prevx1 V2 2008.07.14 Malware Downloader 
Rising 20.53.02.00 2008.07.14 - 
Sophos 4.31.0 2008.07.14 Troj/Agent-HFU 
Sunbelt 3.1.1536.1 2008.07.12 - 
Symantec 10 2008.07.14 Downloader 
TheHacker 6.2.96.379 2008.07.14 - 
TrendMicro 8.700.0.1004 2008.07.14 PAK_Generic.001 
VBA32 3.12.6.9 2008.07.13 - 
VirusBuster 4.5.11.0 2008.07.14 - 
Webwasher-Gateway 6.6.2 2008.07.14 Trojan.Dldr.Tiny.brm 
Additional information 
File size: 5124 bytes 
MD5...: 5bf574f62af6ecedbc8d3b43d4ed5f4b 
SHA1..: e92f2f5d7e4cfde44ff85cbb9e16b15754f4c15b 
SHA256: ce7a4dca5dd4562ad5857424cf4e82f6b6688ca2148f63f825d6a8f67b9ce587 
SHA512: 711573fda83ebe8fac94f84396f503022cc19b37045e84c7f48bff73ec56ea4d 
543ad7b9c41d7b213daa924442ab3832b701130bdac9d6ff2df61e40a55b46ac 
PEiD..: - 
PEInfo: - 
Prevx info: <a href="http://info.prevx.com/aboutprogramtext.asp?PX5=3AD5EE0D0038C663204A001719A4940023BD373F" rel="ugc">http://info.prevx.com/aboutprogramtext.asp?PX5=3AD5EE0D0038C663204A001719A4940023BD373F</a>&nbsp; 

</div>

<div>
<a href="http://freeforum.avg.com/read.php?4,137542,137574" rel="ugc">http://freeforum.avg.com/read.php?4,137542,137574</a>
</div>

<div>
SHeur.BWIM is what AVG finds
</div>

<div>
egads...tried a Repair Install of XP over the zombie...went smooth...keyboard now works in GUI...but... 
 
any account I login with...it starts loading...then immediately starts to logoff. 
 
Loopy. 
 
Progress!? 
 
:-)
</div>

<div>
 
Uh, such a recent virus, its no wonder there arent any removal tools yet. 
 
Anyway, logon - logoff issue could be caused by the virus as well, or possibly not. 
as expelled recommended, userinit.exe is usually removed by a virus (BlazeFind). 
Here are some more links on the issue: 
<a href="http://www.winxptutor.com/wsaremove.htm" rel="ugc">http://www.winxptutor.com/wsaremove.htm</a> 
<a href="http://support.microsoft.com/?kbid=313322" rel="ugc">http://support.microsoft.com/?kbid=313322</a> 
<a href="http://www.kellys-korner-xp.com/xp_wel_screen.htm" rel="ugc">http://www.kellys-korner-xp.com/xp_wel_screen.htm</a> 

</div>

<div>
Does ComboFix only work on the C: drive or all drives attached. I can only run on another box, with the infected drive connected externally via USB. I was able to run full scans with AVG, Housecall, Ewido, and it found a few random malware including AVG finding: SHeur.BWIM. 
 
In Fact one of the files that showed as infected with this was &quot;userinit.exe&quot;. This is when testing the drive on the other PC. &nbsp;I recall the last time (Yesterday morning) I was logged into the system I checked TaskManager and &quot;userinit.exe&quot; was running like 12 times...sounds like the virus was up to something. This is likely why the taskbar, Start Button were not visible and apps would not run. hmmm... 
 
Once I can boot into the bad drive I will try ComboFix again. 
 
I started The Kaspersky RescueCD scan before I left the office. Hope it runs through, I tried twice more last night and keeps running for some time and then powers down the PC without any notice or anything. 
 
I will try the login loop fixes and see what happens. I'm going to restore OS on a new HD so I can keep working on this issue. I must find solution...so close. 
 
