Norton PC Checkup reinstalling to registry...

Good evening, everyone! Or whatever time it is where you live.

While getting shockwave on a downloading binge, I stupidly missed the little checkbox that bundled on Norton PC Checkup. I avoid Norton like the plague, and this experience has only convinced me who wise that decision was... and I'm thinking of steering clear from Adobe, as well. Just in case the experience isn't too common, PC Checkup installs itself onto the computer, and is not removable with their 'removal tool', although every norton spokesperson I talked to insisted it would. Tried stopping the program, making sure it was not on in processes, and using said tool; nothing. Tried uninstalling it, and it takes forever to start; the program literally seemed to redownload itself. Finally, I got fed up and hard-deleted both Shockwave and PC Checkup, as all my work goes to showing that the 'infected' files in this case were located in symcheckupstub.exe. So far, so good. I then deleted the registry entry in safe mode, and restarted.

A clean start! Yes! But then the next time I started up there was a long pause... and although Norton couldn't re-install itself, it did flash me the message 'System cannot find "E:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe'. How do I terminate this unholy abomination for good? Enclosed is my handy-dandy HijackThis log, because those things are a lifesaver. Well, thanks for your time... I'll try to take out time to help pay back the community with issues if I can, in return. Anyhow! If you've got any good ideas, I'll listen. Thanks again!


--- Log Follows: Lemme know if I'm missing somethin' painfully stupid, you see extra clutter, or anything else obvious that I've missed. Knowing me, I have, haha! ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:22 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
E:\Program Files\AntiVir PersonalEdition Classic\sched.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\WINDOWS\ehome\ehtray.exe
E:\WINDOWS\AGRSMMSG.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\COMODO\COMODO Internet Security\cfp.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
E:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Jarte\Jarte.exe
E:\Program Files\Winamp\winamp.exe
E:\WINDOWS\regedit.exe
E:\System Optimization\HiJackThis.exe

O4 - HKLM\..\Run: [ehTray] E:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "E:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DrvLsnr] E:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "E:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [COMODO Internet Security] "E:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [symPCCheckup] "E:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /reboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Stardock ObjectDock.lnk.disabled
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209419936437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209419926937
O20 - AppInit_DLLs: E:\WINDOWS\system32\guard32.dll
O23 - Service: Antinat - Unknown owner - E:\Program Files\Antinat\antinat.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - E:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - E:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: DirectX common - Unknown owner - E:\WINDOWS\system32\dxwizard.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6911 bytes

Hello, Choujin
to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

• In the meantime, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Finally, please reply using the button in the lower left hand corner of your screen.

We need to create an OTViewIt Report

• Please download OTViewIt by OldTimer.
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Push the button.
• Two reports will open, copy and paste them in a reply here:
• OTViewIt.txt <-- Will be opened
• Extra.txt <-- Will be minimized

We need to scan for Rootkits with GMER

• Please download GMER from one of the following mirrors:
  • This is the Primary mirror
  • This is a Secondary mirror
  • This is a Secondary mirror
• Close any and all open programs, as this process may crash your computer.
• Unzip the downloaded file to your desktop.
• Double click on your desktop.
• Allow the gmer.sys driver to load if asked.
• You may see this window. If you do, click No.
  
• Click on and wait for the scan to finish.
• If you see a rootkit warning window, click OK.
• Push and save the logfile to your desktop.
• Copy and Paste the contents of that file in your next post.

In your next reply, please include the following:

• OTViewIt.txt
• Extra.txt
• GMER's Log

Billy3

Hiya, Billy!

Please take your time, as this is a strange problem, logs are a pain, and mine are rather tedious. I've also had a similar problem with x.exe(which I thought was used to emulate unix-based software... Maybe it's time to "roll back" to Suse, haha.), and files in internet explorers local documents... Amusing, since IE has been removed from my system since I got it out of the box! I wouldn't be surprised if they're linked, but don't trouble yourself with that; take your time, enjoy yourself, and if you find the time and inclination to go through these and find something useful, I'd be much obliged. I attached the documents as opposed to copy/pasting them, I hope that's all right? It just seemed to be more organized. If I've done anything to make life more difficult for ya, let me know and I'll send a revised scan/clarify something, etc, and I'll try to keep things as they were. One major thing to note: the Registry value 'symPCCheckup' used to be "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe /task /reboot". I changed the value to "" to stop it from doing so everytime I started up my PC. I can change it back and revise the logs if it makes things clearer/easier.

Thank you again, Billy, and hope you're having a good one!

Peace!

Choujin

(Edit: The Extras file has been merged into OTviewit.txt.)

Edited by Choujin, 03 December 2008 - 04:34 AM.

Hello, Choujin

Hmm.. don't see anything too bad in here...

