Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > HijackThis Log Help (Inactive)
#1, 12-05-2004, 08:29 AM, Mark_Yohalem (Registered User; Join Date: Dec 2004; Posts: 9; OS: Windows XP Pro)

Virus? wmiprvse.exe wuauclt.exe

Guys, I'm baffled and getting pretty worried. Two days ago, I noticed that the WindowsUpdate icon was appearing in my system tray, perpetually stuck at 0%. I became suspicious when forcing termination of wuauclt.exe using Task Manager made no difference -- the program would immediately start running again.

A quick Google search turned up that this file is possibly a virus, so I scanned it using a demo of Norton Anti-Virus and using Housecall (my normal virus scanner), both of which declared the file clean. But every time I deleted the file, it recreated itself, and every time I deleted it and created a read-only file of the same name in the Windows/System32 folder, this file would be overwritten.

Finally, I disabled Windows Update and restarted the computer. This time, wuauclt.exe wasn't running and the icon didn't appear, so I thought I had perhaps been wrong in my diagnosis all along.

This morning, when I started up, my computer was chugging a lot more than usual, so I opened up Task Manager and saw wuauclt.exe in it again -- though no Windows Update icon in the system tray. When I forced termination, it restored itself, AND another previously unseen program appeared: wmiprvse.exe. Again, a Google search confirmed that this file is often infected. I forced termination of both, and neither has resumed running as of this post.

I've now downloaded and am running Sophos Anti-Virus, since the Sophos website identifies both of the potential threats. But I'm skeptical that it will turn anything up.

I'd rather NOT format, but I suppose as between formatting and having all of my personal information stolen, I'm willing to do a format if necessary. Still, it seems weird that if this IS a virus, no software can detect it. Yet the symptoms seem so outrageous I cannot imagine it's anything BUT a virus.

Help?

EDIT:

Sophos proclaims them clean. OS is Windows XP Pro.

Here are the file specs:

wuauclt.exe (c:\windows\system32)
Size 113,944
On Disk 114,688

Created: Friday, August 9, 2002
Modified: Tuesday, August 3, 2004
Accessed: Today, December 5, 2004

wmiprvse.exe (c:\windows\system32\wbem)
Size 203,264
On Disk 204,800

Created: 5/9/02
Modified: 5/9/02
Accessed: Today, 12/5/04

---
Logfile of HijackThis v1.97.7
Scan saved at 10:28:11 AM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FlashSwitch\FlashSw.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\DllHost.exe
E:\SSW\SWEEPSRV.SYS
E:\SSW\SWNETSUP.EXE
E:\SSW\WSWEEPNT.EXE
E:\SSW\ICMON.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Temporary Internet Files\Temporary Internet Files\Content.IE5\E707A5CV\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\PROGRA~1\FLASHS~1\FlashBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Global Startup: InterCheck Monitor.LNK = E:\SSW\ICMON.EXE
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...594.5660300926
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/co...I/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

Last edited by Mark_Yohalem; 12-05-2004 at 08:47 AM.
#2, 12-05-2004, 10:09 AM, jgvernonco (Old Timer; Join Date: Sep 2003; Location: Northern Arizona; Posts: 7,958; OS: Vista Home Premium, SP 27)

Greetings, and welcome to TSF.

You have a worm in these, and it's not showing on your log. You are using an outdated version of HJT, so the instructions below will give you the link to the newest one, which may show us more.

Post that new log, and we'll have a look.

Please download HijackThis. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help us determine if there is any spyware/malware on your computer.
#3, 12-05-2004, 10:20 AM, Mark_Yohalem (Registered User; Join Date: Dec 2004; Posts: 9; OS: Windows XP Pro)

Here is the new log. Note that I should have a couple of new programs running (Ad Aware is running right now, as is Spyware Guard), just in case some new faces show up.

---

Logfile of HijackThis v1.98.2
Scan saved at 12:18:57 PM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FlashSwitch\FlashSw.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MyBHO Class - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\PROGRA~1\FLASHS~1\FlashBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
#4, 12-05-2004, 11:24 AM, greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

Your log looks clean.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro (http://housecall.trendmicro.com). Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#5, 12-05-2004, 11:26 AM, Mark_Yohalem (Registered User; Join Date: Dec 2004; Posts: 9; OS: Windows XP Pro)

As I said in the original post, I ran Housecall first thing and it turned up nothing. Don't you think the symptoms sound rather odd, though? AFAIK, Windows doesn't replicate files like that (or at least I've never seen it do so before), and wuauclt.exe shouldn't have been running after I disabled autoupdate, right?
#6, 12-05-2004, 11:53 AM, greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

In that case, run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Download: StartDreck (http://www.greyknight17.com/spy/StartDreck.zip).

Unzip to its own folder and start the program:
Press 'Config'
Press 'unmark all'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

I don't see wuauclt.exe as one of the running processes though. Is it still listed in the list of running processes now?
#7, 12-05-2004, 12:04 PM, Mark_Yohalem (Registered User; Join Date: Dec 2004; Posts: 9; OS: Windows XP Pro)

wuauclt.exe stopped running after a forced termination this morning, but it definitely was running then. I haven't restarted since (I will do so now). Here is the StartDreck log.

--EDIT--

The moment I pasted log I noticed a familiar face -- wuauclt.exe seems to have started itself up again.

--END EDIT--

--EDIT 2--

wuauclt.exe is no longer running, not due to any intervention on my part.

--END EDIT 2--

StartDreck (build 2.1.5 public BETA) - 2004-12-05 @ 14:03:08
Platform: Windows XP (Win NT 5.1.2600 )

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*Mirabilis ICQ=C:\Program Files\ICQ\NDetect.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*0000013C=\SystemRoot\System32\smss.exe
*00000184=<unkown>
*0000019C=\??\C:\WINDOWS\system32\winlogon.exe
*000001C8=C:\WINDOWS\system32\services.exe
*000001D4=C:\WINDOWS\system32\lsass.exe
*00000274=C:\WINDOWS\system32\svchost.exe
*0000028C=C:\WINDOWS\System32\svchost.exe
*000002CC=<unkown>
*000002E0=<unkown>
*000003E4=C:\WINDOWS\Explorer.EXE
*00000400=C:\WINDOWS\system32\spoolsv.exe
*000004D8=C:\Program Files\QuickTime\qttask.exe
*000004E4=C:\Program Files\FlashSwitch\FlashSw.exe
*000004F4=C:\Program Files\ICQ\ICQ.exe
*0000055C=C:\WINDOWS\System32\nvsvc32.exe
*00000598=C:\WINDOWS\System32\svchost.exe
*00000208=C:\WINDOWS\Blitz\WinNotif.exe
*00000470=C:\Program Files\Outlook Express\msimn.exe
*00000358=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
*0000068C=C:\Program Files\SpywareGuard\sgmain.exe
*000007D8=C:\Program Files\SpywareGuard\sgbhp.exe
*000000FC=C:\WINDOWS\System32\wuauclt.exe
*000002D4=C:\Program Files\Internet Explorer\IEXPLORE.EXE
*00000308=C:\WINDOWS\System32\DllHost.exe
*000004C4=C:\HJT\StartDreck.exe
»Application specific

Last edited by Mark_Yohalem; 12-05-2004 at 12:07 PM.
#8, 12-05-2004, 12:09 PM, greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

Something must be using it. Let's get a longer StartDreck log:

Make sure to restart first to get that file back again (windows update file).

Run StartDreck again and do the following:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Also post a new HijackThis log.
#9, 12-05-2004, 12:12 PM, Mark_Yohalem (Registered User; Join Date: Dec 2004; Posts: 9; OS: Windows XP Pro)

HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 2:10:53 PM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FlashSwitch\FlashSw.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Blitz\WinNotif.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\DllHost.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MyBHO Class - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\PROGRA~1\FLASHS~1\FlashBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

---

StartDreck Log

StartDreck (build 2.1.5 public BETA) - 2004-12-05 @ 14:12:06
Platform: Windows XP (Win NT 5.1.2600 )

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*Mirabilis ICQ=C:\Program Files\ICQ\NDetect.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
*Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
*Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub
*Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
*Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
*NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
*Windows Messenger 4.6/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Remove.PerUser
*Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
*Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
*Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
*Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
*Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
*CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
*Internet Explorer Access/{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}
*StubPath=rundll32 iesetup.dll,IEAccessUserInst
*Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*FlashSwitch.BHO.1/{46B9D770-1B7D-45D1-81B4-AC07B2F127EF}
`InprocServer32=C:\PROGRA~1\FLASHS~1\FlashBHO.dll
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\Program Files\SpywareGuard\dlprotect.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*AdShield.AdShield/{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
`InprocServer32=C:\PROGRA~1\AdShield\AdShield\AdShield.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com/
»Default User
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.msn.com/
»Local Machine
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\FlashSwitch.lnk
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\SpywareGuard.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`AutoScan=1
`WinVer=4.90.3000
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`DoubleBuffer=1
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`REM Windows MS-DOS Startup File
`REM
`REM CONFIG.SYS vs CONFIG.NT
`REM CONFIG.SYS is not used to initialize the MS-DOS environment.
`REM CONFIG.NT is used to initialize the MS-DOS environment unless a
`REM different startup file is specified in an application's PIF.
`REM
`REM ECHOCONFIG
`REM By default, no information is displayed when the MS-DOS environment
`REM is initialized. To display CONFIG.NT/AUTOEXEC.NT information, add
`REM the command echoconfig to CONFIG.NT or other startup file.
`REM
`REM NTCMDPROMPT
`REM When you return to the command prompt from a TSR or while running an
`REM MS-DOS-based application, Windows runs COMMAND.COM. This allows the
`REM TSR to remain active. To run CMD.EXE, the Windows command prompt,
`REM rather than COMMAND.COM, add the command ntcmdprompt to CONFIG.NT or
`REM other startup file.
`REM
`REM DOSONLY
`REM By default, you can start any type of application when running
`REM COMMAND.COM. If you start an application other than an MS-DOS-based
`REM application, any running TSR may be disrupted. To ensure that only
`REM MS-DOS-based applications can be started, add the command dosonly to
`REM CONFIG.NT or other startup file.
`REM
`REM EMM
`REM You can use EMM command line to configure EMM(Expanded Memory Manager).
`REM The syntax is:
`REM
`REM EMM = [A=AltRegSets] [B=BaseSegment] [RAM]
`REM
`REM AltRegSets
`REM specifies the total Alternative Mapping Register Sets you
`REM want the system to support. 1 <= AltRegSets <= 255. The
`REM default value is 8.
`REM BaseSegment
`REM specifies the starting segment address in the Dos conventional
`REM memory you want the system to allocate for EMM page frames.
`REM The value must be given in Hexdecimal.
`REM 0x1000 <= BaseSegment <= 0x4000. The value is rounded down to
`REM 16KB boundary. The default value is 0x4000
`REM RAM
`REM specifies that the system should only allocate 64Kb address
`REM space from the Upper Memory Block(UMB) area for EMM page frames
`REM and leave the rests(if available) to be used by DOS to support
`REM loadhigh and devicehigh commands. The system, by default, would
`REM allocate all possible and available UMB for page frames.
`REM
`REM The EMM size is determined by pif file(either the one associated
`REM with your application or _default.pif). If the size from PIF file
`REM is zero, EMM will be disabled and the EMM line will be ignored.
`REM
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
`SET windir=C:\WINDOWS
`SET winbootdir=C:\WINDOWS
`SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
`SET PROMPT=$p$g
`SET TEMP=C:\WINDOWS\TEMP
`SET TMP=C:\WINDOWS\TEMP
`SET BLASTER=A220 I5 D3 T4
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`REM AUTOEXEC.BAT is not used to initialize the MS-DOS environment.
`REM AUTOEXEC.NT is used to initialize the MS-DOS environment unless a
`REM different startup file is specified in an application's PIF.
`REM Install CD ROM extensions
`lh %SystemRoot%\system32\mscdexnt.exe
`REM Install network redirector (load before dosx.exe)
`lh %SystemRoot%\system32\redir
`REM Install DPMI support
`lh %SystemRoot%\system32\dosx
`REM The following line enables Sound Blaster 2.0 support on NTVDM.
`REM The command for setting the BLASTER environment is as follows:
`REM SET BLASTER=A220 I5 D1 P330
`REM where:
`REM A specifies the sound blaster's base I/O port
`REM I specifies the interrupt request line
`REM D specifies the 8-bit DMA channel
`REM P specifies the MPU-401 base I/O port
`REM T specifies the type of sound blaster card
`REM 1 - Sound Blaster 1.5
`REM 2 - Sound Blaster Pro I
`REM 3 - Sound Blaster 2.0
`REM 4 - Sound Blaster Pro II
`REM 6 - SOund Blaster 16/AWE 32/32/64
`REM
`REM The default value is A220 I5 D1 T3 and P330. If any of the switches is
`REM left unspecified, the default value will be used. (NOTE, since all the
`REM ports are virtualized, the information provided here does not have to
`REM match the real hardware setting.) NTVDM supports Sound Blaster 2.0 only.
`REM The T switch must be set to 3, if specified.
`SET BLASTER=A220 I5 D1 P330 T3
`REM To disable the sound blaster 2.0 support on NTVDM, specify an invalid
`REM SB base I/O port address. For example:
`REM SET BLASTER=A0
`REM
`REM *************************************************
`REM ** Lines below this have been migrated from the
`REM ** original Windows Millennium Edition settings.
`REM *************************************************
`REM
`SET windir=C:\WINDOWS
`SET winbootdir=C:\WINDOWS
`SET COMSPEC=C:\WINDOWS\SYSTEM32\COMMAND.COM
`SET PROMPT=$p$g
`SET TEMP=C:\WINDOWS\TEMP
`SET TMP=C:\WINDOWS\TEMP
`SET BLASTER=A220 I5 D3 T4
`REM LH C:\WINDOWS\ASP4DOS.COM
`PATH=C:\WINDOWS\COMMAND;C:\WINDOWS;C:\WINDOWS\system32
*C:\boot.ini
`[boot loader]
`timeout = 30
`default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect
*C:\WINDOWS\dosstart.bat
»%PATH% Companion Files
*C:\WINDOWS\System32\clspack.exe
*C:\WINDOWS\CLSPACK.EXE
*C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
*C:\WINDOWS\System32\setver.exe
*C:\WINDOWS\SETVER.EXE
*C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
*C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*0000013C=\SystemRoot\System32\smss.exe
*00000184=<unkown>
*0000019C=\??\C:\WINDOWS\system32\winlogon.exe
*000001C8=C:\WINDOWS\system32\services.exe
*000001D4=C:\WINDOWS\system32\lsass.exe
*00000274=C:\WINDOWS\system32\svchost.exe
*0000028C=C:\WINDOWS\System32\svchost.exe
*000002CC=<unkown>
*000002E0=<unkown>
*000003E4=C:\WINDOWS\Explorer.EXE
*00000400=C:\WINDOWS\system32\spoolsv.exe
*000004D8=C:\Program Files\QuickTime\qttask.exe
*000004E4=C:\Program Files\FlashSwitch\FlashSw.exe
*000004F4=C:\Program Files\ICQ\ICQ.exe
*0000055C=C:\WINDOWS\System32\nvsvc32.exe
*00000598=C:\WINDOWS\System32\svchost.exe
*00000208=C:\WINDOWS\Blitz\WinNotif.exe
*00000470=C:\Program Files\Outlook Express\msimn.exe
*00000358=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
*0000068C=C:\Program Files\SpywareGuard\sgmain.exe
*000007D8=C:\Program Files\SpywareGuard\sgbhp.exe
*000002D4=C:\Program Files\Internet Explorer\IEXPLORE.EXE
*00000308=C:\WINDOWS\System32\DllHost.exe
*000000C8=C:\HJT\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
Mark_Yohalem is offline  
Old 12-05-2004, 01:36 PM   #10 (permalink)
Old Timer
 
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


By changing names, super-hiding and moving about, they are confounding the tools.

OK. Download KillBox and unzip it to a folder. Run KillBox and copy and paste each of the following (one by one and hit Kill File):

C:\WINDOWS\SYSTEM32\blank.htm
C:\WINDOWS\System32\clspack.exe
C:\WINDOWS\CLSPACK.EXE
C:\WINDOWS\System32\taskman.exe
C:\WINDOWS\TASKMAN.EXE


Click on the Exit button (restart).

Next, find and delete:

C:\WINDOWS\SYSTEM32\blank.htm
C:\WINDOWS\System32\clspack.exe
C:\WINDOWS\CLSPACK.EXE
C:\WINDOWS\System32\taskman.exe
C:\WINDOWS\TASKMAN.EXE

Then reboot, see how your system is behaving, and post a new Dreck log.
jgvernonco is offline  
Old 12-05-2004, 03:05 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 9
OS: Windows XP Pro


wuauclt.exe was running again at startup. I don't know what to do. Honestly, it looks like it's winning. :(

---

I performed a Safe Mode boot and purge of those files, plus wmiprvse.exe and wuauclt.exe. Here is the current StartDreck log

---

StartDreck (build 2.1.5 public BETA) - 2004-12-05 @ 17:22:12
Platform: Windows XP (Win NT 5.1.2600 )

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*Mirabilis ICQ=C:\Program Files\ICQ\NDetect.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
*.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
*.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
*.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*FlashSwitch.BHO.1/{46B9D770-1B7D-45D1-81B4-AC07B2F127EF}
`InprocServer32=C:\PROGRA~1\FLASHS~1\FlashBHO.dll
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\Program Files\SpywareGuard\dlprotect.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*AdShield.AdShield/{7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
`InprocServer32=C:\PROGRA~1\AdShield\AdShield\AdShield.dll
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\FlashSwitch.lnk
*C:\Documents and Settings\Mark Yohalem\Start Menu\Programs\Startup\SpywareGuard.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\boot.ini
*C:\WINDOWS\dosstart.bat
»System/Drivers
»Running Processes
*00000000=<unkown>
*00000004=<unkown>
*0000013C=\SystemRoot\System32\smss.exe
*00000184=<unkown>
*000001A0=\??\C:\WINDOWS\system32\winlogon.exe
*000001CC=C:\WINDOWS\system32\services.exe
*000001D8=C:\WINDOWS\system32\lsass.exe
*0000027C=C:\WINDOWS\system32\svchost.exe
*00000294=C:\WINDOWS\System32\svchost.exe
*000002DC=<unkown>
*000002E8=<unkown>
*000003F8=C:\WINDOWS\Explorer.EXE
*00000418=C:\WINDOWS\system32\spoolsv.exe
*000004F0=C:\Program Files\QuickTime\qttask.exe
*000004F8=C:\Program Files\FlashSwitch\FlashSw.exe
*00000504=C:\Program Files\SpywareGuard\sgmain.exe
*0000055C=C:\WINDOWS\System32\nvsvc32.exe
*000005A0=C:\WINDOWS\System32\svchost.exe
*000005D4=C:\Program Files\ICQ\ICQ.exe
*0000061C=C:\Program Files\SpywareGuard\sgbhp.exe
*000000CC=C:\Program Files\Internet Explorer\IEXPLORE.EXE
*0000017C=C:\WINDOWS\System32\DllHost.exe
*00000480=C:\HJT\StartDreck.exe
»NT Services
*Alerter Alerter - on demand
*Application Layer Gateway Service ALG - on demand
*Application Management AppMgmt - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser - on demand
*Indexing Service cisvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver running auto
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*NVIDIA Display Driver Service NVSvc running auto
*Office Source Engine ose - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto running on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Registry RemoteRegistry running auto
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running auto
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Telnet TlntSvr - on demand
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running on demand
*Portable Media Serial Number Service WmdmPmSN - on demand
*Windows Management Instrumentation Driver Exten Wmi - on demand
`sions
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»Application specific

Last edited by Mark_Yohalem; 12-05-2004 at 03:23 PM.
Mark_Yohalem is offline  
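The two StartDreck logs posted in this thread can be compared mechanically rather than by eye. The Python below is an added example, not code from the thread, from StartDreck or from any of the posters: it parses StartDreck's three line markers (» for a section, * for an entry, ` for a sub-entry), drops the PIDs (which change on every boot) before diffing the two »Running Processes sections, and, for the »Companion Files pairs that jgvernonco's reply acts on, works out which copy a bare file name would run under the PATH quoted from this machine's autoexec.nt. The log excerpts are constructed from entries that appear in the thread; the PATH lookup ignores the current-directory search that precedes PATH.

```python
"""Parse StartDreck-style logs: diff two »Running Processes snapshots and
resolve »Companion Files against a PATH. Added example for this thread, not
code from StartDreck or the forum; the log excerpts are constructed from
entries that appear in the thread."""
import ntpath
from collections import defaultdict

MARK_SECTION, MARK_ENTRY, MARK_SUB = "»", "*", "`"

# Constructed excerpt of the first log (before the Safe Mode cleanup).
LOG_BEFORE = r"""
»Files
»Companion Files
*C:\WINDOWS\System32\clspack.exe
*C:\WINDOWS\CLSPACK.EXE
*C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
*C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
»Running Processes
*00000000=<unkown>
*0000013C=\SystemRoot\System32\smss.exe
*000003E4=C:\WINDOWS\Explorer.EXE
*000004F4=C:\Program Files\ICQ\ICQ.exe
*00000208=C:\WINDOWS\Blitz\WinNotif.exe
*00000358=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
*000000C8=C:\HJT\StartDreck.exe
"""

# Constructed excerpt of the second log (after the cleanup).
LOG_AFTER = r"""
»Running Processes
*00000000=<unkown>
*0000013C=\SystemRoot\System32\smss.exe
*000003F8=C:\WINDOWS\Explorer.EXE
*000005D4=C:\Program Files\ICQ\ICQ.exe
*00000480=C:\HJT\StartDreck.exe
"""

# PATH exactly as set in the machine's autoexec.nt quoted in the thread.
PATH_AUTOEXEC_NT = r"C:\WINDOWS\COMMAND;C:\WINDOWS;C:\WINDOWS\system32"


def parse_sections(text):
    """Map each »heading to its *entries. `sub-entries are folded into the
    preceding entry; nesting is flattened, so the most recent heading owns
    the entries that follow it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(MARK_SECTION):
            current = line[1:].strip()
            sections.setdefault(current, [])
        elif line.startswith(MARK_ENTRY) and current is not None:
            sections[current].append(line[1:].strip())
        elif line.startswith(MARK_SUB) and current and sections[current]:
            sections[current][-1] += "\n" + line[1:].strip()
    return sections


def running_processes(sections):
    """{lowercased image path: original path} from »Running Processes.
    Entries look like *0000013C=\\SystemRoot\\System32\\smss.exe. PIDs are
    dropped because they change every boot; <unkown> placeholders (spelled
    that way by the tool) carry no image and are skipped."""
    procs = {}
    for entry in sections.get("Running Processes", []):
        _pid_hex, sep, image = entry.partition("=")
        if sep and not image.startswith("<"):
            procs[image.lower()] = image
    return procs


def diff_processes(before, after):
    """Images present in one snapshot but not the other (case-insensitive)."""
    b, a = running_processes(before), running_processes(after)
    stopped = sorted(b[k] for k in b.keys() - a.keys())
    started = sorted(a[k] for k in a.keys() - b.keys())
    return stopped, started


def companion_pairs(sections):
    """Group »Companion Files by basename: the same file name present in
    more than one directory is exactly what StartDreck is flagging."""
    groups = defaultdict(list)
    for path in sections.get("Companion Files", []):
        groups[ntpath.basename(path).lower()].append(path)
    return {name: paths for name, paths in groups.items() if len(paths) > 1}


def first_on_path(name, path_env, candidates):
    """Which candidate (full path) runs for a bare `name` under `path_env`,
    searching directories left to right. The current-directory lookup that
    precedes PATH is ignored. Returns None if no candidate is on PATH."""
    by_dir = {ntpath.dirname(p).lower(): p for p in candidates
              if ntpath.basename(p).lower() == name.lower()}
    for directory in path_env.split(";"):
        hit = by_dir.get(directory.strip().lower())
        if hit:
            return hit
    return None


def main():
    before, after = parse_sections(LOG_BEFORE), parse_sections(LOG_AFTER)
    stopped, started = diff_processes(before, after)
    print("no longer running:", *stopped, sep="\n  ")
    print("newly running:", *started, sep="\n  ")
    for name, paths in companion_pairs(before).items():
        winner = first_on_path(name, PATH_AUTOEXEC_NT, paths)
        print(f"{name}: {len(paths)} copies; bare '{name}' resolves to {winner}")


if __name__ == "__main__":
    main()
```

Two things the output makes visible that a glance at the raw logs does not: the process diff shows only the three user applications open during the first scan (Word, Outlook Express, WinNotif) gone from the second, so the two snapshots are otherwise identical; and under the autoexec.nt PATH the copy in C:\WINDOWS wins over the one in System32 for every companion pair, which is why a duplicate name in the Windows directory is worth a second look. A pair by itself is not a verdict: notepad.exe is present in both locations on a clean XP install, and this machine carries settings migrated from Windows ME.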
Old 12-05-2004, 04:44 PM   #12 (permalink)
Knower of all that is MS
 
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


This is not really a problem file....
Quote:
wuauclt - wuauclt.exe - Process Information
Process File: wuauclt or wuauclt.exe
Process Name: AutoUpdate for WindowsME

Description:
Wuauclt.exe is a process managing automatic updates for Windows. This process continuously checks for the latest updates by going
Are you having any other problems at this time?
__________________


GO BIG BLUE!!
CTSNKY is offline  
Old 12-05-2004, 04:59 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 9
OS: Windows XP Pro


I've read all that stuff already, but the file was almost certainly trojaned.

See, e.g., http://www.sophos.com/virusinfo/analyses/trojcultb.html
or
http://securityresponse.symantec.com...kdoor.clt.html

The behavior of the file corresponded to a virus, not to a "benign" Microsoft app. Thanks though.
Mark_Yohalem is offline  
Old 12-05-2004, 05:16 PM   #14 (permalink)
Knower of all that is MS
 
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


In what way? The description you provided at the outset of this thread and the subsequent deep scans do not present the specific behavior of the sort identified in those links.

Your XP & IE are both very very outdated, which should be remedied first.

Also, you don't seem to have a firewall program installed. Using a firewall will allow you to give/deny access for applications that want to go online. Please download a free one at ZoneAlarm (http://www.zonelabs.com).
__________________


GO BIG BLUE!!
CTSNKY is offline  
Old 12-05-2004, 05:44 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 9
OS: Windows XP Pro


Behavior: Windows update running even after Windows update had been disabled. Files recreating themselves after being deleted, or rerunning themselves after termination.

Firewall / Windows / IE: I've returned to using this computer after having had a different one for some time, so I haven't finished upgrading everything. Once I jump to the next SP, that will have a firewall included.
Mark_Yohalem is offline  
Old 12-05-2004, 05:49 PM   #16 (permalink)
Knower of all that is MS
 
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


The next SP is SP1 for you, which has no firewall. SP2's firewall only prevents applications on your machine from connecting outbound. You still need a good firewall app running to be safest.

__________________


GO BIG BLUE!!
CTSNKY is offline  
Old 12-05-2004, 05:53 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2004
Posts: 9
OS: Windows XP Pro


Right, I had forgotten just how much updating this computer has to go through. Sigh. I guess it's no surprise that it picked something up (though you seem still to think I'm just being a hypochondriac here). I'll only be using the comp for another 5 months though, so it only needs not to give my credit card numbers out to the world for that long. ;)
Mark_Yohalem is offline  
 


Copyright 2001 - 2009, Tech Support Forum