Thanks again for the new info.
</div>

<div>
Tried malwarebytes. It found a few things the others missed,, but not the blusod. Ran SAV in safe mode. said it found blusod and had deleted it. Re-boot,, OK for a few minutes then SAV pops up with a pando trojan (joke changing names??). Reboot in safe mode and SAV does the same thing. 
&nbsp;I'll end up wipe and re-install this thing but I wanted to try a few things and see if ANY of them worked. 
Blusod must be deleted or at least not working because the &quot;background&quot; tab is back and you can now change wallpaper. 
I'd like to pull a Jesse Jackson on the person who wrote this thing!!!
</div>

<div>
:-) Pando may be the Trojan.Pandex...look it up. 
 
Maybe it was FedEx. 
 
:-D
</div>

<div>
Sweet...tried the &quot;COPY USERINIT.EXE WSAUPDATER.EXE&quot;... 
error file not found...??? 
 
The filename was changed to USERINI.EXE...I added the &quot;T&quot; and rebooted....SUCCESS...Registry is pretty badly hosed, I am throwing everything I have at it...SAVE Quarantine had 5 instances of DOWNLOADER (Verycreative Symantec)...killed those...ran ComboFix and HijackThis...nothing major found that I can see. 
 
I tried to load AVG and I get an error that HKCU in registry could not be accessed. 
 
Any ideas...I am scanning with other online tools and researching... 
 
stay tuned!
</div>

<div>
please post your hjt log and combofix log file here for analysis
</div>

<div>
Now I get an IE window that pops up, but is blank and it takes CPU usage up to 100%...running SFC right now. 
 
What is the best way to rebuild the REGISTRY, without having a working backup? 
 
Whatever man makes, he can also break...but there is always someone who can fix it!
</div>

<div>
Can you attach the combofix log, most often it will show bad files that combofix wasn't able to removed which can be removed in the second run using a script.
</div>

<div>
Here we go: 
 
AVG Install Failure (Version 8.0 Basic) 
 
Local machine: installation failed 
&nbsp; &nbsp; Initialization: 
&nbsp; &nbsp; &nbsp; &nbsp; Error: Connecting to item registry root HKCU (USER_NAME) failed. 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Error 0x80070005 
 
========================================================= 
 
ComboFix 08-07-15.4 - Administrator 2008-07-17 21:47:42.1 - NTFSx86 
Microsoft Windows XP Professional &nbsp;5.1.2600.2.1252.1.1033.18.521 [GMT -7:00] 
Running from: C:\Documents and Settings\Administrator.BNBSTRUCTURAL\Desktop\ComboFix.exe 
&nbsp;* Created a new restore point 
 
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] 
. 
 
((((((((((((((((((((((((((((((((((((((( &nbsp; Other Deletions &nbsp; ))))))))))))))))))))))))))))))))))))))))))))))))) 
. 
 
C:\WINDOWS\system32\drivers\fad.sys 
C:\WINDOWS\system32\MSINET.oca 
C:\WINDOWS\system32\pac.txt 
 
. 
((((((((((((((((((((((((( &nbsp; Files Created from 2008-06-18 to 2008-07-18 &nbsp;))))))))))))))))))))))))))))))) 
. 
 
