Hello,

This is my second attempt at posting this problem (thanks to jholland for directing me to the appropriate place); hopefully this is the info needed to figure this out! My computer has essentially been broken for two weeks now, and I'm getting worried I'll have to wipe all the HD's and start fresh. I saw crunchie's recent reply to an Antivirus XP 2008 problem, but I seem to have a slightly different flavor of bug on my hands...

Here's what I'm encountering:

--Downloader.Mislead.app found by Symantec anti-virus (corporate) repeatedly, even after quarantine/delete (which it tells me is successful...)
--Spybot S&D finds nothing major (a couple of tracking cookies after the latest scan)
--The machine will randomly do something that appears to be a BSOD while it is idling (when booted into normal mode, XP Pro, SP2)
--However, these pseudo-BSOD's can be interrupted by hitting any key, at which point the machine resumes functioning as though nothing happened. If I don't hit a key, it reboots.
--A weird folder is continually created in the registry called rhc30bj0ej17.exe (the file associated with Downloader.Mislead.app, apparently
--Antivirus XP 2008 no longer launches on startup, or DL's anything when the machine is connected to the internet

Please let me know which mode I should boot into to execute the things you advise (safe mode, safe mode w/ networking, regular mode). Also, I disabled my media HD's to work on getting rid of this bug-- should I keep them unhooked from the mobo? Could the bug/worm be lurking in them somewhere (both drives are used purely for media storage)? Or perhaps I could clean the C: drive and then turn my attention to the other drives...?

Thank you for any help.


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:08 AM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Documents and Settings\All Users\Application Data\zqropqng\lszujixs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AS01_Netgear] "C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] "C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" /logon
O4 - HKLM\..\Run: [CanonMyPrinter] "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [A0SJfOQ9Hb] C:\Documents and Settings\All Users\Application Data\zqropqng\lszujixs.exe
O4 - Global Startup: MLB.TV NexDef Plug-in.lnk = C:\Program Files\Autobahn\mlb-nexdef-autobahn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125873213200
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: mntdbinfo - {0CB68836-D036-8F39-7D8D-0946CE6038A9} - C:\Program Files\ujbefxd\mntdbinfo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7193 bytes

The first thing you need to do is to go into the Spybot S & D program and TURN OFF TeaTimer. It can interfere with any fixes which may need to be completed.
To turn it off open the program. Go to the Mode Button at the top and choose Advanced.
Next on the lower left side you should see Three buttons, settings, tools, info & license.
Choose Tools. When Tools Opens, there on the left side you will see a list. Click on Resident (icon looks like a red shield with a white stripe diagonally down the middle. When that opens REMOVE the checkmark from Resident TeaTimer. Close the program.
Reboot the computer.
Go HERE Please follow ALL the steps given. If the instructions for a particular step tell you to remove whatever is found then please do so.

Also, I disabled my media HD's to work on getting rid of this bug-- should I keep them unhooked from the mobo? Could the bug/worm be lurking in them somewhere (both drives are used purely for media storage)? Or perhaps I could clean the C: drive and then turn my attention to the other drives...?

I would say if these are normally connected then connect them. The scans can be set to scan all drives. All of this should be done in NORMAL mode unless you are later instructed otherwise
Once you have completed all the steps then post back here with the requested logs.

Thank you jholland!! That thread you sent me to was awesome (although I feel kind of dumb for not finding it in the first place).

A couple last questions:

Can I re-enable Tea Timer in Spybot S&D?

Also, can you tell me (or point me to the appropriate thread) about what combination of applications I should be using to ensure that this doesn't happen again? Perhaps the links in this thread are still good, even though it's from 2005?

http://www.daniweb.com/forums/thread27519.html

Thanks again,

Soximus

First of all, the link I sent you requested that the scans be done, the logs saved and then those logs should be posted or attached back here in this thread so I can take a look at them. Could you do that so we can be sure your computer is clean?

Next, I, personally, and many others I might add, would advise AGAINST turning on that TeaTimer portion of Spybot. It CAN interfere with any fixes you have to do from time to time.

The link you posted does have current links to the various programs listed as far as I can tell.
My advice is continue to use the Malwarebytes-Anti-Malware program which is linked in the link that I gave you. Continue to use Spybot WITHOUT the TeaTimer enabled. The ONE other program I would recommend adding is SpywareBlaster which

Helps prevent the installation of spyware, adware, browser hijackers, dialers, and other unwanted software; blocks many spyware/tracking cookies, and restricts the actions of unwanted sites.

It is really a MUST HAVE. Plus it DOES NOT run in the background. Your Norton program, while a pretty good antivirus program does use a lot of system resources and therefore I wouldn't add a lot of other protection programs which can consume more resources.
Please post those logs for me so I can look through them and see what was removed and what other steps might be needed.
Judy

Apologies for not posting these logs in the first place.

