Help! W2K is sick.

Hello All!
I currently have a WIN2K machine with some sort of virus/spyware/malware infection.
It creates a file TMP?.TMP (replace ? with a number) in the %TEMP% directory.
It readjusts the security levels in IE, along with changing the TAB setup, and Home page to LOAD2K.INFO/TSALE/PLAY_POKER_ONLINE.HTM

I have run Ad-aware, Spybot, Panda, MS Spyware Beta, Trend Micro's House Call, and numerous others.

Does anyone have any suggestions/places to look/a small thermonuclear device I can use on this system?
Thanks
Dave

Comments

  • edited July 2005
    I also get Access exception errors from TASKMGR (if open), EXPLORER, and SPYSWEEPER of 0x1000120e
  • SpywareShooter 127.0.0.1
    edited July 2005
    Please download HijackThis and post a new log.
  • edited July 2005
    Logfile of HijackThis v1.99.1
    Scan saved at 9:20:24 PM, on 7/1/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Reflection\rtsserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
    C:\downloads\HijackThis.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O1 - Hosts: 127.0.0.7 click.hotlog.ru
    O1 - Hosts: 127.0.0.7 hit20.hotlog.ru
    O1 - Hosts: 127.0.0.8 load2k.info
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DirectX shell driver] C:\WINNT\sammp32.exe
    O4 - Startup: Adobe Gamma.lnk.disabled
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: PhylWall.lnk = C:\Program Files\Phyle's Wallpaper Switcher\PhylWall.exe
    O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
    O4 - Global Startup: BTTray.lnk = C:\Program Files\belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {2386745D-827F-48A1-8F07-DA4A365A8A91} (TeleControl Class) - http://qw-telereach/Trc.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_09) - https://fileconnect.symantec.com/plugin/jinstall-1_4-windows-i586.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_09) - https://insight2:50000/ui/classes/j2re-1_3_1_09-windows-i586-i.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sandata.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD741071-2727-49DF-8464-506000AC209E}: Domain = sandata.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD741071-2727-49DF-8464-506000AC209E}: NameServer = 172.18.20.18,172.18.20.17,198.6.1.195
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sandata.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sandata.com
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
    O23 - Service: Reflection Servers - WRQ, Inc. - C:\Program Files\Reflection\rninetd.exe
    O23 - Service: WRQ Reflection TimeSync (Reflection TimeSync) - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
    O23 - Service: WhatsUp Gold Syslog - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - C:\Program Files\WhatsUp\IPSyslog.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
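A HijackThis log is read by hand in this thread, but the checks the helpers apply (hosts-file overrides, Run-key entries whose label and binary do not agree or whose binary lives outside the usual program directories, services whose file is missing) can be scripted. The following is an added example written for this page, not code from the thread or from HijackThis. The sample lines are copied from the log above, except for a 203.0.113.5 hosts line and a Temp\TMP3.TMP Run entry, which are constructed so the redirect and temp-directory checks have something to fire on; the directory names and the heuristics are the example's own assumptions, and the label-mismatch rule will produce false positives on legitimate entries such as QuickTime's qttask.exe.

```python
r"""Triage a HijackThis v1.99 log for the entry types that mattered in this thread.

Added example: not part of the forum thread and not HijackThis code. The lines
in SAMPLE_LOG are copied from the posted log, except the 203.0.113.5 hosts line
and the Temp\TMP3.TMP Run entry, which are constructed to exercise two checks
the real log does not trigger. The directory names and the heuristics are mine.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.7 click.hotlog.ru
O1 - Hosts: 127.0.0.8 load2k.info
O1 - Hosts: 203.0.113.5 www.example.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DirectX shell driver] C:\WINNT\sammp32.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\dave\LOCALS~1\Temp\TMP3.TMP
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# First path-like token of a command line, quoted or not, ending in an executable extension.
PATH_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|com|scr|pif|dll|bat|tmp))(?:"|\s|$)', re.I)

# Binaries launched straight from the Windows directory (not System32) or from a
# temp directory are classic drop locations; both lists are assumptions for the example.
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    section: str
    severity: str   # high / medium / low / info
    target: str
    reason: str


def exe_path(cmd: str) -> str:
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().split()[0]


def check_run_entry(label: str, cmd: str):
    """Return (path, severity or None, reasons) for one O4 Run-key entry."""
    path = exe_path(cmd)
    directory, _, filename = path.lower().rpartition("\\")
    reasons, severity = [], None
    if not directory:
        reasons.append("bare filename, resolved through the search path")
        severity = "low"
    elif directory in WINDOWS_ROOTS:
        reasons.append("executable sits directly in the Windows directory")
        severity = "high"
    elif any(marker in directory + "\\" for marker in TEMP_MARKERS):
        reasons.append("executable launched from a temp directory")
        severity = "high"
    # A label that shares no word with the binary name is a common disguise
    # (here: "DirectX shell driver" for sammp32.exe).
    stem = filename.rsplit(".", 1)[0]
    words = [w for w in re.findall(r"[a-z0-9]+", label.lower()) if len(w) >= 3]
    if words and not any(w in stem for w in words):
        reasons.append("Run-key label shares no word with the binary name")
        severity = severity or "medium"
    return path, severity, reasons


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            ip, host = m.group("ip"), m.group("host")
            if ip.startswith("127.") or ip == "0.0.0.0":
                if ip not in ("127.0.0.1", "0.0.0.0"):   # blocklist style, unusual address
                    findings.append(Finding("O1", "info", host, f"blocked via non-standard loopback address {ip}"))
            else:                                         # hostname sent somewhere else entirely
                findings.append(Finding("O1", "high", host, f"redirected to non-local address {ip}"))
        elif m := O4_RE.match(line):
            path, severity, reasons = check_run_entry(m.group("label"), m.group("cmd"))
            if severity:
                findings.append(Finding("O4", severity, path, "; ".join(reasons)))
        elif m := O23_RE.match(line):
            if "(file missing)" in m.group("cmd"):
                findings.append(Finding("O23", "medium", m.group("name"), "service binary missing from its registered path"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:<6}] {f.section} {f.target}: {f.reason}")
```

Run against the sample, the only high-severity entry from the real log is the sammp32.exe Run key, for two independent reasons (it sits in C:\WINNT rather than System32, and its label has nothing to do with its file name); the hotlog.ru and load2k.info hosts lines are reported as informational because they point at loopback addresses, which is blocklist behaviour rather than a hijack, and the WinVNC service is reported because its registered binary is missing.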
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Please download, install, and run Cleanup 4.0
    http://cleanup.stevengould.org/

    =============

    Download Hoster.
    http://www.funkytoad.com/download/hoster.zip

    This will restore your original Hosts file.
    Run the program and press Restore Original Hosts and press OK.

    ============

    Please run at least two of these online scans.
    Make sure they are set to clean automatically.

    Panda Virus Scan
    Bit Defender
    TrendMicro Housecall

    There will be files that these scans will not remove. Please include that information in your next post.

    Reboot and post a new HijackThis log and the info from your virus scans.
  • edited July 2005
    Buckeye Sam,
    The HijackThis log that had been posted was after two runs of Panda, one of Trend, and two runs of MS Spyware. The Hosts file is as clean as it will get; all entries are mine. I'm currently re-running Panda and Bit Defender again.
    Ad-aware and Spybot were also run, along with AboutBuster.
    Cleaner 4.0 was run and the system rebooted.
    I'm currently running the Bit-defender but it is showing 900+ hours to complete.
    Thank you for your suggestions!
    Dave
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    What will be most helpful to me is to see the log from the Panda scan. It usually does a very good job at detecting malware, but can't always remove it. Once I see that we can move on to the next step.
  • edited July 2005
    Here is the BitDefender log file:
    BitDefender Online Scanner

    Scan report generated at: Mon, Jul 04, 2005 - 13:12:47
    Scan path: A:\;C:\;D:\;E:\;F:\;

    Statistics
    Time: 02:58:07
    Files: 724416
    Folders: 6677
    Boot Sectors: 4
    Archives: 8624
    Packed Files: 78918

    Results
    Identified Viruses: 5
    Infected Files: 12
    Suspect Files: 0
    Warnings: 0
    Disinfected: 8
    Deleted Files: 4

    Engines Info
    Virus Definitions: 190424
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File / Status
    C:\Documents and Settings\All Users\Start Menu\Programs\L0phtCrack 2.5\L0phtCrack 2.5.lnk=>C:\Program Files\L0phtCrack 2.5\l0phtcrack.exe
        Infected with: Trojan.Lophtcrk
        Disinfection failed
        Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\L0phtCrack 2.5\L0phtCrack 2.5.lnk
        Update failed
    C:\downloads\monitor\nc.exe
        Detected with: Application.NTSniff.110
        Disinfection failed
        Deleted
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\167E0EB6.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\167E0EB6.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\3EBA5670.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\3EBA5670.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\414A4D9E.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\414A4D9E.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\483C5ED5.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\483C5ED5.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\52A0308A.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\52A0308A.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\58A772C4.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\58A772C4.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\5BE41B33.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\5BE41B33.exe
        Update failed
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\5E1C24C2.exe=>(Quarantine-1)
        Infected with: Win32.Valhalla.2048
        Disinfected
    C:\Program Files\other\Norton SystemWorks\Norton AntiVirus\Quarantine\5E1C24C2.exe
        Update failed
    D:\Stuff from Old computer\Downloads\ml530g2\REBOOT.COM
        Infected with: Trojan.Rebootpc.A
        Disinfection failed
        Deleted
    D:\Stuff from Old computer\Downloads\netcat\nc.exe
        Detected with: Application.NTSniff.110
        Disinfection failed
        Deleted

    Here is the Panda Log:
    Incident Status Location

    Adware:Adware/PopCapLoader No disinfected C:\downloads\backups\backup-20050702-221339-313.dll
    Adware:Adware/PopCapLoader No disinfected C:\downloads\backups\backup-20050702-221339-313.inf
    Possible Virus. No disinfected C:\Program Files\BitPim\_libusb.dll
    Virus:W32/Badtrans@MM Disinfected Local Folders\Inbox\Re: Re[2]: Trip to North Carolina\[s3msong.MP3.pif]
    Virus:W32/Badtrans@MM Disinfected Local Folders\Inbox\Re: Trip to North Carolina\[New_Napster_Site.DOC.scr]
    Virus:W32/Hybris Disinfected Local Folders\Inbox\Snowhite and the Seven Dwarfs - The REAL story!\[sexy virgin.scr]
    Adware:Adware/Aureate-Radiate No disinfected Local Folders\Inbox\Web Copier\[wcopier.exe][data1.cab][ADIMAGE.DLL]
    Adware:Adware/Aureate-Radiate No disinfected Local Folders\Inbox\Web Copier\[wcopier.exe][data1.cab][MSIPCSV.EXE]
    Adware:Adware/Aureate-Radiate No disinfected Local Folders\Inbox\Web Copier\[wcopier.exe][data1.cab][HTMDENG.EXE]
    Adware:Adware/Aureate-Radiate No disinfected Local Folders\Inbox\Web Copier\[wcopier.exe][data1.cab][IPCClient.dll]
    Adware:Adware/Aureate-Radiate No disinfected Local Folders\Inbox\Web Copier\[wcopier.exe][data1.cab][TFDE.DLL]
    Virus:VBS/LoveLetter Disinfected Local Folders\Sent Items\test with virus\[iloveyou.txt]
    Virus:W32/Klez.I Disinfected Local Folders\Sent Items\Fw: Live Chat\[ATT01040.rmi]
    Virus:W32/Sobig.F Disinfected Local Folders\Sent Items\Fw: Fwd[2]:Re: Approved\[details.pif]
    And finally the HIJACKTHIS log
    Logfile of HijackThis v1.99.1
    Scan saved at 2:42:32 PM, on 7/4/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Reflection\rtsserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Phyle's Wallpaper Switcher\PhylWall.exe
    C:\Program Files\AnalogX\POW\pow.exe
    C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\cmd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O1 - Hosts: 127.0.0.7 click.hotlog.ru
    O1 - Hosts: 127.0.0.7 hit20.hotlog.ru
    O1 - Hosts: 127.0.0.8 load2k.info
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DirectX shell driver] C:\WINNT\sammp32.exe
    O4 - Startup: Adobe Gamma.lnk.disabled
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: PhylWall.lnk = C:\Program Files\Phyle's Wallpaper Switcher\PhylWall.exe
    O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
    O4 - Global Startup: BTTray.lnk = C:\Program Files\belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {2386745D-827F-48A1-8F07-DA4A365A8A91} (TeleControl Class) - http://qw-telereach/Trc.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_09) - https://fileconnect.symantec.com/plugin/jinstall-1_4-windows-i586.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_09) - https://insight2:50000/ui/classes/j2re-1_3_1_09-windows-i586-i.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sandata.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD741071-2727-49DF-8464-506000AC209E}: Domain = sandata.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD741071-2727-49DF-8464-506000AC209E}: NameServer = 172.18.20.18,172.18.20.17,198.6.1.195
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sandata.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sandata.com
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
    O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
    O23 - Service: Reflection Servers - WRQ, Inc. - C:\Program Files\Reflection\rninetd.exe
    O23 - Service: WRQ Reflection TimeSync (Reflection TimeSync) - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
    O23 - Service: WhatsUp Gold Syslog - Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - C:\Program Files\WhatsUp\IPSyslog.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Find this file...

    C:\WINNT\sammp32.exe

    and submit it to this site for analysis. Let me know what you find out.

    http://virusscan.jotti.org/
  • edited July 2005
    File: sammp32.exe
    Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 b69209a8c8dab48dced417f58ca656f0
    Packers detected: FSG
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing

    **** I have renamed this file and rebooted. It seems that it may have helped. Prelim regedit checks and Security levels have not been changed. The Home page change usually happens during the morning.

    I'll let you know in the morning.
    Thanks
    Dave
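The Jotti result above is the typical shape of a packed-binary verdict: no engine has a signature, but the file is compressed with a runtime packer (FSG) and the sandbox took unusually long, which is enough to call it suspicious. The following added example, written for this page and not code from the thread or from Jotti, shows the two cheapest checks behind that kind of verdict: hashing the file for a lookup, and measuring per-section entropy plus matching a few well-known packer section names. It builds three tiny PE32 images in memory (headers, section table and data only; nothing executable) as constructed samples. The section-name list is an illustrative assumption, not a signature set, and FSG in particular is caught here only by the entropy test; the "nameless high-entropy section" sample is a stand-in for a compressed payload, not a claim about FSG's exact layout.

```python
r"""Packer heuristics for a single suspicious binary, of the kind behind Jotti's
"runtime packers were found" note.

Added example: not part of the forum thread, of Jotti's service, or of any
scanner. It builds three tiny constructed PE32 images in memory (header plus
section table plus data; nothing executable) and applies two checks to each:
per-section Shannon entropy and a small list of well-known packer section
names. The name list is an illustrative assumption, not a signature set, and
FSG (the packer Jotti reported) is caught here only by the entropy test.
"""
import hashlib
import math
import random
import struct

PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b".aspack", b".petite", b".MPRESS1", b".nsp0"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data approaches 8.0
FILE_ALIGN = 0x200


def build_pe(sections):
    """Assemble a minimal PE32 image from [(name, data), ...] so pe_sections() can parse it."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # PE32 magic, rest zeroed
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (header_len + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        va += max(raw_size, 0x1000)
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(raw_ptr, b"\0") + body


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section of a PE file held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(image: bytes) -> dict:
    """Hash the file (for a multi-scanner lookup) and collect packing indicators."""
    report = {"md5": hashlib.md5(image).hexdigest(),
              "sha256": hashlib.sha256(image).hexdigest(),
              "sections": [], "indicators": []}
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        report["sections"].append((name, len(data), round(ent, 2)))
        if name in PACKER_SECTION_NAMES:
            report["indicators"].append(f"known packer section name {name!r}")
        if ent >= HIGH_ENTROPY:
            report["indicators"].append(f"high entropy {ent:.2f} bits/byte in section {name!r}")
    report["likely_packed"] = bool(report["indicators"])
    return report


def _pseudo_random(n: int, seed: int = 2005) -> bytes:
    """Deterministic stand-in for a compressed payload (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: an unpacked-looking image, one with a nameless high-entropy
# section standing in for a compressed payload, and a UPX-style one caught by name.
PLAIN_IMAGE = build_pe([(b".text", (b"\x55\x8b\xec" + b"\x90" * 5 + b"\xc3") * 256),
                        (b".data", b"Hello from an unpacked test binary\0" * 50)])
PACKED_IMAGE = build_pe([(b"", _pseudo_random(4096)), (b".rsrc", b"\0" * 64)])
UPX_STYLE_IMAGE = build_pe([(b"UPX0", b""), (b"UPX1", _pseudo_random(2048, seed=7))])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE), ("upx", UPX_STYLE_IMAGE)):
        r = triage_pe(img)
        print(label, r["md5"], r["sections"], r["indicators"])
```

The hash is the part to act on first: the MD5 Jotti printed can be searched in other scanner databases before any local analysis. Entropy is a heuristic, so treat it as Jotti does, as a reason for caution rather than a verdict; legitimate installers and anything carrying embedded compressed resources will also score high, which is why the thread's next step (rename the file, reboot, watch whether the symptoms stop) is the right confirmation.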
  • edited July 2005
    It does look like the strangeness has been resolved on the system!
    Thanks for your Help!
    Dave
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Fix this line with hijackthis, if it's still there.

    O4 - HKCU\..\Run: [DirectX shell driver] C:\WINNT\sammp32.exe


    And post one last hijackthis log. Let me know if you are still having any problems.