2008-07-17 21:44 . 2008-07-17 21:45 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\LastGood 
2008-07-17 21:44 . 2008-07-17 21:44 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d---s---- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\Administrator.BNBSTRUCTURAL\UserData 
2008-07-17 21:41 . 2008-07-17 21:41 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\PA8EFB~1.ENG 
2008-07-17 21:33 . 2008-07-17 21:33 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\PAULIN~4.ENG 
2008-07-17 14:20 . 2004-08-04 03:00 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1,875,968 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a--c--- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex 
2008-07-17 14:19 . 2004-08-04 03:00 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;13,463,552 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a--c--- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll 
2008-07-17 14:18 . 2004-05-13 00:39 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;876,653 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a--c--- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll 
2008-07-17 14:16 . 2004-08-04 03:00 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;16,384 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a--c--- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;749 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\WindowsShell.Manifest 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;749 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;749 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\sapi.cpl.manifest 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;749 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\nwc.cpl.manifest 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;749 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest 
2008-07-17 14:16 . 2008-07-17 14:16 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;488 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-rah----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\logonui.exe.manifest 
2008-07-17 14:06 . 2004-08-04 03:00 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1,086,058 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-ra------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SET69.tmp 
2008-07-17 14:06 . 2004-08-04 03:00 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1,042,903 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-ra------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SET66.tmp 
2008-07-17 06:57 . 2008-07-17 06:57 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\dell 
2008-07-17 02:31 . 2008-07-17 12:46 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d--h----- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\$AVG8.VAULT$ 
2008-07-16 11:08 . 2008-07-16 11:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\PAULIN~3.ENG 
2008-07-16 11:00 . 2008-07-16 11:01 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\PAULIN~2.ENG 
2008-07-16 01:18 . 2008-07-16 01:18 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\AVG 
2008-07-16 01:18 . 2008-07-16 11:10 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\All Users\Application Data\avg8 
2008-07-16 00:23 . 2008-07-16 11:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\vladimir 
2008-07-16 00:23 . 2008-07-16 11:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\stella 
2008-07-16 00:23 . 2008-07-16 11:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\Pauline 
2008-07-16 00:23 . 2008-07-16 01:20 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;262,144 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\PAULIN~1.ENG 
2008-07-16 00:02 . 2008-07-16 01:18 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\Administrator\.housecall6.6 
2008-07-15 08:40 . 2008-07-15 08:41 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\All Users\Application Data\Lavasoft 
2008-07-14 08:28 . 2008-04-14 05:42 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;26,112 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\SYSTEM32\userinit.exe 
2008-06-28 22:04 . 2008-06-28 22:04 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\ServicePackFiles 
2008-06-28 22:01 . 2006-12-29 00:31 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;19,569 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--a------ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\WINDOWS\[u]0[/u]03205_.tmp 
 
. 
(((((((((((((((((((((((((((((((((((((((( &nbsp; Find3M Report &nbsp; )))))))))))))))))))))))))))))))))))))))))))))))))))) 
. 
2008-07-18 04:38 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Symantec AntiVirus 
2008-07-16 15:06 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Spybot - Search &amp;&nbsp;Destroy 
2008-07-16 07:17 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Common Files\Adobe 
2008-07-16 07:09 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Lavasoft 
2008-07-14 18:24 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\pauline.BNBSTRUCTURAL\Application Data\AdobeUM 
2008-05-28 00:34 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Microsoft CAPICOM 2.1.0.2 
2008-05-26 23:12 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Common Files\Symantec Shared 
2008-05-26 23:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Symantec 
2008-05-26 23:11 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Documents and Settings\All Users\Application Data\Symantec 
2008-05-26 22:20 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--------- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;d-----w &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Program Files\Microsoft Silverlight 
. 
 
((((((((((((((((((((((((((((((((((((( &nbsp; Reg Loading Points &nbsp; )))))))))))))))))))))))))))))))))))))))))))))))))) 
. 
. 
*Note* empty entries &amp;&nbsp;legit default entries are not shown 
REGEDIT4 
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
&quot;ctfmon.exe&quot;=&quot;C:\WINDOWS\system32\ctfmon.exe&quot; [2004-08-04 03:00 15360] 
&quot;swg&quot;=&quot;C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe&quot; [2007-11-02 23:45 171448] 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
&quot;ccApp&quot;=&quot;C:\Program Files\Common Files\Symantec Shared\ccApp.exe&quot; [2006-03-07 13:02 53408] 
&quot;vptray&quot;=&quot;C:\PROGRA~1\SYMANT~1\VPTray.exe&quot; [2006-03-17 06:34 124656] 
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ 
Address Book.lnk - C:\Program Files\Kyocera Mita\Address Book\AddrBook.exe [2006-08-18 17:53:17 73728] 
Scanner File Utility.lnk - C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe [2005-05-09 15:07:32 311296] 
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] 
&quot;DisableCAD&quot;= 0 (0x0) 
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Kla20.sys] 
@=&quot;Driver&quot; 
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk] 
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk 
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup 
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER] 
--a----t- 2005-05-04 19:03 6656 C:\Program Files\Qurb\QSP-2.1.213.3\QOELoader.exe 
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] 
&quot;DisableMonitoring&quot;=dword:00000001 
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] 
&quot;EnableFirewall&quot;= 0 (0x0) 
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] 
&quot;%windir%\\system32\\sessmgr.exe&quot;= 
&quot;%windir%\\Network Diagnostic\\xpnetdiag.exe&quot;= 
 
