Viruses/Trojans causing havoc...START Button and task bar missing...all windows services have been disabled...sends SPAM

User opened a bad email and/or attachment that has opened up into a much bigger problem.

First system was attempting to send large amounts of SPAM. Then START button/task bar is now hidden. Check Services, all are not running except for about 7. I assume enough to keep it working. When you try to RESTART a service, it says file or location not found or dependency is missing.

Same issue in Normal and Safe Modes with multiple user accounts and ADMIN/Local logon.

Tried running SAV 10.1 client, finds nothing. Ran TrendMicro Housecall online yesterday and it just found some cookies. Ewido from some malware and removed. Tried loading AVG 8, fails with a message stating Windows Firewall Service not found and AVG service unable to start. After reboot now IE does not open any more, all network functions lost. I can get into REGEDIT/SERVICES/Browse the Hard drive and that is it. No programs will run, unless I start from task manager. except for IE which looks like it opens and closes right away.

I am going to pull the drive and run a full scan on it as a slave on another PC. I will add more details as I find them.

Trying to avoid a format and reload if possible. The office "tech" got a hold of the PC before me and ran all kinds of things and deleted some REG entries before I found out about the issue..

Hope I can salvage a few things. I will also try an XP repair to see if that fixes missing files and associations.

System is a DELL Optiplex and has a RESTORE XP PRO disc.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

try sfc /scannow.

Its the Microsoft System File Checker and will verify your windows installation files.

At worst, an in-place upgrade of XP should retain your data.

HiJackthis might be worth it also..

kcham44Author Commented:
Unfortunately adding new programs within Windows is not possible, anything I have tried fails, referencing some Service that is not running. I will try SFC when I get back to my office. thanks

I think the office employees already tried LAST KNOW GOOD a few times and tried to perform a restore, but the system restore shows as being DISABLED when I checked. The SAV Server Alert log had about 15 threats reported on this users HOSTNAME from 7/15...Rootkits, Trojans, Joke programs. I will list details ASAP.

This is like one of those really good puzzles and would be great to reverse the damage if possible to prevent in future. I see some .bmp and .scr files were also caught by SAV, So I assume users opened some infected emails/attachments.


I would suggest you get an antivirus rescue cd... you can create one on your other PC...and then boot from that cd and scan the PC before trying windows repair. Thats your best shot as the viruses are unactive while you scan.
Here are some free rescue CDs I would recommend:

Simply download the iso and burn it to a CD.

Keep in mind that by far the best option is still the a format and clean install.

Get Blueprints for Increased Customer Retention

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Ofcourse, after a good scan with the rescue cd I would do a windows reinstall from an installation cd...thisway all the windows files are reinstalled while keeping all your programs and files.
Hijack this is also good to detect any unwanted programs starting up, but its tough to fix anything like that if they are already running and they tend to reinstall themselves very quickly.
kcham44Author Commented:

Thanks for the quick replies.

I will try at least one and maybe both.

I have a spare drive and time for rebuild, Just wanted to spend an hour or so to see if anyone has come across this. This is a pretty nasty one and I have seen some good one. Like I said so many changes have been made, I don't know where the viruses stop and the users screw-ups begin.

Another user in the office is always downloading Cracks and Keygens and is putting everyone in the office at risk.

I think I need to completely lock down their access to certain websites and files types that they can download.
Know any good apps to monitor/block/secure networked systems?

I know of WebSense, but kind of costly.

Thanks again.
Reinstalling/repairing OS in a very infected machine(without reformatting) can sometimes make the pc unbootable.

I assume you can still boot in normal mode and safe mode right?
If .exe file associations are messed up you can Go to Start > Run > type in:

In the command prompt, type:

ftype exefile="%1" %*

1. Please download ComboFix by sUBs:(run it in normal mode) 

You must download it to and run it from your Desktop(rename it before you save the file to your desktop just in case bagle is present it will not let combofix run unless you rename it).

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
From the run box type the following:

"%userprofile%\desktop\ComboFix.exe" /KillAll

Or you can just doubleclick the combofix.exe on the desktop to start combofix.
When finished, it will produce a log. Please save that log and attach it in your next reply.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

2. You can also try SDFix.exe(it must be run in Safe Mode)
Download SDFix and save it to your desktop.(either one below) 

If needed: How to use SDFix.
too time consuming to manage, I'd just stop their privilages..

Well, using an app like websense is a quick fix, but this can easily be bypassed by using proxies, translators or other methods. As long as the blocking happens on the workstation itself it is very vunerable.

Most effective way to block users would be to have a proxy server on your network through which users access the internet... and then implement all the blocking on that proxy. ie. they can access the net only through your proxy server which blocks the content...

