*Please* help--ntsystem.exe malware

Comments

• Crunchie Mandurah. Western Australia. Member

  September 2006 edited September 2006

  Can you please do the following.
  
  ===============
  
  Scan with HijackThis and then place a check next to all the following, if present:
  
  
  O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  
  
  Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
  
  ===============
  
  Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
  
  files...
  
  C:\WINDOWS\system32\ntsystem.exe
  
  -
  
  Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

  Select the first option to run Windows in Safe Mode hit enter.
  
  -
  
  Reboot.
  
  ===============
  
  After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

  0
• marseille

  September 2006 edited September 2006

  No luck--the problem keeps coming back when we reboot.
  
  McAfee is continuing to detect new 'pup' files--always with 8-letter gibberish names. There's got to be some root file that is generating them?
  
  Any info appreciated. Thanks.
  
  HijackThis log:
  
  Logfile of HijackThis v1.99.1
  Scan saved at 11:16:07 PM, on 9/3/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\ehome\ehtray.exe
  C:\WINDOWS\system32\hkcmd.exe
  C:\WINDOWS\system32\igfxpers.exe
  C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
  C:\Program Files\Dell\Media Experience\DMXLauncher.exe
  C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
  C:\WINDOWS\System32\DLA\DLACTRLW.EXE
  C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
  C:\Program Files\Picasa2\PicasaMediaDetector.exe
  C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\Program Files\McAfee.com\VSO\mcvsshld.exe
  C:\Program Files\McAfee.com\VSO\oasclnt.exe
  c:\program files\mcafee.com\agent\mcagent.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
  C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
  C:\WINDOWS\system32\ntsystem.exe
  C:\Program Files\Dell Support\DSAgnt.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Google\Google Updater\GoogleUpdater.exe
  C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  C:\WINDOWS\eHome\ehRecvr.exe
  C:\WINDOWS\eHome\ehSched.exe
  C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
  c:\program files\mcafee.com\agent\mcdetect.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
  C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\dllhost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  C:\WINDOWS\eHome\ehmsas.exe
  C:\Program Files\HijackThis\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
  O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
  O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
  O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
  O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
  O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
  O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
  O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
  O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
  O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
  O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
  O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
  O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
  O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
  O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
  O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
  O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
  O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
  O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe

  0
• Crunchie Mandurah. Western Australia. Member

  September 2006 edited September 2006

  Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
  If you have a script blocking program, please allow the file to run. It is not malicious.

  0
• marseille

  September 2006 edited September 2006

  I ran the script....results follow:
  
  "Silent Runners.vbs", revision 47, http://www.silentrunners.org/
  Operating System: Windows XP SP2
  Output limited to non-default values, except where indicated by "{++}"
  
  
  Startup items buried in registry:

  ---

  
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
  "DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
  "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
  
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
  "ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
  "igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
  "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
  "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
  "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
  "DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
  "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
  "ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["InstallShield Software Corporation"]
  "ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
  "DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
  "Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
  "Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
  "MSKDetectorExe" = "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall" ["McAfee, Inc."]
  "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
  "VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
  "VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
  "OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
  "MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
  "MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
  "MaxtorOneTouch" = "C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" ["Maxtor Corporation"]
  "(Default)" = (empty string)
  "mxomssmenu" = ""C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"" ["Maxtor Corp."]
  "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
  "gwiz" = "C:\WINDOWS\system32\ntsystem.exe" [file not found]
  
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
  {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
  \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
  {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "DriveLetterAccess"
  \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
  {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
  {CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "Browser Address Error Redirector"
  -> {HKLM...CLSID} = "CBrowserHelperObject Object"
  \InProcServer32\(Default) = "c:\Program Files\BAE\BAE.dll" ["Dell Inc."]
  
  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
  \InProcServer32\(Default) = "deskpan.dll" [file not found]
  "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
  "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
  "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
  "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
  "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
  \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
  "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
  "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
  \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
  "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
  "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
  
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
  INFECTION WARNING! "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" ["Google"]
  
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
  INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
  
  HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
  {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
  \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
  
  HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
  AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
  
  HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
  AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
  \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
  
  
  Active Desktop and Wallpaper:

  ---

  
  Active Desktop is disabled at this entry:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
  
  
  Enabled Screen Saver:

  ---

  
  HKCU\Control Panel\Desktop\
  "SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]
  
  
  Startup items in "Joan" & "All Users" startup folders:

  ---

  
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
  "Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
  "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
  
  
  Winsock2 Service Provider DLLs:

  ---

  
  Namespace Service Providers
  
  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
  000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
  000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
  000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
  