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-07-11 08:08] 
S0 Kla20;Kla20;C:\WINDOWS\system32\Drivers\Kla20.sys [] 
 
*Newly Created Service* - BITS 
*Newly Created Service* - CATCHME 
*Newly Created Service* - PROCEXP90 
. 
Contents of the 'Scheduled Tasks' folder 
&quot;2008-05-10 14:47:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job&quot; 
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe 
&quot;2008-07-15 21:04:16 C:\WINDOWS\Tasks\Disk Cleanup.job&quot; 
- C:\WINDOWS\SYSTEM32\cleanmgr.exe 
&quot;2008-07-15 21:04:19 C:\WINDOWS\Tasks\Disk Defragmentation.job&quot; 
- C:\WINDOWS\SYSTEM32\DFRG.MSC 
. 
************************************************************************** 
 
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, <a href="http://www.gmer.net" rel="ugc">http://www.gmer.net</a> 
Rootkit scan 2008-07-17 21:49:24 
Windows 5.1.2600 Service Pack 2 NTFS 
 
scanning hidden processes ... 
 
scanning hidden autostart entries ... 
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
************************************************************************** 
. 
Completion time: 2008-07-17 21:50:16 
ComboFix-quarantined-files.txt &nbsp;2008-07-18 04:50:10 
 
Pre-Run: 59,849,142,272 bytes free 
Post-Run: 60,008,439,808 bytes free 
 
118 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;--- E O F --- &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;2008-07-11 00:47:52 

</div>

<div>
HijackThis Scan: 
 
Logfile of Trend Micro HijackThis v2.0.2 
Scan saved at 21:56, on 2008-07-17 
Platform: Windows XP SP2 (WinNT 5.01.2600) 
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) 
Boot mode: Normal 
 
