05-19-2005, 09:38 AM   #1
Registered User
Join Date: May 2005
Posts: 110
OS: XP

Super Corrupted PC

Hello everybody!

My sister gave me her computer to check why it was running so slow. I tried to install Norton on it, but the virus didn’t let me do it. When I scanned the system, the report showed 29 viruses. None of them were removed.

I tried to run an online virus scan, and it was working fine. It detected a lot of Trojan viruses and I was hoping to get through the whole system. Mysteriously, Internet Explorer shut down and there were like 7 programs installed on the desktop while I was doing the virus scan.

What should I do? Should I format the hard drive and install a new copy of Windows? What would be the best solution to this? This computer is extremely corrupted and I don’t really know what else to do since Virus scan doesn’t work at all.

Thank you all!
Posted by orage

05-19-2005, 09:48 AM   #2
TSF Enthusiast
Join Date: Jun 2004
Location: from IL; now in KY
Posts: 647
OS: Win98SE/XP

Let's have a look before you do anything as drastic as reformat.

HijackThis instructions (~208kB)
  • Download HiJackThis v1.99.1 (written by Merijn Bellekom) from
    http://www.spywareinfo.com/~merijn/downloads.html
    Save HijackThis.exe into its own permanent directory, NOT in a TEMPorary folder or on the DESKTOP. Temporary folders get cleaned out periodically and are often destinations for viruses and spyware. So you don't want it there. If you place HJT on the Desktop, then all of your logs and backups will get spread out over the desktop. That is not efficient. For simplicity, I recommend c:/program files/HJT/
    Important: Close all windows/programs, internet connections and especially internet browsers before scanning and fixing with HJT.
  • Doubleclick HijackThis.exe. Config | Misc Tools | Check for update online, save into your permanent directory. If you find a new version, then close HJT. Unzip into permanent directory. Replace file=Yes.
  • Doubleclick HijackThis.exe. Press the <Scan> button
    DO NOT FIX ANYTHING YET!! Most of the entries found in a HiJackThis scan are programs/files which are REQUIRED for your computer to operate normally.
  • Press the <Save Log> button and save into your HJT folder. Change the file name to HJT 9-22-04a.log or some similar dating nomenclature so you can identify each log
  • The log should automatically open in Notepad. If not, open the log file from any text editor (Notepad, MS Word, Word Perfect, etc)
  • Copy/paste the results here in this forum and let an expert evaluate it for you.
  • Close HiJackThis
__________________

I can help in German.
Make a post and PM me. Peebs85 also knows German.

If I help you, please donate to upgrade our outgrown server. I will donate my time to helping you for free, but the server is not free. Please send donations to Jason Connors (TSF owner), 4410 Grandwood Lane, New Port Richey, FL 34653. Even if it's only a dollar. Thank you.
Posted by Detah

05-19-2005, 07:10 PM   #3

Please Help! I tried to run HiJackThis, but I couldn't do it. It shuts down and I can't even get to the main window. What should I do then?

Thanks.
Posted by orage

05-19-2005, 08:03 PM   #4

By the way, I ran the "variant of the Coolwebsearch trojan" but it didn't work... HELP!
Posted by orage

05-20-2005, 12:33 AM   #5
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

Try rebooting to safe mode and run hijackthis. If that still doesn't work, let's try one more tool.

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the spybot program if you use it…before running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, Uncheck the "Registry" box and press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window)
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the “View Log” button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
Posted by MicroBell

05-20-2005, 07:10 AM   #6

I was able to run HJT under Safe Mode. This is what I got:

Logfile of HijackThis v1.99.1
Scan saved at 6:03:00 AM, on 5/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/d...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/d.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/d...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdirs.com/panel/?aff=3000&exp=4
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\ISP50\MAXSPEED\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [dglud] C:\WINDOWS\dglud.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKLM\..\Run: [SDdh0MEp] C:\WINDOWS\kmrpni.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AutoPlay.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1105507693608
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

I'm assuming this log is not going to show all the viruses since the PC is not running in regular mode, but I was finally able to see HijackThis running...
Please advise!!! Thanks a lot!
Posted by orage

05-20-2005, 07:31 AM   #7

Start | Run | type 'services.msc',
look for something called Smart Card Client,
select it, rightclick, Properties, click Stop, then under Startup Type change to Disabled, OK, close Services.
Reboot

This is the HJT entry, if that helps with the above search.
DON'T TOUCH ANYTHING WITH HJT YET!
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
Posted by Detah

05-20-2005, 07:11 PM   #8

Quote:
Originally Posted by Detah
Start | Run | type 'services.msc',
look for something called Smart Card Client,
select it, rightclick, Properties, click Stop, then under Startup Type change to Disabled, OK, close Services.
Reboot

This is the HJT entry, if that helps with the above search.
DON'T TOUCH ANYTHING WITH HJT YET!
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe

What am I supposed to do after this? I disabled this process but still can't run HJT. Please help!!!
Posted by orage

05-21-2005, 11:21 AM   #9

We want the
C:\WINDOWS\System32\SCardClnt.exe
and
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe

items to be gone. Once they are gone, you should be able to start in Normal Mode.

Either way, please post another HJT log.
Do you have your Windows installation CD? You are going to need it, I think. We need to do a repair. Post your HJT log and I'll give you instructions.
Posted by Detah

05-21-2005, 11:48 AM   #10

I did all that but still can run HJT. What should I do?
Posted by orage

05-21-2005, 12:29 PM   #11

Well, you've got a lot of bad guys on your machine. Let's try to remove them without the Normal Mode scan.

Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Start | Run | type 'services.msc' | OK | search for each of the following 2 items separately.

O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Highlight Smart Card Client service, rightclick, select Properties, select Stop, then under Startup Type, select Disabled. Do the same for Zesoft.
-----
Uninstall the following (from Start | Settings | Control Panel | Add/Remove Programs) if they exist:

Media Access
ISTBar
Internet Optimizer
Bullseye
PowerScan
Bargain Buddy
Date Manager
ShadowBar
SideFind or SideFindBar

----------------------------------------------------------------
Open HiJackThis | Scan,
Put a check next to the following items.

O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [dglud] C:\WINDOWS\dglud.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\
O4 - HKLM\..\Run: [SDdh0MEp] C:\WINDOWS\kmrpni.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1105507693608
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


Confirm that you have only the ones above checked, then press <Fix checked>
Close HJT
----------------------------------------------------------------
Open Windows Explorer
Now delete the following files (or delete the whole folder if no specific file is given):

C:\Program Files\Media Access\
c:\temp\salm.exe
C:\WINDOWS\dglud.exe
C:\Program Files\Internet Optimizer\
C:\Program Files\ISTsvc\
C:\WINDOWS\kmrpni.exe
C:\Program Files\BullsEye Network\
C:\Program Files\Power Scan\
C:\WINDOWS\seeve.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\nsvsvc\
C:\WINDOWS\System32\picsvr\
C:\Program Files\Date Manager\
C:\Program Files\Common Files\GMT\
C:\Program Files\hp center\137903\Shadow\
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\SideFind\
C:\WINDOWS\System32\libsysmgr.exe
C:\WINDOWS\System32\SCardClnt.exe
C:\WINDOWS\zeta.exe
c:/Program Files/DelFin/PromulGate/
c:/Windows/SYSTEM32/pgtools/

Please do a Find Files for the following. If you find multiple instances of these files, DELETE them all.
syslog32.exe
scrtkfg.exe
veritas.exe
winlite.exe
CTSVCCD.EXE

----------------------------------------------------------------
* Empty your c:/windows/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot in Normal Mode, if you can. If you can't, reboot into Safe Mode again.
----------------------------------------------------------------
If you can get into Normal Mode, then you should run an online virus scan. Select one or more of the following. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner. Select Autoclean if you use TrendMicro's Housecall.
Panda at http://www.pandasoftware.com/actives..._principal.htm
Housecall at http://housecall.trendmicro.com/
RAV Antivirus at http://www.ravantivirus.com/scan

Reboot. When you are done, post a new HJT log.
Posted by Detah
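
A triage pass over a HijackThis log like the one posted in this thread, as an added example that is not part of the original posts and not the helpers' own method. The flag names and the four review heuristics (`no-path`, `temp-dir`, `unknown-owner`, `file-missing`) are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autostart form of an O4 line: "<key>: [value name] command"
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Command that starts with a drive path or UNC path, optionally quoted
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\)')
MISSING = "(file missing)"


def parse_entries(log_text):
    """Return one dict per HijackThis entry line; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entry = {"code": m["code"], "body": m["body"], "missing": False}
        body = m["body"]
        if body.endswith(MISSING):
            entry["missing"] = True
            body = body[: -len(MISSING)].rstrip()
        if entry["code"] == "O4":
            run = RUN_RE.match(body)
            if run:  # startup-folder O4 lines have no [name] and stay unparsed
                entry.update(name=run["name"], key=run["key"], target=run["cmd"])
        elif entry["code"] == "O23" and body.startswith("Service: "):
            # "Service: <display name> - <owner> - <path>", split from the right
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                entry.update(name=parts[0], owner=parts[1], target=parts[2])
        entries.append(entry)
    return entries


def review_flags(entry):
    """Heuristics (assumptions of this example) that mark an entry for human review."""
    flags = []
    target = entry.get("target", "")
    if entry["missing"]:
        flags.append("file-missing")      # entry points at a file that is gone
    if entry["code"] == "O4" and target and not ABS_PATH_RE.match(target):
        flags.append("no-path")           # resolved through the search path
    if entry["code"] == "O4" and "\\temp\\" in target.lower():
        flags.append("temp-dir")          # autostart out of a temp directory
    if entry["code"] == "O23" and entry.get("owner") == "Unknown owner":
        flags.append("unknown-owner")     # service binary carries no company name
    return flags


def triage(log_text):
    """Return (code, name, flags) for every entry with at least one flag."""
    queue = []
    for entry in parse_entries(log_text):
        flags = review_flags(entry)
        if flags:
            queue.append((entry["code"], entry.get("name", entry["body"]), flags))
    return queue


if __name__ == "__main__":
    for code, name, flags in triage(SAMPLE_LOG):
        print(f"{code:4} {name:32} {', '.join(flags)}")
```

On the sample, `NvCplDaemon` and `SAVScan` are flagged even though the helper did not select either for fixing, so the output is a review queue and not a removal list.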
05-21-2005, 01:00 PM   #12

Ok. I'm doing it right now. I'll let you know the outcome..
Thank you so much!!!

edited:
Well, the computer seems to be frozen when I select "Disable" from Startup Type... Please advise!!!


Edited Ok. I was able to disable both scardclnt and zeta.

Now, I couldn't find ISTBar. I couldn't uninstall Internet Optimizer. Couldn't find Bargain Buddy and shadowBar. I'll keep you posted.

Last edited by orage; 05-21-2005 at 01:26 PM.
Posted by orage

05-21-2005, 03:05 PM   #13


Even if you cannot uninstall from Add/Remove Programs, you should remove their folders,
C:\Program Files\Internet Optimizer\
C:\Program Files\ISTsvc\
et al

Delete them in Windows Explorer.
Posted by Detah

05-21-2005, 03:43 PM   #14

After doing a virus scan (which I was finally able to do) this is what I got:

Scan started at 5/21/2005 1:22:15 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\oi.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\oi.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\oi.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\oi.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\poi.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\poi.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\poi.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\poi.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFABUJWL\io[1].exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFABUJWL\io[1].exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFABUJWL\io[1].exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QFABUJWL\io[1].exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\sysv.exe - Trojan:Win32/LowZones.C -> Suspicious
C:\Documents and Settings\Owner\up.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\up.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\up.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\up.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\us.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\us.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\us.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\us.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\%SYSROOT%\kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\%SYSROOT%\kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temp\bb.exe - TrojanDownloader:Win32/Adload.E -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2T8FAXU5\up[1].jpg->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2T8FAXU5\up[1].jpg->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2T8FAXU5\up[1].jpg->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2T8FAXU5\up[1].jpg->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6HWZMP65\bb[1].exe - TrojanDownloader:Win32/Adload.E -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8P4RGB0B\io[1].exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8P4RGB0B\io[1].exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8P4RGB0B\io[1].exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8P4RGB0B\io[1].exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C8A72ME5\optimize[1].exe - TrojanDownloader:Win32/Dyfuca.DX -> Infected
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KJHJMQFX\istrecover[1].exe - TrojanDownloader:Win32/IstBar.IJ -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP310\A0029457.dll - TrojanDownloader:Win32/IstBar.HG -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP310\A0029463.exe - TrojanDownloader:Win32/IstBar.HE -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP310\A0029490.exe - Backdoor:Win32/Sdbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP310\A0029531.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP335\A0033967.exe - Trojan:Win32/LowZones.C -> Suspicious
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050131.exe - Sahat.A -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050134.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050153.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050183.exe - Trojan:Win32/LowZones.C -> Suspicious
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050185.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050186.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050193.sys - VirTool:WinNT/FURootkit.C -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050234.exe - Backdoor:Win32/Sdbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP340\A0050844.exe - Backdoor:Win32/Rbot.KD -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0068045.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0068045.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0068045.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0068045.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069041.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069041.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069041.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069041.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069042.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP354\A0069043.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP355\A0069061.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP355\A0069062.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0069087.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0069088.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070085.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070085.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070085.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070085.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070086.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0070087.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072083.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072083.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072083.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072083.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072085.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP357\A0072086.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074092.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074092.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074092.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074092.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074093.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074094.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074100.exe - Trojan:Win32/StartPage.IT -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074165.exe - Worm:Win32/Gaobot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074166.exe - Worm:Win32/Gaobot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP358\A0074167.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP359\A0077178.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP359\A0077179.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077181.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077181.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077181.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077181.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077182.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0077183.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078181.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078181.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078181.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078181.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078188.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078189.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP360\A0078404.exe - Sahat.A -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084451.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084451.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084451.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084451.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084453.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0084454.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086556.exe - Backdoor:Win32/Sdbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086558.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086559.exe - Backdoor:Win32/Rbot -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086561.exe - TrojanDownloader:Win32/IstBar.IJ -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086564.exe - TrojanDownloader:Win32/Delmed.B -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086607.exe - TrojanDownloader:Win32/Dyfuca.DX -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086620.exe->(UPXW)->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086620.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086620.exe->(RARSfx)->kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086620.exe->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086621.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP364\A0086622.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\WINDOWS\kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\WINDOWS\kany.reg - Trojan:WinREG/LowZones.N* -> Infected
C:\WINDOWS\Nail.exe->(ASPack 2.12) - TrojanDownloader:Win32/Agent.LO -> Infected
C:\WINDOWS\optimize.exe - TrojanDownloader:Win32/Dyfuca.DX -> Infected
C:\WINDOWS\svcproc.exe - Trojan:Win32/Small.AZ -> Infected
C:\WINDOWS\Downloaded Program Files\olehelp.exe - Trojan:Win32/StartPage.IT -> Infected
C:\WINDOWS\SYSTEM32\DrPMon.dll - Trojan:Win32/Agent.CA -> Infected
C:\WINDOWS\SYSTEM32\SCardClnt.exe - Backdoor:Win32/Rbot.KS -> Infected
C:\WINDOWS\SYSTEM32\scrtkfg.exe - Backdoor:Win32/Rbot -> Infected
C:\WINDOWS\SYSTEM32\TFTP2376 - Win32/Msblast.A.dam#2 -> Infected
C:\WINDOWS\SYSTEM32\TFTP2380 - Backdoor:Win32/Rbot -> Infected
C:\WINDOWS\SYSTEM32\TFTP2960 - Backdoor:Win32/Sdbot.SE -> Infected
C:\WINDOWS\SYSTEM32\TFTP3700 - Backdoor:Win32/Rbot -> Infected
C:\WINDOWS\SYSTEM32\txuvfts.exe - TrojanDownloader:Win32/Small.ABE -> Infected
C:\WINDOWS\SYSTEM32\vpc32.exe - Backdoor:Win32/Rbot -> Infected
C:\WINDOWS\SYSTEM32\wnetlogin.exe - Worm:Win32/Donk.C -> Infected

Scanned
============================
Objects: 44258
Directories: 3495
Archives: 6314
Size(Kb): -187393
Infected files: 131

Found
============================
Viruses found: 23
Suspicious files: 3
Disinfected files: 0
Mail files: 169

-------------------------------------------------------------------

No virus was removed from what I can see...

I'll try to run HJT and post the log.

Thank you!!!

Edited: By the way, the Trendmicro scan shows "Non Cleanable" for all the viruses found. What should I do?

Last edited by orage; 05-21-2005 at 03:53 PM.
orage is offline  
Old 05-21-2005, 04:11 PM   #15 (permalink)
Registered User
 
Join Date: May 2005
Posts: 110
OS: XP


... And, finally, HJT is running!!! Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:08 PM, on 5/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\CTSVCCD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
c:\windows\system32\qonfwjj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\DllHost.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdirs.com/?aff=3000&exp=4
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\ISP50\MAXSPEED\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SDdh$æÆõö/ØG%)ßfÏNC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\kmrpni.exe
O4 - HKLM\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [bpckixa] c:\windows\system32\qonfwjj.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CT Control Settings] CTSVCCD.EXE
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------

Please Help!!!

Thank you so much!!!
orage is offline  
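An added example, not part of any post in this thread: one way to cross-reference the two logs above, listing the HijackThis persistence entries (F2, O2, O4, O23) whose target file the antivirus scan also flagged. The log lines are excerpted from the posts above; the function names are hypothetical, and an entry with no scanner hit is only unverified, not clean.

```python
import ntpath
import re
from collections import defaultdict

# Lines excerpted from the scanner log and the HijackThis log posted in this thread.
SCANNER_LOG = r"""
C:\WINDOWS\kansy.reg - Trojan:WinREG/LowZones.O* -> Infected
C:\WINDOWS\Nail.exe->(ASPack 2.12) - TrojanDownloader:Win32/Agent.LO -> Infected
C:\WINDOWS\optimize.exe - TrojanDownloader:Win32/Dyfuca.DX -> Infected
C:\WINDOWS\svcproc.exe - Trojan:Win32/Small.AZ -> Infected
C:\WINDOWS\SYSTEM32\vpc32.exe - Backdoor:Win32/Rbot -> Infected
C:\Documents and Settings\Owner\us.exe->(UPXW)->(RARSfx)->kany.reg - Trojan:WinREG/LowZones.N* -> Infected
"""

HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bpckixa] c:\windows\system32\qonfwjj.exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# "<file>[->(packer)->inner file] - <detection name> -> <status>"
SCAN_RE = re.compile(r"^(?P<target>.+?) - (?P<name>\S+) -> (?P<status>Infected|Suspicious)$")
# "<section code> - <entry body>"
HJT_RE = re.compile(r"^(?P<code>[FNOR]\d+) - (?P<body>.+)$")
# Absolute Windows paths ending in an executable-style extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|ocx|sys|bat|reg)\b', re.IGNORECASE)

# HijackThis sections that load code at boot, logon or browser start.
PERSISTENCE = {
    "F2": "shell/userinit override",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O23": "Windows service",
}


def parse_scanner(text):
    """Map each flagged on-disk file (case-folded) to its set of detection names."""
    detections = defaultdict(set)
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue
        # Detections inside packed or archived files are charged to the container on disk.
        container = m["target"].split("->", 1)[0]
        detections[ntpath.normcase(container)].add(m["name"])
    return detections


def parse_hjt(text):
    """Return (section code, entry body, [case-folded file paths]) per log entry."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            paths = [ntpath.normcase(p) for p in PATH_RE.findall(m["body"])]
            entries.append((m["code"], m["body"], paths))
    return entries


def correlate(scanner_text, hjt_text):
    """Split persistence entries into scanner-confirmed and unverified ones."""
    detections = parse_scanner(scanner_text)
    confirmed, unverified = [], []
    for code, body, paths in parse_hjt(hjt_text):
        if code not in PERSISTENCE:
            continue
        hits = {p: sorted(detections[p]) for p in paths if p in detections}
        (confirmed if hits else unverified).append((code, body, hits))
    return confirmed, unverified


if __name__ == "__main__":
    confirmed, unverified = correlate(SCANNER_LOG, HJT_LOG)
    for code, body, hits in confirmed:
        print(f"[CONFIRMED] {code} ({PERSISTENCE[code]}): {body}")
        for path, names in hits.items():
            print(f"    {path}: {', '.join(names)}")
    for code, body, _ in unverified:
        print(f"[UNVERIFIED] {code} ({PERSISTENCE[code]}): {body}")
```

Paths are compared case-insensitively because the two tools print the same Windows path with different casing.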
Old 05-22-2005, 10:21 PM   #16 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Download ewido security suite from here… http://www.ewido.net/en/download/

Update its database from here.. http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC.

Download and install CleanUp http://cleanup.stevengould.org/

Please download nailfix at http://users.pandora.be/bluepatchy/nailfix.zip (for Windows XP) or http://users.pandora.be/bluepatchy/nailfix2k.zip (for Windows 2000)
Unzip it to the desktop but do NOT run it yet.

Run the cleanup utility and reboot/logoff when prompted.

Then reboot into safe mode...

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Reboot back to normal windows and post another hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 05-23-2005, 04:51 PM   #17 (permalink)
Registered User
 
Join Date: May 2005
Posts: 110
OS: XP


I've downloaded all the files. I don't know if ewido did the scan properly. I got a pop up at the end of the scanning process asking me to restart my PC, but I didn't get any reports about files deleted or anything. Then, after running CleanUp and rebooting the PC, I was not able to get to the Desktop since it seems like the computer stops working after showing the Windows XP logo. I'm not able to get into the desktop anymore. Is this normal??? Please advise!

Thank you.
orage is offline  
Old 05-24-2005, 06:41 AM   #18 (permalink)
Old Timer
 
jgvernonco's Avatar
 
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27


Can you boot it into Safe Mode? If so, run the tools from there.
jgvernonco is offline  
Old 05-24-2005, 06:47 AM   #19 (permalink)
Registered User
 
Join Date: May 2005
Posts: 110
OS: XP


No, I can't. It stops running after showing the Win. XP loading page and then I get a black screen. It doesn't do anything from there. Please help!
orage is offline  
Old 05-24-2005, 07:51 AM   #20 (permalink)
TSF Enthusiast
 
Detah's Avatar
 
Join Date: Jun 2004
Location: from IL; now in KY
Posts: 647
OS: Win98SE/XP


To do a Repair with the Windows XP Installation CD
* Boot with Windows XP Installation CD in CD drive.
* You'll see a "Welcome to Setup" screen with a few options.
* Choose the first one: "To setup Windows XP now, press ENTER" <Press Enter>
DO NOT CHOOSE THE SECOND OPTION "To repair..." !!!!!!
* You'll be asked to accept the licensing agreement then it will search for any existing Windows installations. Pick the one you want to repair from the list and press "R" to start the repair.
Don't press any keys. It will _look_ like a clean install, but only necessary files are being copied to the hard drive. Windows will then begin to load.
Your computer will then reboot. It will notice that the CD is in the drive—don't press any keys, let it bypass the CD.
* Now hopefully, it will boot into Normal Mode. If so, the first thing you need to do is update your Windows with SP2 and all accompanying critical updates.

Run HJT in Normal Mode and give us a new log please.
__________________

I can help in German.
Make a post and PM me. Peebs85 also speaks German.

If I help you, please donate to upgrade our outgrown server. I will donate my time to helping you for free, but the server is not free. Please send donations to Jason Connors (TSF owner), 4410 Grandwood Lane, New Port Richey, FL 34653. Even if it's only a dollar. Thank you.
Detah is offline  
 