  Transport Service Providers
  
  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
  0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
  %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
  %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
  
  
  Toolbars, Explorer Bars, Extensions:

  ---

  
  Toolbars
  
  HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
  "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
  
  HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
  "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
  
  HKLM\Software\Microsoft\Internet Explorer\Toolbar\
  "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
  \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
  "{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
  -> {HKLM...CLSID} = "McAfee VirusScan"
  \InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
  
  Explorer Bars
  
  HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
  {21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Shell Search Band"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
  
  HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
  {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
  
  Extensions (Tools menu items, main toolbar menu buttons)
  
  HKLM\Software\Microsoft\Internet Explorer\Extensions\
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
  "MenuText" = "Sun Java Console"
  "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  
  {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
  "ButtonText" = "Real.com"
  
  {FB5F1910-F110-11D2-BB9E-00C04F795683}\
  "ButtonText" = "Messenger"
  "MenuText" = "Windows Messenger"
  "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
  
  
  Running Services (Display Name, Service Name, Path {Service DLL}):

  ---

  
  AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
  AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
  MaxBackServiceInt, MaxBackServiceInt, ""C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe"" [empty string]
  MaxSyncService, NTService1, ""C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe"" [" "]
  McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
  McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
  McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
  Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
  Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
  Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
  
  
  Print Monitors:

  ---

  
  HKLM\System\CurrentControlSet\Control\Print\Monitors\
  Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
  
  

  ---

  + This report excludes default entries except where indicated.
  + To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
  + The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 13 seconds.
  + The search for all Registry CLSIDs containing dormant Explorer Bars
  took 9 seconds.

  ---

  (total run time: 45 seconds)

  0
• Crunchie Mandurah. Western Australia. Member

  September 2006 edited September 2006

  Not seeing anything there. Can you go to the kaspersky site and do an online scan. Post back the report you get.
  
  http://www.kaspersky.com/virusscanner

  0
• phaedrus

  September 2006 edited September 2006

  Greetings,
  
  I hope you'll pardon the intrusion but I have exactly the same problem as is being discussed here. Unfortuntantely I don't have any answers but my experience with this issue may give another point of reference and help resolve the problem.
  
  The facts so far:
  
  Discovered O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  I decided this was a nasty and deleted the key.
  
  The key reappeared.
  I switched off system restore.
  Then after booting in safe mode I purged my system of all occurences of ntsystem.exe
  Deleted the registry key
  Created a new dummy C:\WINDOWS\system32\ntsystem.exe which is zero bytes, read only and removed all access priviledges to it.
  
  The registry key reappears.
  
  In safe mode I do a full system scan for viruses using fully up to date Mcafee Virus Enterprise 7.1.0 and a spware scan using fully up to date Spyware Doctor 4.0.02613
  These come back clean.
  I delete the ntsystem registry key.
  
  On boot the key reappears.
  During this time my dummy C:\WINDOWS\system32\ntsystem.exe file remains unmodified.
  
  In a fit of pique I remove the registry key and access permissions to the key using regedit.
  This stops the key from reappearing but of course does not address the issue of the snaeaky little blighter which is putting it there in the first place.
  
  On resetting the registry access permissions the key reappears.
  
  Tried to run Sysinternals Regmon v6.06 in log boot mode (should start before everything else) in an attempt to identify the culprit. For some reason Regmon fails to generate the log.
  
  For reference I enclose my HijackThis log.
  