Running processes: 
C:\WINDOWS\System32\smss.exe 
C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe 
C:\WINDOWS\system32\Ati2evxx.exe 
C:\WINDOWS\system32\svchost.exe 
C:\WINDOWS\System32\svchost.exe 
C:\WINDOWS\system32\spoolsv.exe 
C:\WINDOWS\system32\basfipm.exe 
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe 
C:\Program Files\Symantec AntiVirus\DefWatch.exe 
C:\WINDOWS\System32\svchost.exe 
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe 
C:\Program Files\Symantec AntiVirus\SavRoam.exe 
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe 
C:\WINDOWS\system32\svchost.exe 
C:\Program Files\Symantec AntiVirus\Rtvscan.exe 
C:\Program Files\RealVNC\VNC4\WinVNC4.exe 
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 
C:\Program Files\Common Files\Symantec Shared\ccApp.exe 
C:\PROGRA~1\SYMANT~1\VPTray.exe 
C:\WINDOWS\system32\ctfmon.exe 
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe 
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe 
C:\WINDOWS\system32\wuauclt.exe 
C:\WINDOWS\explorer.exe 
C:\Program Files\Internet Explorer\iexplore.exe 
C:\Program Files\Internet Explorer\iexplore.exe 
C:\Program Files\Trend Micro\HijackThis\ThisJacker.exe 
C:\WINDOWS\system32\wuauclt.exe 
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href="http://www.dell.com" rel="ugc">http://www.dell.com</a> 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = <a href="http://go.microsoft.com/fwlink/?LinkId=69157" rel="ugc nofollow">http://go.microsoft.com/fwlink/?LinkId=69157</a> 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = <a href="http://go.microsoft.com/fwlink/?LinkId=54896" rel="ugc">http://go.microsoft.com/fwlink/?LinkId=54896</a> 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = <a href="http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html" rel="ugc nofollow">http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html</a> 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = <a href="http://go.microsoft.com/fwlink/?LinkId=54896" rel="ugc">http://go.microsoft.com/fwlink/?LinkId=54896</a> 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll 
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing) 
O2 - BHO: Spybot-S&amp;D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll 
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll 
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll 
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll 
O4 - HKLM\..\Run: [ccApp] &quot;C:\Program Files\Common Files\Symantec Shared\ccApp.exe&quot; 
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe 
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe 
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe 
O4 - HKUS\S-1-5-21-3257268313-2688823123-1684939336-1118\..\Run: [SpySweeper] &quot;C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe&quot; /0 (User '?') 
O4 - HKUS\S-1-5-21-3257268313-2688823123-1684939336-1118\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?') 
O4 - Global Startup: Address Book.lnk = ? 
O4 - Global Startup: Scanner File Utility.lnk = ? 
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll 
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll 
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL 
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll 
O9 - Extra 'Tools' menuitem: Spybot - Search &amp;&nbsp;Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll 
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe 
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe 
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe 
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - <a href="http://housecall60.trendmicro.com/housecall/xscan60.cab" rel="ugc">http://housecall60.trendmicro.com/housecall/xscan60.cab</a> 
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - <a href="http://download.ewido.net/ewidoOnlineScan.cab" rel="ugc">http://download.ewido.net/ewidoOnlineScan.cab</a> 
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - <a href="http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab" rel="ugc">http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab</a> 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <a href="http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216356312109" rel="ugc nofollow">http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216356312109</a> 
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - <a href="http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128317426470" rel="ugc nofollow">http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128317426470</a> 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - <a href="http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1208668028_368c01b279a96b8c2da20053c95be132&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab" rel="ugc">http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1208668028_368c01b279a96b8c2da20053c95be132&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab</a> 
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - <a href="https://mvs01.unisys.com/dana-cached/setup/JuniperSetup.cab" rel="ugc">https://mvs01.unisys.com/dana-cached/setup/JuniperSetup.cab</a> 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bnbstructural.com 
O17 - HKLM\Software\..\Telephony: DomainName = bnbstructural.com 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bnbstructural.com 
O17 - HKLM\System\CS1\Services\Tcpip\..\{52F3A8D3-5330-454A-99FA-A98B186AD659}: NameServer = 192.168.20.2,64.60.0.18 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bnbstructural.com 
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing) 
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe 
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe 
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe 
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe 
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe 
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe 
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE 
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe 
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe 
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe 
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe 
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe 
 
-- 
End of file - 8676 bytes 

</div>

<div>
SFC scan is done. I guess it did it's job. Shouldn't matter though since I did an in place Repair install of XP Pro from the DELL Restore CD. 
 
installing SP3 and windows updates so I can run housecall and bitdefender again. 
 
SAV is such a HOG...just removed it from a test system I had and running only AVG....feels like I add RAM and upgraded CPU...Symantec YUCK...what happened...They must have drunk the punch too...BE GONE!
</div>

<div>
Strobo is the man...My BitDefender Rescue CD is from June so likely didn't see it... 
 
Be right back...
</div>

<div>
Ace...try this: 
 
How to Remove Trojan.Blusod: 
by precisesecurity 
June 28th, 2008 at 1:57 am 
1. Temporarily Disable System Restore (Windows Me/XP). [how to] 
2. Update the virus definitions. 
3. Reboot computer in SafeMode [how to] 
4. Run a full system scan and clean/delete all infected file(s) 
5. Delete/Modify any values added to the registry. [how to edit registry] 
Navigate to and delete the following registry entry: 
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\EULAAccepted&nbsp;= 13 
 