Here is a link with a list of some content-filtering software... it includes free ones as well as some with server-side filtering.
kcham44Author Commented:
tried the Kaspersky CD...both ISO's were for the same RescueCD...both loaded a bunch of things and go to a black screen with X as cursor...after about 20 seconds the PC powers off.
Did I miss something?

Now I can't even get the PC to recognize the keyboard in fine during POST and in BIOS...could there be a service that is not starting that is requred for keyboard input?


As I explained above, browser won't open, no internet or network access so can't download anything. I can try to copy data over...but as of yet system is not loading USB keys and does not see Optical drive within windows, just the C: Drive...which for some weird reason is full accessible...until now...since keyboard won't work I can't login...SAFE or NORMAL boots...yarg!

I will be back soon...Basketball league starts in 20 minutes...ty all.
Not sure why Kasperski wouldnt work. It works fine for me. I really dont see why it would not.
So are you saying that the AntiVir CD does the same thing?

kcham44Author Commented:
Your links downloaded 2 separate files, different names and sizes. I created a boot CD with each file, both load into Kaspersky Rescue CD, same version...sometimes all I get is a black screen with the X cursor...I got it to run the Kaspersky scan twice....1st ran for about 42%...then went back to text rolling by and it unmounted and started to shutdown everything, PC turned off...2nd time it ran for about 15% and same thing, just powers system off.

I found a BitDefender Knoppix boot ISO and am running that right now...we shall see what happens. The OS no longer loads the keyboard no matter what I try...I can go into BIOS and F8 menu, but once the XP GUI starts to load the KB turns off.

tried 5 different USB keyboard, in every USB slot front and PS2 ports to try...will let it scan and then try XP repair console...if not looks like a format tonight...

I had a Voicemail from client's ISP this afternoon...numerous complaints of SPAM generating from their IP...OUCH...good thing I took this zombie off network...before they cut their service.

Thanks to all who assisted I will check the proxy stuff Strobo...I'm sure Kaspersky works fine, probably the virus/trojan is causing to crash, must be a real nice mess...I will scan the drive later and let you know what I find.

I keep telling people, use your business computers for BUSINESS...not forwarding junk emails and jokes...sad but without peoples mistakes we would have no jobs.

:-)...all we can do is recommend and try to keep the place secure...if users willingly leave the door open and let strangers in...I'm sure their boss won't like the report I give him tomorrow and the bill.

more updates soon...

No probs,

Yeah, I never tried the AnitVir CD but i heard its good. Would never have guessed that its actually the Kaspersky one.

In any case, yes, try scanning it more and then try Windows XP repair console, or beter yet a reinstall on top of the old windows. You can try that even if the scan doesnt work...and then try using the Rescue CDs again to scan it. With these things u never really know you got rid of them until you do a format.