  Logfile of HijackThis v1.99.1
  Scan saved at 13:32:39, on 06/09/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
  C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
  C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\System32\SCardSvr.exe
  C:\PROGRA~1\NETSUP~1\client32.exe
  C:\WINDOWS\system32\eTSrv.exe
  C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
  C:\Program Files\Network Associates\VirusScan\Mcshield.exe
  C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
  C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
  C:\WINDOWS\system32\nvsvc32.exe
  C:\WINDOWS\system32\PGPserv.exe
  C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
  C:\Program Files\Spyware Doctor\sdhelp.exe
  C:\WINDOWS\system32\svchost.exe
  C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  C:\WINDOWS\system32\wdfmgr.exe
  C:\WINDOWS\system32\wbem\wmiprvse.exe
  C:\WINDOWS\System32\alg.exe
  C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
  C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
  C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
  C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
  C:\Program Files\Microsoft ActiveSync\wcescomm.exe
  C:\Program Files\Spyware Doctor\swdoctor.exe
  C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
  C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
  C:\PROGRA~1\MICROS~3\rapimgr.exe
  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
  C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
  C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
  C:\WINDOWS\system32\WISPTIS.EXE
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
  C:\Program Files\Internet Explorer\IEXPLORE.EXE
  C:\Documents and Settings\Paul\Desktop\HijackThis1991.exe
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DK
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/advanced_search?hl=en
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
  R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
  O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
  O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
  O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
  O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
  O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
  O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
  O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
  O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
  O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
  O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
  O4 - Global Startup: Bluetooth Manager.lnk = ?
  O4 - Global Startup: PGPtray.exe.lnk = ?
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
  O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
  O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
  O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
  O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
  O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
  O16 - DPF: {0C6F59AC-8A7F-41F0-84F2-87C36BA6E976} - https://p8p.leaseplan.co.uk/cab/BWS_API.cab
  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
  O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
  O16 - DPF: {A991CC2F-63AB-48A6-A129-ABC8AFDD0DDB} (BWS_AdvancedReport4.BW_AdvReport4) - https://p8p.leaseplan.co.uk/cab/BWS_AdvancedReport4.cab
  O16 - DPF: {B0E836A7-3098-49F1-B401-8BFBE1D24451} - https://p8p.leaseplan.co.uk/p8p/cab/BWSHttpConnect.cab
  O20 - AppInit_DLLs: OCMAPIHK.DLL
  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
  O23 - Service: Client32 - NetSupport Ltd - C:\PROGRA~1\NETSUP~1\client32.exe
  O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
  O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
  O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
  O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
  O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
  O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
  O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
  O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
  O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
  O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
  
  That's about as far as I've got a the moment but any thoughts or suggestions would be appreciated.

  0
• marseille

  September 2006 edited September 2006

  Phaedrus, your story sounds very similar to mine. I was deleting the appropriate registry entries as well.
  
  There's got to be a way to get to the bottom of this?
  
  Crunchie, I'll run the next step tonight, unless I can get my mom to run it during the day (it's her computer and I'm at work.....).
  
  Thanks so much to both of you for helping me with this!

  0
• ntshall

  September 2006 edited September 2006

  I'm also having EXACTLY the same problem, which seems to have started around Sept. 1.
  
  Though no consolation , I've noticed similar "New Malware.j" posts in other forums (including McAfee's)starting at about the same time, leading me to believe this may be the start of a widespread problem.

  0
• marseille

  September 2006 edited September 2006

  This is my log from Kaspersky"
  
  KASPERSKY ONLINE SCANNER REPORT
  Wednesday, September 06, 2006 3:29:19 PM
  Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
  Kaspersky Online Scanner version: 5.0.83.0
  Kaspersky Anti-Virus database last update: 6/09/2006
  Kaspersky Anti-Virus database records: 208458
  
  
  Scan Settings
  Scan using the following antivirus database standard
  Scan Archives true
  Scan Mail Bases true
  
  Scan Target My Computer
  C:\
  D:\
  E:\
  G:\
  H:\
  I:\
  J:\
  
  Scan Statistics
  Total number of scanned objects 50079
  Number of viruses found 1
  Number of infected objects 1 / 0
  Number of suspicious objects 0
  Duration of the scan process 00:34:22
  
  Infected Object Name Virus Name Last Action
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbc2e.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbdam Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbdao Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbeam Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbeao Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbm Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbu2d.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbvm.cf1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\dbvmh.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\fii.cf1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\fiih.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\hp Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\hpt2i.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\rpm.cf1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\rpm1m.cf1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\rpm1mh.ht1 Object is locked skipped
  
  C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Desktop\4aa4f1509c38\rpmh.ht1 Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
  
  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
  
  C:\Documents and Settings\Joan\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
  
  C:\Documents and Settings\Joan\Cookies\index.dat Object is locked skipped
  
  C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
  
  C:\Documents and Settings\Joan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
  
  C:\Documents and Settings\Joan\Local Settings\History\History.IE5\index.dat Object is locked skipped
  
  C:\Documents and Settings\Joan\Local Settings\Temp\~DF94E9.tmp Object is locked skipped
  
  C:\Documents and Settings\Joan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
  
  C:\Documents and Settings\Joan\mobdedtm.exe Object is locked skipped
  
  C:\Documents and Settings\Joan\NTUSER.DAT Object is locked skipped
  
  C:\Documents and Settings\Joan\ntuser.dat.LOG Object is locked skipped
  
  C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
  
  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
  
  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
  
  C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
  
  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
  
  C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
  
  C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
  
  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
  
  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
  
  C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
  
  C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
  
  C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
  
  C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
  
  C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
  
  C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8584ECBE-324D-483F-A3E2-0EE25E93F205}.crmlog Object is locked skipped
  