So far, everything still looks good here; hopefully the logs will confirm this.

Lastly, here's my plan for anti-spy/malware/virus software:

AV:
Norton Symantec Corporate edition

Firewall:
Built-in XP
Zone Alarm

Anti-Spyware:
Spyware S&D (Tea Timer turned off)
SpywareBlaster

Anti-Malware:
Malwarebytes-Anti-Malware

I plan on uninstalling Ad-Aware and AVG.

Is this a good plan, or should I add/subtract from it? I bought a subscription to Spy Sweeper a few months ago, but it doesn't seem like that's a very popular app... ;(

Thank you for your help; this has been a great learning experience (every gray cloud...).

-Soximus

Security plans look pretty good with the exception of the firewalls....rule is ONLY ONE OF THOSE also. Your choice but just pick one.
Am looking at your logs now and will get back with you on those ASAP.
Judy

I think you had better do one more program to be safe. Download Combofix to the desktop.
When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on the desktop.
Once that appears then do the following

Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Double-click on the ComboFix icon found on your desktop. You will be asked if you are sure you want to run the program. Click the RUN button. Follow any prompts given and be sure to agree to the disclaimer. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Be aware that ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.

When all is complete post back here with the combofix log.

Here it is...

Thanks.

Looks pretty good. Do things seem back to normal?

I was all set to answer 'yes,' but then suddenly I hit a snag: For some reason, I can't get Symantec to load. I also can't uninstall it (I figured I could just do a fresh installation). Not sure if this topic deserves a new thread, since it's kind of off-topic...?

Here's what happens:

I go to Start>programs>symantec antivirus client
Then, once the app has started, I can see "load service" under the 'File' tab, but it's grayed out. When I select "live update," also under the file tab, I get, "All LiveUpdate packages for Symantec Antivirus have been disabled. Please contact your system administrator."

The user (me) definitely has sys-admin privileges (I verified this by going to user accounts in the control panel). Furthermore, I could successfully load/unload Symantec just a few days ago (when the virus was still present).

When I go to start>settings>control panel>administrative tools>services, I can see "Symantec Antivirus Client," but when I try to start it, I get the message: "Could not start the Symantec Antivirus Client service on Local Computer. Error 5: Access is denied."

I don't know if this is pertinent, but earlier today when I was trying to fix this, I thought I'd just go with AVG Free. That didn't work, either, as AVG was unable to access the internet to check for updates.

Again, I apologize is this is the wrong thread for this question! Thank you for any insight you can give. At this point, I don't really care what AV software I use, just so long as I have something that works...

Best,

Soximus

Try doing this;
Run checkdisk checking both options,
Automatically fix file system errors
Scan for an attempt recovery of bad sectors

I did the Chkdsk procedure, via My Computer (it ran the process after restart), but nothing seems to have changed.

Is it possible a crucial file has been inadvertently erased over the past couple of days...? The fact that I can't manipulate Symantec, and that AVG couldn't access the web for updates, makes me think there's a common problem they're both having...

So close! It would be a shame to have to reinstall windows at this point, but the alternative (operating without any anti-virus software running) is pretty unappealing.

Thoughts?

-Soximus

can't manipulate Symantec, and that AVG couldn't access the web for updates

Are you saying you have both of these on the system at the same time? Did you turn off one of those firewalls?

At one point, I did have them both on the system at the same time. However, when I realized I was having problems loading Norton, I uninstalled AVG immediately. I also uninstalled zone alarm, and turned off Windows firewall.

Basically, I've been uninstalling everything I can think of! I've been rebooting fairly often (most recently to run Chkdsk). I removed the password to the (one) user account. I've tried completely removing Symantec numerous times, with no luck.

I also rolled back to SP2 (before I sought help, I thought maybe upgrading to SP3 would fix things), but this didn't do anything. Perhaps going from SP2 to SP3 broke something somewhere...? There's not much left to uninstall, although if you think it would help, I could take out a bunch of seemingly unrelated apps (bit torrent, games, etc).

Thanks for your patience.

-Soximus

You didn't need to disable the Windows Firewall if you removed Zone Alarm, the rule means only one firewall should be used on the system.
If you have your Norton Install Disk, or if you downloaded it and you have your Product Key so that you can install it again, then go HERE for instructions on the removal of your Corporate Edition. You will have to choose the correct version and follow their steps.

Do you happen to still have the ORIGINAL logs? Not the ones you posted yesterday, they were obviously run yesterday, but the first Malwarebyte's log which must have removed "something". The log you posted showed as clean. Same with the ESET Scanner log. I would really like to know exactly what was removed, since combofix didn't remove or fix anything.

Plus, stop installing and uninstalling programs for now, except the actual program you want to remove, Norton. This won't help really and may confuse things more.