Restore the following registry entries to their previous values, if required: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lph[RANDOM CHARACTERS]&nbsp;= %System%\lph[RANDOM CHARACTERS].exe 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\InstallationID&nbsp;= 906b1f2d-66b5-439e-8c02-9d08858fe5273 
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper&nbsp;= %System%\ph[RANDOM CHARACTERS].bmp 
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE&nbsp;= %System%\blph[RANDOM CHARACTERS].scr 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage&nbsp;= 03 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage&nbsp;= 03 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR&nbsp;= 03 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Start&nbsp;= 03 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\ImagePath&nbsp;= *system32\DRIVERS\sr.sys* 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\FirstRun&nbsp;= 03 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Start&nbsp;= 03 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\ImagePath&nbsp;= *system32\DRIVERS\sr.sys* 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\FirstRun&nbsp;= 03 
HKEY_CURRENT_USER\Control Panel\Colors\Background&nbsp;= 0 0 2553 
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive&nbsp;= 13 
HKEY_CURRENT_USER\Control Panel\Desktop\TileWallpaper&nbsp;= 03 
 
6. Exit registry editor and restart the computer. 
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner. 

</div>

<div>
updated write-up: 
 
<a href="http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/" rel="ugc">http://veroblog.wordpress.com/2008/07/15/follow-up-post-about-ups_invoice-trojan/</a> 

</div>

<div>
haha...just found it in my REG: 
 
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\EULAAccepted&nbsp;= 13 
 
[DELETE] 
 
running cleanup now...any other ideas on best REG fixer/scanner? 
 

</div>

<div>
Ace...do a search for &quot;Sysinternals&quot; in REG...Mine was here: 
 
HKEY_USERS\S-1-5-21-3257268313-2688823123-1684939336-1118\Software\Sysinternals\Bluescreen Screen Saver\ 
 
...WAS!
</div>

<div>
<a href="http://www.xp-vista.com" rel="ugc">www.xp-vista.com</a> does not load for me...The hackers must have exploited it...ABORT...ABORT! 
 
Plan B!
</div>

<div>
the things we find during cleanup is amazing... 
 
<a href="http://andymanchesta.com/" rel="ugc">http://andymanchesta.com/</a> 
 
Awesome site with all kinds of info and free tools. 
 

</div>

<div>
My advice Stay away from Symantec Products altogether. 
 
I'm considering upgrading my clients to AVG Enterprise, has anyone tried this. The Basic versions have served me and my clients well for last 3 years and always seem to bail out Failures by Symantec/McAfee. 
 
I agree with Ace...I think I got most of the bad stuff, but hard to tell. Also I had one of the client's employees use his &quot;skillz&quot; and though he took care of the issue on Monday. &quot;Don't worry I deleted a bunch of registry settings and everything is working fine.&quot; 
 
This from a guy who downloads cracks all day and rips DVD's. 
 
I may try the Websense Express option for SMB's. It's about $20/user per year. Blocks any sites by keywords/categories/threat levels. and also prevents downloading of files 
 
Another option will be to run some kind of pre-scan on all incoming/outgoing emails to prevent more threats like this one. 
 
I heard there was some kind of email filtering services, anyone try them? 
 
Baracuda hardware starts at like $5000, plus support, per year. The client won't go for that. 
 
Thanks to all who assisted. I will split the points among everyone. 
 
2 hours later...the bat signal went up again. 
 

</div>

<div>
This looks interesting... 
 
<a href="http://www.google.com/a/help/intl/en/security/index.html" rel="ugc">http://www.google.com/a/help/intl/en/security/index.html</a> 

</div>

<div>
Aceracer, 
 
rather than buying a new HDD its probably best, and cheaper, to do a low level format of your HDD. 
This erases absolutely everything on it beyond recovery.... its a definite way to clean your HDD :) 
 
Here are some utils for that: 
<a href="http://www.ariolic.com/activesmart/low-level-format.html" rel="ugc">http://www.ariolic.com/activesmart/low-level-format.html</a> 
<a href="http://hddguru.com/content/en/software/2006.04.12-HDD-Low-Level-Format-Tool/" rel="ugc">http://hddguru.com/content/en/software/2006.04.12-HDD-Low-Level-Format-Tool/</a> 

