
norBtok virus


Rocker
10-12-2006, 10:26 AM
Hey, Bear!

Greetings and salutations!!

Bear, I need some advice (again!) with a virus-type problem. One of our teachers brings in text and pictures from outside (Internet cafes) which he then uses to make hand-outs and various lesson-related sheets. One of the items apparently had a virus-type program hidden within it. It causes a pop-up screen which I don’t want popping up on one of our school’s units. I tried Killafing3, a free anti-popup program, as well as Admuncher, both free from fileforum.com. But these apparently only prevent pop-ups from loading while one is on the net, and cannot delete pop-up programs already embedded in one’s system. I also tried Spybot and Spywareblaster, with no results.
When I do a HiJackThis scan, the program shows as variations on “norBtok.exe” and has also popped up under shuffled versions of that name, “A.Kortnob” and “about.Brontok.A.” AVG doesn't pick this up, so it may be new or very cleverly coded. It shows as the “C:\Windows\Inf\norBtok.exe” item, and I believe it’s linked with the “O4 HKLM\..\Run” item. It also places an icon in the “My Pictures” folder of Windows, which is why I believe it may have been piggybacking on some picture brought in. I’ve tried deleting these with HiJackThis; sometimes they’re gone (briefly) after a restart and re-scan, but always reappear soon. There seems to be a timer-function within the code, and they reinstall themselves after so many minutes. Other times they don’t even appear to have been removed. I also checked the “Properties” of the O7 “disable regedit” item. I’m told that this is a thing used by hijackers so that the regedit is disabled, and the message which appears when I attempt to go into regedit is that it has been disabled by the system administrator. (This virus is apparently also responsible for keeping him from being able to open an encyclopedia program file he’d loaded in, telling him he must log in as an administrator.) But this unit only has one account and it IS an administrator account. Is there any way of deleting these problem items without wiping and reinstalling Windows?
Also the strange little item with no complete address, which gives me an error message when I try to HJT delete it. Any way to wipe it?

Log 1 is the initial log

Logfile of HijackThis v1.99.1
Scan saved at 7:48:41 AM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\KISB\Local Settings\Application Data\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\services.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\lsass.exe
C:\Program Files\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: "C:\WINDOWS\INF\norBtok.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\KISB\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



Log 2 is after ‘fixing’ the 5th, 6th & 7th O4-numbered items

Logfile of HijackThis v1.99.1
Scan saved at 7:51:57 AM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\KISB\Local Settings\Application Data\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\services.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\lsass.exe
C:\Program Files\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Empty.pif = ?
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe


Log 3 is after a restart

Logfile of HijackThis v1.99.1
Scan saved at 7:55:19 AM, on 12/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\services.exe
C:\Documents and Settings\KISB\Local Settings\Application Data\lsass.exe
C:\Program Files\HiJackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HncUpdate] C:\WINDOWS\system32\HncUpdate.exe /A
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\INF\norBtok.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\KISB\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Absolutely friggin’ maddening!!

Sorry I haven’t been around. I hope all is well with you back at the cave and the site.
Thanx, Bear.

bear
10-12-2006, 12:14 PM
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\INF\norBtok.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\KISB\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
You need to lose that empty pif as well, and make sure to delete the file in the folder referenced above. They called it smss.exe which is also a legitimate file name in Windows, but not from that directory...no way. Find the folder and nuke the whole directory KISB and everything in it. If Windows complains it's in use, you might try starting in safe mode and then doing so.
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Have you tried running this in safe mode yet? Do so, and have HJT fix the regedit part first.

Rocker
10-12-2006, 06:53 PM
Bear, thanx as ever for the prompt reply. But...I'm scared, Bear!! It's FRIDAY THE 13TH here already!!! What if I try something and the unit gets mad and...and...comes alive???AAARRRRGGGHHHHH!!!!!!!!!

Bear, on that thread where I posted re' a unit that wouldn't boot from the Windows CD (which I finally took to a shop and had them wipe then re-do the whole drive...) I mentioned that these units have a strange power-up screen.
When I try to go into the BIOS screens they're arranged like the tabs on folders, grey, from left to right Main, Advanced, Power, Boot, Exit. I don't recall seeing a "Safe Mode" option, but sometimes I'm good at not seeing things even if they're directly in front of me. I'll try it today and let you know.

Muchos gracias, Senor!!

bear
10-12-2006, 08:48 PM
The BIOS setup screen is very different from Windows in safe mode. As luck would have it, we have a post about starting in safe mode (http://www.wbhelp.com/showthread.php?t=100) in Windows.

De nada. ;)

Rocker
10-15-2006, 07:11 AM
The BIOS setup screen is very different from Windows in safe mode. As luck would have it, we have a post about starting in safe mode (http://www.wbhelp.com/showthread.php?t=100) in Windows.

De nada. ;)

You're right, as always...please forgive the example of me letting out the clutch on my mouth before my brain/memory had been properly put into gear. I long ago followed your advice and cut/saved/printed that advice on starting in safe mode, and using the F8 key I was able to get into it.
At first, I'd delete those pesky items, then check by running a HJT scan in Windows' normal operating mode...they'd appear to be gone, then I'd try regedit and I'd get the same message about it having been disabled. Then I'd do a rescan and find the DisableRegedit line back! It seemed that even after deleting it, attempting to go to regedit in Windows' normal mode somehow brought it back. It took a few more tries, and the little log/diary of screens opened & moves taken that I wrote at the time is not beside me as I type this. But I finally got the buggers outta there. (knock on wood) I deleted them in safe mode, then back in normal mode, then rechecked in both. THEN I went into regedit in normal mode and it seemed to have worked. (re-knock)

I'll check that unit tomorrow first thing, and give ANOTHER word to that particular teacher (I've gone over this with him before, but in a gentler tone...that's over!).

Bear, I can't tell you how much those of us in the trenches appreciate your site, your sagacious wisdom, gentle humor and (apparently) endless patience. Hope you have a good Halloween!!

P.S. I made it through the dreaded 13th with nothing more serious than leaving my little coffee-sipping bottle on the seat of my truck that day, which the sun melted into a Dali-esque distortion. Given the way Thai 'drivers' 'drive' (it's being generous to call it that) I consider myself lucky.

Barkeep, another jar of honey for the big guy down the end!

Thanx, again, Bear! :D

bear
10-15-2006, 07:47 AM
Seems you're getting quite good at fixing your own issues, there fella. Terrific detective work in getting that removed. :D

Have some of the honey, you've earned it. ;)

Rocker
10-17-2006, 10:24 AM
I owe it all to you, coach! I've learned a great deal from this site!
Thanx so much for sharing, and giving all of us out here the benefit of your experience! :)