Good luck!!! :)
kcham44Author Commented:
kcham44Author Commented:
Risk      Action      Filename      Original Location      Computer      Current Location      Date
Trojan.Pandex      Cleaned by deletion      tcpsr.sys      C:\WINDOWS\SYSTEM32\DRIVERS\      COMPUTER16      C:\WINDOWS\SYSTEM32\DRIVERS\      7/15/2008 23:28
Downloader      Cleaned by deletion      BN2.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 23:28
Trojan.Pandex      Cleaned by deletion      tcpsr.sys      C:\WINDOWS\SYSTEM32\DRIVERS\      COMPUTER16      C:\WINDOWS\SYSTEM32\DRIVERS\      7/15/2008 18:15
Downloader      Cleaned by deletion      BN2.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 18:15
Hacktool.Rootkit      Reboot Processing      Unavailable      Unavailable      COMPUTER16      Unavailable      7/15/2008 17:53
Trojan.Pandex      Cleaned by deletion      tcpsr.sys      C:\WINDOWS\SYSTEM32\DRIVERS\      COMPUTER16      C:\WINDOWS\SYSTEM32\DRIVERS\      7/15/2008 17:53
Downloader      Cleaned by deletion      BN2.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 17:53
Hacktool.Rootkit      Cleaned by deletion      sysrest.sys      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 17:35
Hacktool.Rootkit      Reboot Processing      Unavailable      Unavailable      COMPUTER16      Unavailable      7/15/2008 17:13
Hacktool.Rootkit      Reboot Processing      Unavailable      Unavailable      COMPUTER16      Unavailable      7/15/2008 17:13
Trojan.Pandex      Reboot Required - Reboot Processing      tcpsr      tcpsr      COMPUTER16      tcpsr      7/15/2008 17:13
Trojan.Pandex      Cleaned by deletion      tcpsr.sys      C:\WINDOWS\SYSTEM32\DRIVERS\      COMPUTER16      C:\WINDOWS\SYSTEM32\DRIVERS\      7/15/2008 17:12
Downloader      Cleaned by deletion      BN2.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 17:12
Hacktool.Rootkit      Reboot Required - Reboot Processing      sysrest.sys      sysrest.sys      COMPUTER16      sysrest.sys      7/15/2008 16:59
Trojan.Pandex      Reboot Required - Reboot Processing      tcpsr      tcpsr      COMPUTER16      tcpsr      7/15/2008 16:59
Trojan.Pandex      Cleaned by deletion      tcpsr.sys      C:\WINDOWS\SYSTEM32\DRIVERS\      COMPUTER16      C:\WINDOWS\SYSTEM32\DRIVERS\      7/15/2008 16:57
Downloader      Cleaned by deletion      BN2.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 16:57
Downloader      Cleaned      APQ194.tmp      C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\      COMPUTER16      C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\      7/15/2008 16:52
Downloader      Cleaned by deletion      BN193.tmp      C:\WINDOWS\Temp\      COMPUTER16      C:\WINDOWS\Temp\      7/15/2008 16:52
AntiSpywareExpert      Quarantined      Unavailable      Unavailable      COMPUTER16      Quarantine      7/15/2008 16:51
Joke.Blusod      Access Denied      blphcr4uj0e95a.scr      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:49
Trojan.Blusod      Cleaned by deletion      phcr4uj0e95a.bmp      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:48
Hacktool.Rootkit      Reboot Processing      Unavailable      Unavailable      COMPUTER16      Unavailable      7/15/2008 16:46
Joke.Blusod      Access Denied      blphcr4uj0e95a.scr      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:36
Trojan.Blusod      Cleaned by deletion      phcr4uj0e95a.bmp      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:35
Hacktool.Rootkit      Reboot Processing      Unavailable      Unavailable      COMPUTER16      Unavailable      7/15/2008 16:34
Joke.Blusod      Access Denied      blphcr4uj0e95a.scr      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:13
Trojan.Blusod      Cleaned by deletion      phcr4uj0e95a.bmp      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/15/2008 16:13
Joke.Blusod      Access Denied      blphcr4uj0e95a.scr      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/14/2008 17:57
Trojan.Blusod      Cleaned by deletion      phcr4uj0e95a.bmp      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/14/2008 17:57
Joke.Blusod      Access Denied      blphcr4uj0e95a.scr      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/14/2008 8:29
Trojan.Blusod      Cleaned by deletion      phcr4uj0e95a.bmp      C:\WINDOWS\SYSTEM32\      COMPUTER16      C:\WINDOWS\SYSTEM32\      7/14/2008 8:29
AVSystemCare      Pending Analysis      a0097982.exe      C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp551\      COMPUTER16      C:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\rp551\      4/18/2008 13:09
kcham44Author Commented:
Found the SAV log on server...BitDefender has found nothing yet...AntiMalware Scan, step 1 of 3, 160,000 files and still going.

Trojan.Pandex: Per Symantec:

Discovered: January 5, 2007
Updated: April 20, 2007 2:25:36 AM
Also Known As: Win32/Cutwail.B [Computer Associates], Win32/Cutwail.C [Computer Associates], Win32/Cutwail.M [Computer Associates], W32/Agent.BOY [F-Secure], Troj/Pushdo-B [Sophos]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Trojan.Pandex is a Trojan horse that sends spam from a remote server and gathers email addresses from the compromised computer.


Hacktool.Rootkit: "As an interesting aside: it seems that ONLY people who run NAV/NORTON/SYMANTEC bloatware seem to be HIT by this!" found on TechSpot.

Per Symantec:

Discovered: September 27, 2001
Updated: February 13, 2007 11:38:00 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.

AntiSpywareExpert: Per Symantec:
Updated: April 11, 2008 9:58:17 AM
Type: Misleading Application
Name: AntiSpywareExpert
Publisher: AntiSpywareExpert Inc.
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

BehaviorAntiSpywareExpert is a misleading application that may give exaggerated reports of threats on the computer.


Joke.Blusod: Per Symantec:

Updated: June 30, 2008 8:52:48 AM
Type: Joke
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

BehaviorJoke.Blusod is a joke screen-saver program that displays a series of system failure messages on the computer.


Trojan.Blusod: Per Symantec:

Discovered: June 27, 2008
Updated: June 29, 2008 3:34:03 PM
Type: Trojan
Infection Length: 109,056 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.Blusod is a Trojan horse that may download files on to the compromised computer.


AVSystemCare: Per Symantec:

Updated: June 15, 2007 2:06:52 PM
Type: Misleading Application
Risk Impact: Medium
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

BehaviorAVSystemCare is a security risk that may give exaggerated reports of threats on the computer.

I need to look into a way to block this stuff from even reaching the systems. Anyone ever use the Baracuda Networks solutions or something similar?