  C:\WINDOWS\SchedLgU.Txt Object is locked skipped
  
  C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
  
  C:\WINDOWS\Sti_Trace.log Object is locked skipped
  
  C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
  
  C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
  
  C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
  
  C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
  
  C:\WINDOWS\system32\config\default.LOG Object is locked skipped
  
  C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
  
  C:\WINDOWS\system32\config\SAM Object is locked skipped
  
  C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
  
  C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
  
  C:\WINDOWS\system32\config\SECURITY Object is locked skipped
  
  C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
  
  C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
  
  C:\WINDOWS\system32\config\software.LOG Object is locked skipped
  
  C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
  
  C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
  
  C:\WINDOWS\system32\config\system.LOG Object is locked skipped
  
  C:\WINDOWS\system32\h323log.txt Object is locked skipped
  
  C:\WINDOWS\system32\ntoskrnl.dll Infected: Trojan.Win32.Agent.rx skipped
  
  C:\WINDOWS\system32\ntsystem.exe Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
  
  C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
  
  C:\WINDOWS\wiadebug.log Object is locked skipped
  
  C:\WINDOWS\wiaservc.log Object is locked skipped
  
  C:\WINDOWS\WindowsUpdate.log Object is locked skipped
  
  D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
  
  Scan process completed.

  0
• marseille

  September 2006 edited September 2006

  My mom tried calling McAfee's customer service last night--they were completely baffled, promoted it to 2nd tier customer service, but for that they call us back at another time, probably in a few days. Not sure what's up with that.
  
  I'm trying to decide if I should be restoring her machine from the Maxtor external backup we have (from three days before the infection) or if we should wait around to solve this the 'right' way.
  
  I'm kicking myself that I turned off Windows System Restore--I might've been able to fix it with that. But the first site I found that seemed to know what it was doing said to turn it off, and I did--that wiped out the previous restore points.
  
  Marseille

  0
• Crunchie Mandurah. Western Australia. Member

  September 2006 edited September 2006

  marseille wrote:

  I'm kicking myself that I turned off Windows System Restore--I might've been able to fix it with that. But the first site I found that seemed to know what it was doing said to turn it off, and I did--that wiped out the previous restore points.
  
  Marseille

  Yep, I never recommend disabling system restore until the pc is clean. A bad restore point is better than no restore point, imo.
  
  Please go to Jotti's or at virustotal and have these files scanned. Post the results back here.
  
  C:\WINDOWS\system32\ntoskrnl.dll
  C:\Documents and Settings\Joan\mobdedtm.exe
  C:\Documents and Settings\Joan\Local Settings\Temp\~DF94E9.tmp
  
  ==
  
  Please visit at least two of the following sites for an online virus scan:
  
  BitDefender Free Online Virus Scan
  http://www.bitdefender.com/scan/licence.php
  
  Panda ActiveScan
  http://www.pandasoftware.com/activescan/com/activescan_principal.htm
  Make sure you tick Disinfect automatically under Scan Options.
  
  Housecall at TrendMicro
  http://housecall60.trendmicro.com/en/start_corp.asp?id=scan
  Make sure you tick Auto Clean.
  
  eTrust Antivirus Web Scanner
  http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
  
  Also run this online trojan scanner
  
  TrojanScan

  0
• phaedrus

  September 2006 edited September 2006

  Hi Guys,
  
  I think I've cracked this...
  
  Here's what I did, whether you choose to try this is up to you.
  
  The first thing I did was remove ntsystem.exe from the path pointed to by the run key.
  In my case this was windows\system32
  I created a dummy zero length text file in this location and renamed it ntsystem.exe before locking it and removing all its security access priviledges.
  
  I then rebooted my system and went into regedit.
  
  Searched the registry for SecurityProviders
  There were 3 instances
  "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll
  
  I carefully edited each entry to remove the ntoskrnl.dll entry and leave the rest intact.
  
  I then deleted the offending run key.
  HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  
  Rebooted
  
  My system now starts without reinstating the offending key.
  
  I think lsass.exe was invoking the rogue dll via the SecurityProviders keys.
  I have manually scanned both instances of lsass.exe on my system and they are both clean.
  
  Futhermore on checking a couple of XP systems they only have ntoskrnl.EXE NOT ntoskrnl.DLL. I believe this dll is a part of Windows 2000 systems not XP
  
  Anyhow I've since manually moved ntoskrnl.dll from the windows\system32 directory with no apparent ill effects.
  