</div>

<div>
Strobo, 
I think you missed the direction I am headed with buy a new HD. You buy a new HD, do a fresh install of XP on it. When done install the old HD as a second drive and suck anything you need off it and transfer to the new HD. THEN format the old drive and use it as an internal backup drive. 
Most new HDs come with a &quot;light&quot; version of backup software like Acronis (what I use) which allows you to image the drive. It would have been helpful in this situation since the trojan turned off system restore. I could have re loaded the drive from the backup image and had the machine back working in a few hours, and WITHOUT all the pain and suffering I've went through. 

</div>

<div>
Oh, I see... yeah, I misunderstood. 
 
Yeah, this is exactly the reason why I keep all my personal files on a second drive. So whatever happens to my OS Im free to format and reinstall as I like. Atleast I know the files are safe.
</div>

<div>
I am doing this as the drives are replaced due to age, I recommend replacing drives older than 3 years. 
Unfortunately this machine hasn't got to that age yet,,, 
Hard drives, especially smaller IDE are REALLY getting cheap so it's not a big hardware expense like it used to be. 
 

</div>

<div>
 
Any luck with the cleanup?? 
Im curious if it all paid off :)
</div>

<div>
The machine is at a clients site which I will visit tomorrow. It's STILL showing Pandex and a few others with a Sy AV scan. I'm going to try the new VIPRE combo AV-Malware-Trojan remover from Sunbelt. This will be a REAL test for it!!! 
I'll post results here. If it works I'll be dumping Symantec and convert all my machines. 

</div>

<div>
I gave up wasting the man hours and rebuilt OS on a new HD for client. 
 
I still saw some strange freezing and blank IE windows popping up. 
 
Thanks to all for your help...BTW, I did not reload SAV 10.1 client and am starting to wean the office off of it. 
 
What do you prefer for small business running domain servers? About 25-30 users 
 
Spoke with client today and they are still seeing the UPS_Invoice.XXX email circulating. 
 
Safest way is to hide everyone's mice so they can't click stuff. 
 
Any luck with latest version of Vista in business environments? I heard Windows XP support will be available until 2014, Sounds like MS knows no one wants to upgrade. 
 
 
:-)
</div>

<div>
I would stick to XP for a while longer. Vista is just a pain :) 
 
Heh, funny, I just received an email from our company warning about the UPS email and that our antivirus still doesn't detect it. Eh eh eh... 
</div>

<div>
Funny you should mention Visty. I have set up a test Vista machine on my SBSnetwork here at home to give it a try before I try it on any of the networks I support. So far I have been advising my SBS Clients to avoid it for now. 
I'll have to admit it DOES have nice graphics,,, but that'a about it!!! It has been a REAL fight to try and get this thing to do what XP already does easily. I have had several basic networking issues I have NOT had with XP. Then there are several programs which do NOT seem to play well with Vista. There are many things which only a click or two away on XP that are 3 OR MORE CLICKS away on Vista,,,WHY?? 
And there seems to be NO clear directions (that I have found) telling you step by step what needs to be done to allow Vista to EASILY be added to a SBS network. 
I STILL see NO reason to move from XP to Vista on a small business network. 
Can you spell Unbuntu ??? 

</div>

<div>
Ace...look here, you may find something useful. 
 
<a href="http://www.microsoft.com/downloads/details.aspx?familyid=311f4be8-9983-4ab0-9685-f1bfec1e7d62&displaylang=en" rel="ugc">http://www.microsoft.com/downloads/details.aspx?familyid=311f4be8-9983-4ab0-9685-f1bfec1e7d62&displaylang=en</a> 
 
I'm an MS Partner and might be able to find you some more info. 
 