I have 2 XP Pro clients on seperate SBS2003 networks that have been hit with the joke.blusod trojan. All the clients (and servers) had the same protection. SAV Corporate 10, spyware blaster, spybot s&d, windows defender. Only two machines out of a total of 10 (servers and clients) were hit with this thing. I have had NO luck removing it so far. I have tried several other AV's and malware removers, NONE worked. Symantec keeps stopping it (or so it sez) but will NOT remove it (or the part of it that keeps triggering the alert).
 Unless someone can recommend an application that they KNOW works it would be faster to just wipe and re-install rather than spend HOURS fighting this thing.
BOTH of the machines were hit over the weekend when no one was actually using them and they had no browser windows open. I SURE woulkd like to know HOW this happens!
I'm open to ANY advice but I'll bet I've tried most of what's out there.
THANX for any replies!!
kcham44Author Commented:
I have lost all faith in SAV...

I slaved the drive and ran an AVG scan...all it found was a possible false positive...Win32\Heur.

Format only concern is the data that is on the disk being badly infected.

I wish I had better news for you ...try this to remove joke.blusod...just found it. Let us know if it helped at all.

Good Luck!
kcham44Author Commented:
Did I mention the Extended Services Tab was empty?  Standard Services was there, but only 7 services were running.

Ace, your systems probably had the bad stuff on their from before and it probably woke up or someone isn't telling you everything.

End user's will usually try to avoid giving info so they don't get blamed, basic info would make this so much easier.

I guess final solution is to lock everything down, but I have about 25 users at this site, 15 users with XP, 10 users still running windows 2000...ARGH**:-(....Many different engineering apps being used and some will not function with limited access, the users need to have admin rights. Blocking the internet and download capabilities would solve many issues. Just allow the proxy to access certain business related websites.

Bad part is 2 employees know the Admin password and for some reason they keep sharing with others...boss doesn't seem to care.

oh well.

kcham44Author Commented:
More info on the issue...

Example of email received:

From: United Parcel Service []

Subject: UPS Paket N2410170593

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipients address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS


so phishy...and sneaky...proves that people do not read their emails carefully and will click anything if told.
kcham44Author Commented:
Update: 07/15/2008
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

Update: 07/15/2008

A new variant of Generic Downloader.ab has been observed which comes as an attachment to a fake email claiming to be from UPS. The following is the message of the email:

"Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipients address is not correct. Please print out the invoice copy attached and collect the package at our office

Your UPS"

The attached file is an executable which downloads files from the following server:

During the time of testing, this server has been known to serve multiple malicious files with varying behavior.


Low Profile does not help thos infected.

kcham44Author Commented:
another forum discussing the UPS email:

Still as of yet, no cleanup or removal steps or tools out there.

kcham44Author Commented:

File received on 07.14.2008 18:18:35 (CET)
Current status: finished

Result: 21/33 (63.64%)
 Compact Print results  
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.14 -
AntiVir 2008.07.14 TR/Dldr.Tiny.brm
Authentium 2008.07.13 W32/Trojan2.ATAB
Avast 4.8.1195.0 2008.07.14 Win32:Tiny-UR
AVG 2008.07.14 SHeur.BWIM
BitDefender 7.2 2008.07.14 Trojan.Downloader.Gadja.C
CAT-QuickHeal 9.50 2008.07.14 TrojanDownloader.Tiny.brm
ClamAV 0.93.1 2008.07.14 Trojan.Agent-30547
DrWeb 2008.07.14 Trojan.DownLoad.1379
eSafe 2008.07.14 -
eTrust-Vet 31.6.5954 2008.07.14 Win32/SillyDl.EUC
Ewido 4.0 2008.07.14 -
F-Prot 2008.07.13 -
F-Secure 7.60.13501.0 2008.07.14 Trojan-Downloader.Win32.Tiny.brm
Fortinet 2008.07.14 -
GData 2.0.7306.1023 2008.07.14 Trojan-Downloader.Win32.Obitel.a
Ikarus T3. 2008.07.14 Trojan-Downloader.Win32.Tiny.brm
Kaspersky 2008.07.14 Trojan-Downloader.Win32.Obitel.a
McAfee 5337 2008.07.11 -
Microsoft 1.3704 2008.07.14 Trojan:Win32/Agent.EE
NOD32v2 3266 2008.07.14 Win32/TrojanDownloader.Tiny.NDM
Norman 5.80.02 2008.07.14 -
Panda 2008.07.14 Suspicious file
Prevx1 V2 2008.07.14 Malware Downloader
Rising 2008.07.14 -
Sophos 4.31.0 2008.07.14 Troj/Agent-HFU
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.14 Downloader
TheHacker 2008.07.14 -
TrendMicro 8.700.0.1004 2008.07.14 PAK_Generic.001
VBA32 2008.07.13 -
VirusBuster 2008.07.14 -
Webwasher-Gateway 6.6.2 2008.07.14 Trojan.Dldr.Tiny.brm
Additional information
File size: 5124 bytes
MD5...: 5bf574f62af6ecedbc8d3b43d4ed5f4b
SHA1..: e92f2f5d7e4cfde44ff85cbb9e16b15754f4c15b
SHA256: ce7a4dca5dd4562ad5857424cf4e82f6b6688ca2148f63f825d6a8f67b9ce587
SHA512: 711573fda83ebe8fac94f84396f503022cc19b37045e84c7f48bff73ec56ea4d
PEiD..: -
PEInfo: -
Prevx info: 
kcham44Author Commented:
kcham44Author Commented:
SHeur.BWIM is what AVG finds
kcham44Author Commented:
egads...tried a Repair Install of XP over the zombie...went smooth...keyboard now works in GUI...but...