We need to execute an OTMoveIt3 script

• Please download OTMoveIt3 by OldTimer and save it to your desktop.
• Double click the icon on your desktop.
• Paste the following code under the area. Do not include the word "Code".
  

  :files
  E:\WINDOWS\System32\i
  E:\WINDOWS\system32\logonuiX.exe
  :reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "UIHost"=-
  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
  "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
  [HKEY_USERS\S-1-5-21-602162358-562591055-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
  "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
  :commands
  [EmptyTemp]

• Push the large button.
• OTMI3 may ask to reboot the machine. Please do so if asked.
• Copy/Paste the contents under the line here in your next reply.
• If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
• Scroll down to where it says "Java Runtime Environment (JRE)6 Update 10...allows end-users to run Java applications".
• Click the "Download" button to the right.
• Select your Platform: "Windows" (OR if you are on a x64 system, "Windows x64")
• Select your Language: "Multi-Language".
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
• Click Continue and the page will refresh.
• Click on the link to download Windows Offline Installation and save the file to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Settings > Control Panel, double-click on Add/Remove Programs (Or "Uninstall a Program" on Vista) and remove all older versions of Java.
• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Follow the onscreen instructions for the Java uninstaller.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u10-windows-i586-p.exe (Or jre-6u10-windows-x64.exe for x64 systems)
• Follow the on screen instructions to install the latest Java version.

I would like us to use ESET (NOD32)'s Online Scanner

• Please go to ESET OnlineScan (NOD32)
• You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
• Now click Start
• Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
• Click Start
  • Note: (the Onlinescanner will now prepare itself for running on your pc)
• To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
• Press Scan
• The Onlinescan will now start and scan your pc (this could take a while)
• When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
• Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
• The Scanresults will now open in Notepad
• Click into the text area, right-click and chose "select all" (or use +A)
• Right-click again and chose "Copy" (or +C)
• Close/Exit Notepad
• Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.

Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:

• OTMoveIt3's Log
• ESET OnlineScan's Log

Billy3

Hello, Billy!

I tried moving the regkeys/files in OTmoveit, and, well, take a look at the log. Anyway, I restarted afterwords, and first they seemed to be gone, but now it's as if they're right back, hmn... Maybe I'll try again when I get back from work tonight. Anyhow, updated java and ditched every previous version I have. The next question would be... ESET found nothing wrong with my computer. That's got to be wrong, somehow. Well, hope this helps out, have a good one!

I don't see any malware in those logs.

Might I suggest the norton removal tool?
http://service1.symantec.com/Support/tsgen...005033108162039

Billy3

Hello again, Billy!

Thanks, but I've tried it before... A lot. I tried it again now, just for the heck of it, and then tried it again in safe mode. I'm thinking of gathering the logs in these forums as well as my previous mails to Adobe, and sending this their way; all I'm asking for is something that'll take it off of my computer permenantly. Say, is there a way I can disable a reg-key from reforming? For example, I can delete the key in regedit or Codesoft's Starter, but it'll just reform somehow... Also, about this x.exe file, it seems to reinstall too... Any bits of advice? Anyhow, I'll let you pass on whatever wisdom floats your way, and then I figure I'll just keep pestering Adobe. They've got to admit to this sometime.

Well, thanks again!

[Huge Edit!]

Hey, I don't know if this has nuked it for good, but I uninstalled *all* my adobe products, then removed their regedit keys and made sure all my remote access points were blocked turned off, then ran the removal tool, and then finally booted up my computer. It all seems to be gone now, and I keep checking in Codestarter, waiting for some trace to lodge itself heinously back. I have no idea if it's worked for good or not, but thank you so much for your patience, my friend. This is one of the weirdest pieces of malware I have ever encountered. I'm wondering if I should be surprised or not it came from adobe/symantec... ;P Well, anyway, I shouldn't count my chickens before they hatch, but if all this has payed off, thanks for the help, the programs, and stayin' through the valley of death with me!

Edited by Choujin, 05 December 2008 - 06:06 AM.

Hello, Choujin
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


We Need to Clean Up Our Mess

• Please reopen on your desktop.
• Push the large "Cleanup" button
• Allow your system to reboot

Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then go to Start > Run and type: Cleanmgr
• Click "OK".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.

• Install Spyware Blaster and update it regularly
  If you wish, the commercial version provides automatic updating.
• Install the MVPs hosts file, and update it regularly
  You can use the HostMan host file manager to do this automaticly if you wish.
  For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
• Install an Anti-Spyware program, and update it regularly
  Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
  SUPERAntiSpyware is another good scanner with high detection and removal rates.
  Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
• Keep Windows (and your other Microsoft software) up to date!
  I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
  
  If you are using Windows XP or earlier
  Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  
  If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
• Keep your other software up to date as well
  Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
• Stay up to date!
  The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing .

Billy3

Hello, Choujin
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3