Compatibility guide: 
 
<a href="http://support.microsoft.com/kb/926505" rel="ugc">http://support.microsoft.com/kb/926505</a> 

</div>

<div>
thanks for the tip kcham44. But the underlying question is,, WHY did they ever deploy Vista KNOWING it had several important issues with SBS WITHOUT a guide to fixing it?? Makes it REAL hard to sell something so troublesome to START with! 
Anywho back to the original topic,,, 
I visited the clients site today and sure enough SY-AV was still popping up warnings even after the user had updated it and ran the scan in safe mode. It refused to clean the infection. So,,, I removed ALL the protection including SY-AV, spybot, spyware blaster, AVG anti spyware, malwarebytes. Installed Viper from Sunbelt software. Updated it and ran a scan. Said it found SIX infections and removed them all. Rebooted and the machine appears to be working normally!!! 
So,,, a BIG thumbs up (at least on this one) for Viper from Sunbelt software!! I'll be converting my machines to their product!! 

</div>

<div>
nice...MS is still Marketing VISTA as if it works perfectly. I think the Apple adds told the public all they needed to know. VISTA stinks and MS is still trying to go Smoke and Mirrors on everyone. 
 
if you need any info feel me to drop me an email...[armen &quot;@&quot; ny3d.net] 
 
I will ask the MS rep at our next partner event. 
 
:-)
</div>

<div>
<div class="content wysiwyg-content">
User opened a bad email and/or attachment that has opened up into a much bigger problem. 
 
First system was attempting to send large amounts of SPAM. Then START button/task bar is now hidden. Check Services, all are not running except for about 7. I assume enough to keep it working. When you try to RESTART a service, it says file or location not found or dependency is missing. 
 
Same issue in Normal and Safe Modes with multiple user accounts and ADMIN/Local logon. 
 
Tried running SAV 10.1 client, finds nothing. Ran TrendMicro Housecall online yesterday and it just found some cookies. Ewido from some malware and removed. Tried loading AVG 8, fails with a message stating Windows Firewall Service not found and AVG service unable to start. After reboot now IE does not open any more, all network functions lost. I can get into REGEDIT/SERVICES/Browse the Hard drive and that is it. No programs will run, unless I start from task manager. except for IE which looks like it opens and closes right away. 
 
I am going to pull the drive and run a full scan on it as a slave on another PC. I will add more details as I find them. 
 
Trying to avoid a format and reload if possible. The office &quot;tech&quot; got a hold of the PC before me and ran all kinds of things and deleted some REG entries before I found out about the issue.. 
 
Hope I can salvage a few things. I will also try an XP repair to see if that fixes missing files and associations. 
 
System is a DELL Optiplex and has a RESTORE XP PRO disc. 
 
Thank 
</div>
</div>

User opened a bad email and/or attachment that has opened up into a much bigger problem. 

First system was attempting to send large amounts of SPAM. Then START button/task bar is now hidden. Check Services, all are not running except for about 7. I assume enough to keep it working. When you try to RESTART a service, it says file or location not found or dependency is missing.

Same issue in Normal and Safe Modes with multiple user accounts and ADMIN/Local logon.

Tried running SAV 10.1 client, finds nothing. Ran TrendMicro Housecall online yesterday and it just found some cookies. Ewido from some malware and removed. Tried loading AVG 8, fails with a message stating Windows Firewall Service not found and AVG service unable to start. After reboot now IE does not open any more, all network functions lost. I can get into REGEDIT/SERVICES/Browse the Hard drive and that is it. No programs will run, unless I start from task manager. except for IE which looks like it opens and closes right away.

I am going to pull the drive and run a full scan on it as a slave on another PC. I will add more details as I find them.

Trying to avoid a format and reload if possible. The office "tech" got a hold of the PC before me and ran all kinds of things and deleted some REG entries before I found out about the issue..

Hope I can salvage a few things. I will also try an XP repair to see if that fixes missing files and associations.

System is a DELL Optiplex and has a RESTORE XP PRO disc.

Thank 

Viruses/Trojans causing havoc...START Button and task bar missing...all windows services have been disabled...sends SPAM

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.

Anti-Virus Apps

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.