any account I login starts loading...then immediately starts to logoff.



Check here for log on log off loop
If that dont work try accesing your registry via a bootable CD like UBCD4WIN from and check your userinit registry key which is also shown in the above question. Also check if the userinit.exe is still visible in c:\windows\system32.
btw did u try combofix as suggested by rpggamergal.

Uh, such a recent virus, its no wonder there arent any removal tools yet.

Anyway, logon - logoff issue could be caused by the virus as well, or possibly not.
as expelled recommended, userinit.exe is usually removed by a virus (BlazeFind).
Here are some more links on the issue:
kcham44Author Commented:
Does ComboFix only work on the C: drive or all drives attached. I can only run on another box, with the infected drive connected externally via USB. I was able to run full scans with AVG, Housecall, Ewido, and it found a few random malware including AVG finding: SHeur.BWIM.

In Fact one of the files that showed as infected with this was "userinit.exe". This is when testing the drive on the other PC.  I recall the last time (Yesterday morning) I was logged into the system I checked TaskManager and "userinit.exe" was running like 12 times...sounds like the virus was up to something. This is likely why the taskbar, Start Button were not visible and apps would not run. hmmm...

Once I can boot into the bad drive I will try ComboFix again.

I started The Kaspersky RescueCD scan before I left the office. Hope it runs through, I tried twice more last night and keeps running for some time and then powers down the PC without any notice or anything.

I will try the login loop fixes and see what happens. I'm going to restore OS on a new HD so I can keep working on this issue. I must find close.

Thanks again for the new info.
Tried malwarebytes. It found a few things the others missed,, but not the blusod. Ran SAV in safe mode. said it found blusod and had deleted it. Re-boot,, OK for a few minutes then SAV pops up with a pando trojan (joke changing names??). Reboot in safe mode and SAV does the same thing.
 I'll end up wipe and re-install this thing but I wanted to try a few things and see if ANY of them worked.
Blusod must be deleted or at least not working because the "background" tab is back and you can now change wallpaper.
I'd like to pull a Jesse Jackson on the person who wrote this thing!!!
kcham44Author Commented:
:-) Pando may be the Trojan.Pandex...look it up.

Maybe it was FedEx.

kcham44Author Commented:
error file not found...???

The filename was changed to USERINI.EXE...I added the "T" and rebooted....SUCCESS...Registry is pretty badly hosed, I am throwing everything I have at it...SAVE Quarantine had 5 instances of DOWNLOADER (Verycreative Symantec)...killed those...ran ComboFix and HijackThis...nothing major found that I can see.

I tried to load AVG and I get an error that HKCU in registry could not be accessed.

Any ideas...I am scanning with other online tools and researching...

stay tuned!
kcham44Author Commented:
SAV 10.1...not "SAVE"

please post your hjt log and combofix log file here for analysis
kcham44Author Commented:
Now I get an IE window that pops up, but is blank and it takes CPU usage up to 100%...running SFC right now.

What is the best way to rebuild the REGISTRY, without having a working backup?

Whatever man makes, he can also break...but there is always someone who can fix it!
Can you attach the combofix log, most often it will show bad files that combofix wasn't able to removed which can be removed in the second run using a script.
kcham44Author Commented:
Here we go:

AVG Install Failure (Version 8.0 Basic)

Local machine: installation failed
        Error: Connecting to item registry root HKCU (USER_NAME) failed.
            Error 0x80070005


ComboFix 08-07-15.4 - Administrator 2008-07-17 21:47:42.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.521 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator.BNBSTRUCTURAL\Desktop\ComboFix.exe
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2008-06-18 to 2008-07-18  )))))))))))))))))))))))))))))))

