#16

Not a problem... I think we got it. You might want to print these instructions for reference, as you will be off the internet while using HijackThis.

You are still infected with the peper trojan:

Download PeperFix: http://downloads.subratam.org/PeperFix.exe
Save it to your Desktop. Click on the PeperFix.exe to launch it. Click the Find and Fix button. It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files. Ensure that you are online before starting the fix. Make sure to run the fix twice.

Then....

Remove Twain-Tech: Click on Start > Settings > Control Panel > Add/Remove Programs > Select twain-tech > Click on Add/Remove

Then....

Log off your internet connection. Please press Ctrl-Alt-Delete and open Task Manager. End the following processes (if running) by selecting each one, pressing the End Process button and clicking Yes to the confirmation message:

HnvnCv.exe
vsfvsk.exe
7vgav.exe
apis.exe
msgked.exe

Run HijackThis, close all browsers and any other windows, place a checkmark next to the following items. Click "Fix checked".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xslumbqhieqxwpmc.org/wWI9wv8emPit3TuI5kx/zjxU48kproKJoiUcBJRLjQ6Oc_JXxOiUpEu74IcNKZBY.html
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [5HSAZG64TA8LA#] C:\WINDOWS\System32\HnvnCv.exe
O4 - HKLM\..\Run: [plrpqntppxcz] C:\WINDOWS\System32\vsfvsk.exe
O4 - HKLM\..\Run: [7vgav] C:\WINDOWS\System32\7vgav.exe
O4 - HKLM\..\Run: [apis] C:\WINDOWS\System32\apis.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

Optional fixes: Have HijackThis fix these too.

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

Then...

Boot into Safe Mode: Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete the following files:

C:\WINDOWS\mxTarget.dll
C:\WINDOWS\System32\HnvnCv.exe
C:\WINDOWS\System32\vsfvsk.exe
C:\WINDOWS\System32\7vgav.exe
C:\WINDOWS\System32\apis.exe
C:\WINDOWS\System32\msgked.exe

Reboot normally.

I'd like you to do a couple of trojan scans. Install and perform a full system scan with each of these trial programs:

Trojan Hunter http://www.misec.net/trojanhunter/
DiamondCS TDS-3 http://tds.diamondcs.com.au/

Please capture the logs and post them along with a fresh HijackThis log.

Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#17

Hi again Tom,

I followed your instructions again, except I skipped a few parts. I ran PeperFix, but it didn't detect anything. Twain-tech wasn't on the list of files to add/remove, so I couldn't uninstall it. When I ran HijackThis, I deleted the following ones. The others were not there.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xslumbqhieqxwpmc.org/wWI9wv8emPit3TuI5kx/zjxU48kproKJoiUcBJRLjQ6Oc_JXxOiUpEu74IcNKZBY.html
O4 - HKLM\..\Run: [5HSAZG64TA8LA#] C:\WINDOWS\System32\HnvnCv.exe
O4 - HKLM\..\Run: [plrpqntppxcz] C:\WINDOWS\System32\vsfvsk.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

Also, about the .exe files you posted, there were only a few of them. So I deleted those. Here's the log of the anti-virus program I ran.

Registry scan
  No suspicious entries found
Inifile scan
  No suspicious entries found
Port scan
  No suspicious open ports found
Memory scan
  No trojans found in memory
File scan
  Found trojan file: C:\!PeperFix\Elr0i.exe (Luxi.100)
  Found trojan file: C:\!PeperFix\EpqxT5uE.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\EpqxT5uE.exe (Wowex)
  Found trojan file: C:\!PeperFix\Esv6.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\Esv6.exe (Wowex)
  Found trojan file: C:\!PeperFix\Gnku.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\Gnku.exe (Wowex)
  Found trojan file: C:\!PeperFix\HnvnCv.exe (Luxi.100)
  Found trojan file: C:\!PeperFix\IrqY.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\IrqY.exe (Wowex)
  Found trojan file: C:\!PeperFix\VedlMu.exe (Luxi.100)
  Found trojan file: C:\!PeperFix\WxwngMwt.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\WxwngMwt.exe (Wowex)
  Found trojan file: C:\!PeperFix\YslJopex.exe (Nbx.100)
  Found trojan file: C:\!PeperFix\YslJopex.exe (Wowex)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\dwhyrqie.exe (TrojanDownloader.Curl.100)
  Found possible trojan file: C:\Documents and Settings\Cal\Application Data\ehfiomwf.exe (Possible trojan downloader)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\hsryogtj.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\inoneclj.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\lztuynmh.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\prwiysfi.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\qjkytisx.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\vgtlduph.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Cal\Application Data\zkackcud.exe (TrojanDownloader.Curl.100)
  Found trojan file: C:\Documents and Settings\Calvin\Local Settings\Temp\polmx.exe/CK6I0t.exe (Adware.CallingHome.100)
  Found trojan file: C:\Documents and Settings\Calvin\Local Settings\Temporary Internet Files\Content.IE5\XE21AH2O\bdl34125[1].exe (TrojanDownloader.Agent.100)
  Found trojan file: C:\RECYCLER\S-1-5-21-790525478-448539723-725345543-1005\Dc10.zip/winshell.exe (WinShell.500)
  Found trojan file: C:\RECYCLER\S-1-5-21-790525478-448539723-725345543-1005\Dc11\winshell.exe (WinShell.500)
  Found trojan file: C:\WINDOWS\infamous.exe (Tarkz.100)
  Found trojan file: C:\WINDOWS\istinstall_si.exe/rw4CyOXa.exe (TrojanDownloader.Istbar.102)
  Found trojan file: C:\WINDOWS\polmx.exe/iEOur8.exe (Adware.CallingHome.100)
  Found trojan file: C:\WINDOWS\polmx3.exe/tMI3dN.exe (Adware.CallingHome.100)
  Found trojan file: C:\WINDOWS\rotum32.dll (KLog.SvcLog)
  Found trojan file: C:\WINDOWS\system32\a.exe/BIgffb.exe (Adware.WinFavorites.100)
  Found trojan file: C:\WINDOWS\system32\a5wu37rd.exe/5FwdvX.exe (Adware.ATPartners.100)
  Found trojan file: C:\WINDOWS\system32\AnnaKournikova.exe (Tarkz.100)
  Found trojan file: C:\WINDOWS\system32\basui1.exe (TrojanDownloader.Apropo.100)
  Found trojan file: C:\WINDOWS\system32\d2kbpn.exe/kWEgtn4.exe (Dialer.Dsk.100)
  Found trojan file: C:\WINDOWS\system32\first.exe/uifL0Ttj.exe (Adware.ATPartners.100)
  Found trojan file: C:\WINDOWS\system32\infamous.exe (Tarkz.100)
  Found trojan file: C:\WINDOWS\system32\istinstall_adlogix.exe/Dy08Z9M4.exe (TrojanDownloader.Istbar.102)
  Found trojan file: C:\WINDOWS\system32\third.exe/dwTSv4o.exe (Adware.ATPartners.100)
  Found possible trojan file: C:\WINDOWS\system32\uti3d.exe (SDBot)
  Found possible trojan file: C:\WINDOWS\system32\winrr.exe (Suspicious: UPX-packed file in Windows System folder)
  36 trojan files found
  3 possible trojan files found

I'll make another post with the latest HijackThis log. Thanks again for the help.

-Fraq
#18

Here's the latest HijackThis log.

And finally, here's the latest HijackThis log.

Logfile of HijackThis v1.98.1
Scan saved at 1:21:15 AM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~3\PE\BIN\ETSLAU~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\evmgmtd.exe
C:\WINDOWS\System32\ipfldrz.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SmartPopupBlocker\SmartPopupBlockerTray.exe
C:\Program Files\StealthBot\StealthBot v2.4R3.exe
c:\program files\warcraft iii\war3.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [eTrustCIPE] "C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Deskshield\PE\BIN\EZDSMain.EXE"
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [evmgmtd] C:\WINDOWS\System32\evmgmtd.exe
O4 - HKLM\..\Run: [ipfldrz] C:\WINDOWS\System32\ipfldrz.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eTrust EZ Firewall.lnk = C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Firewall\efpeadm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: PopStop - {451A1C42-3A88-11d5-962E-00207803F0A6} - C:\Program Files\CobraSoft\PopStop\CSIEPopStop.dll
O9 - Extra 'Tools' menuitem: &PopStop - {451A1C42-3A88-11d5-962E-00207803F0A6} - C:\Program Files\CobraSoft\PopStop\CSIEPopStop.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab

Thanks,
-Fraq
#19

The folder C:\!PeperFix can be deleted; they are the peper trojan files removed by running PeperFix.

Did you delete the files found by the trojan scanner?

Found trojan file: C:\WINDOWS\infamous.exe (Tarkz.100)

If you are using TDS-3, I believe you have to right-click the file in the log it produces and select Delete.

Also, please perform an online scan at:
Trend Micro Housecall http://housecall.trendmicro.com/

Reboot and post a fresh log.

Tom
#20

Alright Tom,

I did what you said in your last post. Here's my HijackThis log.

Logfile of HijackThis v1.98.1
Scan saved at 9:18:49 PM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\eTrust\VPN\evpnsvc.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~3\PE\BIN\ETSLAU~1.EXE
C:\Program Files\eTrust\VPN\evpnnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Firewall\efpeadm.exe
C:\WINDOWS\System32\himgvws.exe
C:\Program Files\StealthBot\StealthBot v2.4R3.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\warcraft iii\war3.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [eTrustCIPE] "C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Deskshield\PE\BIN\EZDSMain.EXE"
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [himgvws] C:\WINDOWS\System32\himgvws.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eTrust EZ Firewall.lnk = C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Firewall\efpeadm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab

I already see how much cleaner it is; it's hard for me to express how much I appreciate your help.

Thanks a bunch,
-Fraq
#21

Remove this line with HijackThis:

O4 - HKLM\..\Run: [himgvws] C:\WINDOWS\System32\himgvws.exe

Boot into Safe Mode and delete the file:

C:\WINDOWS\System32\himgvws.exe

Reboot normally and post a final log for recheck.

Tom
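The rules of thumb the helper applied in #16 (autorun entries launching gibberish-named files from System32, a BHO DLL dropped straight into C:\WINDOWS, IE start and search pages pointing at an unfamiliar domain) and again in #21 (a `himgvws` entry that was not in the previous log) can be written down as a small triage script. The following is an added example; it is not part of the thread and not HijackThis's own code. The sample logs are excerpts copied from the posts above, while the `KNOWN_SYSTEM_BINARIES` and `TRUSTED_IE_HOSTS` allowlists, the vowel-ratio threshold in `looks_random`, and all function names are assumptions chosen for illustration. It goes slightly beyond the thread by also diffing two logs to list the persistence entries that appeared or vanished between scans, which is how a reviewer spots a new dropper between posts.

```python
"""Triage of HijackThis-style logs: parse entries, flag suspicious ones, diff two scans."""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample input: lines copied from the logs posted in this thread.
# LOG_BEFORE holds items the helper told the poster to fix plus two benign lines;
# LOG_AFTER holds the matching part of the later log in which himgvws.exe appeared.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://look-today.com/passthrough/index.html?http://about:blank
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [5HSAZG64TA8LA#] C:\WINDOWS\System32\HnvnCv.exe
O4 - HKLM\..\Run: [plrpqntppxcz] C:\WINDOWS\System32\vsfvsk.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [himgvws] C:\WINDOWS\System32\himgvws.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
"""

Entry = namedtuple("Entry", "section key target")

# Line shapes as HijackThis 1.98 prints them ("O4 - Global Startup:" .lnk lines
# have a different shape and are deliberately skipped by this parser).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<sec>R[01]) - (?P<key>.*?) = (?P<url>.*)$")
# First program-looking token of a command line, quoted or not; arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|dll|ocx|scr|pif|bat))', re.IGNORECASE)
# A file sitting directly in %SystemRoot% or %SystemRoot%\System32.
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\WINDOWS(?:\\system32)?\\(?P<base>[^\\]+)$", re.IGNORECASE)

# Assumed allowlists for the heuristics below; real triage would compare against the
# user's intended home page and a vetted inventory of what belongs in System32.
KNOWN_SYSTEM_BINARIES = {"cthelper.exe", "userinit.exe", "ctfmon.exe", "rundll32.exe"}
TRUSTED_IE_HOSTS = {"www.microsoft.com", "www.msn.com", "go.microsoft.com"}

def executable_of(cmd):
    """Program path from an O4 command line, without surrounding quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()

def parse(log_text):
    """Extract the R0/R1 (IE pages), O2 (BHO) and O4 (autorun) entries from a log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], executable_of(m["cmd"])))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m["clsid"], m["path"].strip()))
        elif m := R_RE.match(line):
            entries.append(Entry(m["sec"], m["key"], m["url"].strip()))
    return entries

def looks_random(filename):
    """Gibberish names (HnvnCv, vsfvsk, 7vgav) have few vowels or digits mixed in."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.25 or any(c.isdigit() for c in stem)

def triage(entries):
    """Apply the thread's rules of thumb; return (entry, reasons) for suspicious items."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O4":
            m = SYSTEM_DIR_RE.match(e.target)
            if m and m["base"].lower() not in KNOWN_SYSTEM_BINARIES:
                reasons.append("autorun launches an unknown file from the Windows/System32 folder")
                if looks_random(m["base"]):
                    reasons.append("random-looking file name")
        elif e.section == "O2" and SYSTEM_DIR_RE.match(e.target):
            reasons.append("BHO DLL dropped directly into the Windows folder")
        elif e.section in ("R0", "R1"):
            host = (urlparse(e.target).hostname or "").lower()
            if host and host not in TRUSTED_IE_HOSTS:
                reasons.append(f"IE start/search page points at {host}")
        if reasons:
            findings.append((e, reasons))
    return findings

def diff_logs(before_text, after_text):
    """Entries that appeared in, and disappeared from, a later scan of the same machine."""
    before, after = set(parse(before_text)), set(parse(after_text))
    return sorted(after - before), sorted(before - after)

if __name__ == "__main__":
    for entry, reasons in triage(parse(LOG_BEFORE)):
        print(f"FLAG {entry.section} [{entry.key}] {entry.target}: {'; '.join(reasons)}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("changed since previous scan:", {"new": [e.key for e in added], "gone": [e.key for e in removed]})
```

Run as a script it prints the five entries the helper told the poster to fix and reports `himgvws` (and the newly installed Spyware Doctor entry) as new in the second log. The heuristics are deliberately crude, so a hit means "look at this file", not "this is malware": the `CTHELPER.EXE` run entry that the helper left alone is exactly the kind of legitimate System32 resident that has to be allowlisted by hand, and a BHO registered under Program Files with "(no name)", like the Spybot helper above, is not flagged by location alone.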
#22

Hey again Tom,

Did what you said; here's my most recent log.

Logfile of HijackThis v1.98.1
Scan saved at 3:58:03 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
C:\Program Files\eTrust\VPN\evpnsvc.exe
C:\Program Files\eTrust\VPN\evpnnt.exe
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~3\PE\BIN\ETSLAU~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Firewall\efpeadm.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\warcraft iii\war3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [eTrustCIPE] "C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Deskshield\PE\BIN\EZDSMain.EXE"
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eTrust EZ Firewall.lnk = C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Firewall\efpeadm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab

Thanks,
-Fraq
#23

Good work! Your log is clean!

Re-enable System Restore and create a new restore point.

These are tools that will help keep you from getting infected again:

SpywareBlaster will block bad ActiveX and malevolent cookies.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard is a real-time spyware scanner.
http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

All are very small free programs. Occasionally check for updates.

Adjust your security settings for ActiveX: Go to Internet Options/Security/Internet, press 'Default Level', then OK. Now press 'Custom Level'. In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to 'Prompt', and "Initialize and script ActiveX controls not marked as safe" to 'Disable'.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://v4.windowsupdate.microsoft.com/

Tom
#24

Alright Tom, all done!

Thanks a BUNCH for all this superb help. It was really easy to follow and now my comp runs great! I'm now more motivated to keep my computer safe and clean.

Thanks again,
-Fraq
#25

You're welcome!

Tom
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Problems with my comp :(