elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua

Premium Member

"New" Virus Seems to be gateway for spyware

Hello all,

I just wanted to get a warning out there about a really nasty virus. So far Symantec is calling the virus w32.spybot.worm but I think that the write up that they have is erroneous.

For the past 3 days at work we have been battling this virus. We believe that it gets loaded from the following website:

rev0lt.net

We noticed that the problem started after a few users complained of that website opening upon login. Within the hour we had monstrous amounts of network traffic.

It only seems to affect NT/2000/XP machines. The 3 Windows 98 machines on our network were not affected at all. For the NT-based machines it creates several executable files. The virus creates/drops bling.exe and sys32.exe in %systemroot%\system32. If the machine does not have Windows 2000 SP4 it will create a hidden system file called MSNMGR5.exe in the system32 folder. It also creates a file called index.exe in the root of c:\.

These files together open up every available port on the host PC and infect other PCs through older MS RPC vulnerabilities. To remove the virus we have been doing the following:

1. Boot the PC into safe mode
2. Delete sys32.exe, bling.exe, index.exe, and msnmgr5.exe if it exists.
3. Search the registry and delete all entries with those exe's as values.
4. Apply the following Microsoft patches. We downloaded them, burned them to CD and installed them on the infected PCs in safe mode.

Win2K
KB828035
KB828741
KB828749
KB835732

WinXP
Q315000
Q815021
KB828035
KB828741
KB835732

We have noticed that this virus seems to be a gateway for spyware applications. Machines that had no spyware prior to Tuesday had horrible amounts of popups. We found that the following software had been installed:

WSEM
Windows SynchroAD
Windows SR 2.0
Active Alert
webrebates0
webrebates1

I just wanted to give a heads up to admins out there. I talked to our ISP and they informed me that several of their clients are experiencing the same issue. I hope this helps.

Dr Tweak
join:2004-09-23
Chesapeake, VA

Dr Tweak

Member

Thanks for the heads up but this is something that your network shouldn't even have been slightly affected by at all.

If the basics were covered... ALL Windows updates done, quality AV program, spyware protection and some type of firewall, then this would have never been an issue.

I can't understand for the life of me why the system admins where I work, and everywhere else I know, have a reactive instead of proactive response to computer security. I do understand that it takes time to keep things up to date and secure but that is their job. Where I work they are still using Symantec Corp 7.0 and it's not even set for scheduled scans; Symantec is terrible to begin with and they are 3 or 4 versions behind.


elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua

Premium Member

said by Dr Tweak:
If the basics were covered... ALL Windows updates done, quality AV program, spyware protection and some type of firewall, then this would have never been an issue.
I can't understand for the life of me why the system admins where I work, and everywhere else I know, have a reactive instead of proactive response to computer security. I do understand that it takes time to keep things up to date and secure but that is their job. Where I work they are still using Symantec Corp 7.0 and it's not even set for scheduled scans; Symantec is terrible to begin with and they are 3 or 4 versions behind.



Just for the record, we are using Symantec Corp 9.0 and this thing entered through a website, port 80. Can't really block that. In a perfect world, yes, all machines would be updated. In the real world we get to what we can. Not every machine on the network was infected. However, the ones that were created a DoS-style attack on the network and slowed everyone down. Out of 250 PCs I counted about 30 as being infected. When you are not sure if a machine is infected or not you have to check them all. It took 2 days to get things calmed down.

EDIT:

Also wanted to add that we have a centralized antivirus server that pushes definition updates out as available. To date the server and clients have not caught this once. I have scanned machines offline with a definition date of 9/22 and it picks up nothing. I scanned the exe's directly and symantec found nothing. I submitted the files directly to Symantec and am awaiting their response.

The major problem in the corporate world is that there is too high a user/computer to IT staff ratio, and poor upper management decisions. We had blocked all known spyware sites at the firewall level and were forced by the managing partners to remove this because they were blocked from certain sites. We gave them the "we told you so" speech when they tried to blame our lack of vigilance (it felt good to give that speech too!).

Dr Tweak
join:2004-09-23
Chesapeake, VA

Dr Tweak to elboricua

Member

to elboricua
I understand your point elboricua, but as I said above "quality AV program" and Symantec does qualify, I have seen it miss virus after virus after trojan after trojan, and malware detection... forget it.

It's sad that Symantec is the most widely used corporate AV out there because I have seen first hand how poor its detection rate is, and downtime is extremely costly for big businesses. If they realized how much money they spent for such an AV program and also realized how much downtime and IT personnel time was spent fixing its lack of virus detection they would never buy such a product.

Kaspersky outperforms Symantec any day of the week and when overall cost is figured in it is quite inexpensive.


univc
@12.10.x.x

univc

Anon

I face the same problem with the rev0lt.net site and another site, gen0cide.com...

Tried all tricks with NAV but hopeless... Have been trying to delete index.exe etc. from the registry and hard disk but somehow everything seems to come back on the next reboot...

Has anyone else faced the same problem with gen0cide and rev0lt??

elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua

Premium Member

There are several files that you need to delete if they exist.

bling.exe
MSNMGR5.exe
SYS32.exe

and index.exe. Search the registry and delete all instances of each. sys32.exe hides itself as a USB driver. Once you clear out the files and reg entries shut the PC down.

Make sure that you have all of the critical updates on the machine as well. The machines might be getting reinfected from another machine on the network.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni

MVM

A new variant?
from
»vil.nai.com/vil/content/ ··· 0282.htm
"..- Update March 05, 2004 --
This family of worms has more than 1,000 variants now! Majority of variants are proactively detected. For maximum protection users are recommended to:

* use the latest engine/DAT combination
* ensure the scanning of compressed files is enabled.."

Cudni

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell

Premium Member

Cudni, I think you have the right idea, there are thousands of variants in this "bot" family .. Dr Tweak, I would be first to say that KAV is excellent but I think we need to try to help elboricua, the O.P., with what he has to work with at the moment .. let's try to meet him where he is at right now, rather than where we might wish him to be in the future ..

For elboricua -- Sometimes these "spybot worms" are packed, and hopefully your submission will be added for detection soon, since if your version of SAV isn't detecting it they will need to add a signature, even if it is a packed version of something already detected. Hope that helps.

elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua

Premium Member

From the email that I got from Symantec the newest Intelligent Updater should have the definition file. I installed and tested on a machine that I took offline and infected on purpose. SAV detected the files and deleted them but did nothing to the registry entries. I still had to go through by hand and kill the registry entries. At least it is a start. Oh and the email stated that this was not malicious code. Heh, I guess a worm that causes a denial of service event on a network is not malicious

univc
@12.10.x.x

univc to elboricua

Anon

to elboricua
Thanks...Did try to delete all these three files. But they seem to reappear for some reason.

Also, there is another file, mt-uninstaller, which I think installs MediaTickets every time I connect to my dial-up internet connection or DSL connection.

Any information on the gen0cide page it is trying to open?

Thanks

stevepsilver
@knology.net

stevepsilver to elboricua

Anon

to elboricua
I got boned by this thing too.. I was at the Bellagio hotel in Vegas, I assume they have no/poor firewall. I also have NAV corporate with the latest definitions.

I am not positive this is related stuff but I noticed that some of my infected systems also had "mt-uninstaller.exe" and another file with the name "0". These files were installed about the same time as the "msnmsgr5.exe" file. I also had a c.bat file which was trying to run a dos window with some ftp commands.

Since the infection I can no longer run a DOS version of a program we use here. I get an error box -

16 bit MS-DOS subsystem
c:\docume~1\steve\desktop\q&a.pif
c:\winnt\system32\autoexec.nt. The system is not suitible for running MS-DOS and Microsoft Windows Applications.
Choose close to terminate this application.

I hope this helps some of you.. and can anyone tell me what is up with my MS-DOS? I'll check back shortly.

Regards, Steve

BKayrac
Premium Member
join:2001-09-29

BKayrac

Premium Member

No idea, but if you think you're infected you can follow the steps in this link:
»Security »I think my computer is infected or hijacked. What should I do?
and post a new thread here with your HijackThis log and a bit of explanation.

elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua to stevepsilver

Premium Member

to stevepsilver
said by stevepsilver:
I hope this helps some of you.. and can anyone tell me what is up with my MS-DOS? I'll check back shortly.

Regards, Steve

We actually caught this one today. You will need to replace the %systemroot%\system32\autoexec.nt file with one from a known working machine. We did that on a few machines after some of our legacy programs refused to run. The file size should be 605 bytes.

NyQuil Kid
8f The Nyquil Kid
join:2001-01-06
Brick, NJ

NyQuil Kid to elboricua

Member

to elboricua
We've seen these and other files all over the place; you also want to check for the following:

Win32 USB2 Driver smsc.exe
starter scvhosting.exe
mismo bling.exe
tourpath regedit /s c:\winnt\tour.reg
Win32 USB service usbspool.exe
Windows Automatic Updates bling.exe
Windows Update bling.exe
window2 homo.exe
Microsoft Updating Machine sysc0de.exe
Microsoft Update

*vssav
*xmimc
Microsoft AUT Update MSlti16.exe
Microsoft Update Machine Linux.exe
Cryptographic Service pfdtpch.exe
Windows DLL Loader passcfg16.exe
Windows System Configuration passcfg16.exe
Videoprocess vv.exe
Microsoft Service exename.exe
Service Scheduler scheduler.exe
Win32 System Spool spoolsvc.exe
Microsoft Service exename.exe

We used my bootable Public AntiVirus CD to run a scan on the computer, then entered safe mode and cleaned out the registry, as well as looking for "rogue" files not picked up by any antivirus (we submit those to Symantec and McAfee).

If it helps, feel free to download the Public AntiVirus CD at »nyquil-kid.dyndns.org

HTH,

[8F] The NyQuil Kid

elboricua
El Subestimado
Premium Member
join:2001-08-12
Bronx, NY

elboricua

Premium Member

I received an updated reply from Symantec. Bling.exe is now flagged as malware in their scans, as are index.exe, mt-uninstaller, and sys32.exe.

Here is an excerpt from their email.

Dear First Name Last Name,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: bling.exe
machine: AVCAutomation:
result: This file is infected with W32.Spybot.Worm

filename: bling.reg
machine: AVCAutomation:
result: This file is clean

filename: index.exe
machine: AVCAutomation:
result: See the developer notes

filename: sys32.exe
machine: AVCAutomation:
result: This file is infected with W32.Spybot.Worm

Developer notes:
bling.exe is non-repairable threat. Please delete this file and replace
it if necessary. Please follow the instruction at the end of this email
message to install the latest rapidrelease definitions.
bling.reg does not appear to be malicious. However, it can be a
component of a malicious code. It is therefore recommended that you
delete this file.
index.exe contains no malicious code, but performs actions on your
machine without your permission/knowledge. It is safe to delete this
file.
sys32.exe is non-repairable threat. NAV with the latest rapidrelease
definition detects this. Please delete this file and replace it if
necessary. Please follow the instruction at the end of this email
message to install the latest rapidrelease definitions.

NyQuil Kid
8f The Nyquil Kid
join:2001-01-06
Brick, NJ

NyQuil Kid

Member

Yeah I received the same email. If it helps, feel free to download my Public AntiVirus CD at »nyquil-kid.dyndns.org - it's an ISO file that you can use to create a bootable CD and scan your HD.

HTH.

[8F] The NyQuil Kid

johngNJ
@optonline.net

johngNJ to elboricua

Anon

to elboricua
I am dealing with the same exact issue at my work. I have 750 desktops and I use SMS to push the critical updates to the PCs and we use Symantec Anti-Virus CE. Our virus definitions are always up to date. About 40 desktops got infected; apparently the MS04-011 did install right on these systems and they were vulnerable to the worm.
It must be another variant of the w32.spybot.dhv virus because the SAV Sept 22nd definition file did not catch it at all even though the Sept 7th definitions supposedly detect it.
We called Symantec and they are basically blowing us off about the whole thing. They said that they were not hearing about this from any other corporations.
The only way we found out about it was from users calling complaining that their system froze up. We took a look and found the common exe was win32usb.exe; it was in the system32 folder and had registry entries. We monitored the network and saw a lot of TCP port 445 traffic coming from the infected PCs.
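A network-side check for the behaviour johngNJ and the OP describe (infected hosts pushing large amounts of TCP 445 traffic at other machines), as an added example that is not from the thread: it parses constructed connection-log lines and flags any source that reaches many distinct hosts on the worm's SMB/RPC ports within one minute. The log layout, the window and the threshold are assumptions, and it goes beyond the post by also counting ports 135 and 139.

```python
"""Flag hosts fanning out to the SMB/RPC ports this worm spreads over.
Added example, not from the thread. Log lines are constructed in an
iptables-like layout; field names, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# TCP 445 is the port johngNJ saw the infected PCs hammering; 135 and 139 are
# the other classic MS RPC/NetBIOS entry points this worm family abuses.
WORM_PORTS = {135, 139, 445}
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+)")

Event = Tuple[datetime, str, str, int]


def parse_line(line: str) -> Optional[Event]:
    """Return (timestamp, src, dst, dport) for a TCP log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"], m["dst"], int(m["dpt"]))


def scanners(lines: List[str], window: timedelta = timedelta(seconds=60),
             min_targets: int = 10) -> Dict[str, int]:
    """Sources that reach >= min_targets distinct hosts on worm ports inside one
    sliding window, mapped to the peak distinct-target count observed."""
    events = sorted(e for e in map(parse_line, lines) if e and e[3] in WORM_PORTS)
    recent: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    peak: Dict[str, int] = {}
    for ts, src, dst, _ in events:
        bucket = recent[src]
        bucket.append((ts, dst))
        while bucket and bucket[0][0] < ts - window:   # expire old connections
            bucket.pop(0)
        distinct = len({d for _, d in bucket})
        if distinct >= min_targets and distinct > peak.get(src, 0):
            peak[src] = distinct
    return peak


# Constructed sample: one infected host sweeping the subnet on 445, a file
# server making a couple of normal SMB connections, and unrelated web traffic.
SAMPLE_LOG = [f"2004-09-23 10:15:{i:02d} SRC=10.0.1.23 DST=10.0.1.{100 + i} PROTO=TCP DPT=445"
              for i in range(12)] + [
    "2004-09-23 10:15:05 SRC=10.0.1.5 DST=10.0.1.23 PROTO=TCP DPT=445",
    "2004-09-23 10:15:06 SRC=10.0.1.5 DST=10.0.1.24 PROTO=TCP DPT=445",
    "2004-09-23 10:15:07 SRC=10.0.1.40 DST=10.0.1.41 PROTO=TCP DPT=80",
    "2004-09-23 10:15:08 SRC=10.0.1.40 DST=10.0.1.42 PROTO=TCP DPT=80",
    "2004-09-23 10:30:00 SRC=10.0.1.23 DST=10.0.1.200 PROTO=TCP DPT=445",
]

if __name__ == "__main__":
    for src, n in scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on SMB/RPC ports within 60s")
```

On a real network the same fan-out count can be fed from firewall, IDS or flow exports; the point is the distinct-destination count per source, not any one log format.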

compgeek1981
@attbi.com

compgeek1981 to univc

Anon

to univc
You can remove Bling.exe and all viruses associated with it by using Stinger. NAV is not able to detect it yet.

»vil.nai.com/vil/stinger/

Aurthuric
@dsl.sfldmi.ameritech

Aurthuric to Dr Tweak

Anon

to Dr Tweak
I have also had to battle this problem in over 100 computers... I also used to use symantec corp 9.0....

I now use AVG from Grisoft. It outperforms Symantec and Norton and has better updates.

Its cost for a network is much lower than symantec.

I also use Spybot S&D and Ad-Aware 6.0 as an added level of detection. I have had good luck using all three to eliminate this bad boy virus. I have one machine that I can't seem to get cleaned, but I am working on it.

Uptown Joe
@roel.com

Uptown Joe to compgeek1981

Anon

to compgeek1981
We have an outbreak on our network - We are using SAV 9 Corp Edition. Bling.exe, Loud.exe, 1oud.exe are the file names that it is using to transport itself. Once it's on the computer it starts adding toolbars to IE and generating pop-ups. The other really cool feature is all the crap programs that are auto-installed onto the machine.

Thanks for the heads up on Stinger - We are going to try it and will let you know.

Joe
seanwjones
join:2004-10-15
UK

seanwjones to elboricua

Member

to elboricua
CURRENT STRESS LEVEL: About to kick computer across the room and then go on murderous rampage.

HISTORY:

(a) The INFECTION

After a hard disc failure I had to rebuild my system. I installed windows xp Pro onto a new HDD, installed Norton Systemworks 2004 (which has NAV as one of its constituent elements) and then went online to download windows patches and NAV virus definition updates.

This was a huge error.

Very shortly thereafter I began to get Messenger Spam. Then my system began to fail. I would receive a message telling me that there was a problem with Lsass.exe and my system was closing itself down.

Eventually I managed to download all the updates and the messenger spam stopped. So, it seemed, did the lsass.exe difficulties.

(b) TROUBLE STARTS and FIRST ATTEMPTS TO SOLVE

NAV picked up some instances of Blaster which it could not delete. After some web research that problem was dealt with by disabling System Restore, booting to safe mode and running NAV.

Then I noticed that my browser would launch on dialup connection and open a website with the now familiar rev0lt.net url. After some poking around on the internet and in Windows Task Manager I found 3 files I thought were suspicious: MSNMGR5.exe, INDEX.exe and SOUNDMAN.exe. The last of these said that it was part of my realtek sound drivers (my sound was not working) so I left it alone. I'll come back to that one.

I stopped the MSNMGR5 and INDEX.exe processes and deleted the files (INDEX.exe was sat right under c:/). This meant no more trips to rev0lt.net.

(c) STILL MORE TROUBLE

However, I found that every time I launched Firefox or IE popunder windows would launch bringing me to AOL 9.0, BT openworld and certain other ad sites. This irked me.

(d) A SOFTWARE PURCHASE BLITZ

I downloaded and registered: Webroot Spysweeper, Spyware Doctor and Ad-Aware SE plus. They each found problems but none solved the popunder issue.

I also installed Windows XP SP2 and its patches.

WHERE I AM NOW

The popunders continue. I have found in my registry (at HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run) the following

(a) MSNMGR5 REG_SZ MSNMGR5 (there is also a reference at the RunServices sub-key)
(b) REEGRUN REG_SZ c:\index.exe
(c) Soundman REG_SZ SOUNDMAN.EXE (I have uninstalled the sound drivers so I now know this has nothing to do with realtek)

There are no apparently corresponding processes visible in Task Manager.

If I delete these entries from the registry they immediately reappear. I can watch them pop back in Ad-aware or in spysweeper. This happens whether in safe mode or normal and without any new process apparently jumping into life in Task Manager.

In addition to the software mentioned above I have also thrown at it: HijackThis (bot entries reappear immediately after being fixed), Spybot Search and Destroy (finds nothing), Stinger (found a virus and deleted it but without affecting the problem) and Kaspersky anti-virus (worked impressively in that it found much that NAV had missed but did not solve my problem).

Having read messages here I have gone looking for (but failed to find) bling.exe, sys32.exe and a number of others. I did not find any. However, Windows Explorer now falls over every time I run Search. My paranoia has me convinced it is being disabled by the bot.

I am also unable to receive incoming email via port 110

HELP!!!

Any suggestions short of a reformat as to what I do next?

The only other oddity I have spotted is that last time I booted, having run all the relevant software in safe mode and apparently succeeded in weeding the evil out of the registry, the problem entries instantly reappeared. I instantly deleted them. NAV then popped up two windows telling me that the following file was waiting for a scan: "wuredir.cab.bak". I know that this nasty tries to DoS Windows Update. I know it is redirecting my browser and I know that it has some crazy self-healing backup so I wondered if this might be the culprit. No doubt it isn't but I could not find any reference to the file by googling.

claudeo
join:2000-02-23
Redmond, WA

claudeo to elboricua

Member

to elboricua
I suggest you start over, reformat and reinstall from scratch. But this time connect to the internet through a NAT/router, not directly. If you connect directly, your system is attacked and compromised the second you connect, long before the patches are downloaded and installed. Everything you do after that just compounds the problem.

seanwjones
join:2004-10-15
UK

seanwjones

Member

Bah! I knew someone would say that. I have done the necessary. 2 days of reinstalling software ahead of me now.

The world is a scary place when time to infection is a matter of seconds :-(

Sean

Dr Tweak
join:2004-09-23
Chesapeake, VA

Dr Tweak

Member

seanwjones please post a HijackThis log for us to look at.

seanwjones
join:2004-10-15
UK

seanwjones

Member

Kav,

It is all academic now. I went nuclear and reformatted my HDD. However, in the interests of science ... here is the HijackThis log I took:

HIJACK THIS LOG:

Logfile of HijackThis v1.97.7
Scan saved at 23:55:03, on 15/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Sean Jones\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: SmartWhois (HKLM)
O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095588126186
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
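The removal steps in the original post (search the registry for the dropped executables) and the HijackThis log above both come down to the same triage: read the O4 autorun entries and the process list and pick out the names this thread reports. Here is that check as an added example, not code from the thread or from the HijackThis project; the IoC list is the executables named in the posts above, the sample log is constructed to mirror the layout of the one seanwjones posted, and the "bare file name" and "RunServices" heuristics are additional checks of my own.

```python
"""Triage a HijackThis-style log for the autorun entries this thread reports.
Added example, not from the thread or the HijackThis project; the IoC names are
the executables named in the posts above and the sample log is constructed."""
import re
from typing import Dict, List, Optional

# Executable names the thread reports as dropped by this spybot variant.
THREAD_IOC_NAMES = {
    "bling.exe", "sys32.exe", "msnmgr5.exe", "msnmsgr5.exe", "index.exe",
    "mt-uninstaller.exe", "win32usb.exe", "loud.exe", "1oud.exe",
}
# Matches e.g.  O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe path in a Run command, quoted or not; arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)\b', re.IGNORECASE)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line into hive, key, value name and command, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def command_exe(cmd: str) -> str:
    """Executable path from a Run command, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().strip('"').split(" ")[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious running process or O4 autorun entry."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:  # the process list ends at the first blank line
            in_processes = bool(line)
            if basename(line) in THREAD_IOC_NAMES:
                findings.append({"where": "process", "item": line,
                                 "reason": "executable name reported in this thread"})
            continue
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = command_exe(entry["cmd"])
        reasons = []
        if basename(exe) in THREAD_IOC_NAMES:
            reasons.append("executable name reported in this thread")
        if "\\" not in exe:  # resolved via the search path; check where it lives
            reasons.append("bare file name, no directory")
        if entry["key"] == "RunServices":  # honoured only by Windows 9x/ME
            reasons.append("RunServices key on an NT-based host")
        if reasons:
            findings.append({"where": entry["hive"] + "\\..\\" + entry["key"],
                             "item": "[" + entry["name"] + "] " + entry["cmd"],
                             "reason": "; ".join(reasons)})
    return findings


# Constructed sample in the HijackThis layout, not the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\MSNMGR5.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSNMSGR5] MSNMSGR5.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [MSNMSGR5] MSNMSGR5.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
```

Run against the constructed sample it flags the MSNMGR5 process, both MSNMSGR5 entries, C:\index.exe and the bare SOUNDMAN.EXE, and leaves ccApp and ctfmon alone; a bare-name hit such as SoundMan is a prompt to verify the file's location, not a verdict on its own.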

CajunTek
Insane Cajun
Premium Member
join:2003-08-08
Arlington, TX

CajunTek

Premium Member

You might want to read a little bit about spywaredoctor..
»www.spywarewarrior.com/r ··· ware.htm

seanwjones
join:2004-10-15
UK

seanwjones

Member

There isn't anything about Spyware Doctor at the url you suggest other than to say I shouldn't confuse it with spydoctor (which is apparently suspect). Spyware doctor can be found at »www.pctools.com/spyware-doctor/ and, so far as I can tell, is legitimate.

Sean