2008-07-17 21:44 . 2008-07-17 21:45            d--------      C:\WINDOWS\LastGood
2008-07-17 21:44 . 2008-07-17 21:44            d---s----      C:\Documents and Settings\Administrator.BNBSTRUCTURAL\UserData
2008-07-17 21:41 . 2008-07-17 21:41      262,144      --a------      C:\Documents and Settings\PA8EFB~1.ENG
2008-07-17 21:33 . 2008-07-17 21:33      262,144      --a------      C:\Documents and Settings\PAULIN~4.ENG
2008-07-17 14:20 . 2004-08-04 03:00      1,875,968      --a--c---      C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-07-17 14:19 . 2004-08-04 03:00      13,463,552      --a--c---      C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-07-17 14:18 . 2004-05-13 00:39      876,653      --a--c---      C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2008-07-17 14:16 . 2004-08-04 03:00      16,384      --a--c---      C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2008-07-17 14:16 . 2008-07-17 14:16      749      -rah-----      C:\WINDOWS\WindowsShell.Manifest
2008-07-17 14:16 . 2008-07-17 14:16      749      -rah-----      C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-07-17 14:16 . 2008-07-17 14:16      749      -rah-----      C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-07-17 14:16 . 2008-07-17 14:16      749      -rah-----      C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
2008-07-17 14:16 . 2008-07-17 14:16      749      -rah-----      C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-07-17 14:16 . 2008-07-17 14:16      488      -rah-----      C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-07-17 14:06 . 2004-08-04 03:00      1,086,058      -ra------      C:\WINDOWS\SET69.tmp
2008-07-17 14:06 . 2004-08-04 03:00      1,042,903      -ra------      C:\WINDOWS\SET66.tmp
2008-07-17 06:57 . 2008-07-17 06:57            d--------      C:\WINDOWS\dell
2008-07-17 02:31 . 2008-07-17 12:46            d--h-----      C:\$AVG8.VAULT$
2008-07-16 11:08 . 2008-07-16 11:11      262,144      --a------      C:\Documents and Settings\PAULIN~3.ENG
2008-07-16 11:00 . 2008-07-16 11:01      262,144      --a------      C:\Documents and Settings\PAULIN~2.ENG
2008-07-16 01:18 . 2008-07-16 01:18            d--------      C:\Program Files\AVG
2008-07-16 01:18 . 2008-07-16 11:10            d--------      C:\Documents and Settings\All Users\Application Data\avg8
2008-07-16 00:23 . 2008-07-16 11:11      262,144      --a------      C:\Documents and Settings\vladimir
2008-07-16 00:23 . 2008-07-16 11:11      262,144      --a------      C:\Documents and Settings\stella
2008-07-16 00:23 . 2008-07-16 11:11      262,144      --a------      C:\Documents and Settings\Pauline
2008-07-16 00:23 . 2008-07-16 01:20      262,144      --a------      C:\Documents and Settings\PAULIN~1.ENG
2008-07-16 00:02 . 2008-07-16 01:18            d--------      C:\Documents and Settings\Administrator\.housecall6.6
2008-07-15 08:40 . 2008-07-15 08:41            d--------      C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-14 08:28 . 2008-04-14 05:42      26,112      --a------      C:\WINDOWS\SYSTEM32\userinit.exe
2008-06-28 22:04 . 2008-06-28 22:04            d--------      C:\WINDOWS\ServicePackFiles
2008-06-28 22:01 . 2006-12-29 00:31      19,569      --a------      C:\WINDOWS\[u]0[/u]03205_.tmp

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-07-18 04:38      ---------      d-----w      C:\Program Files\Symantec AntiVirus
2008-07-16 15:06      ---------      d-----w      C:\Program Files\Spybot - Search & Destroy
2008-07-16 07:17      ---------      d-----w      C:\Program Files\Common Files\Adobe
2008-07-16 07:09      ---------      d-----w      C:\Program Files\Lavasoft
2008-07-14 18:24      ---------      d-----w      C:\Documents and Settings\pauline.BNBSTRUCTURAL\Application Data\AdobeUM
2008-05-28 00:34      ---------      d-----w      C:\Program Files\Microsoft CAPICOM
2008-05-26 23:12      ---------      d-----w      C:\Program Files\Common Files\Symantec Shared
2008-05-26 23:11      ---------      d-----w      C:\Program Files\Symantec
2008-05-26 23:11      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 22:20      ---------      d-----w      C:\Program Files\Microsoft Silverlight

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-02 23:45 171448]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-03-17 06:34 124656]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Address Book.lnk - C:\Program Files\Kyocera Mita\Address Book\AddrBook.exe [2006-08-18 17:53:17 73728]
Scanner File Utility.lnk - C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe [2005-05-09 15:07:32 311296]

"DisableCAD"= 0 (0x0)


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]
--a----t- 2005-05-04 19:03 6656 C:\Program Files\Qurb\QSP-\QOELoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"EnableFirewall"= 0 (0x0)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-07-11 08:08]
S0 Kla20;Kla20;C:\WINDOWS\system32\Drivers\Kla20.sys []

