# Solved: trojan removal



## mehigh (Aug 5, 2005)

I'm having the same problem.
First, let me say I'm no expert at this kind of fixing; I've just been searching for internet references to this problem, of which there are unfortunately very few. Still, I've come here to add my own data; maybe it'll help.

I suspect 3 things can be key to solving the problem: Qhost.BP, hclean32.exe, and rdsndin.

Qhost.BP was found in the operating system by Panda with its free online scan, which says it was disinfected - but every time I repeat the scan, Qhost.BP is there again (with or without System Restore turned off).
With Panda Titanium, Qhost.BP is linked to hclean32.exe and rdsndin - again fixed, again they re-appear. If I remember correctly, Titanium also discovered Adware.Findspy, which to my knowledge is close to Adware.Livechat in being responsible for those 'Windows Firewall detected suspicious...' and 'your computer might be at risk' fake balloons.

Bitdefender only discovered a file, lloxjmnm.exe, suspected of behaving like a Downloader, in my 'Downloaded Program Files'. Well, even if I make Windows show me hidden files, that file doesn't exist on my PC. Anyway, I hardly think that lloxjmnm.exe has much to do with our problem.

I also know that a few days ago I got to delete a file named msym32.exe infected with Agent.bq - another virus responsible for those fake messages.

Btw - I believe part of the same virus's action is that when I, for example, search for something via Google, I'm almost always redirected to some nasty search engines like abcsearch.com, or even MSN (yes, that MSN). I believe the cause is that line O1 - Hosts: localhost 127.0.0.1 in your HJT log (identical to what I have too). If I delete it, it re-appears anyway.

And - something interesting again - another effect of the virus is that both Spybot and Spyware Doctor run way, way slower than usual, although they don't detect anything special.

Again, please forgive my language and terms, as I have nothing to do with IT; it's just that this problem is the most intriguing one my PC has had in some time.
I hope we can solve it, although I'm afraid we're facing something really, really smart and hard to deal with.

Thank you.


----------



## Flrman1 (Jul 26, 2002)

Hi mehigh 

Welcome to TSG! 

I have split your post off into your own thread. In the future if you have a Question/Problem please start a "New Thread". It gets too confusing trying to address two different people's problems in the same thread and you may get overlooked.

Please continue in this thread.


----------



## Flrman1 (Jul 26, 2002)

Please do this:

First create a permanent folder somewhere like in My Documents and name it Hijack This.

Now *Click here* to download Hijack This. Download it and click "Save". Save it to the Hijack This folder you just created.

Click on Hijackthis.exe to launch the program. Click on the *Do a system scan and save a logfile* button. It will scan and then ask you to save the log. Click "Save" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## mehigh (Aug 5, 2005)

Thank you. At first I thought my post had just been deleted.
I apologize for that first post; I'm just not accustomed to writing on forums. I thought that was an open thread.

Below I'm posting my HJT log as it appears at the moment.
The only suspicious line I myself see is that O1. I tried to delete it, but it re-appears over and over again. Just like the Qhost.BP thing Panda detects in its online scan (infecting the operating system): cleared, but re-appearing again (even with System Restore turned off).

Searching for 'Qhost.BP' on Google, I just ran into another forum thread in which somebody wrote that Ewido has just caught up with this thing and running a scan solves the problem. I'll give it a chance early next Monday, after scanning online again with several anti-virus solutions and running Spybot, AdAware, Spyware Doctor, etc. in Safe Mode.

Any further suggestions are welcome, flrman1. They're already appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:14 PM, on 8/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SPYWARES\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: MG Financial Group - {5877AFC2-C036-4821-8A6A-DFA7EE855E4B} - C:\Program Files\Mgforex\Launcher.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.ro/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B2CD6005-80DA-4EC6-9D35-ECA638F8C086} (fsdemo.iScanDemo) - http://www.dciseries.com/malwarescan/dciscan/iScanDemo.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6BC0B38-2BDD-11D4-815E-006097385FF5} (TranderX Control) - http://www.inverline.com/trander/WebTrander.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4EF79A-8FB7-4797-919D-4C1F0C034EB6}: NameServer = 195.95.218.1,85.255.112.7
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


----------
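As an added example (not part of this post, of the thread's replies, or of HijackThis itself), the Python script below picks out the two entries in the log above that the poster keeps returning to. The O1 line lists its tokens in the wrong order for a hosts file, where the address must come first and the names after it, so the script flags that shape directly. The O17 line carries the resolvers the TCP/IP stack will use, which is exactly where search redirects can originate, so the script compares them against an allow-list of resolvers the analyst supplies. That allow-list is an assumption: the first address from the log is used only to show the comparison and should be confirmed against the ISP before being trusted.

```python
"""Triage of O1 (hosts) and O17 (NameServer) entries from a HijackThis log.

Added example; not part of the forum thread or of HijackThis itself.
The O1 and O17 lines embedded below are the ones quoted in the post;
the allow-list of resolvers is an assumption.
"""
import ipaddress
import re

# Constructed sample: the O1 and O17 lines from the posted log, plus one
# benign O4 entry so the parser has something to ignore.
SAMPLE_LOG = """\
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8A4EF79A-8FB7-4797-919D-4C1F0C034EB6}: NameServer = 195.95.218.1,85.255.112.7
"""

# Assumption: resolvers the analyst knows to be legitimate for this machine
# (for example the ISP's). The first address from the log is used here only
# to illustrate the comparison; confirm it with the ISP before trusting it.
ASSUMED_KNOWN_RESOLVERS = {"195.95.218.1"}

# HJT item lines look like "O17 - <body>"; other sections use R/F/N prefixes.
LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")


def parse_hjt(text):
    """Yield (section, body) pairs for every HJT item line in the log."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def check_hosts_entry(body):
    """Return a finding for an O1 line, or None if the entry looks normal.

    A hosts line is 'ADDRESS name [name ...]'. Two concrete shapes are
    flagged: tokens in the wrong order (a hostname where the address should
    be, as in the posted log) and a name pointed somewhere other than
    loopback, i.e. a redirect.
    """
    entry = body.split("Hosts:", 1)[1].strip()
    tokens = entry.split()
    if len(tokens) < 2:
        return f"O1 hosts entry is incomplete: {entry!r}"
    if not _is_ip(tokens[0]):
        return f"O1 hosts entry malformed (hostname before address): {entry!r}"
    addr = ipaddress.ip_address(tokens[0])
    if not addr.is_loopback:
        return f"O1 hosts entry redirects {tokens[1:]} to {addr}"
    return None


def check_nameservers(body, known_resolvers):
    """Return the resolvers in an O17 NameServer line that are not allow-listed."""
    m = re.search(r"NameServer\s*=\s*([0-9.,\s]+)", body)
    if not m:
        return []
    servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
    return [s for s in servers if s not in known_resolvers]


def triage(log_text, known_resolvers):
    """Run both checks over a whole log and return the list of findings."""
    findings = []
    for section, body in parse_hjt(log_text):
        if section == "O1":
            finding = check_hosts_entry(body)
            if finding:
                findings.append(finding)
        elif section == "O17":
            for server in check_nameservers(body, known_resolvers):
                findings.append(f"O17 resolver not in allow-list: {server}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, ASSUMED_KNOWN_RESOLVERS):
        print(finding)
```

To use it on a real log, pass the text of the file HijackThis saved to `triage()` together with the resolvers the ISP actually hands out; anything the script prints is a lead to verify by hand, not a verdict, since HJT itself only reports what differs from its idea of a default and the allow-list is only as good as the analyst's knowledge of the network.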



## Flrman1 (Jul 26, 2002)

Open Hijack This. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)", "List empty sections (Complete)" and "Calculate MD5 of files if possible". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.


----------



## mehigh (Aug 5, 2005)

'List also minor sections (full)' and 'List empty sections (Complete)' I have under 'Generate Startup List', while 'Calculate MD5 of files if possible' I have under 'Advanced settings' (also inside 'Misc Tools'). Hope that's fine. I have HJT v1.99.1.

The contents of the list you requested are as follows (I just split it into 2 parts because of the length):

StartupList report, 8/6/2005, 7:49:59 PM
StartupList version: 1.52.2
Started from : C:\Program Files\SPYWARES\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SPYWARES\hijackthis\HijackThis.exe

--------------------------------------------------


----------



## mehigh (Aug 5, 2005)

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
WinampAgent = C:\Program Files\Winamp\winampa.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------


----------



## mehigh (Aug 5, 2005)

(and the 3rd part - I apologize for the length)

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\GetRight\xx2gr.dll - {31FF080D-12A3-439A-A2EF-4BA95A3148E8}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\PPSDKActiveXScanner.ocx
CODEBASE = http://ppupdates.ca.com/downloads/scanner/axscanner.cab

[Malicious Software Removal Tool]
InProcServer32 = C:\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

[{556DDE35-E955-11D0-A707-000000521957}]
CODEBASE = http://www.xblock.com/download/xclean_micro.exe

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://www.bitdefender.ro/scan8/oscan8.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[TSCCInstall Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tsccinst.dll
CODEBASE = http://www.techsmith.com/codec/tsccinst.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

[Java Plug-in 1.4.2_08]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[WebSpyWareKiller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WebSWK.dll
CODEBASE = http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5free/asinst.cab

[Anonymizer Anti-Spyware Scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WebAAS.dll
CODEBASE = http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ravonline.dll
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

[fsdemo.iScanDemo]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\iScanDemo.ocx
CODEBASE = http://www.dciseries.com/malwarescan/dciscan/iScanDemo.CAB

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

[ASquaredScanForm Element]
InProcServer32 = C:\WINDOWS\DOWNLO~1\axscan.ocx
CODEBASE = http://www.windowsecurity.com/trojanscan/axscan.cab

[McObjectFactory Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\McMysec.dll
CODEBASE = http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab

[Java Plug-in 1.4.2_08]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[TranderX Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TranderXProj.ocx
CODEBASE = http://www.inverline.com/trander/WebTrander.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4549/mcfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Antivirus Filter Driver: \SystemRoot\system32\drivers\av5flt.sys (manual start)
basic2: System32\DRIVERS\HSF_BSC2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fallback: System32\DRIVERS\HSF_FALL.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Fsks: System32\DRIVERS\HSF_FSKS.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hsf_msft: System32\DRIVERS\HSF_MSFT.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\HSF_K56K.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
Service for NVIDIA(R) nForce(TM) Audio Enumerator: system32\drivers\nvax.sys (manual start)
NVIDIA nForce MCP Networking Adapter Driver: System32\DRIVERS\NVENET.sys (manual start)
Service for NVIDIA(R) nForce(TM) Audio: system32\drivers\nvapu.sys (manual start)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Panda Process Protection Driver: \??\C:\WINDOWS\System32\DRIVERS\PavProc.sys (autostart)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Rksample: System32\DRIVERS\HSF_SAMP.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Serial Mouse Driver: System32\DRIVERS\sermouse.sys (manual start)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\HSF_FAXX.sys (autostart)
SpeakerPhone: System32\DRIVERS\HSF_SPKP.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{349D478A-2391-49A1-B92D-D5C52B23F0B4} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)
Tones: System32\DRIVERS\HSF_TONE.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
V124: System32\DRIVERS\HSF_V124.sys (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34,324 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Flrman1 (Jul 26, 2002)

Download the Hoster from *here*. UnZip the file and press "Restore Original Hosts" and press "OK". Exit the Hoster.

Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Click here* to download Silentrunners.vbs.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it is finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

*Post a new HiJackThis log along with the report from the Housecall scan and the Startup Programs text file*
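An added check for the hosts-file tampering that the "Restore Original Hosts" step above repairs (the reversed `O1 - Hosts: localhost 127.0.0.1` line this thread keeps coming back to). This is example code written for this page, not part of Hoster, HijackThis or any post here; the sample hosts content is constructed, and the `.test` host names are placeholders.

```python
import ipaddress

# Constructed sample hosts file for this example. Line 4 reproduces the
# "localhost 127.0.0.1" entry quoted in this thread; the other host names
# are made-up .test names, not real sites.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
localhost 127.0.0.1
198.51.100.7    www.search-engine.test   # a search site pointed at a foreign address
127.0.0.1       update.antivirus-vendor.test
"""

# The only mapping a stock hosts file is expected to carry.
EXPECTED_SELF_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, raw_line, fields) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if body:
            yield line_no, raw, body.split()


def check_hosts(text):
    """Return findings as (line_no, kind, raw_line, detail).

    kind is one of:
      malformed  - first field is not an IP address (e.g. fields reversed)
      redirected - a name is mapped to a non-loopback address
      blocked    - a name other than localhost is mapped to loopback
    """
    findings = []
    for line_no, raw, fields in parse_hosts(text):
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", raw,
                             "first field is not an IP address (fields reversed?)"))
            continue
        if not names:
            findings.append((line_no, "malformed", raw, "address without a host name"))
            continue
        for name in names:
            if ip.is_loopback and name.lower() in EXPECTED_SELF_NAMES:
                continue  # the one entry every hosts file legitimately has
            kind = "blocked" if ip.is_loopback else "redirected"
            findings.append((line_no, kind, raw, f"{name} -> {addr}"))
    return findings


def check_hosts_file(path):
    """Run check_hosts over a hosts file on disk (on Windows XP:
    %SystemRoot%\\system32\\drivers\\etc\\hosts)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return check_hosts(fh.read())


if __name__ == "__main__":
    for line_no, kind, raw, detail in check_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:>3} {kind:<10} {detail:<45} | {raw.strip()}")
```

Run it against the real file with `check_hosts_file(r"C:\WINDOWS\system32\drivers\etc\hosts")`. On the sample it reports the reversed line as malformed (the address and name are swapped, so it is not a usable mapping), the search site as redirected, and the vendor update name as blocked. A name mapped to loopback is the usual way malware stops security tools from updating, and a mapping to any other address is how searches end up somewhere else; both kinds of finding should be compared against what the user knowingly put there before the file is restored.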


----------



## mehigh (Aug 5, 2005)

Ok, ran Hoster and did what you required. Not accustomed to the program, but in its left side of the panel I saw that O1 line from HJT Log I mentioned a couple of days ago.

The anti-virus online scan apparently didn't find anything, anyway I did attach the print report, alongside the other 2 reports requested.


----------



## mehigh (Aug 5, 2005)

By the way - trying to anticipate one question - the file hclean32.exe apparently is nowhere to be found in my computer (with the ability of viewing hidden files turned on, of course)...


----------



## Flrman1 (Jul 26, 2002)

I'd be interested to see if we can see the C:\WINDOWS\system32\hclean32.exe file in the Recovery Console. Do you have an XP installation disk to boot to or install the Recovery Console with?

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Do a file search and see if you have any of these files with a .dll or .exe extension:

*dmxsi
dllhstgp
rdsndin
sgola
hclean
loadctr
hlpww
hgqhp
empty
msexnpfi*
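The same search as a script, added here as example code (not a tool from this thread or from Flrman1). It walks a directory tree looking for files whose names begin with one of the stems listed above and end in .exe or .dll, and reports size and modification time so recently changed files stand out. The directory layout in `build_sample_tree()` is constructed for the demonstration; point `find_suspect_files()` at `C:\WINDOWS` for a real search.

```python
import os
import tempfile
import time

# Name stems from the search list in the post above; a file matches when its
# name (without extension) starts with a stem, compared case-insensitively,
# and its extension is .exe or .dll.
STEMS = ["dmxsi", "dllhstgp", "rdsndin", "sgola", "hclean",
         "loadctr", "hlpww", "hgqhp", "empty", "msexnpfi"]
EXTENSIONS = {".exe", ".dll"}


def find_suspect_files(root, stems=STEMS, extensions=EXTENSIONS):
    """Walk `root` and return a list of (path, matched_stem, size, mtime).

    os.walk does not honour the Windows "hidden" or "system" attributes,
    so files hidden from Explorer are still visited.
    """
    stems_l = [s.lower() for s in stems]
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            base, ext = os.path.splitext(name)
            if ext.lower() not in extensions:
                continue
            base_l = base.lower()
            stem = next((s for s in stems_l if base_l.startswith(s)), None)
            if stem is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished between listing and stat; nothing to report
            hits.append((path, stem, st.st_size, st.st_mtime))
    return hits


def build_sample_tree():
    """Create a constructed directory tree for the demonstration and return its root.
    File contents are placeholder text, not real binaries."""
    root = tempfile.mkdtemp(prefix="suspect_search_")
    layout = {
        "system32/hclean32.exe": "placeholder",
        "system32/rdsndin.exe": "placeholder",
        "system32/emptyregdb.dat": "placeholder",   # right stem, wrong extension
        "system32/dllcache/HLPWW.DLL": "placeholder",
        "Temp/notes.txt": "placeholder",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


def report(hits):
    """Format hits newest first, the way a triage note would list them."""
    lines = []
    for path, stem, size, mtime in sorted(hits, key=lambda h: h[3], reverse=True):
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        lines.append(f"{when}  {size:>8} B  [{stem}]  {path}")
    return lines


if __name__ == "__main__":
    root = build_sample_tree()
    print("\n".join(report(find_suspect_files(root))))
```

On the constructed tree it reports hclean32.exe, rdsndin.exe and HLPWW.DLL and skips emptyregdb.dat, which is exactly the near miss reported in the reply that follows: the stem matches but the extension does not.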


----------



## mehigh (Aug 5, 2005)

None of those files was found. Closest in name was emptyregdb.dat (in system32).

I'll talk with somebody about that XP installation disk, can't find it at hand right now.

And, thank you kindly again for all support!


----------



## mehigh (Aug 5, 2005)

By the way - you remember one of the effects is a fake error, yellow balloon appears in my desktop tray at random times saying 'Your computer might be at risk (...)', and something like 'click on this baloon (...)' (you see, 'baloon' is misspelled). Heard that is specific to having SP2, which I don't.

Well - I do have a file called 'balloon.wav' (correctly spelled this time) in C:\Windows (7 Kb), modified on August 8th (so, today). I believe that's suspicious enough.
Noted it a few days ago - did delete it - but it re-appears.

Also, Panda did track Qhost.BP in the operating system (that's the only anti-virus scan online which alerts me of it) - says it disinfects - yet it apparently re-occurs over and over again.


----------



## Flrman1 (Jul 26, 2002)

Any luck finding that XP disk?


----------



## mehigh (Aug 5, 2005)

Will speak with somebody about that disk momentarily, it's most probable I do have it.

Suppose I get it, what would you advise I should do with that disk?


----------



## Flrman1 (Jul 26, 2002)

We are going to boot to the Recovery Console and delete those files. Also I hope to copy them and get a sample to test.


----------



## mehigh (Aug 5, 2005)

Had some time free today, and did the following: installed NOD32 and ran an anti-virus scan - it detected only one virus yet not connected with my problem.
Also ran Spybot in Safe Mode, and detected FindSpy.A, which, interestingly, was linked to sound file balloon.wav (the one I wrote about yesterday). Deleted it.

Also installed Ewido today, made a full scan and detected a few wrong registries which are now in the program's quarantine.
Interesting, when I did reboot, Ewido alerted me automatically of having an infection in file hclean32.exe, with Trojan.Qhost.qr. Cleaned and quarantined, and then deleted the file. (Btw, I'm still running with System Restore turned off nowadays...)

Had to reboot again and start running Spybot - but it was again moving very slow which makes me think my problem is yet not gone.

About that XP installation disk - I do have it.
I would appreciate if you can describe what exactly must I do with it.


----------



## mehigh (Aug 5, 2005)

By the way - I see a lot of stuff in the 'Recovery' folder of Spybot.

Can I delete all that content?


----------



## mehigh (Aug 5, 2005)

And, last thing...while browsing on my own website (which is safe enough), Ewido has just alerted me on these infections:

hclean32.exe - Trojan.Qhost.qr (although I thought I'd deleted it earlier today also from Ewido's quarantine)
rdsndin.exe - Spyware.FindSpy
ntfsnlpa.exe - Spyware.Msnagent

Again deleted those, and removed from Ewido's quarantine.
But as far as I have a feeling the creator of this Qhost.BP is a co-national, I think the virus is smarter and faster and will make my day tomorrow again...


----------



## Flrman1 (Jul 26, 2002)

Put the XP disk in the drive and restart the computer.

As it begins booting up you should see towards the bottom of the screen some text that says, "Press any key to boot from CD".

Press any key and it will begin booting to the disk.

After it goes through setup you will arrive at a blue screen with three options. The second one is what you want. It says:

To repair a Windows XP installation using the Recovery Console, press R.

Press the R key on your keyboard and press enter.

If you have only one copy of Windows installed, you will arrive at a prompt like this:

1: C:\Windows

Press 1 on your keyboard and press Enter.

If you have an admin password you will be asked to enter it. Enter the password and press Enter. If you don't have a password, go ahead and press enter.

You will arrive at a prompt like this:

C:\Windows>

Type the following line exactly as it appears below:

Type:

*ren c:\windows\system32\hclean32.exe hclean32.old*

Hit Enter.

Type:

*copy c:\windows\system32\hclean32.old C:*

Hit Enter.

Type:

*del c:\windows\system32\hclean32.old*

Hit Enter.

Type:

*ren c:\windows\system32\rdsndin.exe rdsndin.old*

Hit Enter.

Type:

*copy c:\windows\system32\rdsndin.old C:*

Hit Enter.

Type:

*del c:\windows\system32\rdsndin.old*

Hit Enter.

Type:

*ren c:\windows\system32\ntfsnlpa.exe ntfsnlpa.old*

Hit Enter.

Type:

*copy c:\windows\system32\ntfsnlpa.old C:*

Hit Enter.

Type:

*del c:\windows\system32\ntfsnlpa.old*

Hit Enter.

Type:

*exit*

Hit Enter and your computer will reboot. Let it reboot normally.

*Note:* Spaces are very important in these commands. Here is an example of the sequence of commands with the (space) where each space goes:

*ren(space)c:\windows\system32\ntfsnlpa.exe(space)ntfsnlpa.old*

Hit Enter.

Type:

*copy(space)c:\windows\system32\ntfsnlpa.old(space)C:*

Hit Enter.

Type:

*del(space)c:\windows\system32\ntfsnlpa.old*

This may not get rid of the infection, but it may. Hopefully we can at least get copies of the files and figure out how this sucker works and defeat it finally.

Now go to the forum *here* and upload these files:

C:\ntfsnlpa.old 
C:\rdsndin.old
C:\hclean32.old

Here are the directions for uploading the files:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the window click "Post" to upload the files.

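The rename / copy / delete sequence above, restated as example code added for this page (it is not a script from this forum or from Flrman1). The point of the sequence is to keep a sample before the file is destroyed; this version also records the copy's SHA-256, refuses to delete anything the copy does not verify against, and reports a missing file instead of failing. The quarantine directory, the `demo()` layout and the file contents are constructed; the Recovery Console itself cannot run Python, so this is for use from a booted system with the disk accessible.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_and_remove(path, quarantine_dir):
    """Rename `path` to .old, copy the renamed file into `quarantine_dir`,
    verify the copy by hash, then delete the renamed original.

    Returns a dict; a missing file is reported as status "not found" rather
    than raised, since that is the outcome the thread actually ran into.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    if not os.path.isfile(path):
        return {"source": path, "status": "not found"}

    old_path = os.path.splitext(path)[0] + ".old"
    os.replace(path, old_path)                      # ren  x.exe x.old
    copy_path = os.path.join(quarantine_dir, os.path.basename(old_path))
    shutil.copy2(old_path, copy_path)               # copy x.old <quarantine>
    digest = sha256_of(copy_path)
    if sha256_of(old_path) != digest:               # never delete an unverified sample
        return {"source": path, "status": "copy mismatch", "copy": copy_path}
    os.remove(old_path)                             # del  x.old
    return {"source": path, "status": "preserved",
            "copy": copy_path, "sha256": digest}


def copy_is_intact(result):
    """True when a 'preserved' result still has its copy, its recorded hash,
    and no trace of the original."""
    return (result["status"] == "preserved"
            and os.path.isfile(result["copy"])
            and not os.path.exists(result["source"])
            and sha256_of(result["copy"]) == result["sha256"])


def demo():
    """Constructed scenario: one file present, one absent, as in the thread."""
    root = tempfile.mkdtemp(prefix="sample_preserve_")
    sys32 = os.path.join(root, "windows", "system32")
    os.makedirs(sys32)
    present = os.path.join(sys32, "hclean32.exe")
    with open(present, "wb") as fh:
        fh.write(b"constructed placeholder, not a real executable\n")
    missing = os.path.join(sys32, "rdsndin.exe")
    quarantine = os.path.join(root, "quarantine")
    return [preserve_and_remove(present, quarantine),
            preserve_and_remove(missing, quarantine)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The hash is what makes the preserved copy useful later: it lets anyone who receives the sample confirm it is the same file, and it is what you compare when the same name reappears after reboot to tell a re-dropped copy from a brand new one.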

----------



## mehigh (Aug 5, 2005)

Ok maybe I'm ignorant, - but where will those files copy..?

I mean, when I'm in the Recovery Console and executing those operations.


----------



## Flrman1 (Jul 26, 2002)

They will copy to C:


----------



## mehigh (Aug 5, 2005)

I am sorry for my short absence, had to keep some vital applications running on my PC so couldn't re-boot.

Will do it tomorrow (Saturday) as instructed, and will post the results as soon as possible.
Once again, I apologize.


----------



## Flrman1 (Jul 26, 2002)

No problem! :up:


----------



## mehigh (Aug 5, 2005)

OK, entered the Recovery Console until I saw that prompt C:\Windows.
So in the continuation of that C:\Windows I wrote the lines required, and these are the messages I got from my computer:

ren C:\windows\system32\hclean32.exe hclean32.old
The system cannot find the file or directory specified

copy c:\windows\system32\hclean32.old c:
The system cannot find the file specified

del c:\windows\system32\hclean32.old
No matching files were found

Same about the other 2 files.

Typed 'dir' and the only suspicious file I discovered was that 'balloon.wav' I wrote about a few days ago.

In the meantime, Ewido hasn't let those fake pop-ups appear, but do alert me about those 3 tricky files. 
I care to clean, quarantine, delete. They care to come back.


----------



## Flrman1 (Jul 26, 2002)

I'm at a loss as to what to do at this point. I'll do some looking around the other forums and see if anyone else has fixed this one yet and get an idea of what else and where to look for to stop this thing.


----------



## mehigh (Aug 5, 2005)

Thank you kindly.

I've been extensively browsing other forums myself - with almost zero success so far. But I can only sense the problem is spreading across the board.

Sure I can re-install XP in half a day and save the huge time I'm spending with trying to fix this problem - but it's become more like a personal challenge.
Plus, I'm interested to leave details about how will we have been able to fix this, so that other people can do the same.

Once again, thank you.


----------



## Narsus (Aug 13, 2005)

Hey guys,
I've been battling this same S.O.B. for about a week, and I'm determined to get rid of it today. Reformatting is not an option for me, so I've been doing a ton of research on how to get rid of it. It's an extremely stealthy thing. What I know that it does is the following:

c:\windows\system32\hclean32.exe is one of the files it creates but only temporarily (long enough to load into memory). If you run silentrunners (www.silentrunners.org), you will see that hclean32.exe is running, but the file is nowhere to be found. I talked to another guy who said that he caught hclean32.exe starting up right when he booted windows. I haven't been able to recreate this effect, and hclean32.exe doesn't show up in any sort of safe mode, or when the file system is dormant (e.g. linux boot disk that reads NTFS). I have no idea where this ******* goes, or what is making it rename/move/etc.

I HAVE been able to make a little forward progress with the bogus popups and virus detections. It seems that this hclean32.exe creates a couple of randomly named executables that do the same thing as hclean32.exe, meaning they're renamed or moved so you can't delete them directly. However, I was able to delete the random name bogus .exe using killbox (http://www.bleepingcomputer.com/files/killbox.php) and deleting on reboot. I'm trying to do the same with hclean32.exe right now from safe mode, but the first time I tried it was unsuccessful.

The other thing that is really strange about this virus is that it re-writes your /etc/drivers/hosts file to say localhost 127.0.0.1 instead of 127.0.0.1 localhost. I got it to stop doing that, once I was able to get rid of the balloon.wav and random .exe, as well as all the virus'ed files in the system backup. So ultimately, I feel I'm getting closer, and hope this helps you guys. Ultimately, here are my most useful toolkit pieces:

Hijack This
Killbox
Silentrunners
Regedit (still doesn't show what silentrunners does, but it helps)
Ewido Security Suite
Spybot S&D
Ad-Aware
CleanUp!

Essentially, I think that the virus does the following:
1. Jacks up your /etc/drivers/hosts file
2. Creates random executables that are called from the registry on startup
3. Moves/Renames the executables it creates
4. Removes the Registry entries it creates
5. Uses Balloon.wav to trick users into thinking it's Microsoft legit
6. MAY use HKLM/Software/Microsoft/WinNT/Winlogon/system key to call some more random .exe (not confirmed yet, but I'm working on this)
7. Infects the _restore folder files with spyware and malware.
8. Makes some DNS server entries in the registry

That's all I can figure out that it does, but I'm still trying to figure the whole thing out. I got this crap from an unpatched IE browser (of course now updated).

Here is my silentrunners log (the very first one):

_"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"dmivq.exe" = "C:\WINDOWS\system32\dmivq.exe" [null data]
"yaemu.exe" = "C:\WINDOWS\system32\yaemu.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\qcsiv.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csrxj.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WB\DLLName = "C:\Program Files\AlienGUIse\fastload.dll" ["Stardock"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001 
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\ddyer\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - ddyer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\qcsiv.dll" [file not found]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\qcsiv.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\qcsiv.dll" [file not found]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{DF304F91-AD6E-5678-3E65-8B128E0377FB}" = "TemplateDongle"
-> {CLSID}\InProcServer32\(Default) = "media64.dll" [file not found]

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ProductivIT Service, ProductivITService, "C:\Program Files\AlienAutopsy\TEKS_Service.exe" ["DynTek, Inc."]
SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
SmartLinkService, SLService, "slserv.exe" [" "]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 21 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 6 seconds.
---------- (total run time: 50 seconds)
_

*And here is my very first HJT log:*

```
Logfile of HijackThis v1.99.1
Scan saved at 8:16:00 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Data\Applications\ADSSpy\adsspy\ADSSpy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Data\Applications\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alienware.com/Mothership...36E3D33303834323426706F3D504F2D33323239343541
R3 - URLSearchHook: (no name) - {DF304F91-AD6E-5678-3E65-8B128E0377FB} - media64.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\qcsiv.dll (file missing)
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\qcsiv.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EB3F2CA-315F-471C-8697-1872A091BEB5}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{52D76AE3-B505-4E47-A045-62CD5A8C4CC1}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{559A819D-9278-4F89-904B-8C8E9EE1F03B}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{98B53DC8-331F-4751-A2A5-7E14EF0C698D}: NameServer = 69.50.176.198,85.255.112.12
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
```
Hope this helps somehow. Post any questions and I'll do what I can to help, but I sure could use some help figuring out the timing and the method on how this mofo hides itself, and what (if any) .dll is the brains behind all of this logic. As I said, I'm determined to fix this today, so I'd really appreciate any help.


----------



## mehigh (Aug 5, 2005)

Thank you for the information provided, Narsus.

So far I couldn't get rid of that localhost 127.(...), I delete it from HJT but it always re-appears. I also tried to delete balloon.wav - same thing.

Besides what you posted, I may only add Spybot and Spyware Doctor are running way slower nowadays, even in Safe Mode. I'm absolutely sure it's got to do with our problem (same thing was reported on a different forum). Anyway, neither Spybot nor SD find anything special.

Also - what exactly is this? I mean, does it have a name, has it occurred as a popular virus recently, etc? I don't exactly know what I'm looking for, there're already several viruses - older or newer - which do pretty much the same things which happen to my computer -, and browsing the internet by their effects is extremely difficult (next question being, how come no major spyware software or anti-virus has caught up with this deal).

Keep us updated.


----------



## SeaShele (Aug 15, 2005)

I am battling the same virus/spyware only it's not my computer but my former roommate's computer who lives 1300 miles away. She is getting the same baloon (notice the spelling) pop ups and was unable to browse the internet but email works just fine.

So far what we have done to get her functional (at some level) was to disconnect the pc from the internet, run Symantec AV which found nothing today but did find the Hclean file and removed it. We ran spybot and removed everything it found. Edited the Hosts file to remove the line for localhost with a # in front of the IP addy. Returned the internet connection and then she could browse.

We also downloaded MS's new spyware removal program which detected the following and may be the cause of yours as well:
Trojan.startup.nameshifter.cq
Trojan.downloader.msshed32
FreshBar
Searchtoolbar


What I have read on another site was referring to this misspelled Baloon.wav file. But I believe it is tied into the virus you have.

If anyone has found a 'cure' please post and I will post if/when I find the fix.

Thanks for everything so far,

SeaShele


----------



## Narsus (Aug 13, 2005)

Yeah, no idea what it actually is named. I wish I knew. It seems like some gnarly trojan variant that someone made bulletproof. I can't help but think that there's some "brain" .dll or some such that's making all this happen. I think I've got the trojan down to a dormant state, as silentrunners no longer shows anything funny running, but I'm still surprised that none of the spyware/antivirus companies can deal with this thing.

As for the host file, I had to go in and manually fix it. Open the hosts file from c:\windows\system32\drivers\etc\hosts and just swap the names. The IP address (127.0.0.1) should be first, then <tab> then type in "localhost". I was able to delete balloon.wav from safe mode, if I remember correctly. Hopefully that will give you a starting point. Also, I'd highly suggest silentrunners to see what's really going on.

Please let me know how the deletion is going. I'm doing more testing to make sure this thing is really dormant/gone, and I'll post more if I figure something out.


----------



## Narsus (Aug 13, 2005)

By the way, be careful with Norton. McAfee, Norton and Ewido all told me they cleaned this file, but it recreates itself somehow. Also, it seems to trigger when you open a browser (even firefox), so after you reboot, see if Norton fires off again when you open a browser.


----------



## RMAzumi (Nov 12, 2004)

```
"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"Ulead AutoDetector v2" = "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" ["Ulead Systems, Inc."]
"Ulead Quick-Drop" = ""C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL" ["Ulead Systems, Inc."]
"USIUDF_Eject_Monitor" = "C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe" ["Ulead Systems"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = ""C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"" ["Symantec Corporation"]
"Serviceprocess" = "Uint32.exe" [file not found]
"dmlzz.exe" = "C:\WINDOWS\System32\dmlzz.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Flag" = 2

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qsrew.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "****** ** CPL **" (unwritable string)
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csqfu.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/x-mrml\CLSID = "{C51721BE-858B-4A66-A8BF-D2882FF49820}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\YAMAHA\MidRadio Player\MidRadio.ocx" ["YAMAHA CORPORATION"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001 
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Azumi" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\スタート メニュー\プログラム\スタートアップ
"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]


Enabled Scheduled Tasks:
------------------------

" - Run Full System Scan - Azumi" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /TASK:"C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qsrew.dll" [file not found]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\qsrew.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{42541B33-50BB-F8F2-6E82-2BE11C9FBA3E}" = "xsetup"
  -> {CLSID}\InProcServer32\(Default) = "Brong32.dll" [file not found]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Norton Protection Center Service, NSCService, ""C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSrvce.exe"" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Sygate Personal Firewall, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 31 seconds, including 4 seconds for message boxes)
```
I know this hclean32 thing is a problem but also these null entries:
*"dmlzz.exe" = "C:\WINDOWS\System32\dmlzz.exe" [null data]*
*HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csqfu.exe" [null data]*

I messed around for a while looking into this hclean32 file and had the idea of creating a write protected file called hclean32.exe from a blank text document. To my surprise, doing this, even in the root c:\, creates an un-deletable file which will later be removed by itself and the ability to create said file is lost. Next thing on the list is to do this via a dos prompt. I'll let you know how things go.


----------



## mehigh (Aug 5, 2005)

I was just about to ask if anything new has come our way.

I still want to figure out how this thing works, and since it may delete itself soon after reboot and reappear just before shutdown - how would we be able to find it and fix it, and moreover how does Ewido track those 3 tricky files during my regular computer hours...?


----------



## Flrman1 (Jul 26, 2002)

Sorry I haven't replied back here sooner, but I've been too busy to be online much and just haven't had time to look at this infection any closer.

I think I'm seeing something common in these infections now. Everyone kept mentioning that the hclean32.exe file was being deleted and recreated at startup which meant that there would likely be an entry in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key that would be effecting that change. I don't know how I missed this before, but I went back and looked at the silentrunners logs in the threads I've seen with this infection and I see it now.

Mehigh this is from your silentrunners log:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csizf.exe" [null data]

This is from the log that Narsus posted:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csrxj.exe" [null data]

I have looked at another one and it too has a similar entry with a random file. Before we attempt to do anything else to remove this, I'd like to get a copy of the *csizf.exe* file. It will most likely be in the C:\Windows\System32 folder.

Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Go to the forum *here* and upload the C:\Windows\System32\*csizf.exe* file.

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## mehigh (Aug 5, 2005)

Well, thing is csizf.exe is nowhere to be found in my computer...with all those options unchecked, and applied to all folders. Searched in Safe Mode as well.

Would be interesting to see whether Narsus finds csrxj.exe in his own computer.

Thinking, maybe this file has already changed somehow in my computer.
If you want a new SilentRunners log, let me know.


----------



## Flrman1 (Jul 26, 2002)

Yes please post a new Silentrunners log.


----------



## Rainworx (Aug 23, 2005)

Hi...

I ran into the same virus (right after a clean install - SP2)...just in a different way (lucky, I guess). After I cleaned it up I googled the files and found you guys. Anyway, I run F-Prot AntiVirus and I was surfn'...minding my own business and I see two Java icons appear and blink for a fraction of a second in my taskbar! Self sayz, "that's strange!" and I carry on. A nanosecond later, F-Prot nabs four files and stops them from executing. I figure you know which ones (lol).

Ok this piece of crap executes through Java .class files - the three culprits are:

classloader.jar-3821a986-423e8238.zip->GetAccess.class
classloader.jar-3821a986-423e8238.zip->InsecureClassloader.class
classloader.jar-3821a986-423e8238.zip->Installer

The associated files that F-Prot "NUKED" for me (after the stop-execution I scanned with F-Prot OnDemand Scanner and it plucked 'em off):


hclean.exe (which is a known virus - W32/Downloader.FAP)

rdsndin.exe (which is a known virus - W32/AdClicker.FG)

qvnmy.dll (which is a known virus - W32/Agent.ND)

dllhstgp.exe (which is a known virus - W32/[email protected])
Easiest way I suppose to nuke this prob would be get F-Prot - but, if you want to do it manually, you'll have to delete the .class files above first and they are found here:

C:\Documents and Settings\{User}\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\

Next delete the .exe & .dll files above in the C:\Windows\System32 folder and reboot.

Should clear the prob. 

Hope this helps...

Rain


----------



## mehigh (Aug 5, 2005)

Ok, took a few hours free from my job this morning, and did the following:

First, ran an online scan with F-Secure: nothing was detected.
Then, installed a trial version of the F-Secure Anti-Virus for home users. It ran into hclean32.exe in \system32, infected with Trojan.Win32.Qhost.qr. Couldn't fix it, but instead it renamed it (anyway, I got no notification on what the new name would be - or I must be missing something...).
Scanned again, and the virus did not re-appear.
You must recall that - several weeks ago - the scan online module of Panda's was also alerting me yet that time on Qhost.bp, - but although Panda was telling me it disinfected, virus kept on showing up over and over again during the scanning (with or without turning off System Restore).

I un-installed F-Secure, and ran Silent Runners.
Well, my suspicions were confirmed as in that Winlogon line I didn't find my previous file csizf.exe, but there was a new one called cstsf.exe.
Then I repeated the Silent Runners scan, and this second log I've attached here. Of course, that tricky file occurred again, yet this time it was named cscbj.exe.
I'm pretty sure that - if Narsus runs Silent Runners again - he will run into a different file than his original csrxj.exe as well.

Rainworx - thank you kindly for the information you've provided yourself.
The only connection I saw with Java was that, as far as I can remember, only seconds after my infection Zone Alarms started to alert me on files like jusched asking permit for connecting. Of course, I did not grant it. Such alerts did not happen again ever since.
As for deleting those Java files - I would consider doing it if we believe they're really part of the problem. As far as I'm concerned, I'm not really a Java's outright fan, but 90% of my job applications which are super time sensitive are basically Java related, and I wouldn't want to risk a crash.

Once again, thank you Flrman hugely.


----------



## freddychop (Aug 23, 2005)

It's a bit of a mystery to me why this nuisance trojan has not yet found some sort of recognition from the big boys i.e. symantec and others.
I found your page by typing in the symptoms of the "baloon" (which I also can't seem to get rid of) into google, but I think we are united by our determination to find a formula for this bug.

I did follow your advice on the second page of this post to delete from a startup disk the system32 files, hclean32.exe and the other two, before starting Windows, but though I managed to delete two of them (the third was absent) the 'balloon' is back again. (Was I meant to turn off System Restore too?)

Yes, Spybot S&D does run very slow with this infection and countless other problems have appeared, such as system freeze-up after boot.

I notice from the Silent Runners log that another exe file, which starts with 'dm' plus 3 other random letters, gets put into system32: two separate logs

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [file not found]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"dmqdz.exe" = "C:\WINDOWS\System32\dmqdz.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"dmlaz.exe" = "C:\WINDOWS\System32\dmlaz.exe" [null data]
```

I would settle for any advice on how to neutralise this problem, since, if it persists I will probably have to reinstall XP. 3 days now struggling with it, thought I knew my way around XP too.

Thanks Freddy


----------



## mehigh (Aug 5, 2005)

My trial time with Ewido has recently expired, so I'm back to receiving those fake 'balloon' and Windows firewall alerts. It would've been so refreshing had I been missing those.
Anyway, if this virus really is so smart, maybe I can let it handle my own job and business - and I can take a vacation and leave the desk for a while...

Now, what I can figure out so far is - the key to the resolve may be with those few nasty files found with Silent Runners, as previous posters have already suggested.
Furthermore, if I click on that fake Windows popup, Zone Alarms requests permission to let that rdsndin.exe file connect to the internet.
Ewido would have also alerted me on hclean32.exe, etc..

So, my next question is, how do these files play hide-and-seek on my computer...? I mean, are they created at random times, then just disappear? If yes, which file exactly creates the other files...? Does that mother-file change its name too?

By the way - imagine the general whispering envy in the industry of virus creation nowadays...
And - to keep it amusing - why should I need to install SP2 since I can get the security popups anyway...?!


----------



## freddychop (Aug 23, 2005)

I think this sort of infection is definitely a worm since it buries itself in the java and requires you to open internet browser to show itself (though it is still there lurking). I tried a reinstall of XP without a disk format just to see if I could overwrite anything bad but, alas no luck.

My suspicion is that it is an anti-piracy nasty, since I think I accidentally browsed using IE instead of Mozilla and entered a crackers' site. I do use P2P and have hitherto not had any problems, but one thing I do notice now is that all Kazaalite P2P downloads get corrupted - they start to download at ludicrous speeds (since I am still on dial-up) - hence my suspicion about copyright puritans.

I reiterate I am still surprised that so little mention has been made of this problem, since it must be pretty prevalent on many comps by now. It is the first major thing to stump me in 5 years, and I am extremely resourceful and ruthless too, and it has made me very grumpy and irritable for the last 3 days. 
Yes the idea of a holiday does sound like the best idea, then maybe a format C:/ on return. 


Freddy


----------



## mehigh (Aug 5, 2005)

A format C:\...? What fun would that be, then?

No, I feel this has gone too far for me to give it all up. Incidentally, I always have very little installed on my working computer so that - in case of emergency - I can take everything from zero in only half a day, but this virus is not THAT nasty for me to format C:\. At least, not yet.

About needing to open an internet browser - well, there are extended times when I leave the computer standing by with no internet browser opened, and the fake popups still show up.


----------



## Flrman1 (Jul 26, 2002)

Hi mehigh. Sorry I didn't post back here yesterday, but when i got off work I was too sick to do anything and went straight to bed. I had some kind of stomach bug.

Anyway this is what is showing in the log now:

```
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cscbj.exe" [null data]
```

This thing is changing with every reboot so it is going to be a tricky removal. I have something I want to try, but we need to do it at a time when we both are going to be able to be online for a while at the same time. Let me know when is a good time for you. We will need to get a new Silent Runners log at that time.
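
The per-reboot renaming Flrman1 describes is easiest to see by diffing two Silent Runners logs taken on consecutive boots. The script below is an added example, not part of this thread and not a feature of Silent Runners: it parses the HKLM Run and Winlogon excerpts in the format quoted above (the two sample logs are constructed from entries posted in this thread; csizf.exe and cstsf.exe are the names mehigh reported seeing in the Winlogon "System" value) and reports every autostart entry that appeared, vanished or was re-pointed between the two logs, plus any entry Silent Runners could not attribute to a vendor ([null data]) or find on disk ([file not found]).

```python
import re
from typing import Dict, List, Optional, Tuple

# registry key -> {value name: (data, Silent Runners annotation)}
Entries = Dict[str, Dict[str, Tuple[str, str]]]

# Constructed sample logs, built from the entries quoted in this thread:
# one HKLM Run key excerpt per boot, plus the Winlogon "System" value that
# mehigh saw change from csizf.exe to cstsf.exe between two scans.
LOG_BOOT_1 = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [file not found]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"dmqdz.exe" = "C:\WINDOWS\System32\dmqdz.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csizf.exe" [null data]
'''

LOG_BOOT_2 = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"dmlaz.exe" = "C:\WINDOWS\System32\dmlaz.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cstsf.exe" [null data]
'''

# A key line is a hive path, optionally followed by Silent Runners' " {++}" marker.
KEY_RE = re.compile(r'^(HK[A-Z]{2}\\\S.*?\\)(?:\s*\{\+\+\})?\s*$')
# A value line: optional warning prefix, then "name" = "data" [annotation].
ENTRY_RE = re.compile(
    r'^(?:INFECTION WARNING!\s+)?"([^"]+)"\s*=\s*"([^"]*)"\s*\[([^\]]*)\]')


def parse_silent_runners(text: str) -> Entries:
    """Group the value lines of a Silent Runners log under their registry key."""
    entries: Entries = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            name, data, note = m.groups()
            entries[current][name] = (data, note)
    return entries


def compare_boots(before: Entries, after: Entries) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """(key, value name, data before, data after) for every autostart entry that
    was added, removed or re-pointed between two logs; None marks absence."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            d_old = old[name][0] if name in old else None
            d_new = new[name][0] if name in new else None
            if d_old != d_new:
                findings.append((key, name, d_old, d_new))
    return findings


def unverified_entries(entries: Entries) -> List[Tuple[str, str, str]]:
    """Entries whose target Silent Runners could neither attribute to a vendor
    ([null data]) nor locate on disk ([file not found])."""
    return [(key, name, note)
            for key, values in entries.items()
            for name, (_, note) in values.items()
            if note in ('null data', 'file not found')]


if __name__ == '__main__':
    b1, b2 = parse_silent_runners(LOG_BOOT_1), parse_silent_runners(LOG_BOOT_2)
    for key, name, old, new in compare_boots(b1, b2):
        print(f'CHANGED  {key} "{name}": {old!r} -> {new!r}')
    for key, name, note in unverified_entries(b2):
        print(f'CHECK    {key} "{name}" [{note}]')
```

Entries that are stable across boots and carry a vendor string (CARPService, SmcService) drop out of the first list, which leaves exactly the dm*.exe Run entry and the Winlogon "System" value, the two places the random name keeps moving.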


----------



## Narsus (Aug 13, 2005)

I don't believe there's any reason for winlogon to be running in windows XP, especially if you keep your machine relatively clean like me.


----------



## freddychop (Aug 23, 2005)

I can see by the symptoms of this worm 'thing' that it has a number of variants. I did not have any NT login entry in my registry, though I must admit to doing a format C: the night before last and saving extra hours of work.
I think for me at least I have cottoned on to the fact of how much I have come to rely on support software, like anti-virus and spyware removers, and when they let me down they do so big-time! The lesson for me at least is that personal knowledge is probably one's biggest safeguard. Hope you don't mind me lurking here to discover how things sort out.

Freddy


----------



## mehigh (Aug 5, 2005)

Flrman, thank you.
I'm online for most of the day, every day.
If you can tell me an EST hour for me to be connected on this forum - say Monday, or whenever else that suits you - I'll of course make it down here.

I suspect you want me to run Silent Runners, and try to get the tricky file before making a reboot...


----------



## Flrman1 (Jul 26, 2002)

Can you do it Sunday afternoon say around 1 or 2 pm EDT?


----------



## dbimaging (Aug 27, 2005)

Run HijackThis from the "RunOnceEx" section of regedit, so it runs before Windows does:

```reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""
```

When it opens, do a scan, and it will point to the regedit reference that's causing the problem. Once fixed, the file will show up in explorer. In my case it was c:\windows\system32\dmqak.exe.


----------



## PiK (Aug 27, 2005)

Another way: run Silent Runners.vbs first and hijackthis.exe after that. Then it will point to the problematic registry references, too (in my case "hclean32.exe" and "dmahx.exe"). After rebooting I deleted those files and also cleared from:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
"csowu.exe" text (though this file did not exist)

EDIT:
I misinformed you yesterday (I misinterpreted the results and the reason which caused them).
The correct way is:
- run the system in a safe mode (must be safe mode)
- cut down the power (then the system does not close properly)
- boot (a normal mode is OK)
- run HijackThis 1.99.1
- fix 2 files: "hclean32.exe" and randomly named one, e.g. "dmah.exe" dated 04-Aug-04, 01:44, size 43kB
- re-boot
- delete those 2 files in windows\system32 folder
- clear entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
- delete randomly named 54kB file in windows\system32 (in my case "cshie.exe", dated 17-Aug-05 09:17). Please note that the name has already been changed and it is different from the one in Winlogon\System entry

If that 54kB exec is not deleted and is run accidentally the whole game starts again.


----------



## barncat (Jan 11, 2005)

dbimaging; "RunOnceExt"? Please tell me how I would do that? I have little experience with regedit.... I have OS95... Thanks... Sorry if this is breaking a thread, but others may want info on what dbimaging suggested.... Thank you very much...


----------



## mehigh (Aug 5, 2005)

No, I believe it doesn't break this thread. Any piece of information is welcome.

Flrman - unfortunately, this Sunday I'll be online all the time except at those hours you indicated.
If you have any free time starting on Monday, please let me know.


----------



## dbimaging (Aug 27, 2005)

Following is the text of the .reg file I used to get rid of Wareout/Findspy... I battled that bogus system tray balloon for three days!

Copy the text into Notepad and name it with a .reg extension, then merge it into your registry by right-clicking on the file and selecting "Merge". Once you have confirmed the prompts, restart your computer. You'll need to edit the last line to point to your copy of HijackThis:

```reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
[-HKEY_LOCAL_MACHINE\Software\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
[-HKEY_CURRENT_USER\Software\WareOut]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar]
[-HKEY_CURRENT_USER\Software\SearchToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""
```


----------



## mehigh (Aug 5, 2005)

I can understand the frustration. It's been almost a month since I opened this thread, and very little progress has been made so far toward solving this whole problem. In the meantime, I have run dozens of anti-virus scans and the like, which have taken a lot of time (and not only that). At some point, those scans could take a lot more time than my daily job applications themselves.

That's it anyway - I mean, I'm not complaining.
But, if anybody can help with any idea - I, for what it's worth, welcome it.


----------



## Flrman1 (Jul 26, 2002)

mehigh 

Go ahead and post a current log from Silent Runners. I managed to help fix this in another thread over the weekend.


----------



## mehigh (Aug 5, 2005)

Thank you, Flrman.

I've attached the new SR scan.
I'll also try to leave the computer running with no reboot, at least for several hours today.


----------



## Flrman1 (Jul 26, 2002)

* *Click here* to download hcleanfix.zip. 

Download the file and save it to your desktop. 
Unzip the hclean.zip file to extract the hclean.reg file it contains.
Don't do anything else with it yet.

* *Click here* to download rkfiles.zip. 

Download the file and save it to your desktop. 
Unzip the rkfiles.zip file to extract the rkfiles.bat and strings.exe files it contains.
Don't do anything else with it yet.

* Now doubleclick on the *hclean.reg* file to add it to the registry. 

Answer Yes when asked if you want to add it to the registry. 
After you receive the message that the reg file was successfully merged, *restart your computer*.

* After restarting your computer, run the rkfiles.bat file.

Double-click RKFiles.bat to run it.
It may take a while.

When it is finished a window should appear with a log.
Please copy the contents of the log and paste them here
Note: the log will be saved at *c:\log.txt*


* After you have posted the log.txt file, wait for further instructions. It is very important that you *do not restart your computer again until I have instructed you to do so.*


----------



## mehigh (Aug 5, 2005)

Will do as instructed tomorrow in the very early morning (EDT).
Will also leave my computer running after that. Hopefully it will not restart by itself; anyway, I'll try not to give it a hard time.

Again, thank you.


----------



## mehigh (Aug 5, 2005)

Did exactly as instructed.

That log required goes as follows:

```
C:\Documents and Settings\Administrator\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\ntfsnlpa.exe: UPX!
C:\WINDOWS\system32\rdsndin.exe: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\imgurla.exe: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
```
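
rkfiles.bat works by running strings.exe over the system folders and matching packer signatures such as UPX! and PEC2, which is why the log above warns that not every hit is a bad file: dfrg.msc matched on a run of base64 text and DivX.dll is a PECompact-packed but legitimate library. The script below is an added example, not rkfiles.bat and not from this thread; it does the same triage offline but reads the PE section table first, so a packer is reported only for real executables, while a raw string hit in a non-PE file is reported separately as a likely false positive. All sample files are constructed in memory (the file names mirror the log, the contents are synthetic); the markers and section names are the commonly documented ones for UPX, PECompact, FSG and ASPack.

```python
import os
import struct
from typing import Dict, List, Optional

# Byte strings an rkfiles-style "strings | grep" triage keys on.
RAW_MARKERS = {b'UPX!': 'UPX', b'PEC2': 'PECompact', b'FSG!': 'FSG'}
# Section names packers leave behind in the PE section table.
SECTION_MARKERS = {'UPX0': 'UPX', 'UPX1': 'UPX', 'UPX2': 'UPX',
                   '.aspack': 'ASPack', '.adata': 'ASPack'}


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b'\0').decode('latin-1'))
    return names


def classify(data: bytes) -> Dict[str, object]:
    """Decide whether a file is a PE, and which packer (if any) it shows."""
    sections = pe_section_names(data)
    raw_hits = sorted({name for marker, name in RAW_MARKERS.items() if marker in data})
    packer = None
    if sections is not None:
        for sec in sections:
            if sec in SECTION_MARKERS:
                packer = SECTION_MARKERS[sec]
                break
        if packer is None and raw_hits:
            packer = raw_hits[0]          # string marker inside a real PE
    return {'is_pe': sections is not None, 'sections': sections or [],
            'raw_hits': raw_hits, 'packer': packer}


def scan_files(files: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    return {name: classify(data) for name, data in files.items()}


def scan_directory(path: str) -> Dict[str, Dict[str, object]]:
    """Same triage over a real folder (e.g. C:\\WINDOWS\\system32); unreadable files are skipped."""
    found = {}
    for entry in os.scandir(path):
        if entry.is_file():
            try:
                with open(entry.path, 'rb') as fh:
                    found[entry.name] = classify(fh.read())
            except OSError:
                continue
    return found


def build_minimal_pe(section_names: List[str], tail: bytes = b'') -> bytes:
    """Constructed stand-in for an executable: DOS stub, PE signature, COFF
    header with SizeOfOptionalHeader=0, and a section table with the given names."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 0x40)                      # e_lfanew
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14c, len(section_names), 0, 0, 0, 0, 0x102)
    table = b''.join(n.encode().ljust(8, b'\0') + bytes(32) for n in section_names)
    return bytes(dos) + coff + table + tail


# Constructed samples: names mirror the thread's log, contents are synthetic.
SAMPLES = {
    'rdsndin.exe':  build_minimal_pe(['UPX0', 'UPX1', '.rsrc'], b'\0' * 16 + b'UPX!'),
    'carpserv.exe': build_minimal_pe(['.text', '.data', '.rsrc']),
    'DivX.dll':     build_minimal_pe(['.text', '.rsrc'], b'PEC2\0\0'),
    'readme.txt':   b'Compressed with UPX! to save space.\r\n',
}


def summarize(results: Dict[str, Dict[str, object]]) -> List[str]:
    lines = []
    for name, r in sorted(results.items()):
        if r['packer']:
            lines.append(f"{name}: packed with {r['packer']} (sections {', '.join(r['sections'])})")
        elif r['raw_hits']:
            lines.append(f"{name}: string hit {r['raw_hits']} but not a PE file - likely false positive")
        else:
            lines.append(f"{name}: no packer indicators")
    return lines


if __name__ == '__main__':
    print('\n'.join(summarize(scan_files(SAMPLES))))
```

A packed executable in system32 is still only a lead, not a verdict, exactly as the rkfiles banner says; the section-table check just removes the non-executable noise so the remaining leads are worth a closer look.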


----------



## Wireguided (Sep 1, 2005)

I am curious about the outcome. I've been watching this thread for help with it also.


----------



## Flrman1 (Jul 26, 2002)

* I am attaching an hcleanfix2.zip file to this post. 

Download the file and save it to your desktop. 
Unzip the hcleanfix2.zip file to extract the hcleanfix2.reg file it contains.
Doubleclick on the *hcleanfix2.reg* file to add it to the registry. 
Answer Yes when asked if you want to add it to the registry.

*Click Here* and download Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. Now put a tick by *Delete on Reboot*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\system32\ntfsnlpa.exe

C:\WINDOWS\system32\rdsndin.exe

C:\WINDOWS\system32\hclean32.exe

C:\WINDOWS\system32\csxli.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox and *restart your computer.*

Come back here and post a new Hijack This log along with a new Silent Runners log.


----------



## Flrman1 (Jul 26, 2002)

* Also fix this entry with Hijack This:

*O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4EF79A-8FB7-4797-919D-4C1F0C034EB6}: NameServer = 195.95.218.1,85.255.112.7*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.


Double-click the *Network Connections* icon
Right-click the *Local Area Connection icon* and select *Properties*.
Highlight *Internet Protocol (TCP/IP)* and click the *Properties* button.
Be sure *Obtain DNS server address automatically* is selected. 
*OK* your way out.

* Restart your computer.

* Go to Start > Run and type in *cmd*.
Click OK. 
Type this line in the command window:

*ipconfig /flushdns*

Hit Enter.

Come back here and post a new Hijack This log along with a new Silent Runners log.
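
The O17 line above is a static NameServer value written into one adapter's Tcpip interface key, which is why the fix switches the adapter back to "Obtain DNS server address automatically" and then flushes the resolver cache. The script below is an added example, not a HijackThis or Silent Runners feature: it pulls O17 lines out of a saved HijackThis log, validates each address and reports every resolver that is not one you expect. The sample log is constructed; its first O17 line carries the interface GUID and the two addresses quoted in this thread, the second O17 line and the expected-resolver set are placeholders standing in for a router or ISP resolver.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed HijackThis excerpt. The first O17 line is the one quoted in this
# thread; the second interface GUID and 192.168.1.1 are placeholders.
SAMPLE_HJT_LOG = r'''
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A4EF79A-8FB7-4797-919D-4C1F0C034EB6}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
'''

# Placeholder: the resolvers your router or ISP actually hands out.
EXPECTED_RESOLVERS = {'192.168.1.1'}

O17_RE = re.compile(r'^O17 - (\S+?): NameServer = (.+)$')


def parse_o17(log: str) -> Dict[str, List[str]]:
    """Map each interface key in the log to the NameServer list it sets."""
    result: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            result[m.group(1)] = [s.strip() for s in m.group(2).split(',') if s.strip()]
    return result


def audit_resolvers(log: str, expected) -> List[Dict[str, str]]:
    """Classify every statically configured resolver found in O17 lines."""
    findings = []
    for iface, servers in parse_o17(log).items():
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append({'interface': iface, 'server': server, 'status': 'invalid'})
                continue
            if server in expected:
                status = 'expected'
            elif addr.is_private:
                status = 'private-unexpected'   # a LAN address you did not configure
            else:
                status = 'external-unexpected'  # a public resolver you did not choose
            findings.append({'interface': iface, 'server': server, 'status': status})
    return findings


if __name__ == '__main__':
    for f in audit_resolvers(SAMPLE_HJT_LOG, EXPECTED_RESOLVERS):
        print(f"{f['status']:<20} {f['server']:<16} {f['interface']}")
```

Anything reported as external-unexpected is the entry to remove, and because HijackThis keeps a backup of every item it fixes, removing the wrong one can be undone from its Backups list rather than by re-typing the value.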


----------



## mehigh (Aug 5, 2005)

Hold on, please.

Do I need to reboot computer anytime before running KillBox? I haven't restarted it for the last 24 hours.

Second at hand - several weeks ago I tried to fix that O17 line in HJT myself, and once I did it I lost the internet connection.
Luckily I had kept a scan log at that time, and could rebuild that line in regedit myself.


----------



## trleon (Sep 2, 2005)

I also have trouble with HClean. I used HijackThis to clean. After that, nothing strange in the report, but still the pop-up "balloon" and a trojan warning from Norton.
Googled and read this thread. I have booted with Linux, Knoppix and found the earlier mentioned hidden files:

HClean.exe/NTFSNLPA.exe/RDSNDIN.exe

Renamed them and copied them to a separate folder. Also found 2 prefetch files for the last two files. Copied these also. Are these files of any use to solve the problem?

I have removed the 3 files and CSSR.exe. Reboot and no more pop-up till now.

Will keep following this thread.


----------



## mehigh (Aug 5, 2005)

Ok, I guess you disconnected before seeing my last question...anyway, I did not reboot.
Instead, I merged hcleanfix2.reg, and ran that advertised routine about KillBox. Then, finally restarted computer.

About the 'Network Connections' thing - I couldn't check that option 'Obtain DNS server address automatically' because it was already grayed out, so I couldn't touch it. Tell me whether I was missing something.

I also fixed that O17 line in HJT - and, as suspected, that caused me to lose the Internet connection. Had to tweak it myself for a couple of hours to get myself back online.

Given this whole story, I've never made it to the 'ipconfig /flushdns' step.

I would also want to recall that - as I reported several days ago - one particular anti-virus scan detected hclean32.exe and did rename it. 
I guess it was Ewido recently who told me that file's new name became hclean32.0xe.
I don't know how relevant that is, but I just wanted to recall it.

I've also attached now the latest HJT and SilentRunners logs (done after all the last fixes) - but I don't believe I would be able to refrain from restarting PC once this day ends.

(In the meantime - I mean, like last 30 hours - I've got no fake popups anymore, but that may or may not be end of the deal.)


----------



## Flrman1 (Jul 26, 2002)

FYI: Hijack This keeps backups of anything you remove with it. You could have saved yourself a lot of trouble restoring the internet connection by restoring the O17 entry from those backups by opening Hijack This then clicking the "Open Misc Tools section" button. From there click on the "Backups" button and you can restore any entry you have removed.

Go ahead and fix this with Hijack This:

*O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe*

Restart your computer.

Download RootkitRevealer from here:

http://www.sysinternals.com/utilities/rootkitrevealer.html

Unzip it then doubleclick the RootkitRevealer.exe file. Click the scan button and let it scan. Save the scan results and post them here.


----------



## mehigh (Aug 5, 2005)

Fixed that O4 line in HJT.
I'm very curious how hclean32.exe eventually appeared in the log there...

Also ran RootkitRevealer after restarting computer, but no discrepancies were found...so I guess I had nothing to save and report.

I also sent you a PM, Flrman - anyway, nothing of public importance really.


----------



## Flrman1 (Jul 26, 2002)

How is everything now?


----------



## mehigh (Aug 5, 2005)

Actually, I've been so busy with my job as of late that I couldn't notice the end of the world if it were to happen.

Anyway, no more fake popups for the last 48 hours - as that would've been the only apparent thing about my problem I could have noticed in the first place.


----------



## Flrman1 (Jul 26, 2002)

Let's try an online virus scan to see if there is anything else leftover:

http://www.kaspersky.com/virusscanner


----------



## mehigh (Aug 5, 2005)

Kaspersky found: C:\WINDOWS\system32\cssdx.exe (Infected: Trojan-Dropper.Win32.Vidro.u). 
I don't know whether there's any connection with my original problem.

Good news is, Spybot runs normally again. Amid other stuff, it found FindSpy.A (balloon.wav), which I deleted.
And, of course, no more fake popups.


----------



## mehigh (Aug 5, 2005)

Spent another few hours today scanning with different programs...
Panda tracked the same cssdx.exe and apparently disinfected it; anyway, personally I don't think that was related to my original problem.

Both Spybot and Spyware Doctor run normally, as they did before I got the nasty hclean32.exe.
Neither Ewido nor any other program has tracked hclean32.exe anymore.
No more fake popups either.

I'll wait for another couple of days, for a final verdict.


----------



## Flrman1 (Jul 26, 2002)

mehigh said:


> Kaspersky found: C:\WINDOWS\system32\cssdx.exe (Infected: Trojan-Dropper.Win32.Vidro.u).
> I don't know whether there's any connection with my original problem.


I'm sure that was one of the random files that was loading from the Winlogon reg key that kept hiding and recreating the other files.


----------



## Dimiter (Sep 5, 2005)

Hi Flrman1,

Should really the 7th line in hclean2.reg contain the string "\SOFTWARE" twice?


----------



## Dimiter (Sep 5, 2005)

Sorry, I meant hcleanfix2.reg in the above message.


----------



## mehigh (Aug 5, 2005)

All I can say at the moment is, the fake popups haven't shown up anymore.

But I'll continue to wait a couple of days, see if it re-appears.
If there's anything more I should do - like a new scan, or something - let me know.


----------



## Flrman1 (Jul 26, 2002)

As far as I know there is nothing left to do, mehigh.


----------



## Flrman1 (Jul 26, 2002)

Dimiter said:


> Hi Flrman1,
> 
> Should really the 7th line in hclean2.reg contain the string "\SOFTWARE" twice?


No it shouldn't. My mistake. I was wondering why the reg file didn't remove the Run entry pointing to the hclean32 file. That is why it didn't.
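
Dimiter's catch (a key path with \SOFTWARE twice) is the kind of mistake a .reg file never reports: regedit merges whatever it parses, and a value deletion aimed at a key that does not exist simply does nothing, which is exactly why the Run entry survived. The script below is an added example, not the hcleanfix2.reg from this thread and not a tool any poster used: it parses the REGEDIT4 syntax shown earlier in the thread into the list of operations regedit would perform (delete key, delete value, set value) and flags a repeated path component, a short hive alias such as HKLM that regedit does not accept in .reg files, and value lines outside any key. The sample input is constructed from the entries posted in this thread, with a doubled \SOFTWARE component and an HKLM alias added deliberately.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the .reg posted earlier in the thread, with
# two deliberate mistakes: a doubled \SOFTWARE component (line 7) and the
# HKLM alias instead of HKEY_LOCAL_MACHINE (line 9).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
[-HKEY_LOCAL_MACHINE\Software\CLASSES\HCLEAN32.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""
'''

HIVES = {'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER', 'HKEY_CLASSES_ROOT',
         'HKEY_USERS', 'HKEY_CURRENT_CONFIG'}
HEADERS = ('REGEDIT4', 'Windows Registry Editor Version 5.00')
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]\s*$')                 # [key] or [-key]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')     # "name"=data or @=data

Op = tuple  # ('delete_key', key) | ('delete_value', key, name) | ('set_value', key, name, data)


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def _parse_data(raw: str):
    raw = raw.strip()
    if raw == '-':
        return 'delete', None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return 'string', _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return 'dword', int(raw[6:], 16)
    if raw.lower().startswith('hex'):                          # single-line hex only
        return 'hex', bytes.fromhex(raw.split(':', 1)[1].replace(',', ''))
    return 'unknown', raw


def lint_reg(text: str) -> Tuple[List[Op], List[str]]:
    """Return (operations regedit would perform, problems found)."""
    ops: List[Op] = []
    problems: List[str] = []
    key = None
    lines = text.splitlines()
    first = next((ln.strip() for ln in lines if ln.strip()), '')
    if first not in HEADERS:
        problems.append(f'line 1: missing or unknown header {first!r}')
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith(';') or line in HEADERS:
            continue
        m = KEY_RE.match(line)
        if m:
            delete, key = m.group(1) == '-', m.group(2)
            parts = key.split('\\')
            if parts[0] not in HIVES:
                problems.append(f'line {no}: hive {parts[0]!r} is not a full hive name regedit accepts')
            seen = set()
            for part in parts[1:]:
                if part.lower() in seen:
                    problems.append(f'line {no}: path component {part!r} repeats; check the key path')
                    break
                seen.add(part.lower())
            if delete:
                ops.append(('delete_key', key))
            continue
        m = VALUE_RE.match(line)
        if m:
            if key is None:
                problems.append(f'line {no}: value outside any [key] section')
                continue
            name = _unescape(m.group(1)) if m.group(1) is not None else '@'
            kind, data = _parse_data(m.group(2))
            if kind == 'delete':
                ops.append(('delete_value', key, name))
            elif kind == 'unknown':
                problems.append(f'line {no}: cannot parse data {data!r}')
            else:
                ops.append(('set_value', key, name, data))
            continue
        problems.append(f'line {no}: unrecognised line {line!r}')
    return ops, problems


def ops_touching(ops: List[Op], needle: str) -> List[Op]:
    """Operations whose key path or value name mentions needle (case-insensitive)."""
    n = needle.lower()
    return [op for op in ops if any(n in str(part).lower() for part in op[1:3])]


if __name__ == '__main__':
    operations, issues = lint_reg(SAMPLE_REG)
    for op in ops_touching(operations, 'hclean32'):
        print('OP     ', op)
    for issue in issues:
        print('PROBLEM', issue)
```

Running it on the sample shows the hclean32.exe deletion aimed at the doubled path, so a quick look at ops_touching(..., 'hclean32') before merging would have revealed that the Run entry was never going to be removed.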


----------



## Freez (Sep 5, 2005)

I had the same problems with hclean.exe and I followed the removal guide you made for mehigh, and it seems that it has worked for me too. The pop-ups are gone and Spybot is running at its normal speed. Also my computer is a little faster now.

Thanks flrman1, you've been a great help. Keep up the good work!


----------



## Flrman1 (Jul 26, 2002)

You're welcome!


----------



## Dimiter (Sep 5, 2005)

I hope Flrman's advice also helped me to clean an infected computer (Windows XP SP1, NTFS), and I thank him heartily. In addition to the favourable effects indicated by other members, I should like to mention also the following technical detail. Before the cleaning, any scan of the folder C:\System Volume Information by means of F-Prot detected a number of infected files, and this number steadily increased (the infections were among the following ones: a dropper for W32/[email protected], a destructive program named W32/Trojan.WY, security risks named W32/Downloader.FAP, W32/AdClicker.FG, W32/AdClicker.FH). After I carried out the cleaning procedure yesterday, finishing it by disinfecting the hard drive by means of F-Prot, no more infected files can be found.


----------



## Pentagon (Sep 7, 2005)

All you have to do is clean out your cookies and clean out your content, clear SSL state, and clean all you can: temp internet files, all.

Me and XP have Restore; just restore to before it happened, say, for example, one day ago.
Make sure you run Spybot Search and Destroy before running Restore to an earlier date.
It works for me as soon as I see a spy alert, "your antivirus is bad", something like that.
Just follow these steps and you won't have to keep formatting.
I got the same stuff as all of you; once the hclean32 came up in my Norton I was messed up bad.
Had to reformat.
Now if you use BlackICE you can see what IP comes up to install the trojan.
hclean32 comes on; if you block that IP before it can complete, then only half of the spyware is complete and no trojan.
I know this sounds weird but it works and I haven't had a problem yet.
I have restored my puter about 3 times in one week, but that's all, and I only lose about half a day on a restore, and I make sure I back up everything and create new restore points when needed.
If you see your puter lag on a site for a long time and you can click off or X out, look to see what IP is on your puter, and always clear out attacks so you see the new ones coming.
BlackICE is the best firewall out there. I swear by the program and have been using it for about 10-plus years.

Remember:
If you can't click out or X out of a site, look on BlackICE and block all IPs,
then clean out cookies,
then clean out content, clear SSL state,
then run Spybot Search and Destroy,
then restore the puter to an earlier date, say the last restore point.
I'm sure the Norton and Spybot Search and Destroy people are working on it.
Remember Spybot Search and Destroy is very good, and he runs and offers his program free and lives on donations, so donate when you can.
Hope this helped all the troubled users. I went through the same thing and this is the best way I know to resolve it fast.
Peace out.
PentagonMaster


----------



## mehigh (Aug 5, 2005)

First of all, I had the System Restore turned off at the moment of my original infection - since ironically that was the day when I wanted to scan my computer extensively and get rid of any virus found. I do such scans regularly, like at the end of each month.
So, I could not restore computer to any previous point.

Secondly, I deleted everything in 'Temporary Internet Files' and cookies, and favorites, and %temp%, and anything alike, several times, with no positives at all.
Then, each anti-virus and anti-anything-else scan cycle lasted for 4-5 hours, sometimes each and every day - again, with nothing being fixed.

Neither Spybot nor Spyware Doctor were running normally - not to mention that neither of them detected anything special (Spybot did find FindSpy, but the original infection would not be reversed). That means a Spybot normal scan of, like, 3 minutes would last 30 minutes or so.
I also have Adaware and others - they seemed to run normally, but they did not make any good.

I also have ZoneAlarms as firewall, but it did not prevent this infection.

Although I'm not working in IT, this wasn't the only infection I've had to deal with. But all the others usually took me 15 minutes to fix, all by myself. 1 day, maybe. But THIS one took me 1 month.
In the meantime I'd tried almost everything possible, plus I read hundreds of posts here and there - because the problem had spread and there was no at-hand solution disclosed.

Anyway, if there's now more than just 1 solution to fix this problem, they are all welcome.
But, it's my turn now to salute Flrman's efforts, and to thank him hugely for fixing my computer.
And, since this thread apparently has become so popular, I hope many of us will support the forum by donating. I hope there's nothing wrong if I say that.

Once again, thanks to everyone involved in this.
I believe my primary goal - i.e. to create exposure for solving the problem - has been accomplished.


----------



## Flrman1 (Jul 26, 2002)

Glad we were able to help! 

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

