Windows Explorer Opens On Boot


pop pop
05-30-2005, 12:30 AM
This is a strange one to me guys. I just fixed my brother in-law's PC--the usual unprotected devastation, except maybe worse. Everything works and all malware is gone but I have an unexpected thing happening now and I can't figure out how to stop it (maybe I'm just tired). I had to delete some baddies in the system32 folder, they're all gone. But now Windoze Explorer opens the system32 folder window on every boot. How do I fix that?

Thanks

Paleo Pete
05-30-2005, 01:25 AM
First check the usual locations - msconfig, registry run keys and start up folder. If it's XP I think that's in Documents and Settings under the user name.

Also make sure Windows Explorer is closed before you shut down/reboot.

Paul Komski
05-30-2005, 02:25 AM
No OS specified but you could look for the blank ("") registry value as per:
http://forums.windrivers.com/archive/index.php/t-15613.html

pop pop
05-30-2005, 02:34 AM
MSCONFIG is normal, so is the Startup folder. That leaves registry run keys. I'll look at that link, too.

He had XP SP1 -- no AV, no Firewall, no antispyware, only IE. He now has XP SP2, and all the fixin's...and no bugs :cool:

Sylvander
05-30-2005, 03:57 AM
I'm sure I've come across this before and it was the "Path" that was messed up.
Windows was set to run a file, but couldn't because the "Path" was wrong, so it was automatically looking in the "System32" folder.

pop pop
05-30-2005, 01:56 PM
Mods--maybe you should move this to Security based on where this came from and where it's going--see below. Sorry I didn't put it there to begin with.

Sylvander,

I have to believe that's what's happening. There are no "null" entries in the areas of the registry that I looked--mostly run, run once in local machine, current user and users. Since this was brought on after malware removal, my guess is there's a registry entry somewhere calling to run one of the bug files and now it's not there and the System32 window opens.

Before anybody asks, the HJT log is totally clean now. Before I go too far afield, I'll keep this about Windoze rather than malware, but still kind of related. I'm a relative novice to the registry but by no means a total noob. I have a couple of questions that might help me before I just give up and give the in-law his repaired, malware free box back. Well, repaired with one annoyance left.

I'll research these answers too but here goes...

1) Is there a way to "comment" out individual lines in the registry like you do in source code for batch files and apps? Looking at this registry, I see what I think is just that (I didn't do it manually, maybe HJT?). Under HKEY_CURRENT_USER/Software/Microsoft/Windows/Current Version, there are duplicate folder entries for RUN and RUNONCE. One, which is "clean" is simply RUN or RUNONCE. The other two, which have the malware entries and values are RUN- and RUNONCE- (notice the dash at the end). I guess the dash effectively invalidates the folder and the entries/values do not execute? Could I do that as a debugging method? (Relative to those neutered registry folders containing malware entries, why didn't HJT or Adaware or S&D just remove them and not comment them out--backups?)

2) The reason the answer to #1 is important is that under HKEY_USERS, those same malware entries and values are there but they are not duplicated and do not have the dash. Meaning, it looks like they could be executed, but all the offending files (executables) have been deleted (after a vicious battle). I wonder if these could be the files that Windoze is looking to run (most WERE in System32) and can't find so that Sys32 window is opened instead? That would make sense, except wouldn't Windoze normally just pop up an alert that the file could not be found?

Let me know what you think. At a minimum, I think I need to do something with the malware registry entries under HKEY_USERS. I wonder why HJT doesn't see them? BUDFRED?

pop pop
05-30-2005, 02:08 PM
I guess I should add that the event log does show an error/warning that says a service could not be started because the "module" could not be found. Two of the malware entries that are gone were 023's. They were scvhosting.exe and hwclock.exe.

david eaton
05-30-2005, 03:47 PM
Methinks it is time for a Hijack this log! Windows Explorer opening into the system32 folder is a known malware exploit. Both svchosting and hwclock are malware too!

pop pop
05-30-2005, 04:20 PM
The gurus speak, and I listen. Here's the log. I have to eat crow and admit HJT is seeing the scvhosting.exe 023 (file missing). I guess it never went away even when "fix" was checked. I seem to remember, the 023s are funny.

Logfile of HijackThis v1.99.1
Scan saved at 4:11:53 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] rundll.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rundll.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117414166124
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: starter (Protector) - Unknown owner - C:\WINDOWS\System32\scvhosting.exe" -netsvcs (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

EDIT: I'm wondering if this is bad: O4 - HKLM\..\Run: [Microsoft Update Machine] rundll.exe

EDIT AGAIN: On reflection and after digging some, my guess would be that 04 is bad. But I'll wait to hear from you David, or one of the others.

Sylvander
05-30-2005, 04:24 PM
"The other two, which have the malware entries and values are RUN- and RUNONCE- (notice the dash at the end)."
I believe these are minus signs. When in msconfig startup tab and you untick one of the items, if its setting is in the "Run" key it gets moved to "Run-", which disables it [the "Run-" key settings are not run]. If you re-tick the box it gets moved back to the "Run" key.
If you delete the data in the "Run-" key, then the entry disappears from the startup list in msconfig [I've done that a number of times. It was once my favourite method for eliminating things from the "Startup" list. Now I use "Startup" from www.mlin.net/StartupCPL.shtml]

"I guess the dash effectively invalidates the folder and the entries/values do not execute? Could I do that as a debugging method?"
No, these are special keys, rather like the "Startup" folder and [what's the name of the folder for disabled Startup items? I've forgotten.]
The way to disable a registry value is to export the key [or whatever] to a ".reg" file then delete the value [or whatever]. If it doesn't work, then "Merge" [double-click] the ".reg" file and the settings will be restored.
I also make backups of the whole C: partition, which when restored, will also restore such minor changes along with any others.

"it looks like they could be executed, but all the offending files (executables) have been deleted"
These are "Orphan" registry settings [they point to files that are not there]. Something like "Quarterdeck Cleansweep" [or is my memory playing tricks] would list things like these and offer the opportunity to delete all "orphans".
[Rather risky to delete ALL orphans in one go.]

pop pop
05-30-2005, 04:34 PM
OK Sylvander, that explains something. I didn't use MSCONFIG but I did use Spybot to prevent some stuff from running on startup. I guess that's where those Run- and Runonce- entries come from.

Sylvander
05-30-2005, 04:41 PM
RUNONCE entries should only exist for one startup [the "Run Once" bit], so there's something suspicious if they remain there.
I assume that when this thing [whatever it is] is run [just that once], one of its jobs [after it has done its thing] is to delete the RUNONCE setting from the registry. Or perhaps Windows deletes the setting as a separate process.

pop pop
05-30-2005, 09:21 PM
I made the assumption that the 04 was bad and fixed it with HJT. As far as the system32 window goes, there was no change, it still opens. I'm stumped. :(

Budfred
05-30-2005, 09:56 PM
There are at least three bad ones there... Please use HJT to fix:

O4 - HKLM\..\Run: [Microsoft Update Machine] rundll.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rundll.exe
O23 - Service: starter (Protector) - Unknown owner - C:\WINDOWS\System32\scvhosting.exe" -netsvcs (file missing)

That last one will probably require you to stop it in Services.msc or you could open HJT and select Config, then Misc Tools... Use the "Delete an NT service" and paste that entire item into the dialogue... Follow the directions to fix...

Then also try to find and kill:

C:\WINDOWS\System32\scvhosting.exe

Then, of course, reboot and post a fresh log...
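
A read-only audit that covers the points raised in Sylvander's and Budfred's posts above: Run/RunOnce/RunServices values whose target file is gone ("orphans"), blank values of the kind Paul Komski's link describes, entries under HKEY_USERS for other profiles, and services whose binary is missing (HJT's O23 "file missing"). This is an added example, not code from the thread or from HijackThis; it assumes Windows PowerShell 5.1 or newer on a current Windows and the standard registry locations the thread names.

```powershell
# Added example, not from the thread: read-only audit of the autostart
# locations discussed above. Nothing is deleted; review the output first.
# Assumes Windows PowerShell 5.1 or newer, run from an elevated prompt so
# the HKEY_USERS hives of other profiles are readable.

$cvKeys = 'Run', 'RunOnce', 'RunServices', 'Run-', 'RunOnce-'   # "Run-" = items msconfig disabled
$hives  = @('HKLM:', 'HKCU:')

# Other loaded user profiles live under HKEY_USERS (the HKEY_USERS question above).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$profiles = Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
foreach ($p in $profiles) { $hives += "HKU:\$($p.PSChildName)" }

# Pull the executable out of a command-line value such as
#   "C:\Program Files\X\x.exe" /service      or      REGSVR32.EXE /S CTASIO.DLL
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', ''          # strip the \??\ prefix some ImagePaths carry
    if ($cmd -eq '') { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted path that may contain spaces: shortest prefix ending in an executable extension.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|cpl|scr|com|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# A bare name like "rundll.exe" or "CTHELPER.EXE" is looked up the way the
# loader would: System32, then the Windows directory, then PATH.
function Test-TargetExists {
    param([string]$Target)
    if ($Target -eq '') { return $false }
    if ([System.IO.Path]::IsPathRooted($Target)) { return (Test-Path -LiteralPath $Target) }
    $dirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:PATH -split ';')
    foreach ($dir in $dirs) {
        if ($dir -and (Test-Path -LiteralPath (Join-Path $dir $Target))) { return $true }
    }
    return $false
}

function Get-AutostartFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($hive in $hives) {
        foreach ($sub in $cvKeys) {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $value = [string]$item.GetValue($name)
                $issue = $null
                if ($value.Trim() -eq '') { $issue = 'BlankValue' }          # the "" value case
                elseif (-not (Test-TargetExists (Get-CommandTarget $value))) { $issue = 'MissingTarget' }
                if (-not $issue) { continue }
                $display = $name
                if ($name -eq '') { $display = '(Default)' }
                $findings.Add([pscustomobject]@{
                    Source = $key; Name = $display; Value = $value; Issue = $issue
                })
            }
        }
    }

    # Services whose ImagePath points at a file that is gone (HJT's O23 "file missing").
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ([string]::IsNullOrWhiteSpace($svc.PathName)) { continue }
        if (-not (Test-TargetExists (Get-CommandTarget ([string]$svc.PathName)))) {
            $findings.Add([pscustomobject]@{
                Source = 'Service'
                Name   = "$($svc.DisplayName) ($($svc.Name))"
                Value  = $svc.PathName
                Issue  = 'MissingTarget'
            })
        }
    }
    return $findings
}

Get-AutostartFindings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Each reported line names the exact key or service, so a disabled-by-msconfig "Run-" entry can be told apart from a live "Run" entry before anything is exported and removed.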

pop pop
05-30-2005, 10:51 PM
The 04s are gone and so is the 023 now. The Event log error/warning that says a service could not be started because the file could not be found is gone too. Guess I thought I knew more about HJT than I do. Good to have you guys around.

System32 window still opens on boot. Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 10:47:17 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117414166124
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Budfred
05-30-2005, 11:28 PM
That O23 is pretty nasty... I suggest try running an MWavScan... It will produce a log in the lower right hand corner and you will need to use Ctrl-C to copy the bottom part of it that has the bad items and then paste it here for review....

http://www.mwti.net/antivirus/free_utilities.asp

It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...

pop pop
05-31-2005, 12:17 AM
Downloaded and running. Looks frighteningly thorough. Still scanning after 30 minutes and, yes, it's finding some stuff--22 bugs and some errors so far. Bitdefender online scan declared the PC clean. I ran CCleaner and there's one baddie in a temp directory-off of system32. Wow. I'll post when it's done.

pop pop
05-31-2005, 12:29 AM
Budfred,

The whole log is massive as I'm sure you know. Here's the smaller part in the window area named Virus Log Information. If this isn't correct let me know. BTW, the two items in the recycle have been deleted. I'm going to wait, but I assume the files marked as adware will need to be deleted.

Object "MaxSpeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "IBIS Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\CTDetect.cpl". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D0D01CA-2F42-3C3C-1BDA-55501C2A3958}" refers to invalid object "C:\WINDOWS\System32\Nmdoefgb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\Updater.BHO" refers to invalid object "{1D7E3B41-23CE-469B-BE1B-A64B877923E1}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\pxckdlauninstall.exe tagged as "not-a-virus:AdWare.BHO.NoName.f". Action Taken: No Action Taken.
File C:\WINDOWS\Xfta.exe.tcf tagged as "not-a-virus:AdWare.Midadle.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\asycfilt.exe tagged as "not-a-virus:AdWare.UrlSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\atl33502.exe tagged as "not-a-virus:AdWare.AdSrve.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\browselc.exe tagged as "not-a-virus:AdWare.UrlSpy.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\cabview8.exe tagged as "not-a-virus:AdWare.AdSrve.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\cmcfg320.exe.tcf tagged as "not-a-virus:AdWare.IEDriver.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File C:\Program Files\Common Files\roqf\roqfp.exe tagged as "not-a-virus:AdWare.Xupiter.m". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1214440339-764733703-725345543-1004\Dc1.cab infected by "Trojan-Dropper.Win32.Agent.az" Virus! Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-1214440339-764733703-725345543-1004\Dc2.tcf tagged as "not-a-virus:AdWare.AdSrve.b". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{0FF25DF8-3F2D-4435-92C1-AC859F9F563E}\RP2\A0000062.dll tagged as "not-a-virus:AdWare.Midadle.e". Action Taken: No Action Taken.
File C:\WINDOWS\pxckdlauninstall.exe tagged as "not-a-virus:AdWare.BHO.NoName.f". Action Taken: No Action Taken.
File C:\WINDOWS\system32\asycfilt.exe tagged as "not-a-virus:AdWare.UrlSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\atl33502.exe tagged as "not-a-virus:AdWare.AdSrve.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\browselc.exe tagged as "not-a-virus:AdWare.UrlSpy.b". Action Taken: No Action Taken.
File C:\WINDOWS\system32\cabview8.exe tagged as "not-a-virus:AdWare.AdSrve.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\cmcfg320.exe.tcf tagged as "not-a-virus:AdWare.IEDriver.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\JRJC45G0\kkq3[1].gif infected by "Trojan-Spy.Win32.Qukart.s" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
File C:\WINDOWS\Xfta.exe.tcf tagged as "not-a-virus:AdWare.Midadle.b". Action Taken: No Action Taken.

pop pop
05-31-2005, 12:58 AM
Just as an observation here...I'm running this mwav on one of my main systems, which is armed to the teeth. I think some of the results have to be examined closely. There must be some heuristics going on because I see what are likely a few false positives. That machine and those results are not the issue at hand though. Maybe another post at another time. I just wanted to make the point about possible heuristics and results.

Budfred
05-31-2005, 07:48 AM
The false positives are why I only use this as a scanning tool and don't recommend that people buy it...

That said, it is a good idea to use KillBox for this:

http://www.downloads.subratam.org/KillBox.zip

Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...

C:\WINDOWS\pxckdlauninstall.exe
C:\WINDOWS\Xfta.exe.tcf
C:\WINDOWS\system32\asycfilt.exe
C:\WINDOWS\system32\atl33502.exe
C:\WINDOWS\system32\browselc.exe
C:\WINDOWS\system32\cabview8.exe
C:\WINDOWS\system32\cmcfg320.exe.tcf
C:\WINDOWS\system32\KILLAPPS.EXE
C:\Program Files\Common Files\roqf\roqfp.exe

You are also going to need to reset System Restore and please download and run CCleaner to clear out Temp folders:

http://www.ccleaner.com/

A fresh HJT scan and even another MWavScan might be worthwhile to make sure we got it all...

pop pop
05-31-2005, 01:04 PM
I may be doing something wrong.

The list box is a flat file, not a drop down. It also has a character number limitation. I can enter the file names but do they get separated by anything like a space, semi colon, etc or just run them together. I tried running together and separating using a space. After they're entered and I click on kill, I get the confirmation dialog and a window saying verifying. Then it says they will be deleted on reboot, do you want to reboot now? I click yes, then it does not reboot. How about one at a time?

pop pop
05-31-2005, 04:18 PM
I did everything. Killed those files you listed, verified they are gone, turned off System Restore, ran CCleaner, ran HJT again followed by MWAV again. MWAV lists three items but doesn't say where they are. System32 still opens on boot.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:13:36 PM, on 5/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1117414166124
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Here's the MWAV:

Object "MaxSpeed Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "IBIS Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\CTDetect.cpl". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D0D01CA-2F42-3C3C-1BDA-55501C2A3958}" refers to invalid object "C:\WINDOWS\System32\Nmdoefgb.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\Updater.BHO" refers to invalid object "{1D7E3B41-23CE-469B-BE1B-A64B877923E1}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Budfred
05-31-2005, 09:34 PM
It sounds like you made the KillBox process harder than it needs to be, but it seems to have worked... It may be time to try a Repair Install to see if that fixes the problem... If it doesn't, we probably need to go to looking for a rootkit... If you want to go there first, run this:

http://www.f-secure.com/blacklight/

pop pop
05-31-2005, 11:49 PM
I've never successfully gotten the Repair Console on an XP system to work. Never. I have inevitably been forced to do in-place reinstalls instead. The issue there is, as far as the OS goes on this machine, I would be back at XP SP1 and have to redo all the updates. I'll wait on that. I'm game for this rootkit thing. I'll download and run and get back. Any additional or special instructions?

Budfred, is it possible I just broke something while doing repairs myself or that the system32 thing is just left over collateral damage? Windoze seems to be just not remembering that that window was closed and reopens it on boot. It does remember the location and size. I tried searching the registry for settings for this stuff but naturally came up empty.

Off to f-secure.

Budfred
05-31-2005, 11:56 PM
A Repair Install is different than using the Recovery Console...

http://www.michaelstevenstech.com/XPrepairinstall.htm

I am thinking that there was some damage in removing the malware, but it wasn't necessarily you that broke it... Some of the malware these days is embedding itself so deeply that it is not possible to remove it without damage... That is why I suggested the Repair Install...

pop pop
06-01-2005, 12:19 AM
The BlackLight rootkit app came back clean. Guess I'll have to go for the repair. Will advise later, likely tomorrow.

Thanks Budfred.

Sylvander
06-01-2005, 03:51 AM
Found this
System32 Folder Opens When Logging on to Windows XP (http://support.microsoft.com/default.aspx?scid=kb;en-us;170086)

pop pop
06-01-2005, 01:40 PM
Sylvander,

Thanks very much. I did look for null values in some areas of the registry and found none but I was Easter egg hunting (didn't know exactly where to look). This information will give me focus. It would be nice to give my brother-in-law back his PC in perfect condition since I put so much work into killing all the malware. I'll get on it when I get home from work.

Thanks again.

pop pop
06-01-2005, 09:22 PM
Sylvander,

Thanks again. Microsoft actually had some helpful info for a change. Thanks for pointing it out. What I found was that a single registry entry somehow got truncated, chopped off, or damaged and was causing the problem. It was in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. It was an entry for a software app menu. I deleted the truncated value and all is well. We may have to reinstall the software for that application (the sound card) but this is great. I can do that and declare this puppy well...till next time.

Thanks Budfred and Sylvander.

Sylvander
06-02-2005, 04:45 AM
"What I found was that a single registry entry somehow got truncated, chopped off, or damaged and was causing the problem."
I find it rather amazing that such things happen! :)
I wonder how/why?

pop pop
06-02-2005, 05:32 PM
I have no idea how or why. The registry entry was benign enough, not something malware would do. It was for the SoundBlaster Audigy menu. Specifically, it looked like language selection. The only thing in the "Data" value was this: /L = En.

I have a SoundBlaster card in one of my boxes and there is no entry like that, not even similar, and my SB entries are not in the same area of the registry. Beats me, Sylvander. I just know it is fixed.

Now, today I found some more info on a "bug" that WAS in his system. It's very disturbing. The registry entry was a command to run an executable called winman.exe. When I Googled that, I wound up on a web page for a commercial product called Backlog. It's a product that records absolutely everything done on a PC...all keystrokes, all web sites visited, IMs, chats...everything. The instructions for it (following buying) are download, unzip, and install. After that, it runs on every boot and saves all the data to a text file for later viewing. This would seem to me to indicate someone had physical access to his PC and put this thing on there. The text file, if there ever was one, was nowhere to be found. Scary stuff.

Steve
06-02-2005, 09:52 PM
I'd be willing to bet that one of the pieces of malware that you deleted was a little SMTP email server. Very small and randomly named and used to send that text file to...

pop pop
06-02-2005, 11:43 PM
You might be right, Steve. I killed so much stuff it is very possible.

What really pisses me off about this is we've shot right by malicious intent to flat out criminal. Someone should serve time for this type of stuff. People are just so naive. They seem to have no clue as to how really bad it is out there and that they must, must protect themselves.

Budfred
06-02-2005, 11:57 PM
Most of this garbage is criminal, even if it hasn't been called that yet by the government... It looks like they are beginning to move on making it illegal and punishable, but they are still leaving some loopholes... There are at least a couple of them that have been taken down in the last year, but there are dozens more grabbing for a piece of the pie... :mad:

Steve
06-03-2005, 11:56 AM
Even if the US government makes these actions criminal (which I doubt will happen soon), what are they going to do when the offending party is in Madagascar or Rumania?

The global nature of the internet is one of its biggest advantages and one of its biggest liabilities.

Budfred
06-03-2005, 08:35 PM
I am not sure how they intend to deal with that, but they are addressing it in the law, so hopefully someone has at least thought about it... The proposals are posted at SWI with Mike's analysis of them...

Budfred
06-05-2005, 11:05 AM
pop pop,

I got a PM from an Expert at SWI who was looking at your log that this may have been the reason for your issue:

O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

She said: "Maybe this could be a help, but the system32 folder is opening because there is an improper registry setting present that can cause the problem." And said that fixing it with HJT may be worthwhile... I know you already resolved the problem, but it may be worthwhile to check this out...
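
A defender-side check for the condition the KB article and the HJT O4 line above describe, as an added example that is not from any of the posts: it classifies Run-key values whose program path has been chopped off (only a switch like `/L:ENG` left), that are blank, or that point to a file that no longer exists. The sample data is constructed; `exists` is injectable so the check runs off-Windows, and `hkcu_run_values` uses the standard-library `winreg` module when run on Windows.

```python
# Added example for this thread (not from any post): classify Run-key values
# that cannot start a program. Per the KB article cited above, a blank or
# non-launchable value under Run makes Windows open System32 at logon; here
# the program path was chopped off, leaving only "/L:ENG".
import os
import re

SWITCH = re.compile(r"^[/-]")                     # "/L:ENG": a switch, not a program
QUALIFIED = re.compile(r"^(?:[A-Za-z]:|\\\\|%)")  # drive, UNC or env var: a real path

def first_token(data):
    """Executable part of a Run value: the quoted segment, else the first word."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(None, 1)[0] if data else ""

def classify(name, data, exists=os.path.exists):
    """Return (name, verdict, exe); `exists` is injectable for offline tests."""
    exe = first_token(data)
    if not exe:
        return (name, "blank", exe)
    if SWITCH.match(exe):
        return (name, "no executable", exe)        # only switches survived
    if QUALIFIED.match(exe) and not exists(os.path.expandvars(exe)):
        return (name, "missing file", exe)
    return (name, "ok", exe)                       # bare names resolve via PATH

def audit(values, exists=os.path.exists):
    """Entries that would fail to launch, from (name, data) pairs."""
    return [r for r in (classify(n, d, exists) for n, d in values) if r[1] != "ok"]

def hkcu_run_values():
    """Enumerate the HKCU Run key on Windows; [] elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    n_values = winreg.QueryInfoKey(key)[1]
    return [(v[0], str(v[1])) for v in (winreg.EnumValue(key, i) for i in range(n_values))]

# Constructed sample: the thread's HJT O4 line plus healthy and blank entries.
SAMPLE = [
    ("SB Audigy 2 Startup Menu", "/L:ENG"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("ZoneAlarm", r'"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" /nopopup'),
    ("Orphan", ""),
]
```

On the affected machine, `audit(hkcu_run_values())` returns the same kind of entry the thread ended up deleting by hand; repeat it for the HKLM Run key to cover the other location named in the KB article.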

pop pop
06-05-2005, 12:57 PM
Thanks Budfred.