*Newly Created Service* - BITS
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
Contents of the 'Scheduled Tasks' folder
"2008-05-10 14:47:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-15 21:04:16 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\SYSTEM32\cleanmgr.exe
"2008-07-15 21:04:19 C:\WINDOWS\Tasks\Disk Defragmentation.job"

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-07-17 21:49:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

Completion time: 2008-07-17 21:50:16
ComboFix-quarantined-files.txt  2008-07-18 04:50:10

Pre-Run: 59,849,142,272 bytes free
Post-Run: 60,008,439,808 bytes free

118      --- E O F ---      2008-07-11 00:47:52
kcham44Author Commented:
HijackThis Scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:56, on 2008-07-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Kyocera Mita\FileUtility\NsCatCom.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\ThisJacker.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-3257268313-2688823123-1684939336-1118\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0 (User '?')
O4 - HKUS\S-1-5-21-3257268313-2688823123-1684939336-1118\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Address Book.lnk = ?
O4 - Global Startup: Scanner File Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{52F3A8D3-5330-454A-99FA-A98B186AD659}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

End of file - 8676 bytes
Here is your bastard!! :)

Its known as Agent.JEN

Esentially Bitdefender says that main part was to restore the original userinit.exe and then scan the PC. According to them that should get rid of it.
But then again, I would search for more info.

Also, check for this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kcham44Author Commented:
SFC scan is done. I guess it did it's job. Shouldn't matter though since I did an in place Repair install of XP Pro from the DELL Restore CD.

installing SP3 and windows updates so I can run housecall and bitdefender again.

SAV is such a HOG...just removed it from a test system I had and running only AVG....feels like I add RAM and upgraded CPU...Symantec YUCK...what happened...They must have drunk the punch too...BE GONE!
kcham44Author Commented:
Strobo is the man...My BitDefender Rescue CD is from June so likely didn't see it...

Be right back...
kcham44Author Commented:
Ace...try this:

How to Remove Trojan.Blusod:
by precisesecurity
June 28th, 2008 at 1:57 am
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\EULAAccepted = 13

Restore the following registry entries to their previous values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lph[RANDOM CHARACTERS] = %System%\lph[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier\InstallationID = 906b1f2d-66b5-439e-8c02-9d08858fe5273
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper = %System%\ph[RANDOM CHARACTERS].bmp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 03
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 03
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR = 03
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Start = 03
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\ImagePath = *system32\DRIVERS\sr.sys*
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sr\Parameters\FirstRun = 03
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Start = 03
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\ImagePath = *system32\DRIVERS\sr.sys*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters\FirstRun = 03
HKEY_CURRENT_USER\Control Panel\Colors\Background = 0 0 2553
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive = 13
HKEY_CURRENT_USER\Control Panel\Desktop\TileWallpaper = 03

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.
kcham44Author Commented:
kcham44Author Commented:
haha...just found it in my REG:

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver\EULAAccepted = 13


running cleanup now...any other ideas on best REG fixer/scanner?

kcham44Author Commented: a search for "Sysinternals" in REG...Mine was here:

HKEY_USERS\S-1-5-21-3257268313-2688823123-1684939336-1118\Software\Sysinternals\Bluescreen Screen Saver\

kcham44Author Commented: does not load for me...The hackers must have exploited it...ABORT...ABORT!

Plan B!
kcham44Author Commented:
the things we find during cleanup is amazing...

Awesome site with all kinds of info and free tools.

Reading the replies (thanx to all) it becomes aparent (at least to me) that the best way to combat this is to NOT fight it in the first place. Buy a new HD (they are cheap right now) do a fresh XP install and then set up the old HD as USB external and move any old stuff over. Format the old drive and use it as a backup drive.

The hours spent trying to remove the trojan are FAR more valueable than the price of a HD and fresh install.

The next question IS,, what's the BEST way to prevent this from happening again??  It seems SAV 10 has outlived it's usefulness!

I have 5 SBS2003 networks that are all using SAV 10. What luck has anyone had with a REASONABLY priced AV for SBS??
kcham44Author Commented:
My advice Stay away from Symantec Products altogether.

I'm considering upgrading my clients to AVG Enterprise, has anyone tried this. The Basic versions have served me and my clients well for last 3 years and always seem to bail out Failures by Symantec/McAfee.

I agree with Ace...I think I got most of the bad stuff, but hard to tell. Also I had one of the client's employees use his "skillz" and though he took care of the issue on Monday. "Don't worry I deleted a bunch of registry settings and everything is working fine."

This from a guy who downloads cracks all day and rips DVD's.

