Dear Doug:
Thanks for your reply.
I tried the following:
1- Cold boot into safe mode.
2- Turned off system restore.
3- Ran Norton anti-virus (2002) system scan with 3/22/04
virus definitions. No virus found.
4- Ran AD-aware 6.0 system scan. Found and quarantined
many data miners.
5- Regedit works OK in safe mode.
6- Normal cold boot - Regedit closes by itself.
7- Turned on system restore.
I ran your Startup Program Tracker:
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\RunOnce
No Items Found
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi
on\Run
NvCplDaemon RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
MoneyStartUp10.0 "C:\Program Files\Microsoft
Money\System\Activation.exe"
AdaptecDirectCD "C:\Program
Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
DwlClient C:\Program Files\Common
Files\Dell\EUSW\Support.exe
Microsoft Works Update DetectiC:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
QD FastAndSafe
NAV Agent C:\PROGRA~1\NORTON~2
\NORTON~3\navapw32.exe
iamapp C:\Program Files\Norton
Internet Security\IAMAPP.EXE
KernelFaultCheck
HPDJ Taskbar Utility C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb04.exe
nwiz nwiz.exe /install
Multi-PC mpc.exe
-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\RunOnce
Multi-PC mpc.exe
-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio
n\Run
ctfmon.exe C:\WINDOWS\System32
\ctfmon.exe
NvMediaCenter RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVers
ion\RunOnce
No Items Found
-- Start Menu - Current User --
DESKTOP.INI
-- Start Menu - All Users --
Adobe Gamma Loader.lnk
DESKTOP.INI
Digital Line Detect.lnk
Microsoft Office.lnk
NkvMon.exe.lnk
-- Disabled Items --
No Items Found
-- Registry - Shell Value -
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon --
Explorer.exe
-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
CSRSS.EXE
winlogon.exe winlogon.exe
SERVICES.EXE C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
SVCHOST.EXE C:\WINDOWS\system32\svchost -k rpcss
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k
netsvcs
SVCHOST.EXE
SVCHOST.EXE
SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
explorer.exe C:\WINDOWS\Explorer.EXE
Directcd.exe "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
Support.exe "C:\Program Files\Common
Files\Dell\EUSW\Support.exe"
WkUFind.exe "C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe"
Navapw32.exe "C:\PROGRA~1\NORTON~2\NORTON~3
\navapw32.exe"
IAMAPP.EXE "C:\Program Files\Norton Internet
Security\IAMAPP.EXE"
hpztsb04.exe "C:\WINDOWS\System32
\spool\drivers\w32x86\3\hpztsb04.exe"
mpc.exe "C:\WINDOWS\System32\mpc.exe"
ctfmon.exe "C:\WINDOWS\System32\ctfmon.exe"
RUNDLL32.EXE "C:\WINDOWS\System32\RUNDLL32.EXE"
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
NkvMon.exe "C:\Program Files\Nikon\NkView5
\NkvMon.exe"
alg.exe
CISVC.EXE C:\WINDOWS\System32\cisvc.exe
CTSVCCDA.EXE C:\WINDOWS\System32\CTSvcCDA.EXE
mdm.exe "C:\Program Files\Common
Files\Microsoft Shared\VS7Debug\mdm.exe"
Navapsvc.exe "C:\Program Files\Norton
SystemWorks\Norton AntiVirus\navapsvc.exe"
NISUM.EXE "C:\Program Files\Norton Internet
Security\NISUM.EXE"
NPROTECT.EXE "C:\Program Files\Norton
SystemWorks\Norton Utilities\NPROTECT.EXE"
nvsvc32.exe C:\WINDOWS\System32\nvsvc32.exe
NOPDB.EXE C:\PROGRA~1\NORTON~2\SPEEDD~1
\nopdb.exe
SVCHOST.EXE C:\WINDOWS\System32\svchost.exe -k
imgsvc
SYMPROXYSVC.EXE "C:\Program Files\Norton Internet
Security\SymProxySvc.exe"
wanmpsvc.exe "C:\WINDOWS\wanmpsvc.exe"
MsPMSPSv.exe C:\WINDOWS\System32\MsPMSPSv.exe
NISSERV.EXE "C:\Program Files\Norton Internet
Security\NISSERV.EXE"
CIDAEMON.EXE cidaemon.exe
DownLevelDaemon "c:\program
files\dell\support\ui\search\catalog.wci" 196672l 1272l
StartupTracker3.exe "C:\Mark\microsoft\StartupTracker3
\StartupTracker3.exe"
wmiprvse.exe
(I did not include Running Services, as per your
directions)
This virus seems well hidden. What should I do now?
Regards,
Mark
-----Original Message-----
You have a virus. Likely one of the following:
W32.Klez
http://securityresponse.symantec.com/avcenter/venc/data/w (e-mail address removed)
(e-mail address removed)
32.spybot.worm.html
For additional help see
www.dougknox.com, Win XP
Utilities, Create Emergency Copies of Critical XP System
Utilities. This small VB Program will create backup,
usable copies of Task Manger, Regedit and MSConfig (named
Taskmgr1.exe, Regedit.com and MSConfig1.exe) in a new
folder C:\EmergencyUtil. Many virus programs will
intercept these programs, based on their original file
name. The modified file names, allow them to be run.
Open Windows Explorer to C:\EmergencyUtil and double
click the application you need. The next revision will
allow you to browse for the folder you want to place the
backups in.
Additionally, see the Win XP Utilities section for
Startup Programs Tracker. This small utility scans your
system for startup programs and running processes. It
also allows you to create a log file that can be copied
and pasted into a newsgroup post. The contents of the
program window are also copied to the Windows Clipboard,
automatically. For replies to newsgroup posts, do NOT
include the Running Services, unless its absolutely
necessary.
--
In memory of Robert McGregor (aka Koldbear)
http://www.btinternet.com/~winnoel/winhelp.htm
--------------------------------
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
"Mark C. Stern" <
[email protected]>
wrote in message
[email protected]...