  I think what we've been dealing with here is the remnants of a virus.
  The bit left being a method to ensure that the run key, if discovered and deleted, would be regenerated.
  
  Hope this helps.
  
  Regards Phaedrus
  
  And what is good, Phaedrus, And what is not good -- Need we ask anyone to tell us these things?

  0
• marseille

  September 2006 edited September 2006

  Which supports the latest thing we found out--AVG is popping up, notifying about ntoskrnl.dll. I bet that's the main file. Apparently AVG is calling it Generic2.ATN.
  
  I'll try the other suggestions tonight--thanks everybody.

  0
• marseille

  September 2006 edited September 2006

  Okay, I ran BitDefender (turned up nothing) and Panda (found 45 cookies--nothing else).
  
  I did what Phaedrus suggested with the registry, removing ntsystem.exe (again....) and removing ntoskrnl.dll throughout.
  
  I'm currently running the trojan scanner.
  
  I'm really hoping this will do it.....
  
  We appear to have had two other 'issues'--NewPolyWin32, and Generic2.ATN. I'm going to log in in safe mode to remove NewPolyWin32, once this scan finishes (McAfee detected it after I'd started scanning). It's found a registry entry (Trace.Registry.Adclicker) and some cookies.

  0
• marseille

  September 2006 edited September 2006

  Okay, I ran BitDefender and Panda--BitDefender found nothing (though McAfee determined it was a virus) and Panda found some cookies.
  
  I'm running the Trojan program now.
  
  I tried the scans on the individual files, but couldn't actually locate any of the files--they no longer exist.
  
  I made the changes Phaedrus suggested in the registry--removed ntsystem.exe (as I have many times before....) and removed refs to ntoskrnl.dll.
  
  This last time I rebooted, I didn't get any virus detection popups, which I'm taking as a positive sign.
  
  Still continuing to run scans.....
  
  Marseille

  0
• phaedrus

  September 2006 edited September 2006

  Hi Marseille,
  
  I'd be interested to know if the key;
  HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
  has reappeared in your registry.
  
  If you run HiJackThis it would appear in the 04 - HKLM section of the log.

  0
• Silent Runner

  September 2006 edited September 2006

  Hi, Phaedrus.
  
  Thanks for identifying the malware responsible for this infection. From your description, I was able to quickly learn its registry launch point.
  
  I have just released version 48 of Silent Runners, which will examine this previously-unknown registry launch location during its run. (See location 53 here.)
  
  I can assure you from my own recent experience with a client, that this is a two-pronged infection consisting of a master in the SecurityProviders value and one or more servants in HKLM... Run.
  
  If anyone at Short-Media.com ever sees a shortcoming in my script, please don't hesitate to contact me.
  
  thanks again and best regards, Andy Aronoff
  (author, "Silent Runners.vbs")

  0
• Pfftdives

  September 2006 edited September 2006

  Phaedrus,
  
  THANK YOU! had just tracked it down to ntoskrnl.dll and had not found what was calling it. removing it from SecurityProviders with fingers crossed.
  Kaspersky online scanner found ntoskrnl.dll to be an issue, but of course symantec AV still does not flag the file (Why are we using this again?)
  
  -pfft

  0
• marseille

  September 2006 edited September 2006

  It's gone! *Finally*. And there have been no indications of trouble this morning.
  
  For future--is there a preferred combination of spyware and virus protection? We've got McAfee--the McAfee support people told us that McAfee and Ad-Aware were incompatible--I'm not sure I believe that--but do any of you have any suggestions?
  
  And, again, thanks *immensely* for all of this help!!!!!!
  
  Marseille

  0
• javtech

  September 2006 edited September 2006

  I did what you posted, creating the ntsystem.exe dummy, deleting the dlls, removing gwiz from the run key and now computer boots up, but it hangs.
  any other ideas on what can it be??

  0
• javtech

  September 2006 edited September 2006

  Phaedrus, all the steps i did on safe mode. thats the only way i can log into computer.

  0
• jmoney3457 Maine

  September 2006 edited September 2006

  Hi all, I know the 3 or so of you have the same (or similar) problem as the original thread starter but please START YOUR OWN THREAD when posting problems/HJT log as it confuses the helpers greatly,I won't move anyone into there own thread now as theres already helping going on for you all but again please in the future start your OWN thread thanks:)

  0
• Crunchie Mandurah. Western Australia. Member

  September 2006 edited September 2006

  This thread is now closed. If you need it reopened, please send a PM to one of our Mods.
  
  Include the link to the thread and detail why you need it reopened.
  
  If this is not your thread please start a New Topic.
  

  0