I may try the Websense Express option for SMB's. It's about $20/user per year. Blocks any sites by keywords/categories/threat levels. and also prevents downloading of files

Another option will be to run some kind of pre-scan on all incoming/outgoing emails to prevent more threats like this one.

I heard there was some kind of email filtering services, anyone try them?

Baracuda hardware starts at like $5000, plus support, per year. The client won't go for that.

Thanks to all who assisted. I will split the points among everyone.

2 hours later...the bat signal went up again.

kcham44Author Commented:

rather than buying a new HDD its probably best, and cheaper, to do a low level format of your HDD.
This erases absolutely everything on it beyond recovery.... its a definite way to clean your HDD :)

Here are some utils for that:
I think you missed the direction I am headed with buy a new HD. You buy a new HD, do a fresh install of XP on it. When done install the old HD as a second drive and suck anything you need off it and transfer to the new HD. THEN format the old drive and use it as an internal backup drive.
Most new HDs come with a "light" version of backup software like Acronis (what I use) which allows you to image the drive. It would have been helpful in this situation since the trojan turned off system restore. I could have re loaded the drive from the backup image and had the machine back working in a few hours, and WITHOUT all the pain and suffering I've went through.
Oh, I see... yeah, I misunderstood.

Yeah, this is exactly the reason why I keep all my personal files on a second drive. So whatever happens to my OS Im free to format and reinstall as I like. Atleast I know the files are safe.
I am doing this as the drives are replaced due to age, I recommend replacing drives older than 3 years.
Unfortunately this machine hasn't got to that age yet,,,
Hard drives, especially smaller IDE are REALLY getting cheap so it's not a big hardware expense like it used to be.


Any luck with the cleanup??
Im curious if it all paid off :)
The machine is at a clients site which I will visit tomorrow. It's STILL showing Pandex and a few others with a Sy AV scan. I'm going to try the new VIPRE combo AV-Malware-Trojan remover from Sunbelt. This will be a REAL test for it!!!
I'll post results here. If it works I'll be dumping Symantec and convert all my machines.
kcham44Author Commented:
I gave up wasting the man hours and rebuilt OS on a new HD for client.

I still saw some strange freezing and blank IE windows popping up.

Thanks to all for your help...BTW, I did not reload SAV 10.1 client and am starting to wean the office off of it.

What do you prefer for small business running domain servers? About 25-30 users

Spoke with client today and they are still seeing the UPS_Invoice.XXX email circulating.

Safest way is to hide everyone's mice so they can't click stuff.

Any luck with latest version of Vista in business environments? I heard Windows XP support will be available until 2014, Sounds like MS knows no one wants to upgrade.

I would stick to XP for a while longer. Vista is just a pain :)

Heh, funny, I just received an email from our company warning about the UPS email and that our antivirus still doesn't detect it. Eh eh eh...
Funny you should mention Visty. I have set up a test Vista machine on my SBSnetwork here at home to give it a try before I try it on any of the networks I support. So far I have been advising my SBS Clients to avoid it for now.
I'll have to admit it DOES have nice graphics,,, but that'a about it!!! It has been a REAL fight to try and get this thing to do what XP already does easily. I have had several basic networking issues I have NOT had with XP. Then there are several programs which do NOT seem to play well with Vista. There are many things which only a click or two away on XP that are 3 OR MORE CLICKS away on Vista,,,WHY??
And there seems to be NO clear directions (that I have found) telling you step by step what needs to be done to allow Vista to EASILY be added to a SBS network.
I STILL see NO reason to move from XP to Vista on a small business network.
Can you spell Unbuntu ???
kcham44Author Commented:
Ace...look here, you may find something useful.

I'm an MS Partner and might be able to find you some more info.

Compatibility guide:
thanks for the tip kcham44. But the underlying question is,, WHY did they ever deploy Vista KNOWING it had several important issues with SBS WITHOUT a guide to fixing it?? Makes it REAL hard to sell something so troublesome to START with!
Anywho back to the original topic,,,
I visited the clients site today and sure enough SY-AV was still popping up warnings even after the user had updated it and ran the scan in safe mode. It refused to clean the infection. So,,, I removed ALL the protection including SY-AV, spybot, spyware blaster, AVG anti spyware, malwarebytes. Installed Viper from Sunbelt software. Updated it and ran a scan. Said it found SIX infections and removed them all. Rebooted and the machine appears to be working normally!!!
So,,, a BIG thumbs up (at least on this one) for Viper from Sunbelt software!! I'll be converting my machines to their product!!
kcham44Author Commented:
nice...MS is still Marketing VISTA as if it works perfectly. I think the Apple adds told the public all they needed to know. VISTA stinks and MS is still trying to go Smoke and Mirrors on everyone.

if you need any info feel me to drop me an email...[armen "@"]

I will ask the MS rep at our next partner event.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.